Show a Warning When dumpwallet Command is Used #290
Comments
I'm in favor of this because of the increasing number of scams. Although I'm sure that scammers will find new ways to scam or explain their way out of this, this small change makes sense. Given that this scam targets people who aren't technically inclined, I propose to make the message easier to understand.
Assigning this to @a-bezrukov which should be a straightforward text change. |
I propose to force user to enter: |
PR created: #291 |
Yura's idea is not bad. Is it difficult to implement? |
No it's straightforward. Where will the string be hosted? For example, it could be shown by running the |
Yes, it should be shown when |
Sure. I think the best option is to add both. At that point it's really out of our control. Will update the code tomorrow. |
How do you like this version of the text: WARNING! This command exports all your private keys. Anyone with these keys has complete control over your funds. If someone asked you to type in this command, chances are they want to steal your coins. This is never needed for Znode setup or diagnosis! |
https://github.com/zcoinofficial/zcoin/pull/291/files Updated to include Yura's method. |
But why ;) I think we have to consider that most people aren't native speakers of English or very computer-literate. To them "print" doesn't mean screen output for example. That's what I tried to fix in my version. Also edited for clarity, got rid of redundancy, shortened sentences, explicitly added troubleshooting (which is exactly the context of the scam!) etc. |
Ok. Any feedback @reubenyap @yura-pakhuchiy ? |
Since the user will probably be confused at this point, the information text may also include where he can seek help, and that he should not accept private messages and should ask for assistance via public channels. |
I think the other way to look at it is if the user wants to use |
My point is we are trying to protect a user who is being scammed and is probably receiving instructions via private messages. At the point he enters |
All new and refined:
Thumbs up or thumbs down please, gents |
I like the new wording. |
The issue with the current solution (the blocking part that waits for a response from the user) is that it requires |
This can be implemented as intended in another layer of RPC calls. The filter may be implemented in or around rpc/server.cpp and work for zcoin-cli and zcoin-qt. |
This is now implemented in #291 and merged to master. |
Since we introduced Znodes, dozens of users have been scammed out of their Znode collateral and any additional funds they had.
The Problem
Scammers usually operate like this:
walletpassphrase. Unlocking, however, is only needed for coin-related functions (i.e., sending, minting and spending) and nothing else. The command the scammer uses to have the user "generate logs" is dumpwallet. This command's name is inconspicuous enough for the average user as it could be thought of referring to dumping the wallet's logs. In reality of course it dumps all private keys. The command the scammer has the user enter is usually something along the lines of dumpwallet logfile.zip. This is another cover-up tactic as the generated file is plain-text but is likely recognised as an archive by the user's OS based on the ending. The average computer user will thus not be able to check the file's content before sending it to the scammer.
Proposed Solution
As dumpwallet does not seem to be suspicious to the average user, there should be a warning added to the command's output. I suggest something along the lines of:
WARNING! This command exports all your private keys. Whoever has this output can gain complete control over your funds
Faced with an output like this, the user would likely reconsider sending the file to the scammer.
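An added illustration of the idea discussed in this thread (not the code from PR #291, which this page does not show): a non-blocking filter placed ahead of RPC dispatch that rejects dumpwallet with the warning until the call is repeated with a confirmation phrase. The function names, the confirmation phrase and the archive-extension note are assumptions made for this example.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Warning wording comes from the issue text; all names below are hypothetical.
static const std::string kWarning =
    "WARNING! This command exports all your private keys. "
    "Whoever has this output can gain complete control over your funds";
// Constructed phrase: the thread does not show what the user has to enter.
static const std::string kConfirm = "I-UNDERSTAND-THIS-EXPORTS-MY-KEYS";

struct GateResult {
    bool allowed;                     // true: pass the call on to the real handler
    std::string message;              // text to show the user
    std::vector<std::string> params;  // params without the confirmation phrase
};

// The dump is plain text, so an archive-style name only hides its content.
static bool LooksLikeArchiveName(std::string name) {
    static const std::vector<std::string> exts = {".zip", ".rar", ".7z", ".gz"};
    std::transform(name.begin(), name.end(), name.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    for (const std::string& ext : exts)
        if (name.size() >= ext.size() &&
            name.compare(name.size() - ext.size(), ext.size(), ext) == 0) return true;
    return false;
}

// Runs before dispatch and never waits for input: an unconfirmed call is
// rejected with the warning, and the user must repeat it with the phrase.
GateResult GateKeyExport(const std::string& method, std::vector<std::string> params) {
    if (method != "dumpwallet") return {true, "", params};
    if (params.empty() || params.back() != kConfirm)
        return {false, kWarning + "\nTo continue, repeat the command and append: " + kConfirm, {}};
    params.pop_back();  // the real handler never sees the phrase
    if (params.empty()) return {false, "dumpwallet needs an output file name", {}};
    std::string msg = kWarning;
    if (LooksLikeArchiveName(params[0]))
        msg += "\nNote: the output is a plain-text key file, not an archive.";
    return {true, msg, params};
}

int main() {
    // Constructed sample calls.
    std::cout << GateKeyExport("dumpwallet", {"logfile.zip"}).message << "\n\n";
    std::cout << GateKeyExport("dumpwallet", {"logfile.zip", kConfirm}).message << "\n";
}
```

Because the gate rejects and returns instead of prompting, the same check applies to any front end that goes through the dispatcher.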