Bitcoin Forum

Bitcoin => Project Development => Topic started by: cedricfung on July 11, 2023, 09:48:48 AM



Title: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 11, 2023, 09:48:48 AM
I had the idea of making an easy-to-use Bitcoin multisig wallet with a timelocked recovery key for a long time, and thanks to the recent development of miniscript in the Bitcoin community, I'm able to produce a solution and product that allows the general public to use these advanced features in a very convenient way.

Technology

The underlying miniscript of the solution is discussed in another topic: https://bitcointalk.org/index.php?topic=5441806.0

Code:
wsh(thresh(2,pk(OWNER),s:pk(MEMBERS),sj:and_v(v:pk(RECOVERY),n:older(12960))))

The miniscript above produces a 2-of-3 multisig, with a 90-day timelock for the RECOVERY key.

For any UTXO created within 90 days, both the OWNER and MEMBERS keys must sign the transaction to spend the coins. But after 90 days, the RECOVERY key can step in to work together with either the OWNER or MEMBERS key to spend the coins.


Product

Based on the miniscript technology above, we created a product, Mixin Safe, to make all those steps convenient for Bitcoin holders.

Whenever a new Mixin Safe is created, the Bitcoin holder needs to provide the OWNER public key. To do this, a miniscript-compatible wallet is required. We have tested Bitcoin Core and Ledger, and noticed upcoming miniscript support announcements from other hardware vendors, e.g.

  • Coldcard https://github.com/Coldcard/firmware/pull/227
  • BitBox02 https://twitter.com/_benma_/status/1670022585461907456
  • SeedSigner https://twitter.com/pythcoiner/status/1670458117983805442

Then the Bitcoin holder needs to use another product of ours, Mixin Messenger, to produce an MPC public key as the MEMBERS key. Although it's possible to generate this MEMBERS key only by yourself, we recommend choosing at least two Mixin Messenger devices, better with your partner, so the MPC key is generated as a 1-of-2 threshold ECDSA key.

Mixin Messenger has been an open source MPC wallet for 6 years https://github.com/MixinNetwork/android-app, and the MPC code we used is from https://github.com/taurusgroup/multi-party-sig

Finally, we, the Mixin Safe service maintainer, hold the RECOVERY key for emergency recovery usage once the OWNER key is lost.


Security

The solution is based on Bitcoin multisig script with timelock, and the recovery key timelock can be adjusted when the wallet is created.

The OWNER key is managed by popular third-party Bitcoin wallets, can have a normal backup solution, and there is no need to worry about it being stolen or lost, because nobody will be able to spend the coins with only this OWNER key, and the coins can be recovered even if the OWNER key is completely lost.

The MEMBERS key is managed by an open source MPC solution. If the MEMBERS key is managed by a few people in 1-of-2 or 3-of-5 or even 5-of-10, it's almost impossible to lose the MEMBERS key.


Try It!

Now the product is generally available; it's a website designed to have an intuitive interface.

https://safe.mixin.one/

Thank you, and welcome suggestions.
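
The spending rules described in the post above, worked through as an added example (not code from the post or from Mixin): a small Python parser for the quoted descriptor that reports, for each combination of keys, the earliest UTXO age in blocks at which that combination can spend. The function names, the policy-level treatment of the wrappers and the 144-blocks-per-day figure are assumptions of this sketch.

```python
"""Audit who can spend, and when, under the descriptor quoted in the post.

Added illustration only: a policy-level reading of the miniscript, not a
script compiler and not Mixin's code. Function names are hypothetical.
"""
import re
from itertools import combinations

# Descriptor copied from the post.
PAGE_DESCRIPTOR = ("wsh(thresh(2,pk(OWNER),s:pk(MEMBERS),"
                   "sj:and_v(v:pk(RECOVERY),n:older(12960))))")
BLOCKS_PER_DAY = 144  # assumption: one block roughly every 10 minutes


def split_args(inner):
    """Split 'a,b(c,d),e' at top-level commas only."""
    args, depth, start = [], 0, 0
    for i, ch in enumerate(inner):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            args.append(inner[start:i])
            start = i + 1
    args.append(inner[start:])
    return args


def parse(expr):
    """Return a leaf string or a (fragment, [children]) tuple.

    Wrappers such as s:, sj:, v:, n: are dropped: they change how the
    script handles the stack, not which keys may spend or when.
    """
    expr = expr.strip()
    wrapped = re.match(r"^[a-z]+:(.+)$", expr)
    if wrapped:
        expr = wrapped.group(1)
    if "(" not in expr:
        return expr
    if not expr.endswith(")"):
        raise ValueError(f"unbalanced expression: {expr!r}")
    name, inner = expr.split("(", 1)
    return (name, [parse(a) for a in split_args(inner[:-1])])


def collect(node, fragment):
    """Leaf arguments of every `fragment` (e.g. 'pk', 'older') in the tree."""
    if isinstance(node, str):
        return []
    name, args = node
    if name == fragment:
        return [args[0]]
    return [leaf for a in args for leaf in collect(a, fragment)]


def satisfied(node, signers, age_blocks):
    """Can `signers` satisfy `node` for a UTXO with `age_blocks` confirmations?"""
    name, args = node
    if name == "wsh":
        return satisfied(args[0], signers, age_blocks)
    if name == "pk":
        return args[0] in signers
    if name == "older":  # relative timelock, counted per UTXO
        return age_blocks >= int(args[0])
    if name == "and_v":
        return all(satisfied(a, signers, age_blocks) for a in args)
    if name == "thresh":  # any k satisfiable branches are enough
        k = int(args[0])
        return sum(satisfied(a, signers, age_blocks) for a in args[1:]) >= k
    raise ValueError(f"fragment not handled by this sketch: {name}")


def audit(descriptor):
    """Map each key combination to the earliest age it can spend at (or None)."""
    tree = parse(descriptor)
    keys = sorted(set(collect(tree, "pk")))
    ages = sorted({0, *(int(n) for n in collect(tree, "older"))})
    result = {}
    for size in range(1, len(keys) + 1):
        for combo in combinations(keys, size):
            result[combo] = next(
                (a for a in ages if satisfied(tree, set(combo), a)), None)
    return result


if __name__ == "__main__":
    for keyset, age in audit(PAGE_DESCRIPTOR).items():
        if age is None:
            when = "never"
        else:
            when = f"after {age} blocks (~{age / BLOCKS_PER_DAY:.0f} days)"
        print(" + ".join(keyset).ljust(28), when)
```

The age is counted separately for each UTXO from its confirmation, so the report applies per coin rather than per wallet.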


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: AB de Royse777 on July 11, 2023, 11:07:44 AM
I am trying to understand, is it a bitcoin mixing service or you are talking about a wallet, perhaps an online wallet?

Finally, we the Mixin Safe service maintainer holds the RECOVERY key for emergency recovery usage once the OWNER key is lost.
In case it's a wallet, then doesn't it mean there is this fake sense of decentralization? After all, you hold the key and your clients are trusting you with their funds.

Sorry if I got the whole idea wrong.

https://safe.mixin.zone/

Thank you, the product is still in beta, and welcome suggestions.

I would love to see the finished product first. Then you can start with a review campaign to see the response from the community. I can help you in that if you want.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: NotATether on July 11, 2023, 11:30:16 AM
I am trying to understand, is it a bitcoin mixing service or you are talking about a wallet, perhaps an online wallet?

It is not a mixer, it's code for making a multisig transaction where some members cannot spend from it by signing using their keys until after a fixed time period.

But this last link from the OP looks like it's a service that is trying to replace crypto custodials for companies (think Coinbase holding coins for Blackrock), not intended for the general public - I mean how can you say a timelocked multisig is more secure than a hardware wallet, for example?


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 11, 2023, 11:42:30 AM
I am trying to understand, is it a bitcoin mixing service or you are talking about a wallet, perhaps an online wallet?

Finally, we the Mixin Safe service maintainer holds the RECOVERY key for emergency recovery usage once the OWNER key is lost.
In case it's a wallet then isn't it means there is this fake sense of decentralization? After all you hold the key and your clients are trusting you with their funds.

Sorry, If I got the whole idea wrong.

https://safe.mixin.zone/

Thank you, the product is still in beta, and welcome suggestions.

I would love to see the finished product first. Then you can start with a review campaign to see the response from the community. I can help you in that if you want.

The link above is the beta product; you can already sign in and start using it. I know the Mixin name makes it sound like a mixer, but it's just a wallet.

To start using the product, you need Mixin Messenger, which is an MPC wallet, to make the Mixin Safe account. And thank you so much for helping.

Sorry the website doesn't make it clear for people to understand the product, we are still polishing the website design and words.

I am trying to understand, is it a bitcoin mixing service or you are talking about a wallet, perhaps an online wallet?

It is not a mixer, it's code for making a multisig transaction where some members cannot spend from it by signing using their keys until after a fixed time period.

But this last link from the OP looks like it's a service that is trying to replace crypto custodials for companies (think Coinbase holding coins for Blackrock), not intended for the general public - I mean how can you say a timelocked multisig is more secure than a hardware wallet, for example?

Hi, it's a wallet service. The wallet is provided as a website to make it easy to access from anywhere, but the website doesn't hold the private keys, it's just an interface to make it easy to do multisig.

It's some kind of custodian service those companies will use, but it's built with the general public in mind; the website interface is pretty easy to use, and pricing is transparent and cheap.

For security, it's better to read the post instead of the website, the website is under development and missing some points.

So Mixin Safe is a multisig wallet with three keys, OWNER, MEMBERS and RECOVERY.

The OWNER key is managed by user's own hardware wallet, Ledger, BitBox02, etc.

The MEMBERS key is also managed by the user's wallets, the Mixin Messenger MPC wallet. The MEMBERS key can be managed by the user or friends, making it difficult to lose.

And the recovery key is timelocked, and can only be used when the timelock has expired and must be used together with the OWNER or MEMBERS key.

When I say this is more secure than a single hardware wallet, I mean a hardware wallet is secure, but a single hardware wallet is easy to lose or break. Mixin Safe uses a hardware wallet and tries to eliminate the single point of failure.



Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: dkbit98 on July 14, 2023, 09:15:22 PM
To start using the product, you need Mixin Messenger, which is an MPC wallet,  to make the Mixin Safe account. And thank you so much for helping.
If I understand correctly, this Mixin Messenger wallet is a fork of the Signal app, but is there any other way to register than entering a phone number?
I tried registering with one phone number and I received a data error. I also don't want to share my number for this purpose, even if the app claims it won't share it with anyone.

https://www.talkimg.com/images/2023/07/14/ZrE1g.jpeg

That indirectly means phone number could be shared privately with different companies, governments and/or individuals.

When I say this is more secure than a single hardware wallet, I mean hardware wallet is secure, but a single hardware wallet is easy to lose or broke, Mixin Safe uses hardware wallet, and try to eliminate single point of failure.
It's much easier and safer to use multisig setup and combine hardware wallet with another device or a wallet, than to download and install all Mixin stuff, and pay $100 or more every year.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Latviand on July 15, 2023, 01:20:35 AM
Can anyone do a TLDR for plebs like me? Cause I doubt that I understand this project correctly, from what I read and understand, this is a kind of wallet where there are two keys and you can't open the wallet with just one, is that correct? If so, then OP should probably change the name of the project because I don't see how mixing is a feature in this.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 15, 2023, 04:42:18 AM
To start using the product, you need Mixin Messenger, which is an MPC wallet,  to make the Mixin Safe account. And thank you so much for helping.
If I understand correctly this Mixing Messanger wallet is fork of Signal app, but is there any other way to register other than entering phone number.
I tried registering with one phone number and I received data error, I also don't want to share my number for this purpose, even if app claims it won't share it with anyone.

https://www.talkimg.com/images/2023/07/14/ZrE1g.jpeg

That indirectly means phone number could be shared privately with different companies, governments and/or individuals.

When I say this is more secure than a single hardware wallet, I mean hardware wallet is secure, but a single hardware wallet is easy to lose or broke, Mixin Safe uses hardware wallet, and try to eliminate single point of failure.
It's much easier and safer to use multisig setup and combine hardware wallet with another device or a wallet, than to download and install all Mixin stuff, and pay $100 or more every year.

A product is not for everyone. Most people use centralized exchanges or custodians for their ease of use and convenience. Mixin Safe is designed mainly for those people who prefer convenience over understanding the tech stuff behind the scenes, but in a decentralized and secure way.

And for the phone number thing, it's the same: a phone number is just a phone number. We share nothing, and we never do ads or analyze data.

Anyway, you can choose to use an anonymous number when you get an account.


Can anyone do a TLDR for plebs like me? Cause I doubt that I understand this project correctly, from what I read and understand, this is a kind of wallet where there are two keys and you can't open the wallet with just one, is that correct? If so, then OP should probably change the name of the project because I don't see how mixing is a feature in this.

The Mixin name is from the same brand under Mixin Network and Mixin Messenger. They do have some mixin features in a decentralized way.

Mixin Safe is a product built on Mixin Messenger features, to provide a multisig+timelock Bitcoin wallet service. But with Mixin Safe, this mixin ability is reduced from the original Mixin Network.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Latviand on July 15, 2023, 04:51:11 AM
~

The Mixin name is from the same brand under Mixin Network and Mixin Messenger. They do have some mixin features in a decentralized way.

Mixin Safe is a product built on Mixin Messenger features, to provide a multisig+timelock Bitcoin wallet service. But with Mixin Safe, this mixin ability is reduced from the original Mixin Network.
Ow, I totally misread the name, I thought it was Mixin' but hey, you learn new things. I noticed that there's an uncapitalized "mixin", is that bitcoin mixing or something? Now that I know the name, I get now what you're pitching.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 15, 2023, 05:07:22 AM
Ow, I totally misread the name, I thought it was Mixin' but hey, you learn new things. I noticed that there's an uncapitalized "mixin", is that bitcoin mixing or something? Now that I know the name, I get now what you're pitching.

Yes, Mixin products have the bitcoin mixing capabilities and work very well for 5 years already.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Learn Bitcoin on July 15, 2023, 05:41:07 AM
I tried to sign up using my phone number within the Android app, and getting the code was impossible. I am unsure if it's a network issue from my SIM card operator or maybe from Mixin. Each time I tap on resend message, it asks to verify the recaptcha. It seems recaptcha is currently in impossible-to-solve mode. I tried a couple of times to get the OTP but failed for now.



Please do not post multiple replies in a row. Posting consecutive posts in a row is not allowed. You can edit your previous posts and add something if you want.

32. Posting multiple posts in a row (excluding bumps and reserved posts by the thread starter) is not allowed.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 15, 2023, 06:22:47 AM
I tried to sign up using my phone number within the Android app, and getting the code was impossible. I am unsure if it's a network issue from my sim card operator or maybe from the mixin. Each time I tap on resent message, it asks to verify the recaptcha. It seems recaptcha is currently under impossible-to-solve mode. Tried a couple of times to get the OTP but failed for now.  

Could you tell me the country of your SIM card? We use Twilio to send out verification codes, and there may be some issues in some countries. Recaptcha should be easy to solve, will have a look.

And thank you for the multiple posts warning, I have fixed that.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: UmerIdrees on July 15, 2023, 06:41:17 AM
Finally, we the Mixin Safe service maintainer holds the RECOVERY key for emergency recovery usage once the OWNER key is lost.

I am just trying to understand this. So Mixin Safe is a wallet where we have control over our funds as we have the private key, but at the same time Mixin Safe also stores our private key (rename it to Owner Key), so in case we lose our private key, we can get help from Mixin Safe.
This may or may not be acceptable, since the site has access to our keys and they can cause harm anytime if they want. This is similar to any centralized site, but in this case we access through the keys and the site also can access our funds. Correct me if I am wrong  ???

My other question: is this wallet open source or closed source?


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 15, 2023, 07:08:12 AM
Finally, we the Mixin Safe service maintainer holds the RECOVERY key for emergency recovery usage once the OWNER key is lost.

I am just trying to understand this. So Mixin Safe is a wallet where we have control over our funds as we have the private key but at the same time the Mixin Safe also stores our private key (Rename it to Onwer Key), so in case if we lose our private key, we can get help from Mixin Safe.
This may or may not be acceptable as since the site has access to our keys, they can cause harm anytime if they want. This is similar to any centralized site but in this case, we access through the Keys and the site also can access our funds. Clear me if i am wrong  ???

Hi, it's not that we have your key.

The wallet is 2-of-3 multisig, which means the wallet is controlled by 3 keys: owner, members and recovery.

You have the owner and members keys. We have the recovery key, and the recovery key is timelocked by Bitcoin script, so that our key can only be used after your Bitcoin address is inactive for over 1 year.

So if you possess your owner and members keys, our recovery key will be useless. And just in case you lose your owner key or members key, our recovery key can be used, and it can only be used together with the owner or members key. That means, if you lose both the owner and members keys, then our recovery key is useless as well, because the 2-of-3 wallet can only be accessed by 2 keys together.


My other question is this wallet an open source or a closed source?

All our code is open source here: https://github.com/MixinNetwork


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Learn Bitcoin on July 15, 2023, 08:16:18 AM
May you tell the country of your sim card? We use Twilio to send out verification code, there may be some issues in some countries. Recaptcha should be easy to solve, will have a look.
I am from Bangladesh and use a Grameen phone SIM card. Sometimes SMS comes in delayed due to network problems. But I have checked again and confirmed that I did not receive any SMS yet. About recaptcha, I don't think it's from your end. Sometimes Recaptcha behaves like that and I have faced this issue on various platforms before.

Quote
And thank you for the multiple posts warning, I have fixed that.
You're welcome.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: dkbit98 on July 16, 2023, 11:20:36 PM
And for the phone number thing, it's the same, phone number is just a phone number, we share nothing, we never do ads or analyze data.
Signal third-party Twilio data breach exposed 1,900 phone numbers in 2022, and now we are supposed to trust you who are using app based on Signal and same third party Twilio?
Sorry for saying this, but I am a little suspicious whenever I have to send any of my personal data for any registration.
If I had to choose between better security and convenience, I will always choose security.

Anyway, you can choose to use anonymous number when get an account.
I tried using anonymous number and it didn't work with Mixin.



Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 17, 2023, 04:57:59 AM
Signal third-party Twilio data breach exposed 1,900 phone numbers in 2022, and now we are supposed to trust you who are using app based on Signal and same third party Twilio?
Sorry for saying this, but I am little suspicious whenever I have to send any of my personal data for any registration.
If I had to choose between better security and convenience, I will always choose security.

I understand your choice. I'm not saying the product is perfect for anyone. Mixin Safe can be a much better solution for people who want an easy-to-use and decentralized solution to manage their coins, instead of using a CEX.

And Mixin Safe is designed to be used by family or team members together, it's important to make it convenient and obvious to understand. The goal is to make BTC accessible to everyone in the world, so everyone is confident about their BTC holdings without worrying about losing their coins.

People are already using centralized banks, with all their personal information shared with the banks. Now Mixin Safe can be a decentralized bank, in a very similar approach but with BTC as the money. Mixin Safe can be a better bank for those who are already banked, and Mixin Safe is also a better alternative to CEX for those who choose CEX over wallets.

I tried using anonymous number and it didn't work with Mixin.

Anonymous number needs to be bought and connected to a private key at first, and are only for some invited testers for now. Will be open to public very soon.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: yhiaali3 on July 18, 2023, 05:06:00 PM
I tried as much as possible to understand this service, I think I got the point, but my question is what is the benefit of this service for ordinary users? I mean, what will make the average user leave the software wallet (free and easy) or the hardware wallet and go towards this type of service (which has some degree of centralization)?

Then the Bitcoin holder needs to use our another product Mixin Messenger to produce a MPC public key as the MEMBERS key. Although it's possible to generate this MEMBERS key only by yourself, we recommend to choose at least two Mixin Messenger devices, better with your partner, so the MPC key is generated as a 1-of-2 threshold ECDSA key.
This is another point as well, users must use your other product "Mixin Messenger", and this is something that many people may not want, because the user will need to download several applications and register on the site and all these things will seem annoying and make users feel that someone is sharing their sensitive data with them.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 18, 2023, 06:42:37 PM
I tried as much as possible to understand this service, I think I got the point, but my question is what is the benefit of this service for ordinary users? I mean, what will make the average user leave the software wallet (free and easy) or the hardware wallet and go towards this type of service (which has some degree of centralization)?

This is another point as well, users must use your other product "Mixin Messenger", and this is something that many people may not want, because the user will need to download several applications and register on the site and all these things will seem annoying and make users feel that someone is sharing their sensitive data with them.

I understand all your concerns, and know that we have a long way to go to do good marketing. We are not a new team, and Mixin Messenger is an old product that has been operating for 6 years already.

But first of all, we need to make sure this is a good product; it must be secure, decentralized, and convenient. It's not a product for all, and it begins by serving the people who need it well.

Thank you


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: coupable on July 18, 2023, 08:01:45 PM
Then the Bitcoin holder needs to use our another product Mixin Messenger to produce a MPC public key as the MEMBERS key. Although it's possible to generate this MEMBERS key only by yourself, we recommend to choose at least two Mixin Messenger devices, better with your partner, so the MPC key is generated as a 1-of-2 threshold ECDSA key.
This is another point as well, users must use your other product "Mixin Messenger", and this is something that many people may not want, because the user will need to download several applications and register on the site and all these things will seem annoying and make users feel that someone is sharing their sensitive data with them.
You cannot know from the start that the product will not have users even if it is completely centralized and even if there are better alternatives.  It can be said that it is too early to admit this.  Almost all of us know that a small percentage of users care about privacy. 
I believe that this will be concluded based on the review campaign that they intend to launch soon, by assigning 100 participants from Bitcointalk, as their evaluations will be of great benefit in assessing the project's effectiveness and profitability. Choosing Bitcointalk + Royse services is a great decision to determine how efficient the service is.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Latviand on July 19, 2023, 02:46:09 AM
Hello, I've checked your website, pretty sleek and elegantly simple which I like since it's refreshing to the eyes but I have to ask, do the reviewers have to pay when they create their wallet? Also, is Mornin Key the only available one for testers?


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 19, 2023, 03:49:45 AM
Hello, I've checked your website, pretty sleek and elegantly simple which I like since it's refreshing to the eyes but I have to ask, do the reviewers have to pay when they create their wallet? Also, is Mornin Key the only available one for testers?

The package plan in test starts from $2 per year, so the reviewers do need to pay at least $2 to the standard plan to create a safe and send out a transaction.

Mornin Key is the free and easiest wallet to test, but we also have guides for Bitcoin Core and Ledger at the moment https://support.mixin.one/en/category/mixin-safe-n3u479/


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: gunhell16 on July 19, 2023, 08:38:25 AM
I'm still reviewing this mixin safe, and currently, I'm still a little confused, but I tried to download the mixin safe messenger. If I look at it, it seems like a typical wallet like a trust wallet.

Then I'm also a bit confused if I'm obligated to buy a cold card because I saw that to have one it's around 147$ each and the morning key is around 1.1$ each here in our currency. If I use a mixin safe, is it required for me to buy a cold card and mornin key?


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: logfiles on July 19, 2023, 10:41:37 AM
If I understand the purpose of this service well, then I must ask, Why is it limited to mostly hardware wallets and Bitcoin core?
In the guides I am not seeing any talk about wallets like Electrum, Sparrow Wallet etc

Yes, hardware wallets are superior in security vs SPV wallets, but a majority of people use the latter. So why are they not recommended? Am I missing something?


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 19, 2023, 10:59:41 AM
I'm still reviewing this mixin safe, and currently, I'm still a little confused, but I tried to download the mixin safe messenger. If I look at it, it seems like a typical wallet like a trust wallet.

Then I'm also a bit confused if I'm obligated to buy a cold card because I saw that to have one it's around 147$ each and the morning key is around 1.1$ each here in our currency. If I use a mixin safe, is it required for me to buy a cold card and mornin key?

Mixin Safe is not a single piece of software; it's a service that makes multisig easy to use. The minimum requirements for this service are Mixin Messenger and a Bitcoin private key wallet.

The Bitcoin private key wallet can be any Bitcoin wallet that supports miniscript well. So Bitcoin Core is the most trusted and free choice; you don't need to buy anything. Mornin Key is the other software choice, and as far as I know no other Bitcoin software wallets support miniscript wallets yet.


Anyway, you can choose to use anonymous number when get an account.

1. Can people use any free anonymous number (such as Google Voice and Firefox Relay)?
2. Any plan to replace phone number with email address (since it's easier to obtain anonymous email address)?

1. Yes, any phone number which can receive SMS is acceptable.
2. We are considering other choices, including email.

If I understand the purpose of this service well, then I must ask, Why is it limited to mostly hardware wallets and Bitcoin core?
In the guides I am not seeing any talk about wallets like Electrum, Sparrow Wallet etc

Yes, hardware wallets are superior in security vs SPV wallets, but a majority of people use the latter. So why are they not recommended? Am I missing something?

That's because of lack of miniscript support. Although if you bother search all wallet mentioned on their homepage, they also support Mornin Key and Mixin Messanger which supposed to be lightweight/SPV wallet.

Yes, the answer is correct. Once other software wallets fully support the miniscript feature, they can be used with Mixin Safe.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: examplens on July 19, 2023, 11:06:14 AM
Anyway, you can choose to use anonymous number when get an account.

1. Can people use any free anonymous number (such as Google Voice and Firefox Relay)?

I think that storing any value with the help of a temporary service or one controlled by a third party cannot be a good solution. Sounds like "not your key, not your coins" to me.



Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: gunhell16 on July 19, 2023, 02:49:21 PM
I'm still reviewing this mixin safe, and currently, I'm still a little confused, but I tried to download the mixin safe messenger. If I look at it, it seems like a typical wallet like a trust wallet.

Then I'm also a bit confused if I'm obligated to buy a cold card because I saw that to have one it's around 147$ each and the morning key is around 1.1$ each here in our currency. If I use a mixin safe, is it required for me to buy a cold card and mornin key?

Mixin Safe is not a single software, it's a service that makes multisig easy to use, the minimum requirements for this service is Mixin Messenger and a Bitcoin private key wallet.

The Bitcoin private key wallet can be any Bitcoin wallets that support miniscript well. So Bitcoin Core is the most trusted and free choice, you don't need to buy anything. And Mornin Key is the other software choice, and as I know no other Bitcoin software wallets support Miniscript wallet yet.

How about Bluewallet? Since this one also supports miniscript, can I use it with Mixin Safe? I thought you were requiring each user to have Mornin Key, but I was wrong about this.

But anyway, thanks for the clarification for this thing now I know what am I gonna do with this mixin safe. One more thing why in your terms in the review campaign you've mentioned that anyone can use throwaway number, right? Why? It seems that there is risk when we use mixin safe?


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Agbe on July 19, 2023, 03:19:13 PM
OP, I tried to download the Signal Messaging App and this is the warning I got from it.
https://www.talkimg.com/images/2023/07/19/ZDe7v.png
This is what most people are trying to avoid because they are afraid that virus might infect their mobile device to destroy their already installed wallet.

And also the inclusion of bitcoin core in desktop or laptop and Mornin Key App and Ledger Wallet App for Android Version is making the process cumbersome. Why can you programme it for one device use? Now what will happen to those who are not using phone or those who are not using phone?

As you said, the service is not for everyone but you still need everyone for the service. So make things easy for us to use.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 19, 2023, 03:24:47 PM
How about Bluewallet, since this one also supports miniscript I can used this on the mixin safe?  I thought, your requiring each users to have morni key, but I was wrong about this thinking.

But anyway, thanks for the clarification for this thing now I know what am I gonna do with this mixin safe. One more thing why in your terms in the review campaign you've mentioned that anyone can use throwaway number, right? Why? It seems that there is risk when we use mixin safe?


A few wallets are now supporting part of miniscript, but they don't have full support, they usually only allow some simple predefined templates. I will look into Bluewallet to have a test.

Throwaway number is ok for a test. But if you like the product and decide to use it for your coins, it's recommended to use a real number though. By mentioning throwaway number, it's not a recommendation, just to emphasize that we don't want people's phone number, we make the product to use phone numbers because it's the most adopted authentication method for general public.


OP, I tried to download the Signal Messaging App and this is the warning I got from it.
https://www.talkimg.com/images/2023/07/19/ZDe7v.png
This is what most people are trying to avoid because they are afraid that a virus might infect their mobile device and destroy their already installed wallet.

And also the inclusion of bitcoin core in desktop or laptop and Mornin Key App and Ledger Wallet App for Android Version is making the process cumbersome. Why can you programme it for one device use? Now what will happen to those who are not using phone or those who are not using phone?

As you said, the service is not for everyone but you still need everyone for the service. So make things easy for us to use.

It's better for most people to download APKs from their app stores, usually Google Play, F-Droid, or something, then those APK warnings won't appear. This is not an app thing, it's Android.

Mixin Messenger itself is the easiest wallet to use already, with good real mixing capability as the name suggested :D

One-device use means a single point of failure. Mixin Safe is designed precisely to avoid this issue, so it's possible to use it with a single device, but that is not the recommended way.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: DaNNy001 on July 20, 2023, 05:53:25 AM
One question about the member key aspect of this project: can the members be folks I know, or can I meet any random guy and add them through the messenger app? The reason is that I have very limited contacts.

Haven't tried it out yet, but I thought I should know about this aspect of the project. I think the project is cool because, believe me, I know most bitcoin users always prefer storing their coins in CEX even if they are fully aware of the vulnerability, but Mixin Safe seems simple enough and the multisig aspect of it makes it somehow cool and safe even if one loses their private key.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 20, 2023, 06:21:22 AM
One question about the member key aspect of this project: can the members be folks I know, or can I meet any random guy and add them through the messenger app? The reason is that I have very limited contacts.

Haven't tried it out yet, but I thought I should know about this aspect of the project. I think the project is cool because, believe me, I know most bitcoin users always prefer storing their coins in CEX even if they are fully aware of the vulnerability, but Mixin Safe seems simple enough and the multisig aspect of it makes it somehow cool and safe even if one loses their private key.

Thank you for the praise  :D

For the members key, if you just wanna try the service, you may choose anybody, even yourself is enough. We recommend the members to be managed by trusted members, or by two different phones, so that you won't lose access of the members key.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: NotATether on July 20, 2023, 10:30:12 AM
Where is the multisig and private key functionality? I don't see it anywhere in the app.

I'd like to see how the 2-of-3 multisig is stored.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Zoomic on July 20, 2023, 12:17:18 PM
I have seen this project in the service board running a review campaign. I have also seen that many people have applied to the review the project. But it appears that this project is not a familiar one, but it has a good security feature. I remember when I first set up a 2-2 multi sig wallet, it wasn't a straight forward thing but I achieved it.
I have interest in this project and I will like to use it. I don't know if someone like o_e_l_e_o has studied this project. He has a way of explaining difficult things in a simple manner. I will be glad if he can respond to this.

Meanwhile, OP, you did well by offering a review campaign. That is the only way to make the community acquainted with the project.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 20, 2023, 05:09:13 PM
Where is the multisig and private key functionality? I don't see it anywhere in the app.

I'd like to see how the 2-of-3 multisig is stored.

You can check our website for technology details and send a transaction from your Mixin Safe to see the multisig in action.

https://blockstream.info/tx/038a366e35ce50a7315b42f9139f19f868f481212ba9fc814e08a09bdd39a57e?expand

The link above is a transaction sent from one Mixin Safe address. As you can see, the witness script shows two signatures used to unlock a timelocked 2-of-3 multisig script.

I have seen this project in the service board running a review campaign. I have also seen that many people have applied to the review the project. But it appears that this project is not a familiar one, but it has a good security feature. I remember when I first set up a 2-2 multi sig wallet, it wasn't a straight forward thing but I achieved it.
I have interest in this project and I will like to use it. I don't know if someone like o_e_l_e_o has studied this project. He has a way of explaining difficult things in a simple manner. I will be glad if he can respond to this.

Meanwhile, OP, you did well by offering a review campaign. That is the only way to make the community acquainted with the project.

Thank you. Mixin Safe is a new project started this year, when I asked about Bitcoin script questions https://bitcointalk.org/index.php?topic=5441806.0

However Mixin Messenger is a project with lots of users and has been running for 6 years.



Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: o_e_l_e_o on July 21, 2023, 08:15:52 AM
I don't know if someone like o_e_l_e_o has studied this project. He has a way of explaining difficult things in a simple manner. I will be glad if he can respond to this.
I haven't studied this in depth, but as far as I can tell it works as follows.

Mixin Safe is a 2-of-3 multi-sig.
There is one key held by you, the owner key.
The second key is held by your family/friends/colleagues/other trusted contacts, called the members key.
The third key is held by Mixin Safe themselves, but is timelocked for a year, called the recovery key.

You can spend coins using your key and the key held by your trusted contacts with their approval. If you lose your key, or your trusted contacts lose their key, you can recover your coins after one year with the key you do still have and the recovery key.



I would also say that I will never use such a product, for a couple of reasons. Personally, I do not want a third party involved in my storage, and I certainly don't want to be paying a third party to be involved in my storage. I also highly value my privacy, and don't want a third party being able to see all my holdings and transactions. I know there is a market for such products given the recent Ledger Recovery nonsense, but that market is not me.

However, on poking about the website a bit more I have one main concern, and it revolves around the members key. How does it work exactly? It is a multi-sig embedded in a multi-sig? Is it SSS? How do the threshold number of members come together in order to recreate their key? Can I pick the threshold? Your pricing model says you charge $20 per transaction(!). How can you enforce this when I am supposed to be able to access my key and the members key without you? If the members truly did hold this key, then I can recover my multi-sig to any wallet and make transactions without paying your fee, no? Something doesn't add up.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 21, 2023, 08:35:47 AM
I haven't studied this in depth, but as far as I can tell it works as follows.

Mixin Safe is a 2-of-3 multi-sig.
There is one key held by you, the owner key.
The second key is held by your family/friends/colleagues/other trusted contacts, called the members key.
The third key is held by Mixin Safe themselves, but is timelocked for a year, called the recovery key.

You can spend coins using your key and the key held by your trusted contacts with their approval. If you lose your key, or your trusted contacts lose their key, you can recover your coins after one year with the key you do still have and the recovery key.



I would also say that I will never use such a product, for a couple of reasons. Personally, I do not want a third party involved in my storage, and I certainly don't want to be paying a third party to be involved in my storage. I also highly value my privacy, and don't want a third party being able to see all my holdings and transactions. I know there is a market for such products given the recent Ledger Recovery nonsense, but that market is not me.

However, on poking about the website a bit more I have one main concern, and it revolves around the members key. How does it work exactly? It is a multi-sig embedded in a multi-sig? Is it SSS? How do the threshold number of members come together in order to recreate their key? Can I pick the threshold? Your pricing model says you charge $20 per transaction(!). How can you enforce this when I am supposed to be able to access my key and the members key without you? If the members truly did hold this key, then I can recover my multi-sig to any wallet and make transactions without paying your fee, no? Something doesn't add up.

It's the CMP-MPC protocol from Fireblocks, so there is no private key for the members key, and it has never existed. But n members hold some shares, they can sign the message with their share and combine the signature to form the final signature.

Technically and actually you can do all of this for free. What we charge for is that we make a tool for you to easily do all this multisig and MPC stuff. We sell wallet software, just like people sell wallet hardware; you can manage your private key without the hardware.



Mixin Safe is completely different from Ledger Recovery, they are trying to backup your private key, Mixin Safe never gets access to your private key. What we promote is multisig+timelock, the ultimate technology in Bitcoin, to help people preserve their coins without single point of failure.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: o_e_l_e_o on July 21, 2023, 08:46:54 AM
It's the CMP-MPC protocol from Fireblocks, so there is no private key for the members key, and it has never existed. But n members hold some shares, they can sign the message with their share and combine the signature to form the final signature.
I see. And they do all this through Mixin Messenger, right? Can they do it through any other piece of software, or it has to be your software?

My understanding is that the whole network is dependent on your XIN altcoin and its nodes, of which there are only 20-30? What happens when your network goes down? Does Mixin Messenger go offline? How does the average user (i.e. one who cannot clone github repos or compile software themselves) manage to recreate the members key and access their coins?


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 21, 2023, 09:36:26 AM
It's the CMP-MPC protocol from Fireblocks, so there is no private key for the members key, and it has never existed. But n members hold some shares, they can sign the message with their share and combine the signature to form the final signature.
I see. And they do all this through Mixin Messenger, right? Can they do it through any other piece of software, or it has to be your software?

My understanding is that the whole network is dependent on your XIN altcoin and its nodes, of which there are only 20-30? What happens when your network goes down? Does Mixin Messenger go offline? How does the average user (i.e. one who cannot clone github repos or compile software themselves) manage to recreate the members key and access their coins?

Technically they can use any software to do the CMP-MPC, and even if all the nodes go down, it's technically possible to do the process to access the members key. And all these processes don't rely on any altcoins, and members should have no knowledge about any altcoins.

Mixin Messenger may go offline and that has never been the case since 2017, and it serves hundreds of millions of E2EE messages every day.

Our service is to make all this technically possible process easier for average user, when you are trying to think about the backup plan when our service is gone, the plan is not to let the users develop software, it's to provide another software to help them. A decentralized system allows a new software to do the job, unlike a centralized system rug.

An average user can't even use Bitcoin Core to manage multisig and timelock, that's why we provide the service and sell it at a price.

In summary, everything could go offline, and in past 6 years, Mixin Messenger never did that. The software doesn't rely on altcoins. The coins can always be recovered even if our system is completely offline.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: examplens on July 21, 2023, 09:57:56 AM
Mixin Messenger may go offline and that has never been the case since 2017, and it serves hundreds of millions of E2EE messages every day.

OK for messages, but during that period, did Mixin messenger have any relationship with private keys and crypto addresses that hold some value?
I want to say that messaging is not as attractive for abuse as wallets. Once a significant amount of coins are connected to your service, more unethical persons will appear and try to open your system. For example, hackers always prefer to attack a system where there is some value than where the reward is just a bunch of text.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 21, 2023, 11:22:59 AM
Mixin Messenger may go offline and that has never been the case since 2017, and it serves hundreds of millions of E2EE messages every day.

OK for messages, but during that period, did Mixin messenger have any relationship with private keys and crypto addresses that hold some value?
I want to say that messaging is not as attractive for abuse as wallets. Once a significant amount of coins are connected to your service, more unethical persons will appear and try to open your system. For example, hackers always prefer to attack a system where there is some value than where the reward is just a bunch of text.

None of our systems hold private keys, and we have a long history of 6 years, and lots of users, with around 20000 BTC managed through our services. I understand any system could have bugs, but a long history without security incidents and open source could at least prove something.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: o_e_l_e_o on July 21, 2023, 12:28:13 PM
Technically they can use any software to do the CMP-MPC
it's technically possible to do the process to access the members key
Emphasis mine, and that's my concern. It's technically possible to set up this inheritance and recovery type of multi-sig arrangement yourself, but as you correctly point out, it is beyond the skill set of the vast majority of average users. It will also be beyond their skill set to recover their coins if your service disappears, and that's a very dangerous situation to be in. And you are not incentivized to release a tool to allow them to do so, since then they can easily bypass your pricing model.

the plan is not to let the users develop software, it's to provide another software to help them. A decentralized system allows a new software to do the job, unlike a centralized system rug.
You are essentially hoping that some unknown developer will be kind enough to develop a tool to allow users to recover their coins, for free, in their own time. That's a big assumption.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 21, 2023, 12:44:25 PM
Technically they can use any software to do the CMP-MPC
it's technically possible to do the process to access the members key
Emphasis mine, and that's my concern. It's technically possible to set up this inheritance and recovery type of multi-sig arrangement yourself, but as you correctly point out, it is beyond the skill set of the vast majority of average users. It will also be beyond their skill set to recover their coins if your service disappears, and that's a very dangerous situation to be in. And you are not incentivized to release a tool to allow them to do so, since then they can easily bypass your pricing model.

the plan is not to let the users develop software, it's to provide another software to help them. A decentralized system allows a new software to do the job, unlike a centralized system rug.
You are essentially hoping that some unknown developer will be kind enough to develop a tool to allow users to recover their coins, for free, in their own time. That's a big assumption.

First, Mixin Safe makes bitcoin multisig+timelock conveniently usable for average users, otherwise they have no other choices.

Second, we have been running for 6 years, that's long enough, we have no incentive to go offline.

Finally, even if we are offline, many developers or companies should have incentive enough to develop new tools. Imagine Mixin Safe can attract customers to pay $1000 per year, why would no other companies want to do this? If we have 1000 customers, a new company can easily have 1000 customers to use their service.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: hugeblack on July 21, 2023, 01:16:54 PM
As I said, I don't like miniscript[1], but why was Timelock chosen and why exactly at least 1 year? Also, the phrase at least may mean for more than a year.
If we assume that the use is for the heirs, it is possible after the members return the key with the recovery key and be able to withdraw the money without the consent of the owner key. Therefore, here we cannot apply it as a model for the heirs (it may be a good service if it is linked to biometric indicators that activate a lock for a period of 6 months from the date of death of the owner key holder)

I hate to say it but centralized solutions or trust in heirs are the logical ways to solve the problem of the death of the bitcoin owner.

Quote
That means the recovery key can only be used after your safe address is inactive for at least 1 year.

[1] https://bitcointalk.org/index.php?topic=5459839.msg62556275#msg62556275


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 21, 2023, 03:55:30 PM
As I said, I don't like miniscript[1], but why was Timelock chosen and why exactly at least 1 year? Also, the phrase at least may mean for more than a year.
If we assume that the use is for the heirs, it is possible after the members return the key with the recovery key and be able to withdraw the money without the consent of the owner key. Therefore, here we cannot apply it as a model for the heirs (it may be a good service if it is linked to biometric indicators that activate a lock for a period of 6 months from the date of death of the owner key holder)

I hate to say it but centralized solutions or trust in heirs are the logical ways to solve the problem of the death of the bitcoin owner.

Quote
That means the recovery key can only be used after your safe address is inactive for at least 1 year.

[1] https://bitcointalk.org/index.php?topic=5459839.msg62556275#msg62556275

The lock is meant to limit the ability of the recovery key. The timelock duration can be set on a per-safe basis; 1 year is just a default setting. And for the test service, this duration is only 3 days.

I agree with you on the logical ways. That's what Mixin Safe is doing: providing a good service to do the inheritance in the logical way. You add your trusted people to the safe and set up the trusted inheritance key manager, in a multisig and timelocked way that is easy to manage, and everybody is able to master it.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Latviand on July 24, 2023, 05:23:29 AM
Hi, I'm one of the reviewers in your Review Campaign, I have to ask whether you are shouldering the 2 USD payment for creating a safe? I don't mind paying for it myself but I have to make sure that there's an option that you will be able to shoulder the payment. I'm currently checking it right now and that's the only part that I'm stuck.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Zoomic on July 25, 2023, 10:32:43 AM
Thanks o_e_l_e_o, after the extended discussion between you and Op, I have gotten a clear hint of how the project works.

Hi, I'm one of the reviewers in your Review Campaign, I have to ask whether you are shouldering the 2 USD payment for creating a safe? I don't mind paying for it myself but I have to make sure that there's an option that you will be able to shoulder the payment. I'm currently checking it right now and that's the only part that I'm stuck.
What do you mean by shouldering the payment of 2 USD? If you are accepted for the review campaign, BTC up to 0.003 or so would be sent to you and that will be enough to shoulder whatever payment and also compensate your efforts.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: NotATether on July 25, 2023, 01:18:19 PM
Hi, I'm one of the reviewers in your Review Campaign, I have to ask whether you are shouldering the 2 USD payment for creating a safe? I don't mind paying for it myself but I have to make sure that there's an option that you will be able to shoulder the payment. I'm currently checking it right now and that's the only part that I'm stuck.
What do you mean by shouldering the payment of 2 USD? If you are accepted for the review campaign, BTC up to 0.003 or so would be sent to you and that will be enough to shoulder whatever payment and also compensate your efforts.

I agree with you. Initially, I was quite shocked to see a pricing to even use the safe at all (more details are in the review), but perhaps in a few days, once I get over this surprise, I might create a safe and see how it goes.

*The total costs will actually be more than $2 since there's a network fee that is deducted from all outgoing transactions from the wallet/safe, that is significantly larger than $2, but it should not be higher than about $20 or so from my experimenting.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: LoyceV on July 25, 2023, 04:45:42 PM
there's a network fee that is deducted from all outgoing transactions from the wallet/safe
See:
For test, the price is very cheap, starts at $2 per year, and it includes a free transaction to send, so $2 is the minimum cost for a tester.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: NotATether on July 27, 2023, 11:04:44 AM
there's a network fee that is deducted from all outgoing transactions from the wallet/safe
See:
For test, the price is very cheap, starts at $2 per year, and it includes a free transaction to send, so $2 is the minimum cost for a tester.

The network fee apparently only applies to the wallet transactions, not to the safe.



Anyway, I'm having trouble getting $10 worth of bitcoins out of the Safe. I can approve the transaction with the app, but I can't for the life of me get the PSBT to sign on Bitcoin Core so that I can give it the "final approval".

Code:
# The PSBT I'm given to sign:
cHNidP8BAG0CAAAAAUFu84YkNsGPV2cIqxFcO59PXJ8pJY9TMw90ew6qXp+VAAAAAAD/////AkCcAAAAAAAAFgAUH8WFFsDMwDYR8WzeafSpjeMzGXUAAAAAAAAAABJqEGraR8OsQUhlhYdcPQRibgMAAAAAAAEBK0CcAAAAAAAAIgAgaN/B/zX5booLeWET8OQDmgXWR24Fx1wvU4fIw7mWekQBAwSBAAAAAQV4IQLsNyxLbWpvwJZOB91IRIvISSFGn7/cTFItqQ86a5VP6ax8IQPWQXejk5icX/nIYD30IeKJDQORPx4eXnlItj9+E2pX0ayTfIKSYyEC2E82kxxhOPGCWknCn1xNmvlSTKeV4TO4z8ZaAazXfJqtArABspJok1KHAAAA

# I have the following address and public key in the private key wallet:
02ec372c4b6d6a6fc0964e07dd48448bc84921469fbfdc4c522da90f3a6b954fe9
16THpFJrhKtiWKtZGZ6BsKCJpeR5Bvpuim

# The script imported into the script wallet is:
wsh(thresh(2,pk(02ec372c4b6d6a6fc0964e07dd48448bc84921469fbfdc4c522da90f3a6b954fe9),s:pk(03d64177a393989c5ff9c8603df421e2890d03913f1e1e5e7948b63f7e136a57d1),sj:and_v(v:pk(02d84f36931c6138f1825a49c29f5c4d9af9524ca795e133b8cfc65a01acd77c9a),n:older(432))))#pdtn7kxw

The first key is my public key, the second key I assume belongs to my Mixin Wallet and the third is probably owned by the network, so it seems that the timelock will not help me in any case.

I wish you had set this up with Testnet first...


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 27, 2023, 06:05:24 PM

Anyway, I'm having trouble getting $10 worth of bitcoins out of the Safe. I can approve the transaction with the app, but I can't for the life of me get the PSBT to sign on Bitcoin Core so that I can give it the "final approval".

Code:
# The PSBT I'm given to sign:
cHNidP8BAG0CAAAAAUFu84YkNsGPV2cIqxFcO59PXJ8pJY9TMw90ew6qXp+VAAAAAAD/////AkCcAAAAAAAAFgAUH8WFFsDMwDYR8WzeafSpjeMzGXUAAAAAAAAAABJqEGraR8OsQUhlhYdcPQRibgMAAAAAAAEBK0CcAAAAAAAAIgAgaN/B/zX5booLeWET8OQDmgXWR24Fx1wvU4fIw7mWekQBAwSBAAAAAQV4IQLsNyxLbWpvwJZOB91IRIvISSFGn7/cTFItqQ86a5VP6ax8IQPWQXejk5icX/nIYD30IeKJDQORPx4eXnlItj9+E2pX0ayTfIKSYyEC2E82kxxhOPGCWknCn1xNmvlSTKeV4TO4z8ZaAazXfJqtArABspJok1KHAAAA

# I have the following address and public key in the private key wallet:
02ec372c4b6d6a6fc0964e07dd48448bc84921469fbfdc4c522da90f3a6b954fe9
16THpFJrhKtiWKtZGZ6BsKCJpeR5Bvpuim

# The script imported into the script wallet is:
wsh(thresh(2,pk(02ec372c4b6d6a6fc0964e07dd48448bc84921469fbfdc4c522da90f3a6b954fe9),s:pk(03d64177a393989c5ff9c8603df421e2890d03913f1e1e5e7948b63f7e136a57d1),sj:and_v(v:pk(02d84f36931c6138f1825a49c29f5c4d9af9524ca795e133b8cfc65a01acd77c9a),n:older(432))))#pdtn7kxw

The first key is my public key, the second key I assume belongs to my Mixin Wallet and the third is probably owned by the network, so it seems that the timelock will not help me in any case.

I wish you had set this up with Testnet first...

Sorry to hear this  :(

Did you lose the private key in your Bitcoin Core? Or are there any errors that prevent you from using Bitcoin Core to sign the PSBT? You need both the private key wallet and the script wallet to sign the PSBT, and you need to follow the guide in the correct order https://support.mixin.one/en/article/how-to-use-bitcoin-core-to-approve-transactions-74l0ro/

In any case, if you can't do it with Bitcoin Core, go to the Recovery section, and start a recovery with Members Key using Mixin Messenger.

The timelock here is meant to prevent us from using the Recovery key during the lock time. And that Recovery can only work after the timelock has expired, as shown on the website.

However, if you have lost both your Bitcoin Core and Mixin Messenger, then the wallet recovery is impossible anyway, because of the 2-of-3 multisig.
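
Added example (not part of any forum post and not Mixin's own code): the Python below parses the descriptor posted above and lists which pairs of keys can spend before and after the `older()` timelock matures. The role names come from the template in the opening post; the function names, the 10-minute block interval and the simplified maturity check are assumptions made for this example.

```python
import re
from itertools import combinations
from typing import NamedTuple

# Descriptor exactly as posted in the thread (test safe, older(432)).
DESCRIPTOR = (
    "wsh(thresh(2,"
    "pk(02ec372c4b6d6a6fc0964e07dd48448bc84921469fbfdc4c522da90f3a6b954fe9),"
    "s:pk(03d64177a393989c5ff9c8603df421e2890d03913f1e1e5e7948b63f7e136a57d1),"
    "sj:and_v(v:pk(02d84f36931c6138f1825a49c29f5c4d9af9524ca795e133b8cfc65a01acd77c9a),"
    "n:older(432))))#pdtn7kxw"
)

# Position in the template decides the role (names from the opening post).
ROLES = ("OWNER", "MEMBERS", "RECOVERY")

# Only the thread's template is accepted; the 8-character checksum suffix is
# optional and is NOT verified here.
TEMPLATE = re.compile(
    r"^wsh\(thresh\((?P<k>\d+),"
    r"pk\((?P<owner>[0-9a-fA-F]{66})\),"
    r"s:pk\((?P<members>[0-9a-fA-F]{66})\),"
    r"sj:and_v\(v:pk\((?P<recovery>[0-9a-fA-F]{66})\),n:older\((?P<older>\d+)\)\)"
    r"\)\)(?:#[a-z0-9]{8})?$"
)

SEQUENCE_TYPE_FLAG = 1 << 22  # BIP68: set means units of 512 seconds
SEQUENCE_MASK = 0xFFFF        # BIP68: low 16 bits carry the value


class SafePolicy(NamedTuple):
    k: int        # threshold from thresh(k, ...)
    keys: dict    # role name -> compressed public key (hex)
    older: int    # raw argument of older()


def parse_safe_descriptor(desc: str) -> SafePolicy:
    """Extract threshold, keys and timelock; reject anything off-template."""
    m = TEMPLATE.match(desc.strip())
    if m is None:
        raise ValueError("descriptor does not match the Mixin Safe template")
    older = int(m["older"])
    if not 1 <= older < 2**31:
        raise ValueError("older() argument outside the range miniscript allows")
    keys = {"OWNER": m["owner"], "MEMBERS": m["members"], "RECOVERY": m["recovery"]}
    if len(set(keys.values())) != 3:
        raise ValueError("the three keys must be distinct")
    return SafePolicy(int(m["k"]), keys, older)


def decode_older(n: int):
    """Interpret an older() argument as a BIP68 relative lock."""
    if n & SEQUENCE_TYPE_FLAG:
        return ("seconds", (n & SEQUENCE_MASK) * 512)
    return ("blocks", n & SEQUENCE_MASK)


def approx_days(n: int) -> float:
    """Rough duration, assuming one block every 10 minutes."""
    unit, value = decode_older(n)
    return value * 600 / 86400 if unit == "blocks" else value / 86400


def can_spend(policy: SafePolicy, signers, age_blocks: int, age_seconds: int = 0) -> bool:
    """True if `signers` (role names) can satisfy thresh(k, ...) for a UTXO of this age.

    Simplification: maturity is compared against the UTXO's age directly,
    without the median-time-past detail of the consensus rule.
    """
    unit, value = decode_older(policy.older)
    matured = (age_blocks if unit == "blocks" else age_seconds) >= value
    satisfied = 0
    for role in ROLES:
        if role not in signers:
            continue
        if role == "RECOVERY" and not matured:
            continue  # the recovery branch is unusable until the lock matures
        satisfied += 1
    return satisfied >= policy.k


def spend_paths(policy: SafePolicy, age_blocks: int):
    """All k-sized role combinations that can spend a UTXO of this age."""
    return [pair for pair in combinations(ROLES, policy.k)
            if can_spend(policy, set(pair), age_blocks)]


if __name__ == "__main__":
    policy = parse_safe_descriptor(DESCRIPTOR)
    print("timelock:", decode_older(policy.older), "about", approx_days(policy.older), "days")
    print("fresh UTXO  :", spend_paths(policy, 0))
    print("matured UTXO:", spend_paths(policy, policy.older))
```
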


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: BlackHatCoiner on July 29, 2023, 08:14:46 AM
Second, we have been running for 6 years, that's long enough, we have no incentive to go offline.
Don't you think it's hypocritical to call your product decentralized respecting, and requiring your presence at the same time? Neither does Coinbase have an incentive to go offline, but shit happens. Shouldn't the average user be able to do this alone, with their family member, when your service shuts down?

Also, I'm sharing the same thoughts with dkbit98 and examplens. What's the phone number for? In your website, it says "Social recovery with phone number and PIN". Is it compulsory? I don't want to give my real phone number, nor do I want to give a temporary one that isn't mine, because then the third party can recover the wallet.

I'm preparing the review, so I'm trying to figure out what's wrong.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on July 29, 2023, 02:26:30 PM
Second, we have been running for 6 years, that's long enough, we have no incentive to go offline.
Don't you think it's hypocritical to call your product decentralized respecting, and requiring your presence at the same time? Neither does Coinbase have an incentive to go offline, but shit happens. Shouldn't the average user be able to do this alone, with their family member, when your service shuts down?

Also, I'm sharing the same thoughts with dkbit98 and examplens. What's the phone number for? In your website, it says "Social recovery with phone number and PIN". Is it compulsory? I don't want to give my real phone number, nor do I want to give a temporary one that isn't mine, because then the third party can recover the wallet.

I'm preparing the review, so I'm trying to figure out what's wrong.


Here we want to make sure there is no bug of the system. Like for Bitcoin itself, we just discuss the blockchain technology, the implementation, the product itself. We are not trying to raise debate over PoW good or bad for environment.

Everyone has their own argument over any product, let's just focus on the development aspect for now.

But we don't need to discuss this anymore, I think all these questions are already in the previous discussions in this topic.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Kakmakr on August 02, 2023, 06:25:45 AM
Can you find a solution to substitute "Mixin Messenger" with a more well known platform? You say you use it to create the wallet... but will Electrum not do the same thing?

It is about time that someone figures out a more user-friendly method to use Multisig and timelock features. In any way, I will monitor and follow this thread... it has potential to be one of the good solutions in the Bitcoin space.  ;)

It just needs to be more decentralized and Open-source for transparency.... preferably without revealing your private telephone number.   :P


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: logfiles on August 02, 2023, 09:46:05 PM
I thought I would post a few things here that happened after I made a review about a week back

Especially these parts:

I never set the lock time to 4 days, so I have no idea what happened. How one can modify the lock time, if it's even possible? What if I want 10 days or 30 days?
Why does the time lock automatically set to 4 days or is it just a default for testing purposes?


New Recovery
Anyway, I just did a new recovery by holder keys method and see what happens.
Once I approved, there was not much information about what was happening next. No transaction ID, No record about the receiving address, Not many details about the transaction/activity I had just carried out. No idea whether the Bitcoin is going to appear in my address or not. And if yes, approximately after how long?

In summary, this is how the page looked like

https://talkimg.com/images/2023/07/26/QEsZN.png
So the Bitcoins finally appeared in the address I had provided during the time when I created a new recovery, but still I went back to my safe dashboard and no details about my recent transaction like transaction ID and address where the bitcoins had been withdrawn to. I think this is really very important for record purposes. Imagine if the locktime is about, let's say, 100 days, there isn't a way one is going to have the address in mind after that long except if they just copied it somewhere.





Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: NotATether on August 03, 2023, 07:07:49 AM
Can you find a solution to substitute "Mixin Messenger" with a more well known platform? You say you use it to create the wallet... but will Electrum not do the same thing?

It is about time that someone figure out a more user-friendly method to use Multisig and timelock features. In any way, I will monitor and follow this thread... it has potential to be one of the good solutions in the Bitcoin space.  ;)

It just needs to be more decentralized and Open-source for transparency.... preferably without revealing your private telephone number.   :P

Ideally you would be able to use any Web3-enabled wallet supporting, I dunno, a protocol like "WalletConnect", but the problem with this approach is that most of these wallets only work with ETH-like coins.

It's just a consequence of using TIP for authentication, but I believe any other identifier would work with the underlying algorithm besides phone numbers. Same goes for PINs - it could actually be any string of characters, but since it's a mobile app, it's easier to show PINs I guess.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on August 05, 2023, 09:23:19 AM
I thought I would post a few things here that happened after I made a review about a week back

Especially these parts:

I never set the lock time to 4 days, so I have no idea what happened. How one can modify the lock time, if it's even possible? What if I want 10 days or 30 days?
Why does the time lock automatically set to 4 days or is it just a default for testing purposes?


Regarding the timelock, it's by default 4 days for the test purpose. It's possible to set it before creating the safe, but we didn't show the option on the website.

For recovery transactions, the website has improved a lot to show more details. It was not that good a week ago. And as always, you can find all transactions about your Safe address in a Bitcoin explorer.




Can you find a solution to substitute "Mixin Messenger" with a more well known platform? You say you use it to create the wallet... but will Electrum not do the same thing?

It is about time that someone figure out a more user-friendly method to use Multisig and timelock features. In any way, I will monitor and follow this thread... it has potential to be one of the good solutions in the Bitcoin space.  ;)

It just needs to be more decentralized and Open-source for transparency.... preferably without revealing your private telephone number.   :P

No other wallets have the support for these bitcoin features yet. And the most important thing is we are trying to provide a decentralized solution to people that are used to traditional financial apps and centralized exchanges. Electrum will never provide the same user experience as Mixin Messenger does.

And all Mixin apps are open source since day one, the first commit is six years ago. https://github.com/MixinNetwork

Mixin Messenger is also pretty known I think  ;D


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: BlackHatCoiner on August 10, 2023, 04:15:12 PM
I have installed both Mornin key and Mixin messenger, but in the Mixin app I'm incapable of creating a wallet. When I open up the app, I get the following message:


When I'm entering the (correct) PIN, error "PIN incorrect" pops up:


Has anyone experienced this before? I have tried to uninstall, and reinstall it but it still persists.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on August 11, 2023, 02:35:34 PM
I have installed both Mornin key and Mixin messenger, but in the Mixin app I'm incapable of creating a wallet. When I open up the app, I get the following message:


When I'm entering the (correct) PIN, error "PIN incorrect" pops up:


Has anyone experienced this before? I have tried to uninstall, and reinstall it but it still persists.


From the screenshots it looks like you have tried to set up a PIN and interrupted somehow, and now you need to continue that process with the old PIN you have tried to set.

But it makes a good point to let a new user to choose a new PIN though. But for now, you must use the old PIN, even if it's failed.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: BlackHatCoiner on August 11, 2023, 02:40:42 PM
But it makes a good point to let a new user to choose a new PIN though. But for now, you must use the old PIN, even if it's failed.
I don't have a second PIN. The PIN I entered was just one, and nothing interrupted the process. It's curious how no one else experienced this.

Edit: I just downloaded it from another source, and it worked. The properly working apk I just downloaded is mixin-400309.apk.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: noormcs5 on August 14, 2023, 02:24:31 AM
I reviewed this project recently. At the time of upgrading the plan, I sent the TRX from the exchange and the minimum TRX the exchange allowed was more than the worth of 2$, so some extra TRX were sent. At the time of review, I did not claim my extra TRX back to my Mixin Message wallet but later (after a day or so) I tried to check if this process really works.

So here is my experience. I got my TRX refund instantly. However, I do not understand the role of EPC and how it can be a surety to avoid assets lost through Mixin Wallet?


https://i.ibb.co/YBnmBXf/1.jpg   https://i.ibb.co/mJR2RqN/2.jpg  https://i.ibb.co/JqcV0NM/3.jpg      https://i.ibb.co/2NsCdv4/4.jpg


The whole procedure for a refund is mentioned here. https://help.mixpay.me/en/articles/7063792-how-to-get-a-refund


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on August 15, 2023, 10:29:37 AM
So here is my experience. I got my TRX refund instantly. However, I do not understand the role of EPC and how it can be a surety to avoid assets lost through Mixin Wallet?

The whole procedure for a refund is mentioned here. https://help.mixpay.me/en/articles/7063792-how-to-get-a-refund

I know there are too many different names involved in using Mixin Safe, but MixPay is a third party app on Mixin Messenger. They issue EPC for you so that you can verify your Mixin Messenger PIN while doing something. So you need to transfer EPC to them to get back the refund. In that procedure you proved that you knew the PIN, otherwise if they just sent back your TRX and you didn't know the PIN at all, then the money is lost.

And this small amount of TRX can't be transferred out of Mixin Messenger because it doesn't even cover the withdrawal fee. So it's recommended to use it inside Mixin Messenger or MixPay.

MixPay is supported online in many places, like https://www.coinsbee.com/en/


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: examplens on August 15, 2023, 10:37:48 AM
I know there are too many different names involved in using Mixin Safe, but MixPay is a third party app on Mixin Messenger. They issue EPC for you so that you can verify your Mixin Messenger PIN while doing something. So you need to transfer EPC to them to get back the refund. In that procedure you proved that you knew the PIN, otherwise if they just sent back your TRX and you didn't know the PIN at all, then the money is lost.

I haven't tried it, but is there a limited number of PIN attempts and for example what happens after 5 incorrect attempts in a row?
If there is no other recovery method, the app should not lock. Enabling an unlimited number of attempts is again not a good solution from a security point of view.



Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: BlackHatCoiner on August 15, 2023, 02:17:07 PM
Enabling an unlimited number of attempts is again not a good solution from a security point of view.
Yes, it is. Security that relies on the limit of attempts isn't true security. You have unlimited attempts to break a Bitcoin private key. You have unlimited attempts to break into someone's password-protected wallet. Both are very secure. On the other hand, the PIN in Mixin is not secure, as I have already said in my review (https://bitcointalk.org/index.php?topic=5460259.msg62694460#msg62694460), because there are less than a million different combinations.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on August 15, 2023, 07:58:02 PM
Enabling an unlimited number of attempts is again not a good solution from a security point of view.
Yes, it is. Security that relies on the limit of attempts isn't true security. You have unlimited attempts to break a Bitcoin private key. You have unlimited attempts to break into someone's password-protected wallet. Both are very secure. On the other hand, the PIN in Mixin is not secure, as I have already said in my review (https://bitcointalk.org/index.php?topic=5460259.msg62694460#msg62694460), because there are less than a million different combinations.

Here we don't argue about the choice. Just focus on the project itself. No perfect security.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: noormcs5 on August 17, 2023, 05:58:08 PM
I know there are too many different names involved in using Mixin Safe, but MixPay is a third party app on Mixin Messenger.

I realized this when I was using the Mixin Safe for the first time, as we are not used to it before, but now I don't feel anything difficult at all and it's all at my fingertips. Think for a moment of a person's first time configuring a MetaMask wallet and adding a Binance chain to MetaMask. He will be confused the first time configuring if he had never used MetaMask before.

The same thing with the Mixin app, use it a few times and then one may feel it is easy to use it.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Stalker22 on August 21, 2023, 06:09:46 PM
I know there are too many different names involved in using Mixin Safe, but MixPay is a third party app on Mixin Messenger.

I realized this when I was using the Mixin Safe for the first time, as we are not used to it before, but now I don't feel anything difficult at all and it's all at my fingertips. Think for a moment of a person's first time configuring a MetaMask wallet and adding a Binance chain to MetaMask. He will be confused the first time configuring if he had never used MetaMask before.

The same thing with the Mixin app, use it a few times and then one may feel it is easy to use it.

Just like many others, I also recently reviewed the MixinSafe product (if you are interested, you can check out my review here (https://bitcointalk.org/index.php?topic=5460259.msg62725844#msg62725844)). So, I figured it is a good idea to give this discussion a little bump.

So, from my point of view, going through the whole thing has been a bit tricky. Honestly, without a step-by-step guide or a video to show the ropes, I can totally see newbies running into a few issues. I get that the software is still in the testing phase, but I think they could make the whole process much smoother.

For example, when someone's making their first safe, they could set up a step-by-step wizard. It would walk them through everything and give a detailed explanation for each step.




Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: cedricfung on August 22, 2023, 07:21:24 AM

I realized this when I was using the Mixin Safe for the first time, as we are not used to it before, but now I don't feel anything difficult at all and it's all at my fingertips. Think for a moment of a person's first time configuring a MetaMask wallet and adding a Binance chain to MetaMask. He will be confused the first time configuring if he had never used MetaMask before.

The same thing with the Mixin app, use it a few times and then one may feel it is easy to use it.

Just like many others, I also recently reviewed the MixinSafe product (if you are interested, you can check out my review here (https://bitcointalk.org/index.php?topic=5460259.msg62725844#msg62725844)). So, I figured it is a good idea to give this discussion a little bump.

So, from my point of view, going through the whole thing has been a bit tricky. Honestly, without a step-by-step guide or a video to show the ropes, I can totally see newbies running into a few issues. I get that the software is still in the testing phase, but I think they could make the whole process much smoother.

For example, when someone's making their first safe, they could set up a step-by-step wizard. It would walk them through everything and give a detailed explanation for each step.


I agree, thank you both. There is a lot to improve, and I believe the idea of multisig+timelock is the way to real safe decentralized Bitcoin custody for general public.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: examplens on August 22, 2023, 10:23:40 PM
So, from my point of view, going through the whole thing has been a bit tricky. Honestly, without a step-by-step guide or a video to show the ropes, I can totally see newbies running into a few issues. I get that the software is still in the testing phase, but I think they could make the whole process much smoother.

For example, when someone's making their first safe, they could set up a step-by-step wizard. It would walk them through everything and give a detailed explanation for each step.


As far as I have noticed, the biggest number of complaints is precisely the lack of instructions and somewhat weaker navigation. That was my conclusion, among other things. However, I have to agree with noormcs5, after some use of the application, it seems that everything is clear and simple.
The addition of info hints would make it much easier for newbies to use the platform.

There is a lot to improve, and I believe the idea of multisig+timelock is the way to real safe decentralized Bitcoin custody for general public.

It looks like you will have to have another review campaign to test changes and integrated improvements  :D


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: virasog on August 25, 2023, 03:18:52 AM
It looks like you will have to have another review campaign to test changes and integrated improvements  :D

They may or may not have another review campaign. But right now they have got a lot of reviews, around 100 I think, and it is now time for them to read and analyze each one of them, see what are the opinions of the people, what things they have done well in their product and what features need to be improved.

If they focus on the details and upload new improved changes to their Mixin Safe ecosystem, it will further become a good product.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: serveria.com on September 03, 2023, 07:54:09 AM

I realized this when I was using the Mixin Safe for the first time, as we are not used to it before, but now I don't feel anything difficult at all and it's all at my fingertips. Think for a moment of a person's first time configuring a MetaMask wallet and adding a Binance chain to MetaMask. He will be confused the first time configuring if he had never used MetaMask before.

The same thing with the Mixin app, use it a few times and then one may feel it is easy to use it.

Just like many others, I also recently reviewed the MixinSafe product (if you are interested, you can check out my review here (https://bitcointalk.org/index.php?topic=5460259.msg62725844#msg62725844)). So, I figured it is a good idea to give this discussion a little bump.

So, from my point of view, going through the whole thing has been a bit tricky. Honestly, without a step-by-step guide or a video to show the ropes, I can totally see newbies running into a few issues. I get that the software is still in the testing phase, but I think they could make the whole process much smoother.

For example, when someone's making their first safe, they could set up a step-by-step wizard. It would walk them through everything and give a detailed explanation for each step.


I agree, thank you both. There is a lot to improve, and I believe the idea of multisig+timelock is the way to real safe decentralized Bitcoin custody for general public.

Yes, but not just that. I guess educating people, explaining what your product does is a key to success. According to some feedback, some people don't really understand what this product is and what are the use cases. In case of MixinSafe, I guess many think that it's a mixer, probably because of the name, they think it's "mixing safe" where safe is an adjective. But in fact it's a safe wallet with mixing capabilities "Mixin" which is a brand name and "safe" as a safe deposit box in a bank (a noun). In any case, wouldn't it be better to come up with a more clear name and description of the service? Like Mixin Wallet for example?


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: JohnBitCo on September 03, 2023, 08:46:47 AM

Yes, but not just that. I guess educating people, explaining what your product does is a key to success. According to some feedback, some people don't really understand what this product is and what are the use cases. In case of MixinSafe, I guess many think that it's a mixer, probably because of the name, they think it's "mixing safe" where safe is an adjective. But in fact it's a safe wallet with mixing capabilities "Mixin" which is a brand name and "safe" as a safe deposit box in a bank (a noun). In any case, wouldn't it be better to come up with a more clear name and description of the service? Like Mixin Wallet for example?

At one side you said it is not a mixer and while on the other hand, you said, it's a wallet with mixing capabilities  ???

Do you mean to say that we can mix our coins through this wallet and may not need a external mixer ?


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Stalker22 on September 03, 2023, 05:52:51 PM
At one side you said it is not a mixer and while on the other hand, you said, it's a wallet with mixing capabilities  ???

Do you mean to say that we can mix our coins through this wallet and may not need a external mixer ?

No, Mixin does not have coin mixing capabilities in their wallet or Mixin Safe service. This is not the primary purpose of the service. I do not know if serveria.com tested the service or not, but he probably reached the wrong conclusion based on the service's name.


In any case, wouldn't it be better to come up with a more clear name and description of the service? Like Mixin Wallet for example?

There is already a Mixin Wallet integrated into the Mixin Messenger App. Mixin Safe is a standalone service.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Rruchi man on September 03, 2023, 10:37:33 PM
At one side you said it is not a mixer and while on the other hand, you said, it's a wallet with mixing capabilities  ???

Do you mean to say that we can mix our coins through this wallet and may not need a external mixer ?
The name of the safe reflects the name of the parent company "Mixin Ltd" from Hong Kong.

They do not provide bitcoin mixing service for people who want to mask the origin and destination of their coins, do not get it confused.

Mixin safe
Quote
is designed to offer enhanced security for digital investments, and Mixin Ltd doesn't hold any assets belonging to its customers.
source (https://safe.mixin.zone/start)


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: acroman08 on September 08, 2023, 07:19:07 PM
So, from my point of view, going through the whole thing has been a bit tricky. Honestly, without a step-by-step guide or a video to show the ropes, I can totally see newbies running into a few issues. I get that the software is still in the testing phase, but I think they could make the whole process much smoother.

For example, when someone's making their first safe, they could set up a step-by-step wizard. It would walk them through everything and give a detailed explanation for each step.


As far as I have noticed, the biggest number of complaints is precisely the lack of instructions and somewhat weaker navigation. That was my conclusion, among other things. However, I have to agree with noormcs5, after some use of the application, it seems that everything is clear and simple.
The addition of info hints would make it much easier for newbies to use the platform.
Perhaps a video tutorial that can be easily viewed on their website would be a good idea to better guide newbies into using and navigating through the app/service. Also, I just want to add that on their website they have something called "schedule a demo". From what I understand, if you schedule a demo, one of their "professional Bitcoin wealth managers" will show you how to use "a completely decentralized custody suite to manage your Bitcoin.".


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Stalker22 on September 08, 2023, 07:38:06 PM
~
Perhaps a video tutorial that can be easily viewed on their website would be a good idea to better guide newbies into using and navigating through the app/service. Also, I just want to add that on their website they have something called "schedule a demo". From what I understand, if you schedule a demo, one of their "professional Bitcoin wealth managers" will show you how to use "a completely decentralized custody suite to manage your Bitcoin.".

I totally agree with the idea of dropping some info hints or a video tutorial on their website – that could really help out the newcomers. Plus, considering this service is still in beta, they will probably make some UI improvements to make it smoother and more user-friendly. Betas tend to start a bit rough around the edges, but with user feedback, they usually get polished over time. So, chances are this platform will get even more user-friendly and attractive to a wider crowd as it evolves.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: virasog on September 14, 2023, 12:30:44 AM
~
Perhaps a video tutorial that can be easily viewed on their website would be a good idea to better guide newbies into using and navigating through the app/service. Also, I just want to add that on their website they have something called "schedule a demo". From what I understand, if you schedule a demo, one of their "professional Bitcoin wealth managers" will show you how to use "a completely decentralized custody suite to manage your Bitcoin.".

I totally agree with the idea of dropping some info hints or a video tutorial on their website – that could really help out the newcomers. Plus, considering this service is still in beta, they will probably make some UI improvements to make it smoother and more user-friendly. Betas tend to start a bit rough around the edges, but with user feedback, they usually get polished over time. So, chances are this platform will get even more user-friendly and attractive to a wider crowd as it evolves.

Well, apart from any video tutorial, they can also link this thread  Mixin Safe - Decentralized Bitcoin Custody Solutions | Review Campaign (https://bitcointalk.org/index.php?topic=5460259.0) on their official site. There are almost 100 reviews on that thread and each one explains in detail how this Mixin Safe works and feedback from all those users.

For anyone who is new to Mixin safe, that is a very informative thread to read before actually using the Mixin safe.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: lionheart78 on September 15, 2023, 12:22:35 PM
~
Perhaps a video tutorial that can be easily viewed on their website would be a good idea to better guide newbies into using and navigating through the app/service. Also, I just want to add that on their website they have something called "schedule a demo". From what I understand, if you schedule a demo, one of their "professional Bitcoin wealth managers" will show you how to use "a completely decentralized custody suite to manage your Bitcoin.".

I totally agree with the idea of dropping some info hints or a video tutorial on their website – that could really help out the newcomers. Plus, considering this service is still in beta, they will probably make some UI improvements to make it smoother and more user-friendly. Betas tend to start a bit rough around the edges, but with user feedback, they usually get polished over time. So, chances are this platform will get even more user-friendly and attractive to a wider crowd as it evolves.

I believe they already have a step-by-step tutorial that will guide their client in creating the account. It can be found here: https://safe.mixin.one/start

The site also has the add-on information on the same page through the Learn More link.  I believe with the given step-by-step guide, the new client won't have a problem following the instructions except if the client himself has a comprehension problem.  And there is where the support chat enters since customers can ask questions if they encountered any confusion or problem.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: dkbit98 on September 25, 2023, 06:57:49 AM
Warning everyone that Mixing Networks suspended services after database hack involving $200 million, so temporarily they suspended deposit and withdrawal services!
SlowMist is investigating this hack, and I am thinking if only coins got stolen or personal information of customers (phone numbers, email addresses) are also exposed.
This is how ''safe'' cloud services are, and this is how ''decentralized'' this  network is.  :P

Official Mixin tweet:

Quote
[Announcement] In the early morning of September 23, 2023 Hong Kong time, the database of Mixin Network's cloud service provider was attacked by hackers, resulting in the loss of some assets on the mainnet. We have contacted Google and blockchain security company @SlowMist_Team to assist with the investigation. After initial verification, the funds involved are approximately US$200 million. Deposit and withdrawal services on Mixin Network have been temporarily suspended. After discussion and consensus among all nodes, these services will be reopened once the vulnerabilities are confirmed and fixed. During this period, transfers are not affected.

Regarding how to deal with the lost assets, the Mixin team will announce the solution afterward. Mixin founder Feng Xiaodong will explain this incident in a public Mandarin livestream at 13:00 HKT on September 25, 2023. Please help spread the word. We will summarize the content in English afterward for easy reference. We will try our best to minimize the losses and deeply apologize for this. Thank you, everyone, for your continuous support
https://twitter.com/MixinKernel/status/1706139175018529139


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Rruchi man on September 25, 2023, 08:13:26 AM
Warning everyone that Mixing Networks suspended services after database hack involving $200 million, so temporarily they suspended deposit and withdrawal services!
SlowMist is investigating this hack, and I am thinking if only coins got stolen or personal information of customers (phone numbers, email addresses) are also exposed.
This is how ''safe'' cloud services are, and this is how ''decentralized'' this  network is.  :P

Official Mixin tweet:

Quote
[Announcement] In the early morning of September 23, 2023 Hong Kong time, the database of Mixin Network's cloud service provider was attacked by hackers, resulting in the loss of some assets on the mainnet. We have contacted Google and blockchain security company @SlowMist_Team to assist with the investigation. After initial verification, the funds involved are approximately US$200 million. Deposit and withdrawal services on Mixin Network have been temporarily suspended. After discussion and consensus among all nodes, these services will be reopened once the vulnerabilities are confirmed and fixed. During this period, transfers are not affected.

Regarding how to deal with the lost assets, the Mixin team will announce the solution afterward. Mixin founder Feng Xiaodong will explain this incident in a public Mandarin livestream at 13:00 HKT on September 25, 2023. Please help spread the word. We will summarize the content in English afterward for easy reference. We will try our best to minimize the losses and deeply apologize for this. Thank you, everyone, for your continuous support
https://twitter.com/MixinKernel/status/1706139175018529139
I had this notification, I like that the Mixin group were prompt to notice the attack and send out notifications to users of the app to know about why the deposit and withdrawal services have been suspended temporarily. It will reduce the tension that would have been experienced if users had noticed it without a prompt notification for the reason.

I am looking to see the announcement by the mixin team. These are kind of experiences that make a project stronger


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: hugeblack on September 25, 2023, 09:06:42 AM
Warning everyone that Mixing Networks suspended services after database hack involving $200 million, so temporarily they suspended deposit and withdrawal services!

What ??? Database? Google Cloud Provider? blockchain security company?

Is the scheme they showed different from what is happening, or is the word decentralization not accurate? Isn’t there supposed to be no single point of failure?

I thought the vulnerability was in miniscript, which still appears to be in the development stage, but I was shocked after reading the reason for the hack.
Is the 200 million customers’ money? Are people serious about saving all this service?


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: LoyceV on September 25, 2023, 09:39:42 AM
I had this notification, I like that the Mixin group were prompt to notice the attack and send out notifications to users of the app to know about why the deposit and withdrawal services have been suspended temporarily. It will reduce the tension that would have been experienced if users had noticed it without a prompt notification for the reason.
How does "we're hacked, you can't withdraw" reduce worries?


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Rruchi man on September 25, 2023, 12:12:52 PM
How does "we're hacked, you can't withdraw" reduce worries?
It will not eliminate worry, but people can know what is happening instead of remaining in the dark.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: o_e_l_e_o on September 25, 2023, 03:17:47 PM
The whole point of this "Mixin Safe" was that the recovery key held by Mixin themselves was only usable after a 90 day timelock, and that the owner of the safe could use the 2 keys available to them to move their funds at any time. Therefore this hack, loss of funds, and suspension of withdrawals and deposits should not affect Mixin Safe in any way. If it does, then someone has been lying at some point. Can anyone who is actually using Mixin Safe verify they can still access their coins?

Also, does someone want to explain how a "decentralized network" can have a single centralized database stored on Google's servers? I did point out earlier in this thread how basing this whole thing on a centralized altcoin was a bad idea, but no one seemed to care: https://bitcointalk.org/index.php?topic=5459401.msg62581204#msg62581204

Looks like they are going to launch another centralized shitcoin in order to cover the losses: https://www.theblock.co/post/252716/mixin-network-founder-says-just-half-users-assets-are-safe-after-200-million-hack


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: LoyceV on September 25, 2023, 03:31:22 PM
Also, does someone want to explain how a "decentralized network" can have a single centralized database stored on Google's servers?
Isn't "decentralized" just a buzz word for 99% of the companies that use it? I generally take it with a grain of salt.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: o_e_l_e_o on September 25, 2023, 03:59:14 PM
Isn't "decentralized" just a buzz word for 99% of the companies that use it? I generally take it with a grain of salt.
Yup. I've been saying this for years:

There is a problem with a lot of exchanges using the word "decentralized" as a marketing tool and gimmick, when in reality they are not decentralized at all. Sites like LocalBitcoins and IDEX which claim to be decentralized, and yet users have to deposit coins to their custodial wallets and complete KYC. Complete nonsense.

This is also true of other terms such as "trustless" and "private/anonymous", and very worryingly now apparently "open source" as well. My point was more that even when you directly point out how services are in fact none of the things they claim to be, people just don't seem to care that they are being lied to their face and will continue to use those services, often ending in disaster.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: noormcs5 on September 25, 2023, 04:52:26 PM
Is the 200 million customers’ money? Are people serious about saving all this service?

That surprises me that people are using this Mixin Safe to store their cryptocurrencies and 200 million is not a small amount.


How does "we're hacked, you can't withdraw" reduce worries?
It will not eliminate worry, but people can know what is happening instead of remaining in the dark.

It is a usual thing that if any exchange/wallet is hacked, they may immediately block the withdrawal services to prevent further loss or people trying to withdraw everything that is left.

However, this is not an exchange and i thought this is a decentralized wallet and hence there should be practically no chance of hacking the funds/wallets unless the private keys of the wallets are stored with them.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: BlackHatCoiner on September 25, 2023, 04:54:24 PM
It was a matter of time until this happened. Mixin is (or was?) one of the worst Bitcoin companies when it comes to security. Everything was so much complicated without any reasoning given. At the time I used it to write a review, I just knew this wasn't going to work good, but it turned out that they were having about $400 million? How come they.

The whole point of this "Mixin Safe" was that the recovery key held by Mixin themselves was only usable after a 90 day timelock, and that the owner of the safe could use the 2 keys available to them to move their funds at any time.
Yeah... We are talking about a company that used 10 domain names (https://bitcointalk.org/index.php?topic=5460259.msg62691162#msg62691162) for their services. I doubt the multi-sig feature existed on every single one of them. I was able to spend bitcoin once, in one of their apps without any approval IIRC.



Edit:
Here we don't argue about the choice. Just focus on the project itself. No perfect security.
FTFY.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: LoyceV on September 25, 2023, 05:06:31 PM
Is the 200 million customers’ money? Are people serious about saving all this service?
That surprises me that people are using this Mixin Safe to store their cryptocurrencies and 200 million is not a small amount.
I don't think the 200 million dollars came from "Mixin Safe", it's the "Mixin Network" that lost $200 million. According to https://safe.mixin.zone/, they're managing more than a billion dollars. That puts the losses around 20%, and my guess is that includes customer funds.

Quote from: https://mixin.one/
We build open source software that always puts security, privacy and decentralization first.
That didn't age well.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Woodie on September 25, 2023, 07:26:11 PM
Is the 200 million customers’ money? Are people serious about saving all this service?

That surprises me that people are using this Mixin Safe to store their cryptocurrencies and 200 million is not a small amount.
200 million gone, jeez the last couple of months has been rough on our crypto companies...

Talking of Mixin Safe, I want to believe this is an air-tight product especially since it's built around multisig and looking at the processes involved in getting to our coins...a hacker needs enough keys to be granted access i.e OWNER key/ MEMBERS key..

But seeing the discussion here alleging Mixin Safe is safe, but why hasn't the mixin ecosystem adopted/integrated the multisig features all round to guarantee security?? Perhaps this is only for the end-users but inhouse it's a different on this...


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: examplens on September 25, 2023, 07:40:26 PM
Is the 200 million customers’ money? Are people serious about saving all this service?
That surprises me that people are using this Mixin Safe to store their cryptocurrencies and 200 million is not a small amount.
I don't think the 200 million dollars came from "Mixin Safe", it's the "Mixin Network" that lost $200 million. According to https://safe.mixin.zone/, they're managing more than a billion dollars. That puts the losses around 20%, and my guess is that includes customer funds.

It is certainly the user's money, although real facts can be manipulated here.
In fact, I am most interested in whether these funds were time-locked. If they are, this hack completely devalues their service's meaning and the whole story.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: logfiles on September 25, 2023, 11:32:08 PM
Is the 200 million customers’ money? Are people serious about saving all this service?
The 200 million is definitely partly or all customers' money, otherwise they wouldn't have paused the withdrawals and yeah, it's 2023 and people are still too foolish to keep all their money and life savings in custodial centralized exchanges/services. They never totally learned anything from events as recent as the FTX or Celsius network scandals.

I hope the mixin safe team took notes when a lot of members were not comfortable with how the services operated. Registering using phone numbers, the mixin messenger app centralized nature etc. maybe the hack will be an eye opener.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: serveria.com on September 26, 2023, 06:31:50 AM
Is the 200 million customers’ money? Are people serious about saving all this service?
That surprises me that people are using this Mixin Safe to store their cryptocurrencies and 200 million is not a small amount.
I don't think the 200 million dollars came from "Mixin Safe", it's the "Mixin Network" that lost $200 million. According to https://safe.mixin.zone/, they're managing more than a billion dollars. That puts the losses around 20%, and my guess is that includes customer funds.

Quote from: https://mixin.one/
We build open source software that always puts security, privacy and decentralization first.
That didn't age well.

This, btw, is the biggest crypto theft of 2023 up to date! What really happened? Perhaps someone from Mixin Safe can comment and clear things up? I really hope that's not money laundering or management running away with funds!  ::)


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: LoyceV on September 26, 2023, 07:26:06 AM
It is certainly the user's money, although real facts can be manipulated here.
So halting withdrawals and the soothing words are only meant to prevent a bank run? I'd take my money out as soon as possible, before someone else takes it and there's nothing left.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: o_e_l_e_o on September 26, 2023, 07:49:06 AM
That puts the losses around 20%, and my guess is that includes customer funds.
In the article I linked to above (https://www.theblock.co/post/252716/mixin-network-founder-says-just-half-users-assets-are-safe-after-200-million-hack), the CEO said that only half of users' deposits would be unaffected. So yes, users' funds have been lost, and Mixin Network are now insolvent.

In fact, I am most interested in whether these funds were time-locked. If they are, this hack completely devalues their service's meaning and the whole story.
Why would they be? I don't know of any centralized exchange or service (which Mixin Network clearly is, despite claims to the contrary) which timelocks their own funds. They need access to their funds to process withdrawals. It is user funds in Mixin Safe which are supposed to be timelocked. (I've still not seen anyone say if they can actually access their funds, though. Was nobody actually using Mixin Safe?)

You can ask of course why the funds were stored on a Google cloud server or why they weren't protected with multi-sig, but I don't think they would ever be timelocked.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: examplens on September 26, 2023, 08:07:13 AM
(I've still not seen anyone say if they can actually access their funds, though. Was nobody actually using Mixin Safe?)

As far as I know, they only recently came to the forum and most of the forum users heard about them for the first time then. It is certainly still new to Bitcointalkers.
They have their own messenger applications, I believe that's where most of the discussion about the actual problem is.

You can ask of course why the funds were stored on a Google cloud server or why they weren't protected with multi-sig, but I don't think they would ever be timelocked.

Well, I was more focused on this with the question, were the hacked funds protected with multi-sig or time-locked?


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: serveria.com on September 26, 2023, 08:12:34 AM
That puts the losses around 20%, and my guess is that includes customer funds.
In the article I linked to above (https://www.theblock.co/post/252716/mixin-network-founder-says-just-half-users-assets-are-safe-after-200-million-hack), the CEO said that only half of users' deposits would be unaffected. So yes, users' funds have been lost, and Mixin Network are now insolvent.

In fact, I am most interested in whether these funds were time-locked. If they are, this hack completely devalues their service's meaning and the whole story.
Why would they be? I don't know of any centralized exchange or service (which Mixin Network clearly is, despite claims to the contrary) which timelocks their own funds. They need access to their funds to process withdrawals. It is user funds in Mixin Safe which are supposed to be timelocked. (I've still not seen anyone say if they can actually access their funds, though. Was nobody actually using Mixin Safe?)

You can ask of course why the funds were stored on a Google cloud server or why they weren't protected with multi-sig, but I don't think they would ever be timelocked.

Ok, no reason for the coins to be timelocked I agree, but I thought that such considerable amounts (1/5 or 1/2 of all funds controlled by them) are being kept in a secure cold wallet. Losing funds from hot wallets makes me feel I'm back in 2013 or something.  ;D


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: o_e_l_e_o on September 26, 2023, 08:48:05 AM
As far as I know, they only recently came to the forum and most of the forum users heard about them for the first time then. It is certainly still new to Bitcointalkers.
They paid 100 users to use and review their service. Did not a single one of these users continue to use the service afterwards? That's a pretty big red flag.

Well, I was more focused on this with the question, were the hacked funds protected with multi-sig or time-locked?
If they had been, then it is highly unlikely they would have been hacked. By all accounts, they were simply in a hot wallet, and a hot wallet stored in the cloud, no less.

Losing funds from hot wallets makes me feel I'm back in 2013 or something.  ;D
Why? It happens on a near enough weekly basis. This hack is what, not even two days old, and already we've had another hack with Huobi losing $8 million in ETH. All centralized exchanges are the same. Rather than spend time, money, and resources to implement good security protocols, they play fast and loose with the security of your coins and the security of your data because they don't give a shit if you end up losing everything, as long as they line their pockets in the process.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: LoyceV on September 26, 2023, 09:07:51 AM
They paid 100 users to use and review their service. Did not a single one of these users continue to use the service afterwards? That's a pretty big red flag.
I saw no reason to use this after my review (https://bitcointalk.org/index.php?topic=5460259.msg62647863#msg62647863). TL;DR: The privacy policy is a nightmare, the 6 digit PIN security is questionable, the withdrawal fees are very high (50 to 8800 times the on-chain fee), the overall feeling was confusing. The claims (1 million dollar transaction volume on average from each of the 1 million users) unbelievable. Lots of buzz words, but no information on how to recover funds. I don't want social contacts for emergencies. Even normal withdrawals were very complicated, and after testing the whole thing feels custodial.

I see no reason why anyone would ever use this:
From all the reviews I've done, this one was by far the furthest out of my comfort zone. I had no idea what I was doing when I started. I can only imagine this is worse for Bitcoin newbies.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: serveria.com on September 26, 2023, 10:19:48 AM
Losing funds from hot wallets makes me feel I'm back in 2013 or something.  ;D
Why? It happens on a near enough weekly basis. This hack is what, not even two days old, and already we've had another hack with Huobi losing $8 million in ETH. All centralized exchanges are the same. Rather than spend time, money, and resources to implement good security protocols, they play fast and loose with the security of your coins and the security of your data because they don't give a shit if you end up losing everything, as long as they line their pockets in the process.

Because of the scale, the amount of coins stolen. So far this is the biggest Bitcoin theft in 2023. Of course, you can't avoid hot wallets they are necessary to operate normally (and companies are losing these relatively small amounts from time to time) but keeping 1/2 or 1/5 of entire customers' funds in a hot wallet doesn't look like a good idea (unless of course you don't want them to be stolen for some reason).  ???


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Igebotz on September 26, 2023, 01:37:34 PM
Also, does someone want to explain how a "decentralized network" can have a single centralized database stored on Google's servers?
Isn't "decentralized" just a buzz word for 99% of the companies that use it? I generally take it with a grain of salt.

Yeah it's decentralized but we contacted google for help. Hahah

We are so decentralized but we store customers Private keys on google cloud, if this is not an inside job then I don't know what is it. Rugpull! Nothing was hacked.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: dkbit98 on September 26, 2023, 10:56:50 PM
I am looking to see the announcement by the mixin team. These are the kind of experiences that make a project stronger.
I understand you are wearing their signature and you worry only about your payment, but your comment is nothing else than a pathetic excuse :P

Is the 200 million customers’ money? Are people serious about saving all this service?
We don't know any details until they release it, but I remember when I was testing their service I found out that wallets that hold coins are centralized.
I am not surprised that hack like this happened, but I am really surprised with amount of money they lost, $200 million would seriously affect even the biggest centralized exchanges.

This is what I wrote in my Mixin review:
I really don't understand exact purpose for this much complications for beta software that can hold maximum $1000 with risk of losing it all because of some bugs.
https://bitcointalk.org/index.php?topic=5460259.msg62661917#msg62661917

PS
Not your keys, not your coins, and stick to good old multisig setup.





Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: BitcoinsGreat on September 27, 2023, 03:28:09 AM
As far as I know, they only recently came to the forum and most of the forum users heard about them for the first time then. It is certainly still new to Bitcointalkers.
They paid 100 users to use and review their service. Did not a single one of these users continue to use the service afterwards? That's a pretty big red flag.

Even though those 100 users who review their service did not continue to use it afterwards but everyone of them (except a few) review their service top notch and excellent  ???

If the Mixin Safe Service was not trustable, had flaws then why people did not highlight in the review? I must say it is a wrong behavior for most of the reviewers to review "Good" only (Maybe they got the money from the company so it's hard to say bad words about them)


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: LoyceV on September 27, 2023, 07:54:20 AM
Even though those 100 users who review their service did not continue to use it afterwards but everyone of them (except a few) review their service top notch and excellent  ???
Many paid reviews are like that. It's so obvious when reading those reviews.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: FatFork on September 27, 2023, 09:05:22 AM
As far as I know, they only recently came to the forum and most of the forum users heard about them for the first time then. It is certainly still new to Bitcointalkers.
They paid 100 users to use and review their service. Did not a single one of these users continue to use the service afterwards? That's a pretty big red flag.

Even though those 100 users who review their service did not continue to use it afterwards but everyone of them (except a few) review their service top notch and excellent  ???

If the Mixin Safe Service was not trustable, had flaws then why people did not highlight in the review? I must say it is a wrong behavior for most of the reviewers to review "Good" only (Maybe they got the money from the company so it's hard to say bad words about them)

I didn't personally take part in the review campaign, but I did read some of those reviews from several reputable members. I didn't find anything particularly bad about them, and most review campaigns tend to be that way.

You should understand that these reviews are coming from regular users, not security wizards doing expert-level audits. They usually focus on the user experience, how things feel, and not so much on digging out potential flaws or security loopholes that hackers could exploit. I mean, let's use some common sense here. If the company itself wasn't aware of the security flaw that ultimately led to the hack, how in the world could the end users have possibly known about it?

And who's saying that Mixin wasn't trustworthy? I'm not defending, but as far as we know, they got hacked; it's not like they made off with their users' funds in some sort of scam. Besides, the review campaign focused on a specific service the company provides, Mixin Safe. However, as far as I can tell, it's just one of the newer additions within the broader Mixin ecosystem. We don't know that this specific segment has been compromised in the hack.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Synchronice on September 27, 2023, 09:26:46 AM
They paid 100 users to use and review their service. Did not a single one of these users continue to use the service afterwards? That's a pretty big red flag.
I saw no reason to use this after my review (https://bitcointalk.org/index.php?topic=5460259.msg62647863#msg62647863). TL;DR: The privacy policy is a nightmare, the 6 digit PIN security is questionable, the withdrawal fees are very high (50 to 8800 times the on-chain fee), the overall feeling was confusing. The claims (1 million dollar transaction volume on average from each of the 1 million users) unbelievable. Lots of buzz words, but no information on how to recover funds. I don't want social contacts for emergencies. Even normal withdrawals were very complicated, and after testing the whole thing feels custodial.

I see no reason why anyone would ever use this:
From all the reviews I've done, this one was by far the furthest out of my comfort zone. I had no idea what I was doing when I started. I can only imagine this is worse for Bitcoin newbies.
We all agree that Mixin was very complicated to use and from the first use, I truly thought that since this service was too complicated and had many security steps, it would actually be one of the most secure platforms. The setup process was too complicated, especially for a newbie but after that, it was okay, still, they could structure their web architect in a better way to make one major platform instead of three. But there is a thing that I think about, first of all I couldn't imagine if it was that easy to hack them when users were pushed to have multiple security layouts and then, how were there so many users using this complicated platform? It's too complicated to be used by hundreds of thousands of people.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: FatFork on September 27, 2023, 09:44:59 AM
<cut>
But there is a thing that I think about, first of all I couldn't imagine if it was that easy to hack them when users were pushed to have multiple security layouts and then, how were there so many users using this complicated platform? It's too complicated to be used by hundreds of thousands of people.

You're overlooking Mixin Messenger (https://messenger.mixin.one/), which comes with an integrated crypto wallet and supposedly has over a million users. Like I mentioned earlier, we don't have confirmation that the Mixin Safe service is part of the hack.

Mixin is evidently a sizable company, and their services have gained popularity in Asia. Just because we might not be familiar with it doesn't mean it can't have millions of users in the Asian market.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Z-tight on September 27, 2023, 09:55:24 AM
I mean, let's use some common sense here. If the company itself wasn't aware of the security flaw that ultimately led to the hack, how in the world could the end users have possibly known about it?
The company should have known that anything stored online is prone to hacking, and how do they keep keys of that amount of money online, in the cloud. I agree that the users who did the review didn't know about this flaw anyway, if not anyone who knows what they are doing would have written about it. The major issues or flaws raised by many reviewers during the review campaign was ambiguity, zero privacy and that the service was custodial, and i think that is enough for anyone who wants to make up their mind about using the service or not through reading reviews made.
And who's saying that Mixin wasn't trustworthy? I'm not defending, but as far as we know, they got hacked; it's not like they made off with their users' funds in some sort of scam.
I am not accusing them of a rug-pull either, but we don't know if they were hacked or not, they told us that they were hacked and there is no way for us to verify that information.
Like I mentioned earlier, we don't have confirmation that the Mixin Safe service is part of the hack.
From what was said by the founder Feng Xiaodong[1] they lost 50% 100% of customers' money, but they would refund 50% through issuing bond tokens out of thin air for the victims to claim, and these bond tokens would be repurchased by the platform in the future. I don't think that's going to happen, and i believe Mixin network may be insolvent right now.

[1] https://www.cryptotimes.io/mixin-network-founder-admits-50-assets-are-safe/


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: LoyceV on September 27, 2023, 10:47:30 AM
And who's saying that Mixin wasn't trustworthy? I'm not defending, but as far as we know, they got hacked
The fact that they kept $200 million of other people's money in a hot wallet is what makes them not trustworthy. If a bank loses their customers' money, I don't trust them. The same goes for any other company.

From what was said by the founder Feng Xiaodong[1] they lost 50% 100% of customers' money, but they would refund 50% through issuing bond tokens out of thin air for the victims to claim, and these bond tokens would be repurchased by the platform in the future. I don't think that's going to happen, and i believe Mixin network may be insolvent right now.
That sounds a lot like what a large exchange did in the past. Who's going to buy made up "bond tokens" of an insolvent company hoping they won't lose more money in the future?


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: NotATether on September 27, 2023, 10:49:12 AM
Even though those 100 users who review their service did not continue to use it afterwards but everyone of them (except a few) review their service top notch and excellent  ???

If the Mixin Safe Service was not trustable, had flaws then why people did not highlight in the review? I must say it is a wrong behavior for most of the reviewers to review "Good" only (Maybe they got the money from the company so it's hard to say bad words about them)

We couldn't review the service backend. That's where they got hacked.

From what was said by the founder Feng Xiaodong[1] they lost 50% 100% of customers' money, but they would refund 50% through issuing bond tokens out of thin air for the victims to claim, and these bond tokens would be repurchased by the platform in the future. I don't think that's going to happen, and i believe Mixin network may be insolvent right now.

If they lost all of the money and not just half of it, that's even worse. It means that all of those authentication systems that were meant to keep crooks out of user accounts were bypassed and they went through the back door.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: examplens on September 27, 2023, 11:01:37 AM
As far as I know, they only recently came to the forum and most of the forum users heard about them for the first time then. It is certainly still new to Bitcointalkers.
They paid 100 users to use and review their service. Did not a single one of these users continue to use the service afterwards? That's a pretty big red flag.

Aside from pricing which i find rather high (especially because i live on developing country), i got stuck few times (either due to bug or mistake on their guide) when i attempt to move my Bitcoin through few means. So i wouldn't be surprised if nobody continue to use the service.

Almost all reviews pointed to the complexity of using the Mixin service. At the same time, we are talking about the users of this forum, who are mostly familiar with Bitcoin transactions. Although it was not realistic for many testers from the forum that someone would use this service, nevertheless, they held more than $200 million


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: FatFork on September 27, 2023, 11:21:51 AM
And who's saying that Mixin wasn't trustworthy? I'm not defending, but as far as we know, they got hacked
The fact that they kept $200 million of other people's money in a hot wallet is what makes them not trustworthy. If a bank loses their customers' money, I don't trust them. The same goes for any other company.

Of course, they are not trustworthy now! I was talking about the time when forum members were doing those reviews. At that point, there was no way for people to predict this or uncover security flaws from their end.

My point: it was a custodial service, and custodial services get hacked all the time. Losing your funds is undeniably terrible, and I sympathize with those who are affected. However, some of the responsibility also rests with the users themselves. Why do we keep repeating "not your keys..." here?



Almost all reviews pointed to the complexity of using the Mixin service. At the same time, we are talking about the users of this forum, who are mostly familiar with Bitcoin transactions. Although it was not realistic for many testers from the forum that someone would use this service, nevertheless, they held more than $200 million

It was a different service. Mixin Safe has been reviewed by users on this forum. However, from what I understand, Mixin Safe hasn't actually been hacked. On the other hand, Mixin Messenger (which includes an integrated crypto wallet) had over a million users. My hunch is that the wallet that got hacked is linked to their custodial wallet service within Mixin Messenger.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: o_e_l_e_o on September 27, 2023, 12:04:18 PM
I don't think that's going to happen, and i believe Mixin network may be insolvent right now.
They are 100% insolvent right now:

In the article I linked to above (https://www.theblock.co/post/252716/mixin-network-founder-says-just-half-users-assets-are-safe-after-200-million-hack), the CEO said that only half of users' deposits would be unaffected. So yes, users' funds have been lost, and Mixin Network are now insolvent.

Insolvent simply means they are unable to pay all their debts. If they can only afford to cover 50% of the losses, then it means they do not have enough to pay all their customers all the money they are owed. They cannot pay their debts, and therefore they are insolvent.

That sounds a lot like what a large exchange did in the past. Who's going to buy made up "bond tokens" of an insolvent company hoping they won't lose more money in the future?
It worked for Bitfinex. The only reason their centralized shitcoin UNUS SED LEO even exists was to bail them out after they were hacked for 100,000+ bitcoin back in 2016. And today it has a market cap of over $3 billion. Bitfinex have of course suffered further hacks since then, but now they just print more Tether out of thin air to cover up their losses instead of launching more shitcoins. And I don't need to tell you just how widespread Tether is.

There is no shortage of people who will buy whatever centralized shitcoin Mixin create to bail themselves out.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: BitcoinsGreat on September 27, 2023, 02:32:56 PM
You're overlooking Mixin Messenger (https://messenger.mixin.one/), which comes with an integrated crypto wallet and supposedly has over a million users. Like I mentioned earlier, we don't have confirmation that the Mixin Safe service is part of the hack.

Correct me if I am wrong. Mixin Safe is actually a Wallet, a sort of MultiSig wallet where you need two keys to spend the funds and one of the keys is stored with the Mixin team themselves and it is time locked.

My concern is that it was not an exchange where funds are stored and hacker access them, it is only a wallet and it was decentralized too (private keys with the users only) (don't know if it was open or closed source), so this means that hacker managed to get all the private keys?  In theory, that is impossible  ???


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: hugeblack on September 27, 2023, 02:59:01 PM
Even though those 100 users who review their service did not continue to use it afterwards but everyone of them (except a few) review their service top notch and excellent  ???

If the Mixin Safe Service was not trustable, had flaws then why people did not highlight in the review ? I must say it is a wrong behavior for most of the reviewers to review "Good" only (Maybe they got the money from the company so its hard to say bad words about them)

I was not enthusiastic about the idea, and I saw that the system was complex and difficult to understand for the average user, let alone a beginner, but I was really surprised that there were 100 members who had conducted reviews for this service. I did not read any of them, and I do not know how they were able to understand these complexities.

But after 100 members participated in that review campaign, I began to believe that it was a good service and that the problem was me.

Personally, I do not like miniscript, and with the limited number of wallets that support this technology, recent ledger miniscript vulnerability[1], Ledger Recovery[2], and their price policies[3], I expect that the number of users for this service will be very few and limited, and thus achieving a return from it will be difficult. .....
I honestly don't know but I think it is hard to find 100 BTT account can join to the review campaign,

I am still surprised that customer deposits reach one million dollars. not $200 million


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: virasog on September 27, 2023, 04:27:23 PM
Of course, they are not trustworthy now! I was talking about the time when forum members were doing those reviews. At that point, there was no way for people to predict this or uncover security flaws from their end.

Well no one would have thought that things would turn out like this but hey wait, even though the members and the users who use this service didn't anticipate this, the Mixin Safe owners did put a warning message every time you logged in the mixin safe.

https://i.ibb.co/GPS4Qfc/Caution.png

Here they clearly state that do not store $1000 of your assets in here, so if all the users follow this, not a single individual loss should be greater than 1000$.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: LoyceV on September 27, 2023, 04:34:39 PM
I've seen several incorrect posts by now. To be clear: Mixin lost $200M, not Mixin Safe.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: examplens on September 27, 2023, 07:37:24 PM
I've seen several incorrect posts by now. To be clear: Mixin lost $200M, not Mixin Safe.

As far as I've seen, only Mixin Network is mentioned and within that, there are different groups of services. Mixin Safe, MixPay, Mixin Wallet, Mixin Messenger maybe something else. Apart from the statement "Mixin Network's cloud service provider was attacked by hackers", I have not seen anything more detailed about which part was the subject of the attack


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: serveria.com on September 28, 2023, 07:17:43 AM
I've seen several incorrect posts by now. To be clear: Mixin lost $200M, not Mixin Safe.

As far as I've seen, only Mixin Network is mentioned and within that, there are different groups of services. Mixin Safe, MixPay, Mixin Wallet, Mixin Messenger maybe something else. Apart from the statement "Mixin Network's cloud service provider was attacked by hackers", I have not seen anything more detailed about which part was the subject of the attack

Yeah they all definitely belong to the same person/entity. It's yet unclear though which part of their network got hit or which app had the vulnerability which led to such a tragic outcome. I also haven't seen any official press release or statement by Mixin group employees. Mixin Safe was in beta I believe but still they will at least have to change name/rebrand if they're planning to develop it further.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Synchronice on September 28, 2023, 08:29:21 AM
From what was said by the founder Feng Xiaodong[1] they lost 50% 100% of customers' money, but they would refund 50% through issuing bond tokens out of thin air for the victims to claim, and these bond tokens would be repurchased by the platform in the future. I don't think that's going to happen, and I believe Mixin network may be insolvent right now.
That sounds a lot like what a large exchange did in the past. Who's going to buy made up "bond tokens" of an insolvent company hoping they won't lose more money in the future?
Why is it so hard for you to understand that there are tons of people who will still buy it despite the fact that the company is insolvent? Look, everything depends on how you lie to people and believe me, a lot of people will look at their bond tokens like the best opportunity to invest in an innovative (they will wrap their product as innovative and a lot of people will believe it) company. Mixin also will offer them best terms to attract as many people as possible to sell them.
It's easy, you and me won't buy it but billions of people will because people lack critical thinking. You know what? When people ask medical questions to Google, they aren't looking for Mayoclinic links, they visit the first link that Google shows them and this first link can be a website of snake oil salesman.

I was not enthusiastic about the idea, and I saw that the system was complex and difficult to understand for the average user, let alone a beginner, but I was really surprised that there were 100 members who had conducted reviews for this service. I did not read any of them, and I do not know how they were able to understand these complexities.

But after 100 members participated in that review campaign, I began to believe that it was a good service and that the problem was me.
It wasn't really that complex, the set-up process was way long and annoying, that's all, once you were signed up, it was normal to use but nothing really attractive. The way messenger, wallet, key and other apps were connecting with each other was definitely one of the worst one can see.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: FatFork on September 28, 2023, 10:01:18 AM
From what was said by the founder Feng Xiaodong[1] they lost 50% 100% of customers' money, but they would refund 50% through issuing bond tokens out of thin air for the victims to claim, and these bond tokens would be repurchased by the platform in the future. I don't think that's going to happen, and I believe Mixin network may be insolvent right now.
That sounds a lot like what a large exchange did in the past. Who's going to buy made up "bond tokens" of an insolvent company hoping they won't lose more money in the future?
Why is it so hard for you to understand that there are tons of people who will still buy it despite the fact that the company is insolvent? Look, everything depends on how you lie to people and believe me, a lot of people will look at their bond tokens like the best opportunity to invest in an innovative (they will wrap their product as innovative and a lot of people will believe it) company. Mixin also will offer them best terms to attract as many people as possible to sell them.
It's easy, you and me won't buy it but billions of people will because people lack critical thinking. You know what? When people ask medical questions to Google, they aren't looking for Mayoclinic links, they visit the first link that Google shows them and this first link can be a website of snake oil salesman.

Some will buy due to a "lack of critical thinking," while others will see it as a promising investment opportunity. People frequently profit from risky ventures; there's nothing new about it.

The way I see it, Mixin has three major institutional investors, including Blockchain R&I, LongMen Fund, and INBlockchain. Li Xiaolai, the owner of INBlockchain, alone reportedly has a net worth of around $3.5 billion. I doubt they'd be willing to let their investment go to waste so easily, regardless of the hack.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: virasog on September 28, 2023, 10:03:01 AM
I was not enthusiastic about the idea, and I saw that the system was complex and difficult to understand for the average user, let alone a beginner, but I was really surprised that there were 100 members who had conducted reviews for this service. I did not read any of them, and I do not know how they were able to understand these complexities.

But after 100 members participated in that review campaign, I began to believe that it was a good service and that the problem was me.
It wasn't really that complex, the set-up process was way long and annoying, that's all, once you were signed up, it was normal to use but nothing really attractive. The way messenger, wallet, key and other apps were connecting with each other was definitely one of the worst one can see.


I too would not say that the process was difficult and if it really provided the purpose to safeguard your coins, then it's worth it, even if it is a lengthy process.

Also, remember if you make any air-gapped device / cold storage, the process is complicated to sign the transactions offline and all this other stuff. So, it is more about if the solution is trustworthy people are ready to spend the money and also spend the time learning it, unfortunately after this hack, no one should be using Mixin services anymore.  


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Josefjix on September 28, 2023, 12:46:59 PM
 Mixin CEO Begs Hackers To Return Funds and Take $20m as bug rewards (https://bitcointalk.org/index.php?topic=5468422.msg62914536#msg62914536)


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: NotATether on September 28, 2023, 04:39:42 PM
Mixin CEO Begs Hackers To Return Funds and Take $20m as bug rewards (https://bitcointalk.org/index.php?topic=5468422.msg62914536#msg62914536)

That'll still be 10% of all user funds gone forever and really $20 million should not be the amount of bug bounty you give to someone. Even Theymos does not give out such huge amounts for bitcointalk security.

And if the hacker is an organized crime figure, it's no use pleading. It will fall on deaf ears.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: examplens on September 28, 2023, 07:05:50 PM
Mixin CEO Begs Hackers To Return Funds and Take $20m as bug rewards (https://bitcointalk.org/index.php?topic=5468422.msg62914536#msg62914536)

That'll still be 10% of all user funds gone forever and really $20 million should not be the amount of bug bounty you give to someone. Even Theymos does not give out such huge amounts for bitcointalk security.

And if the hacker is an organized crime figure, it's no use pleading. It will fall on deaf ears.

A loss of $20 million is still 10 times less than $200 million.
If the hackers agree to such an offer, it probably means that they are not criminally responsible for this hack. Sounds fair.
At some point they will have to take this loss on themselves, obviously. The Mixin team believes that their platform is worth much more than $20 million; in this way, they want to take responsibility for the resulting damage.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: dkbit98 on September 28, 2023, 09:56:57 PM
It was a different service. Mixin Safe has been reviewed by users on this forum. However, from what I understand, Mixin Safe hasn't actually been hacked. On the other hand, Mixin Messenger (which includes an integrated crypto wallet) had over a million users. My hunch is that the wallet that got hacked is linked to their custodial wallet service within Mixin Messenger.
Mixin Messenger was the part of review because many people used it in combination with Mixin Safe as part of their multisig setup, including me, this was clearly mentioned in official campaign rules.
They just forked open source Signal messenger and added centralized coin storing that was connected with cloud service.
I probably still have keys somewhere but I didn't run Messenger to see if it's even working now.

I've seen several incorrect posts by now. To be clear: Mixin lost $200M, not Mixin Safe.
Product is different, but company and owners are obviously the same.
If micr0s0ft or apple get hacked and lost all their money it will affect all of their products.



- Prepare Members Wallet: Get Mixin Messenger
- Set Mixin Messenger PIN
- Add Mixin Messenger Contacts: Please ask all safe members to add each other as a contact in Mixin Messenger, including yourself.

- To activate Mixin Messenger, you can use a throwaway phone number

It was a good idea for some people that used temp phone numbers after all ;)


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: FatFork on September 29, 2023, 07:33:38 AM
I've seen several incorrect posts by now. To be clear: Mixin lost $200M, not Mixin Safe.
Product is different, but company and owners are obviously the same.
If micr0s0ft or apple get hacked and lost all their money it will affect all of their products.

True, the company is still responsible for the hack and the loss of money. It's just that some people mistakenly associate this incident with the Mixin Safe service, which, if I'm not mistaken, is still in beta and not that widely used.

It was a good idea for some people that used temp phone numbers after all ;)

No doubt about it. I would always use a fake phone number for things like that if I could.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: LoyceV on September 29, 2023, 08:00:11 AM
I've seen several incorrect posts by now. To be clear: Mixin lost $200M, not Mixin Safe.
Product is different, but company and owners are obviously the same.
The difference is that Mixin Safe is supposed to be non-custodial. If that's true (which I haven't been able to verify) it shouldn't be affected by the hack.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Z-tight on September 29, 2023, 10:29:43 AM
The difference is that Mixin Safe is supposed to be custodial. If that's true (which I haven't been able to verify) it shouldn't be affected by the hack.
Why wouldn't it be affected by the hack since it is custodial and the Mixin network holds the keys and obviously stores them in the cloud? Mixin safe is custodial that's for sure, there is no private key or seed phrase to any "safe vault" that you create.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: LoyceV on September 29, 2023, 10:46:04 AM
Why wouldn't it be affected by the hack since it is custodial
Sorry, I forgot the word "non"-custodial. I've edited my post.

Quote
there is no private key or seed phrase to any "safe vault" that you create.
That's the shitty part indeed, and it's what makes it really hard to believe it's non-custodial. The user doesn't have much more than a phone number and 6 digit PIN to recover their funds, and they didn't say how you can recover it.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Igebotz on September 29, 2023, 01:21:07 PM
Why wouldn't it be affected by the hack since it is custodial
Sorry, I forgot the word "non"-custodial. I've edited my post.

Quote
there is no private key or seed phrase to any "safe vault" that you create.
That's the shitty part indeed, and it's what makes it really hard to believe it's non-custodial. The user doesn't have much more than a phone number and 6 digit PIN to recover their funds, and they didn't say how you can recover it.

This is how;

"You will be asked periodically to help you remember it."

Until now my little Bitcoin left in my Mixin Messenger is still reflecting with no option to withdraw. I'm 100% sure what I have there is just virtual numbers.

Ps: coins left after the review.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: stompix on October 01, 2023, 11:36:21 AM
That'll still be 10% of all user funds gone forever and really $20 million should not be the amount of bug bounty you give to someone. Even Theymos does not give out such huge amounts for bitcointalk security.

Think the other way around.
You don't spend 20 million, you get back 180 million, even half of it and you're still from this moment gaining 100 million to your balances!

There is one thing I'm surprised about and it's indeed strange for me I'm the only one thinking this, but isn't it a bit weird that indeed they had this huge amount of funds around? For a service that really went big in the last years and was a bit unattractive to the masses for its complexity, I'm quite amazed of the amounts stolen. We have exchanges that didn't have that much on balances in their life so and it's a different type of business altogether.

Anyhow, reading this topic now, some of those quoted aged worse than bull milk!


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: o_e_l_e_o on October 01, 2023, 05:58:11 PM
Until now my little Bitcoin left in my Mixin Messenger is still reflecting with no option to withdraw. I'm 100% sure what I have there is just virtual numbers.

Ps: coins left after the review.
So you can confirm that it is currently impossible to withdraw coins from this apparent "decentralized, non-custodial" Mixin Safe?

So I take it they never released this tool they promised to release after I identified this big red flag?
It will also be beyond their skill set to recover their coins if your service disappears, and that's a very dangerous situation to be in. And you are not incentivized to release a tool to allow them to do so, since then they can easily bypass your pricing model.

the plan is not to let the users develop software, it's to provide another software to help them. A decentralized system allows a new software to do the job, unlike a centralized system rug.
You are essentially hoping that some unknown developer will be kind enough to develop a tool to allow users to recover their coins, for free, in their own time. That's a big assumption.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Stalker22 on October 01, 2023, 06:17:36 PM
Until now my little Bitcoin left in my Mixin Messenger is still reflecting with no option to withdraw. I'm 100% sure what I have there is just virtual numbers.

Ps: coins left after the review.
So you can confirm that it is currently impossible to withdraw coins from this apparent "decentralized, non-custodial" Mixin Safe?
~

Mixin Wallet is integrated into the Mixin Messenger App. Mixin Safe is a standalone service. I remember that, when I was doing the review, those two services were not connected to each other. I had to make a deposit from Mixin Messenger to Mixin Safe and then transfer the coins back.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Igebotz on October 01, 2023, 08:07:42 PM
Until now my little Bitcoin left in my Mixin Messenger is still reflecting with no option to withdraw. I'm 100% sure what I have there is just virtual numbers.

Ps: coins left after the review.
So you can confirm that it is currently impossible to withdraw coins from this apparent "decentralized, non-custodial" Mixin Safe?

Nope! This is the pop up message!

"Server under maintenance "

It's still a wonder to me how an unknown entity can have $200 million in a hot wallet when even the largest exchanges don't have that much in a hot wallet. Wasn't the project in beta, and deposits of more than $1000 were not allowed? Well wish them the best.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: LoyceV on October 02, 2023, 11:31:17 AM
Nope! This is the pop up message!

"Server under maintenance "
The promise was for you to be able to recover your funds after a timelock expires, but they didn't explain how to do it. Even worse: if it's set up the way I think it is, they too would be able to have 2 out of 3 keys by the time the timelock expires.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Igebotz on October 02, 2023, 01:18:26 PM
Nope! This is the pop up message!

"Server under maintenance "
The promise was for you to be able to recover your funds after a timelock expires, but they didn't explain how to do it. Even worse: if it's set up the way I think it is, they too would be able to have 2 out of 3 keys by the time the timelock expires.

The CEO stated that the timelock will only expire if the vulnerabilities are found and fixed - in other words, users can only get their funds back if the hackers refund some of the money, which I doubt will happen.  This will culminate in the creation of some form of debt token that will be distributed to users in order to compensate for loss.

Particia EX did precisely that when they got hacked last year.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: LoyceV on October 02, 2023, 01:59:04 PM
The CEO stated that the timelock will only expire if the vulnerabilities are found and fixed
I admit I don't understand the technical details of how it works, and it was quite complicated, but my assumption was that the timelock is something that can't be changed once it's set. I assumed it was based on cryptography, but judging by your comment it's completely centralized.
That confirms what I knew already: don't trust things you don't understand :) It reminds me of the "ETH DAO smart contract" where the only person who understood how it works was called "the attacker".
Keep it simple, keep your own keys :)

Quote
in other words, users can only get their funds back if the hackers refund some of the money, which I doubt will happen.
In which jurisdiction is this even legal? Shouldn't they file for bankruptcy if they're insolvent, isn't that the legal way to handle this?
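Added example, not part of any post in this thread and not Mixin's code: the posts above ask whether the timelock is enforced cryptographically and which keys can spend once it expires. The sketch below evaluates the descriptor quoted in the opening post (`thresh(2, ...)` with `older(12960)`) under the BIP68/BIP112 relative-timelock rules. The function names are illustrative assumptions, and nothing here models who actually holds each key.

```python
"""Who can spend under the thread's descriptor, and when?

wsh(thresh(2,pk(OWNER),s:pk(MEMBERS),sj:and_v(v:pk(RECOVERY),n:older(12960))))
"""
from itertools import combinations

# BIP68 layout of an input's 32-bit nSequence field.
SEQUENCE_DISABLE_FLAG = 1 << 31  # set: no relative lock on this input
SEQUENCE_TYPE_FLAG = 1 << 22     # set: lock counted in 512-second units
SEQUENCE_VALUE_MASK = 0x0000FFFF

KEYS = ("OWNER", "MEMBERS", "RECOVERY")  # role names from the descriptor
THRESHOLD = 2                            # thresh(2, ...)
OLDER_BLOCKS = 12960                     # older(12960): 12960 / 144 blocks per day = 90 days
NO_LOCK = 0xFFFFFFFF                     # a common nSequence with the lock disabled


def csv_passes(required_blocks, tx_version, n_sequence):
    """BIP112: does OP_CHECKSEQUENCEVERIFY accept a block-based operand?"""
    if tx_version < 2 or n_sequence & SEQUENCE_DISABLE_FLAG:
        return False
    if n_sequence & SEQUENCE_TYPE_FLAG:
        return False  # input declares a time-based lock; units do not match
    return required_blocks <= (n_sequence & SEQUENCE_VALUE_MASK)


def bip68_mature(tx_version, n_sequence, confirmations):
    """BIP68: can this input be mined in the next block?

    `confirmations` is the depth of the UTXO being spent at the current tip.
    """
    if tx_version < 2 or n_sequence & SEQUENCE_DISABLE_FLAG:
        return True
    if n_sequence & SEQUENCE_TYPE_FLAG:
        raise NotImplementedError("time-based locks need median-time-past")
    return confirmations >= (n_sequence & SEQUENCE_VALUE_MASK)


def can_spend(signers, confirmations, tx_version=2, n_sequence=NO_LOCK):
    """Evaluate the policy for one concrete transaction input."""
    satisfied = int("OWNER" in signers) + int("MEMBERS" in signers)
    # The RECOVERY branch counts only if its signature AND the timelock hold.
    if "RECOVERY" in signers and csv_passes(OLDER_BLOCKS, tx_version, n_sequence):
        satisfied += 1
    return satisfied >= THRESHOLD and bip68_mature(tx_version, n_sequence, confirmations)


def spendable_now(held_keys, confirmations):
    """Can whoever holds `held_keys` build *some* valid spend right now?"""
    return any(
        can_spend(set(held_keys), confirmations, n_sequence=seq)
        for seq in (NO_LOCK, OLDER_BLOCKS)
    )


def spending_pairs(confirmations):
    """All two-key combinations able to spend a UTXO of the given depth."""
    return [pair for pair in combinations(KEYS, 2) if spendable_now(pair, confirmations)]


if __name__ == "__main__":
    for depth in (0, OLDER_BLOCKS - 1, OLDER_BLOCKS):
        print(f"{depth:>6} confirmations: {spending_pairs(depth)}")
```

The lock is relative to each UTXO's own confirmation, so every new deposit starts a fresh 12960-block period during which only OWNER plus MEMBERS can spend it.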


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: FatFork on October 02, 2023, 03:20:38 PM
The CEO stated that the timelock will only expire if the vulnerabilities are found and fixed


Where did you read such statement? Honestly, all I've read is that they stated their services will be reopened "once the vulnerabilities are confirmed and fixed". That makes sense.

Quote
in other words, users can only get their funds back if the hackers refund some of the money, which I doubt will happen.
In which jurisdiction is this even legal? Shouldn't they file for bankruptcy if they're insolvent, isn't that the legal way to handle this?

I don't know where Igebotz got that from, but I don't think that's true. According to media reports, during a live briefing on September 25th, Mixin's founder, Xiaodong Feng, stated that they would compensate users "up to 50%" for the stolen assets, with the remainder being distributed to users as "tokenized liability claims" that Mixin would eventually repurchase "with its future profits".


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Synchronice on October 02, 2023, 08:28:57 PM
Mixin CEO Begs Hackers To Return Funds and Take $20m as bug rewards (https://bitcointalk.org/index.php?topic=5468422.msg62914536#msg62914536)

That'll still be 10% of all user funds gone forever and really $20 million should not be the amount of bug bounty you give to someone. Even Theymos does not give out such huge amounts for bitcointalk security.

And if the hacker is an organized crime figure, it's no use pleading. It will fall on deaf ears.
I think they already sense that they won't be able to find hackers, seize money and get it back, so, instead of 100% financial loss they try to negotiate with hackers to make it 10% financial loss with the hope that hackers will get scared, return 90% of stolen money, prioritize their safety and walk away with $20 million. But I guess this is a lure and the chase of hackers will not stop after this deal (recent example: Putin and Prigozhin). So, personally I think that hackers will refund nothing, probably knew what they were doing and life will continue.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: digaran on October 06, 2023, 09:17:23 AM
Why would anyone use a third party to hold their keys? And this was supposed to be what exactly, an easy target for "hackers"?  By the time people realize not to trust their money with none other than banks, I'd be long gone, universe would be long gone, meaning people will continue to do this.  Bitcoin is a currency and a bank, if you want to give your funds to third parties for whatever reason, give them to banks and if banks don't offer such services, maybe they have a good reason.


This will keep on happening as it has several times in the past, simply because they don't want to listen to the warnings.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Z-tight on October 06, 2023, 01:20:57 PM
Why would anyone use a third party to hold their keys? And this was supposed to be what exactly, an easy target for "hackers"?  By the time people realize not to trust their money with none other than banks, I'd be long gone, universe would be long gone, meaning people will continue to do this.
The bank is also a third party, and they control your money when you trust them with it, take note that banks are also involved in fractional reserve scam. Nevertheless, the banking system is a more established institution than centralized exchanges or crypto businesses like mixin network, so your money is probably safer in a bank than with such services.
Bitcoin is a currency and a bank, if you want to give your funds to third parties for whatever reason, give them to banks and if banks don't offer such services, maybe they have a good reason.
BTC is not a bank, when you use BTC you ought to be the bank yourself and hold your own keys. If you want self custody of your money, store your keys yourself, not your keys, not your coins.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: stompix on October 07, 2023, 02:16:52 PM
I don't know where Igebotz got that from, but I don't think that's true. According to media reports, during a live briefing on September 25th, Mixin's founder, Xiaodong Feng, stated that they would compensate users "up to 50%" for the stolen assets, with the remainder being distributed to users as "tokenized liability claims" that Mixin would eventually repurchase "with its future profits".

lol, "compensate" ?
I love how they always use stupid wording like this, trying to pose like they are in control, they are the ones taking the hit, and they will suffer one century in pain but will make everything up for their customers!

It's no compensation, compensation is when you take something and give something in return, this is just taking half of the money away!
Imagine how a robber would testify in court and argue that he took only one TV and the jewelry so has already compensated the victim by letting him have his fridge and socks!!!

https://twitter.com/MixinKernel/status/1709869557287178402
Quote
After statistical analysis, the affected assets in this incident were mainly ERC20-USDT, ETH, and BTC. Other assets were not affected. The specific compensation details are still under discussion. Please stay tuned for updates on the progress of this incident. In order to improve the Network and provide more secure services, after a week of rigorous evaluation, we will make the following updates to the Mixin Network:

again, lol

Quote
1. Release a new system based on Mixin Safe to enhance network security. The new system is expected to go online in 3-4 weeks. After another 2 weeks of system inspection, deposit and withdrawal functions can be opened.

deposits and withdrawals, quite optimistic, I am willing to bet on a 1000:1 ratio between the two


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: Igebotz on October 07, 2023, 08:48:10 PM
The CEO stated that the timelock will only expire if the vulnerabilities are found and fixed


Where did you read such statement? Honestly, all I've read is that they stated their services will be reopened "once the vulnerabilities are confirmed and fixed". That makes sense.

Lol Tell us more, it seems you know more than the rest of us - You're merely reading the lines, whereas I'm deciphering the meaning. They're not going to compensate anyone, and the only thing you'll probably see in your balance are some shady tokens. No way the owner compensating anyone out of his own pocket..

These days when an entity gets hacked, both the owners and the customers bear the loss, no fund insurance policy.


Title: Re: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution
Post by: FatFork on October 08, 2023, 08:42:00 AM
The CEO stated that the timelock will only expire if the vulnerabilities are found and fixed


Where did you read such statement? Honestly, all I've read is that they stated their services will be reopened "once the vulnerabilities are confirmed and fixed". That makes sense.

Lol Tell us more, it seems you know more than the rest of us - You're merely reading the lines, whereas I'm deciphering the meaning.

Keep your socks on, I'm not here to defend Mixin or anything, and I don't work for them either. I'm just sharing the info I come across. You said, "The CEO stated..." and I simply asked, "Where did you read such a statement?"

Also, you mentioned "timelock," so I assume you're referring to Mixin Safe. It's already been said multiple times in this thread - it's a different service! The Mixin Safe service has never been suspended or affected by the hack, as far as I know. If you have different information, please share.

To quote LoyceV:
I've seen several incorrect posts by now. To be clear: Mixin lost $200M, not Mixin Safe.