Bitcoin Forum

The coin-eating bug discussed on reddit today, and perhaps even more so, the dev's negligent and downright silly response towards it has been appalling.  IMHO security of funds and private keys should be the top priority of any wallet software.  The prominent link to multibit from bitcoin.org puts users at risk and should be discontinued immediately, at least until this is resolved.  

Discussion of the infamous bug:
http://www.reddit.com/r/Bitcoin/comments/22gt4r/major_mulitibit_bug_btc_gone_it_cost_me_all_of_my/

Thank you for posting this, I'm moving to Electrum.

Maybe ypu can briefly explain what NOT TO DO if you are using Multibit to prevent other users losses.

I support op's motion as I had trouble with MB that no noob should go through, too.

I just read the thread on reddit. i had no idea Multibit had such a bug  :o

i tried Multibit at one time and didn't like the layout, so went with Electrum. Is the bug fixed in the latest release or is the dev still working on it?

I agree Jim should have been more helpful. I am pretty sure as the move to MultibitHD they said they would support some major bug fixes to the classic version, this sounds like a rare but major bug. I think jim should be more hopefully and honestly if you need to do something, you can put the code down for three days and get some lights for your house come on we aren't north korea.

I would have multi-bit removed from the bitcoin.org page. Also as Java developer I didn't see any code for multi-bit HD I would gladly help them if they are that stressed out. I don't have much free time but I know bitcoinj very well.

Had 2 wallets in Multibit, sent coins from the 1st to the 2nd.

Now half of the coins have disappeared.

And I can tell its gonna be a nightmare to get help from the dev.

Back to Electrum, after a 7k loss :(

WOW! This is real old stuff! Old stories. Old complaints. Aired here and on reddit time and time again. And all resolved by the Multibit team to the satisfaction of thousands and thousands of users. It's unfortunate stuff like this happens. But it happens with Multibit, happens with Coinbase, happens with Electrum, happens with Blockchain, happens with every wallet service. It's unfortunate; but FUD really doesn't help, folks. The venting is often misguided and always toxic. If you have problems, just state them fully and carefully here, and you'll find plenty of voices willing to walk you through them, if possible.

Could you post some kind of supporting evidence?

I have transferred coins within a wallet on Multibit before, it looked weird on the transaction history but did not have any issues with the change address.

Because this is a 2 months' old thread and may be the bug was fixed. Besides, the bug doesn't happen all the time.

I've definitely used multibit quite a bit without issue.  I also have my keys printed out and stored in a safe place.  I need to look through that reddit, but what's not clear to me is:

1) is the bug something that 'eats your coin' as in sends it so some null address or something?  or does it just corrupt your wallet, etc?  If the latter, I'm not so worried since I have backups of all the  keys.

2) is this resolved?  If it is, can OP modify the thread name, it's kinda alarmist to leave it up if there's not a current issue anymore.

The bug was related to incorrectly importing Blockchain.info keys. If you have never imported anything then you have nothing to worry about. Also, it was fixed in the latest release.

According to the release notes the issue has been resolved.

I see, well I do often import my keys.  That is, from time to time I install multibit or another wallet on a computer and import my keys to do transactions.  I'm going to be sure to update my multibit before I use any old installs.  Also, looking through that reddit, i wondered if it was because the op created like 500keypairs before using them, maybe filling some presized array, idk.

IMHO, passing keys around from an installation on one computer to another, or one wallet to another, is always more precarious than sending coins from one wallet to another via the blockchain. I would never import a key except for disaster recovery. It's too inexpensive to send balances over the blockchain, and much less fraught with potential problems. A little paid in transaction fees goes a long way toward peace of mind.

What's the precarious part?  I don't fully understand.

I have my wallet in an encrypted text file that i have on a flash stick.  I also have that file decrypted and printed on paper as a back up.  So, I can decrypt the wallet file and then import it.  Anyway, as far as i can tell, even if the import goes wrong on a particular wallet software, I can just try again with better software or double check the installation or something.  I'm sure there's something I'm missing.

What about a person who actually needs to potentially spend his bitcoin from two (or more computers) but has no real way of knowing in advance when they would need this.

An example of this would be someone who owns a small business and could have to send coins from home or from the office at any given time. It would be cheap to send coins from one address to another one time but this cost would add up if this had to be repeated every day 2 (or more times per day). 

As much as all of us would like to use our MultiBit as much as possible, I guess I'd suggest this situation might better be handled by a secure online wallet -- which would hold whatever balance was needed in both or all locations.  Or, one could carry his/her single MultiBit wallet on a portable device to carry with them.

From the dictionary: Precarious..
a :  dependent on chance circumstances, unknown conditions, or uncertain developments
b :  characterized by a lack of security or stability that threatens with danger

You might be fine, sed -- though that decrypted paper backup is a point of risk. You're possibly having to back it up often [at least every time to add coin to the wallet], and juggling/keeping track of/disposing of decrypted paper files introduces some real risk in the equation.

But again.. just stating an opinion here.. I think most users would be better served sending coins from one wallet to another via the blockchain, rather than doing the export/import of keys procedure for coin transfers.

A mobile device could potentially be stolen/lost, even if the point of the theft of the device is not to steal the bitcoin they would be significant risk.

Online wallets carry their own risk that is separate from using MultiBit in this manner. More risk? I am not sure

Everything in life has a risk. Even if someone secures their bitcoins in the most effective way, they can't rule out that they might have an accident tomorrow, leaving the coins unspendable if only they know about how to retrieve them (passwords, cold storage location, etc).

The problem with online wallets is when they actually know your private keys. They could one day just decide to spend them without your consent. As far as I know, Blockchain.info encrypts the keys so that they are only known in the browser at the time the user logs in, and never by Blockchain.info themselves.

I think R2D221 is right - it's about knowing the risks of the different wallet solutions.

For example, desktop wallets can all be compromised by malware and a key logger (which is why we want to support Trezor in MBHD as that's a tougher target for attackers to compromise).

If you are storing _serious_ amounts of money then I'd suggest using an offline solution such as Armory rather than MultiBit and having a dedicated computer with the offline data that is ONLY used for that.

Well if I had "serious" amounts of money, I wouldn't want to trust my keys to potential hardware failure.  So I have a printout of my keys which I can then use to import to any wallet I feel like using.

I really feel like this is the most "secure" solution.  Having a couple of hard-copies of your keys means they're safe from online theives, and let's be honest, even if you had a problem with burglary, it's unlikely that the burglers are going to recognize the value of a bitcoin private key even if they do run across the paper, they are looking for other types of stuff.

Why is Armory better in this case?

My post was about trying to minimize risk, not eliminate it.

Yes I bailed on multibit months ago.  It is just too flawed and got tired of it losing my BTC, even though I eventually recovered it.

It happened more than once?  Are you just trolling or is this for real?