stolen from wallet or technical problem?

[wwortel]

Since a few days, and after having switched to a current version of bitcoind, my wallet has lost the indications of confirmations that it had before on the transaction that happened since a year ago. Older transaction do still show confirmations. Listing all transactions in the wallet and adding all movements in a spreadsheet, there should be a  positive of 0.1 BTC, as was the case before a few days ago. But  'getbalance' for all the accounts in the wallet now gives 0.0
Tried a few transaction IDs on blockchain.info and there they do show confirmations. Have done reindex and rescan, no effect. Most outgoing payment transactions that have zero confirmation in the wallet on blockchain appear to come from other accounts than are in the wallet although the destinations and amounts do correspond. Is that normal?
An example of the latest transaction. From the wallet itself:
{
  "amount": -0.05903700,
  "fee": -0.00002260,
  "confirmations": 0,
  "trusted": false,
  "txid": "58350d73a085a4929a923a3c48575ad2624e439019175e93ed0d57114627435b",
  "walletconflicts": [
  ],
  "time": 1479225750,
  "timereceived": 1479225750,
  "bip125-replaceable": "unknown",
  "details": [
    {
      "account": "account_id",
      "address": "1PPZH8QBzNKnJojuDo1aC2mvPrDPRjCtPF",
      "category": "send",
      "amount": -0.05903700,
      "vout": 1,
      "fee": -0.00002260,
      "abandoned": false
    }
  ],
  "hex": "0100000001f4dbfb7e97477a91fff01485c3872d8a9b9a1ee8d0acd1ab67437cf751f7b42b00000 0006a473044022042bd7acd2848711435235eaed1f4f8055a803a28ba22b27a208f472f6f9aa52b 02206bd59451026cbbd8be15f5fce558d1f40b94f36abe998a2005b337c9fd2d6f780121032d741 a4afbd8f836e13c099b14b163b865a68512708a22ae4a6691215e60089dfeffffff0214fcba0000 0000001976a91432171e4585e5b026aedbc5d0138123f2a09d369c88ac54155a00000000001976a 914f596dcde98636076eb67e4dd466a6e23d781157488ac09b30600"

From Blockchain:
1DjCip12RxzjckipFunsCEZc4X3vzr1UbZ  ==> 15ZrUsnSHmnKNcbnFtDaF9qzNMgh16pfaH 0.12254228 BTC
                                                                ==>  1PPZH8QBzNKnJojuDo1aC2mvPrDPRjCtPF 0.059037 BTC
Summary
Size    225 (bytes)
Received Time    2016-11-15 16:02:34
Lock Time    Block: 439049
Included In Blocks    439051 ( 2016-11-15 16:05:57 + 3 minutes )
Confirmations    1279 Confirmations
Relayed by IP    52.16.252.109 (whois)
Visualize    View Tree Chart
Inputs and Outputs
Total Input    0.18160188 BTC
Total Output    0.18157928 BTC
Fees    0.0000226 BTC
Estimated BTC Transacted    0.059037 BTC
}

Account 1DjCip12RxzjckipFunsCEZc4X3vzr1UbZ is not one of my wallet though.

There are 14 transactions in the wallet like this, zero confirmation indicated in the wallet, but with confirmations on blockchain. Transactions before these 14 are OK.

Is there a way to recover my 0.1 BTC ?

[DannyHamilton]

Lets start with some definitions so we both talk about the same thing without confusing each other.

You are using bitcoind which is A WALLET.  A wallet is something that stores all your private keys.  Often wallet software also provides additional features such as displaying some (or all) of the addresses that can be generated from those private key, and allowing you to create and track transactions.

1PPZH8QBzNKnJojuDo1aC2mvPrDPRjCtPF is NOT a wallet, and it is NOT an "account".  It is a bitcoin address.  Your wallet generates these addresses from the private keys that it stores.  There is exactly 1 address for each private key.  If your wallet has 15 addresses, then it has 15 private keys. Wallets don't always show you ALL of the addresses that  they have.  Sometimes wallets generate additional "hidden" addresses for internal use, and don't tell you about them.

That being said, it looks like your wallet has somehow become un-synchronized with the blockchain.  I'm not sure how that could happen, but I'm willing to help you investigate this a bit.

Since you state that transactionID 58350d73a085a4929a923a3c48575ad2624e439019175e93ed0d57114627435b IS a transaction of yours, I assume that:

• 2bb4f751f77c4367abd1acd0e81e9a9b8a2d87c38514f0ff917a47977efbdbf4 is yours sending 0.019769 BTC to 12ZrLaS5YJpeZAsaRBYENdEN7SbNWMn5xc
• e76bde930d1a080e808d3d333cda4e2aa8ae6ba84f58fd506997cfd689c8cd1d is yours sending 0.032483 BTC to 1EYsv6Ze7KDMonnK12TKAqsrXMekfi7C3W
• a972fc44fc680f9ae08945cf534e3af0c8620fcc68cd1bd019c8588b57eb2c4d is yours sending 0.089844 BTC to 1KJgdx11jvoTVAaUXdf6TEj885zGjtpNcu
• 0581fe5259ae65efd2ad98f3e2f8881a11429520b17df12333d78a30eda665e4 is yours sending (or receiving) 0.32394308 BTC to 15nicYvCaeZM4jwYxPPi3NZKQqNWiJovF1

Are any of these transactions confirmed in your wallet?  If so, which ones?  Is that last address (15nicYvCaeZM4jwYxPPi3NZKQqNWiJovF1) an address that you see as yours in your wallet.

Additionally, can you please run the following command in your wallet, and post the results here:

Code:

getinfo

That command won't return anything private or security related, so it is safe to share the results publicly.

[wwortel]

first: thanks for your willingness to help and sorry for my inaccurate use of terminology.
Results from getinfo:
{
  "version": 139900,
  "protocolversion": 70015,
  "walletversion": 60000,
  "balance": 0.00000000,
  "blocks": 259724,
  "timeoffset": -3,
  "connections": 35,
  "proxy": "",
  "difficulty": 112628548.6663471,
  "testnet": false,
  "keypoololdest": 1394294721,
  "keypoolsize": 101,
  "unlocked_until": 0,
  "paytxfee": 0.00010000,
  "relayfee": 0.00005000,
  "errors": "This is a pre-release test build - use at your own risk - do not use for mining or merchant applications"
}
(this is momentary situation; currently bitcoind is restarting from scratch and getting the blockchain loaded again)
As there is enough space on disk I have set the old /usr/.bitcoin folder aside. Comparing the first 70 or so block000nn.dat, new to old, none of them seem to be equal (just compared md5sums); weard.

Have been able to get all private keys from the wallet for all addresses the wallet lists for the accounts it contains. So therefore have left the wallet alone for now, assuming that the problem is in the local database and not in the wallet. But your list of four transactions makes me wonder ...

As to transaction 58350d73a085a4929a923a3c48575ad2624e439019175e93ed0d57114627435b , indeed done from my wallet.
The first two in your list of four I do find listed in my wallet; dates 13 Sep 2016 and 25 Jun 2016.
The third is not my wallet sending but actually receiving; the address shown is a local address , not the 1K... Ncu
The fourth is unknown in my wallet. Asking the wallet 'gettransaction 0581...5e4'  yields: error code: -5 error message: Invalid or non-wallet transaction id

Am puzzled.

 

[wwortel]

In addition, according to the wallet:
third transaction is not only receiving but also a different amount, 0.23389908,  not 0.089844.
'getaccount 15nicYvCaeZM4jwYxPPi3NZKQqNWiJovF1'  returns without a reply, so appears not to be a (secret) address in my wallet.

[achow101]

As there is enough space on disk I have set the old /usr/.bitcoin folder aside. Comparing the first 70 or so block000nn.dat, new to old, none of them seem to be equal (just compared md5sums); weard.

Not weird at all. Bitcoin Core writes blocks to the disk as it receives them so the order that blocks are written to the disk is not the same from download to download.

In addition, according to the wallet:
third transaction is not only receiving but also a different amount, 0.23389908,  not 0.089844.
'getaccount 15nicYvCaeZM4jwYxPPi3NZKQqNWiJovF1'  returns without a reply, so appears not to be a (secret) address in my wallet.

Accounts in Bitcoin Core are not the same as addresses. Addresses are not automatically added to accounts with the same name as the address. Accounts are also deprecated, so you should stop using them.

What happens if you run listtransactions?

[wwortel]

Thanks for explaining that the enumeration in the names of the block files is just the order of reception and not a specific block.

used the 'getaccount' command line because 'help' states:
== Wallet ==
....
getaccount "bitcoinaddress"
....

On 'listtransactions' it just gives the last 10 transactions, the last in the list being the most recent one one that I already gave in my initial question. 'listtransactions <accountname> 40 0' gives all of them for that account.
All confirmations are =0 now, also the older transactions that earlier still showed confirmations, but that is normal I guess as the blocks database is rebuilding.

[achow101]

Thanks for explaining that the enumeration in the names of the block files is just the order of reception and not a specific block.

used the 'getaccount' command line because 'help' states:
== Wallet ==
....
getaccount "bitcoinaddress"
....

Sorry, I misread your previous post, I thought you were doing getbalance.

To check if an address is in your wallet, run validateaddress <address> where <address> is the address you want to check. There will be a field labeled "ismine". If it is true, the address is part of your wallet.

On 'listtransactions' it just gives the last 10 transactions, the last in the list being the most recent one one that I already gave in my initial question. 'listtransactions <accountname> 40 0' gives all of them for that account.
All confirmations are =0 now, also the older transactions that earlier still showed confirmations, but that is normal I guess as the blocks database is rebuilding.

According to your previous getinfo, you are not synced yet, so your wallet does not know whether the transactions have been confirmed. You need to be fully synced for it to know.

[wwortel]

{
  "isvalid": true,
  "address": "15nicYvCaeZM4jwYxPPi3NZKQqNWiJovF1",
  "scriptPubKey": "76a9143485f5490462064fbf723e2ac365c3be8e5b104788ac",
  "ismine": false,
  "iswatchonly": false,
  "isscript": false
}

So the address you suggested to check is NOT in my wallet.

[DannyHamilton]

{
  "isvalid": true,
  "address": "15nicYvCaeZM4jwYxPPi3NZKQqNWiJovF1",
  "scriptPubKey": "76a9143485f5490462064fbf723e2ac365c3be8e5b104788ac",
  "ismine": false,
  "iswatchonly": false,
  "isscript": false
}

So the address you suggested to check is NOT in my wallet.

Correct. It looks like I went too far back up the chain of transactions in my analysis of the blockchain.  The 15nicYvCaeZM4jwYxPPi3NZKQqNWiJovF1 address apparently is not yours, and the 0581fe5259ae65efd2ad98f3e2f8881a11429520b17df12333d78a30eda665e4 transaction was not sent to you or from you.

It looks like the person that does have the address 15nicYvCaeZM4jwYxPPi3NZKQqNWiJovF1 used that address to receive 0.32394308 bitcoins on 2015-12-15.  Then they sent 0.089844 of those bitcoins to you on the same day at your address of 1KJgdx11jvoTVAaUXdf6TEj885zGjtpNcu.

So, it doesn't sound like your wallet has lost any addresses or transactions at all.  We won't know for certain until it is done synchronizing the blockchain.  Let us know when that's done and we can investigate some more if necessary.

[wwortel]

thanks.
Has 'getinfo' an entry that indicates that the block chain has been fully retrieved, and/or the wallet supposedly synced? Or must one check with info from the internet on the # of blocks?

Your blockchain analysis: 1KJgdx11jvoTVAaUXdf6TEj885zGjtpNcu is not an address in my wallet either.

[DannyHamilton]

Your blockchain analysis: 1KJgdx11jvoTVAaUXdf6TEj885zGjtpNcu is not an address in my wallet either.

I understand. I apologize for the confusion. I made some assumptions based on your original post. Lets wait for synchronization to finish, then we'll stop guessing and see if we can figure out what is actually happening.

Has 'getinfo' an entry that indicates that the block chain has been fully retrieved, and/or the wallet supposedly synced? Or must one check with info from the internet on the # of blocks?

If the "blocks" value is higher than 440400 then you are close enough to synchronized that all you past transactions should be found and confirmed.

To find the current blockheight, you could run:

Code:

getpeerinfo

and look for the maximum "startingheight" value among the results.

I think you might also be able to run:

Code:

getblockcount

and get the same result, but I can't remember if that returns the height of the blockchain according to peers, or if it returns the blockheight of your blockchain.

[achow101]

If the "blocks" value is higher than 440400 then you are close enough to synchronized that all you past transactions should be found and confirmed.

To find the current blockheight, you could run:

Code:

getpeerinfo

and look for the maximum "startingheight" value among the results.

I think you might also be able to run:

Code:

getblockcount

and get the same result, but I can't remember if that returns the height of the blockchain according to peers, or if it returns the blockheight of your blockchain.

Just use getblockchaininfo. It will return the blockchain info that your node currently knows. It will tell you the current block height in the field labeled "blocks".

[wwortel]

tnx, getblockchaininfo gives 'blocks' (in local data base) and 'headers' (equal to last block # as published on blockchain.info); my system is now on 2/3 of getting a fresh block chain loaded.
Keeping fingers crossed that my wallet will return to the positive balance it had.

[shorena]

tnx, getblockchaininfo gives 'blocks' (in local data base) and 'headers' (equal to last block # as published on blockchain.info); my system is now on 2/3 of getting a fresh block chain loaded.
Keeping fingers crossed that my wallet will return to the positive balance it had.

Blocks is how many blocks are fully verified,
Headers is how many headers of blocks are verified.

If headers matches the max value found for startingheight in peerinfo[1] you should be fully synced soon.


[1] e.g. via: bitcoin-cli getpeerinfo | grep startingheight | grep -o [0-9]* | sort -n | tail -1

[wwortel]

Have not been back yet because my VPS provider started complaining about excessive HDD R/W rates caused by bitcoind starting from scratch and disconnected the server.
Have now arranged for some more RAM (may be it was excessive swap memory use with 512 MB RAM) but it is quite tedious to get everything fully synced again.
As of now:
  "chain": "main",
  "blocks": 351233,
  "headers": 441299,
  "bestblockhash": "00000000000000000fd906a46b219d6ac23bb8b398673b3b71cd7a3a510862ff",
  "difficulty": 49446390688.24144,
  "mediantime": 1428482166,
  "verificationprogress": 0.4964225443011787

All recent 2015/2016 wallet transactions still at 0 confirms, those from 2014 at > 50.000 confirms

[wwortel]

Finally, after having moved the incomplete blockchain to another VPS, it has completed and, yes, all transactions in the wallet have gotten confirmed again.
So the original problem has been a corruption of the database.

Building and verifying the block chain from scratch is a monumental task for a Virtual Private Server. The space and traffic are not the issue; it is the extremely intense R/W to disk that causes problems and is relatively slow. Bot on a VPS with 2GB RAM and on the current one with 4 GB Ram, quite soon bitcoind started using swap space. Typical disk R/W were around 40 MB/s.
I add a picture with three interesting graphs that show the process.http://dorpstraat.com/pictures/VPS_24hours.png.
The server is currently not doing any other task of substance but bitcoind (with wallet, without Qt, and now a Dec 4 2016 bitcoind version compiled against BerkeleyDB 5.3 as I had read somewhere the 4.8 might contribute to memory leakage) 

From left to right
* retrieving 80% of the blockchain via rsync from the other VPS that cannot handle the disk R/W intensity,
* many hours of getting the chain current and of verification with the wallet showing gradually more confirms on recent transactions
Note the extremely high R/W to disk
* normal operation, disk R/W has reduced to reasonable levels.
 
Thanks for your help and suggestions and I hope something can be done to make this process of catching up less disk intensive.