Coinbase Wallet - Is my $ lost because I pressed this one button (dangerous)?

[dadbody00]

I have been a user of Coinbase and Coinbase Pro for years, so when I decided to try a Wallet with them I think my gravest error was perhaps being too comfortable with the brand and services -- and it cost me $15,000...and growing...

It began with excitement to try Uniswap.  I looked at the wallets that could link and there I saw one by Coinbase.  Great.  They have been my loyal crypto bank for years.  So I excitedly downloaded the App and created a wallet.  It asked me to create a user ID, a pin, plus another thing I could "Save for Later."  I plowed ahead and the wallet worked well.  It used my biometrics to open and close and transfers happened almost instantaneously between my CB acct and the Wallet, like Coinbase Pro does.  It seemed like another great product that linked my accts together and I was in good hands.  So I transferred more funds into it.  And then I transferred more funds...

Until one day after my iPhone auto-updated, when I tried to open my Wallet it asked me to create a new Wallet or use a back up.  Back up?  I touched my thumb to the pad again. Why isn't it opening like usual?  My stomach started to sink.  Is this Keys and Back Up thing they now want, could that possibly be, the seemingly random action that I was able to click past and "Save for Later" when first setting up my account?  I think you know where this is going.

I am not totally unfamiliar with Seed Keys.  I had a Nano Ledger in the day and that product made you very aware of your Seeds.  It was impossible to even begin to use the product without them.  I used Trust Wallet and it made me go through an entire process of re-arranging the Seed words before I could even proceed with the account, all helping me as a consumer understand the significance and importance of the process and making sure I did not proceed carelessly.

Upon realizing that Coinbase was not one of the aforementioned quality providers of Seeds, I started to have a panic attack and after convo with tech friend decided to restore my iPhone to before the update.  (Note: While restoring iPhone I had to "Save for Later" about a half dozen actions like Siri, Apple Wallet, other add-ons and extras like we often see).  Once updated, I waited for the apps to load.  Then I held my breath and first tried Coinbase main app.  It opened automatically with my fingerprint.  Bingo.  Then I tried Coinbase Pro.  It also opened with my fingerprint.  I was feeling hopeful!  So I confidently tried Coinbase Wallet... and it loaded..for a moment...before flashing an error message:  "Failed to retrieve keys, please sign in again (Error Code -25300).  Two buttons overlayed above my account that show values updating in real time: Sign Out or Retry.  I have "Retried" a hundred times but it just flashes the same message. 

I can't get past the error message yet I can see my coins in the wallet, the values updating in real time, as a reminder of how much I failed my family and myself, and about how much Coinbase failed me.  In trying to protect the sacred Keys from some villain in a virtual world, they failed to protect me, the long-standing customer, an average person prone to digital overload in the real world.

I wrote Coinbase promptly and they kindly told me they would transfer me to a Specialist.  After several days I got a copy and pasted email of the same canned fine print from the website about how the Seed Keys are my sole responsibility and essentially that my funds are gone.  What Seed Keys, I said?  You never showed them to me.  Literally.  I don't know where they resided in the app.  I submit that is a problem.  As I long time customer of Coinbase, I am very disappointed and believe that my trust in the company is partially what emboldened me to press "Save for Later."  It was like buying a trusted name brand.  It is why I chose their wallet in the first place.  I know we can point fingers and say, welcome to crypto, dummy!  Or...you are an idiot!  Trust me, I know!  But I can't help but think how easily Coinbase could have and should have protected people like me with better processes that are at least up to industry standard.

One problem is I sincerely don't believe Coinbase cares about me or my business.  If they did, they would have put more than five seconds into making sure this cannot happen so willy-nilly.  As an example, even when you delete an account from Google Authenticator it says it is holding onto it securely for 48 hr hours.  And I can't even proceed into some exchanges without setting up 2FA and authenticating all my credentials simultaneously.  Yet CB allowed me to unknowingly hand over the keys (excuse me, throw away the keys) by pressing "Save for Later" and an auto-Apple Update... while providing the illusion through a pin and biometrics that I was secure.

Long story short (too late)...Is there any possible way to retrieve the keys or do a workaround since my phone pretty much opens it up but just can't get past the error message?  Is there any action at all to take?

Moreover, I want Coinbase to make sure they fix this issue by adopting industry standards with protocols for Seed Key distribution so it never happens again to anyone else.

Any ideas toward any of these is very welcome!

"Save for Later"

[1714988192]

1714988192

[1714988192]

1714988192

[PrimeNumber7]

You may be able to access your old keys/seed if if you can access your old backups from your iCloud account.

Based on your story, I don't think your beef is with Coinbase, I think your beef is with either apple or with Uniswap.

[nc50lc]

Based on your story, I don't think your beef is with Coinbase, I think your beef is with either apple or with Uniswap.

The thing that's wrong in their implementation of a "non-custodial" wallet is to let the user create and use a wallet without backing-up the seed phase.
After creating the wallet you'll have the option to select "later" on those important matters like "backup recovery phrase".
Other mobile/online wallets do this but it's usually tied with an account username and password to access the encrypted copy in their server even if the seed phrase wasn't backed-up.
"Good wallets" wont even let the user create the wallet without copying the phrase and confirming the backup.

So I confidently tried Coinbase Wallet... and it loaded..for a moment...before flashing an error message:  "Failed to retrieve keys, please sign in again (Error Code -25300).  Two buttons overlayed above my account that show values updating in real time: Sign Out or Retry.  I have "Retried" a hundred times but it just flashes the same message.

Some restored files in your phone must be corrupted and it's a common thing in file recovery.
It's a non-custodial wallet so the corruption might have affected your keys that were saved in the device.

I don't use iPhone but try to contact your "friend" if he can make a backup of your phone, some keys may still be somewhere in the app's data, the problem is finding out where to find them.

[Pmalek]

It's a sad story, and although I agree with what you and nc50lc said about the possibility of saving the seed for later, ultimately, it was you who was careless and didn't take proper care of your sensitive information. You went with convenience instead of security. The secure way to do it would be to make multiple copies of your recovery phrase and store them in different locations. After that, you could have tried to restore your wallet to see if you wrote down the seed correctly and it's recovering the correct addresses.

The fact that Coinbase can't help you to recover your seed is exactly how the system is set up to be. Imagine if customer support representatives had access to seeds, what would be the point of Bitcoin and a non-custodial wallet?

I hope you will find a way to recover your money and never make shortcuts like you did with the seed phrase.   

[HCP]

Ouch. It was painful to read that...

Sadly, a not uncommon occurrence... users skipping through setups, eager to play with their bitcoins (perhaps a little too eager?)... not reading everything perhaps as well as they should... perhaps not taking the time to understand exactly what it is they're doing... or how the wallet/app works

Roll forward a little bit and some unforeseen event occurs (hardware failure, OS update, lost phone etc)... and suddenly, they're looking for information that they skipped over


Being your own bank affords some great freedoms... but also demands some great responsibilties... Crypto can be really unforgiving of "minor" mistakes.

[dadbody00]

Thanks all for taking the time read this.  Sincerely.  And I appreciate the feedback and insight.

I have recently been able to get back into my Wallet and connect it to my Coinbase account, and scroll through coins, and see my values etc...but the Seed phrase still won't show.  It is unclickable.   And the Wallet times out with transactions (even to my Coinbase account which it lets me link to with 2FA) so something is still off.  And in the end, the Seed phrase has yet to have ever been provided to me.  And if that is the one and only fail safe for a product that seems like it knows ahead of time it will lose your private keys on your device, then it must be better executed.

Trust Wallet does a good job.  I checked that out.  It makes Coinbase look like a con job.  In fact, the more research I have done the more negligent and dangerous I find the Coinbase product to be.  I believe they even slapped their brand name on someone else's Toshi Wallet which is always a sign.

I too would like to make very shitty products and then blame the customer for his stupidity and ignorance, but this isn't a microwave.  This is potentially people's financial lives.  Why not just make absolutely sure you actually give the buyer the key and he has them in his hand before you ride off into the sunset.  Don't leave it in the grass and motion to it.  Don't mumble.  If he knew they were there and he was going to get locked out, don't you think he would take them???  Physically show it like other companies do.  Produce it in reality rather than wishful thinking.  Is that too much to ask?  It is common sense and required in every other industry.  And if you really want to get a gold star do what the other companies do and have them re-arrange the Seed or something just to be extra sure he saw it.  But to never ever show it.  To bury it in the backend and then have it grayed out?   It is not a question of the consumer being "too" eager to use a product.  Maybe I was but people aren't going to change.  The shitty app design is what needs to change.

In the end, I think Coinbase is the eager and careless party rushing a reckless product that lacks common sense and is below industry standards.  With any financial service product comes great responsibility and the "blame the customer" model is a poor business trajectory.  Especially when so solvable.

Coinbase never showed the Seed phrase and therefore never provided it before the app crashed.  That is a problem.

[PrimeNumber7]

Based on your story, I don't think your beef is with Coinbase, I think your beef is with either apple or with Uniswap.

The thing that's wrong in their implementation of a "non-custodial" wallet is to let the user create and use a wallet without backing-up the seed phase.
After creating the wallet you'll have the option to select "later" on those important matters like "backup recovery phrase".
Other mobile/online wallets do this but it's usually tied with an account username and password to access the encrypted copy in their server even if the seed phrase wasn't backed-up.
"Good wallets" wont even let the user create the wallet without copying the phrase and confirming the backup.

It is really not possible to confirm the user has backed up the seed-phrase beyond forcing the user to check a box saying they have done so. A user could screenshot a seed, or copy it into a notepad document to help them "confirm" their seed is backed up.

While I do agree that user should backup their seeds before using their wallet to hold any substantial amounts of coin, I am not in favor of forcing people to do anything. IMO it would be superior for a wallet to educate users as to the importance of backups and let them make their own decisions. I'm sure there are lots of situations in which people will 'test' wallet software with smaller amounts of coin to see how they like the UI, and might not be inclined to make a serious effort of backing up their seed. Allowing for the "later" option for when a seed will be backed up (along with a stern warning) might result in some additional wallets being backed up.

[nc50lc]

-snip-

It is really not possible to confirm the user has backed up the seed-phrase beyond forcing the user to check a box saying they have done so. A user could screenshot a seed, or copy it into a notepad document to help them "confirm" their seed is backed up.

I have tested a lot of wallet and those types usually have a "confirmation page" next to the window where the seed phrase is displayed.
There, the user will have to paste some words (2-4) in random positions to confirm that the user did backup the phrase and to check if the backup is correct.

For the trouble of backing up, forcing people to backup IMO has more advantages than disadvantages; people familiar with non-custodial wallets will surely back it up regardless whether it's forced or not, then people who have no idea of a seed phrase will be forced create a backup before they can create a wallet, the issue in the OP wouldn't have happened if this was the case.
Educating the user is good but not all people read what's written in the notes, if the backup procedure is "forced" and they can't proceed, they may as well read what's written in the warnings.

For "testing purposes", I'll just copy paste it to a txt file for easy access, it's not too much of a hassle.

[dadbody00]

These are all great thoughts. 

I don't like forcing a user to do too much either.  I don't even necessarily like the idea of forcing someone to digitally backup the wallet.

BUT I DO think they need to have "shown" the words "on screen" at some point to consider it delivered.  (especially if they don't require the other stuff we talked about). 

I was NEVER ever shown a Seed phrase and therefore believe I was never provided it in my opinion. It is like selling a house without physically producing the keys and then blaming the buyer when he gets locked out five seconds later.  That is absurdly dangerous and not very hard to change.

Also I re-tested the acct opening process on my wife's phone and we both were in agreement that having it say "backup" to cloud without really knowing what they are talking about is kind of weird and confusing for some.  I didn't even know what that meant.  Back what up?  The application?  My iPhone is already backing up through the cloud.  Why do I need their backup?  That is not a completely irrational thought.  I have to give an account name, a pin, it uses my biometrics... but none of it mattered.  None. 

You can't sell expensive properties without providing the keys.  Coinbase failed to provide them.  They hid the Seed words as far as I am concerned in a backend menu.

As is, it is a very dangerous financial services application for general use to the public.  They need to know this and do better.

[nc50lc]

As is, it is a very dangerous financial services application for general use to the public.  They need to know this and do better.

Leaving a 1-2 star review to their app with similar context to your post is usually enough to get Coinbase's attention.
Most of the time, developers respond to reviews with low rating.

[o_e_l_e_o]

In the end, I think Coinbase is the eager and careless party rushing a reckless product that lacks common sense and is below industry standards.

You've pretty much just summed up Coinbase's entire business model. If it attracts new users to their platform, they don't actually care about how well it does (or does not) function.

Educating the user is good but not all people read what's written in the notes, if the backup procedure is "forced" and they can't proceed, they may as well read what's written in the warnings.

Agreed. TrustedCoin on Electrum is a great example of this. It spells out quite clearly when you make a new wallet that you will be charged a fee for to use the service. The entire text you have to agree to is 4 very short paragraphs - it can be read in under 30 seconds - and yet we have endless users not understanding why they have been charged a fee and starting new threads complaining about it. Please do not read instructions, even when it comes to their financial security, but if you make a page that they cannot progress past without confirming their seed, then they will at least read what they are supposed to do.

I don't even necessarily like the idea of forcing someone to digitally backup the wallet.

This would be a terrible idea. The whole point of seed phrases is to not back them up digitally. Writing them down on paper and keeping them offline is far more secure. Any wallet which forces you to back things up to a cloud server or otherwise digitally should be avoided at all costs.

[PrimeNumber7]

-snip-

It is really not possible to confirm the user has backed up the seed-phrase beyond forcing the user to check a box saying they have done so. A user could screenshot a seed, or copy it into a notepad document to help them "confirm" their seed is backed up.

I have tested a lot of wallet and those types usually have a "confirmation page" next to the window where the seed phrase is displayed.
There, the user will have to paste some words (2-4) in random positions to confirm that the user did backup the phrase and to check if the backup is correct.

For the trouble of backing up, forcing people to backup IMO has more advantages than disadvantages; people familiar with non-custodial wallets will surely back it up regardless whether it's forced or not, then people who have no idea of a seed phrase will be forced create a backup before they can create a wallet, the issue in the OP wouldn't have happened if this was the case.
Educating the user is good but not all people read what's written in the notes, if the backup procedure is "forced" and they can't proceed, they may as well read what's written in the warnings.

For "testing purposes", I'll just copy paste it to a txt file for easy access, it's not too much of a hassle.

If you copy a seed into a text file (that may not even get saved), you are not really backing up your seed. I do the same thing when I am deciding if I want to use a different wallet software.

If a wallet knows that you have not backed up your seed, it can warn you about the risks associated with not having backups until it believes you have created a backup. If a user were to fool the software they created a backup with a text file for example, there would be no reason for the software to continue bugging the user to create a backup.

Someone who keeps $100 in their phone wallet to use to buy lunch might understand the risks associated with not having backups, and not create them because of the amounts involved. However, if they were to later send thousands of dollars worth of coin to that wallet for whatever reason, they would probably want to have backups, but the fact they never created a backup might get overlooked.

[nc50lc]

For "testing purposes", I'll just copy paste it to a txt file for easy access, it's not too much of a hassle.

If you copy a seed into a text file (that may not even get saved), you are not really backing up your seed. I do the same thing when I am deciding if I want to use a different wallet software.

"Pasting it to a txt file" is a reply to the "test" part, it's pretty obvious given the text "For testing purposes". A note about not actually backing up the seed in that case is unnecessary.

For the other parts, I've already posted my opinion.

[HCP]

For the record... Coinbase wallet asks if you want to create a backup when you set up a new account

"Take 2 minutes to back up your wallet, and never risk losing your money."



Tapping backup takes you to the "Recovery Phrase" window... with a (!) Not backed up warning at the top... your 12 words and the text:

These 12 words are the keys to your wallet. Back it up on the cloud or back it up manually. Do not share this with anyone

And then provides 2 options:
- Back up on Google Drive (I assume because this is Android version, not iOS)
- Back up manually

I can't take screenshots, because the app doesn't allow screenshots on the recovery phrase windows for security reasons If you don't complete the process by either backing up to the cloud, or backing up manually (which requires that you re-enter all the words in the correct order), it shows the following in the settings menu:


You get the (!) warning symbol next to the "Recovery Phrase" option... Tapping that options takes you to back to the Recovery Phrase window as above.

I should point out that if you click "later" (or the 'x') to close the backup popup... then close and re-open the app, you get the "Don't risk your money" pop-up again.


What do people think?

- not enough? Should the app just go straight to the "Recovery Phrase" window and refuse to let the user use the app without completing the backup process at least once?
- Just right? It offers the backup option at startup, but also gives the "Later" option if you're willing to accept the risk of not having a backup and reminds you to backup later if you haven't.
- Too much? nagging popups are annoying and unnecessary!

[dadbody00]

My response is... No, not enough. 

I simply pressed "Later" not understanding what they were asking and then transferred money and then the app crashed and I lost what is now $20,000.

My massive error was not properly understanding what Backup meant.  Back what up?  My iPhone is already backing up through the cloud.  Why would I need their stupid backup?  I had to give an account name, a pin, it uses my biometrics... but none of it mattered.  None.   

Why not simply show the words/keys before letting someone transact.  Or why not say, "If you lose these Seed words, you lose all your money?"

One button/misunderstanding at the very beginning should not cost $20,000.  It coulda cost millions.  Would that be okay?

Coinbase needed to show me the Seed words before letting me transact.  They did not.  They never showed me any Seed Phrase and therefore never provided it.  Burying something in Settings is completely irresponsible.  Just show the words UP FRONT. 

Whatever they did failed me.  Did it not?  Am I just an idiot and deserve to lose all my money because I missed a button?  Are all the other people who it has happened to also just so stupid they deserve?  There should be 0% chance of someone never seeing the Seed words.

[dadbody00]

To answer your question...Should the app just go straight to the "Recovery Phrase" window and refuse to let the user use the app without completing the backup process at least once?

YES.  It is called providing the password.  If there is a magic word to a vault, you tell the customer the magic word.  Why would you not?  Is there someone out there who doesn't want to know the magic word to the vault?

I plan to file a lawsuit against Coinbase go through their Arbitration process.  Who knows how that will go down but I truly feel cheated of common sense.  And it also irks me that I chose to use Coinbase's wallet because they were my trusted crypto bank.  I wish I just used Trust Wallet now obviously.  Would have saved me a lot of money and headache.

Just tell the customer the magic word before you lose the keys to the vault.

[o_e_l_e_o]

You get the (!) warning symbol next to the "Recovery Phrase" option... Tapping that options takes you to back to the Recovery Phrase window as above.

I should point out that if you click "later" (or the 'x') to close the backup popup... then close and re-open the app, you get the "Don't risk your money" pop-up again.


What do people think?

Definitely not enough. Every other good wallet I have used which uses seed phrases displays them by default on set up and requires the user to confirm them on the next screen. If the user copies and pastes or uses some other method to avoid writing down the seed phrase, than that is entirely their fault and they cannot argue they were not given adequate notice or warning. But not displaying the seed phrase by default, allowing the back up to be skipped and still have full use of the wallet, and not providing future reminders other than a small "!" in the settings menu is not enough in my opinion. If they aren't going to display the seed phrase by default when you create the wallet, then I would expect something like a notification screen every time you open the app or a banner at the top visible at all times saying that you have not backed up the wallet.

Coinbase market their wallet as an easy to use solution for non-technical minded users who may feel uncomfortable using a more technical wallet. These users may be entirely unaware of the importance of seed phrases, as in OP's case. Giving them the option to skip the only way to recover their coins is unacceptable.

[HCP]

But not displaying the seed phrase by default, allowing the back up to be skipped and still have full use of the wallet, and not providing future reminders other than a small "!" in the settings menu is not enough in my opinion. If they aren't going to display the seed phrase by default when you create the wallet, then I would expect something like a notification screen every time you open the app or a banner at the top visible at all times saying that you have not backed up the wallet.

errr... that's exactly what it does... you even quoted that part

I should point out that if you click "later" (or the 'x') to close the backup popup... then close and re-open the app, you get the "Don't risk your money" pop-up again.

If the user copies and pastes or uses some other method to avoid writing down the seed phrase, than that is entirely their fault and they cannot argue they were not given adequate notice or warning.

How is showing 12 words and getting the user to re-enter them "adequate notice or warning" compared with:

"Take 2 minutes to backup your wallet, and never risk losing your money"

IMO, the real issue, as someone mentioned earlier, is education... if someone doesn't understand that they need a backup of a wallet because iCloud backup isn't a magic bullet... they're probably not likely to realise how important the 12 word backup is anyway... and that's when people take screenshots, or email them to themselves, or scribble it on an easily lost post-it/notepaper so they can "just get past this stupid dialog and start using the app" etc... and then they just end up losing money further down the line.

It's certainly a shitty situation... and I've done it myself... granted, only a tiny fraction of the amount lost here... so I was lucky and learned the lesson "cheaply".


@dadbody00, best of luck with the arbitration... and I hope this experience hasn't totally put you off crypto.

[o_e_l_e_o]

you even quoted that part

Oh lol, I misread as "you don't get the "Don't risk...". My bad. So if you haven't made a back up, you get that warning every single time you open the app?

How is showing 12 words and getting the user to re-enter them "adequate notice or warning" compared with:

"Take 2 minutes to backup your wallet, and never risk losing your money"

Because forcing the user to re-enter the words on a new screen means they must have copied them somewhere. It might be somewhere inappropriate such as taking a screenshot, but it still forces them to make a copy in some format. Having a button which allows you to skip the whole process entirely is inadequate.

if someone doesn't understand that they need a backup of a wallet because iCloud backup isn't a magic bullet... they're probably not likely to realise how important the 12 word backup is anyway...

Surely this is all the more reason to force them to view the seed phrase and re-enter it on the next screen. If they don't know how important a seed phrase is, then giving them the option to skip over it entirely doesn't exactly help the issue.

[PrimeNumber7]

You get the (!) warning symbol next to the "Recovery Phrase" option... Tapping that options takes you to back to the Recovery Phrase window as above.

I should point out that if you click "later" (or the 'x') to close the backup popup... then close and re-open the app, you get the "Don't risk your money" pop-up again.


What do people think?

I think the user should be reminded to backup the seed until the software has confirmed the seed has been backed up. IMO, the importance of backing up the seed should be made more clear, as I can understand how a new user of bitcoin might not understand what this means and the implications of not backing up their seed.

This would remove the incentive for the user to 'fool' the software into believing they have backed up their seed, and would help educate newer users as to the importance of backups.