risks of sharing Watch-only wallets

[BitcoinivaX]

We will ignore the privacy issues. I am talking about the risks related to losing your money or accessing the private key.

I share my public key with a lot of untrusted third parties or unprotected devices. And the following questions arise in my mind:

If my computer contains viruses, is there a risk of modifying watch-only data and inserting a suspicious public key? I mean, scammer adds their address when I click deposit.

Incorrect new transaction sign request created. scammer will change my sign data request.

any other risks?

[1714077871]

1714077871

[1714077871]

1714077871

[1714077871]

1714077871

[ranochigo]

I share my public key with a lot of untrusted third parties or unprotected devices. And the following questions arise in my mind:

If you share your master public key, the BIP32 one, it can be compromised when an attacker has both that and one of the child private key generated from its corresponding master private key.

If my computer contains viruses, is there a risk of modifying watch-only data and inserting a suspicious public key? I mean, scammer adds their address when I click deposit.

Incorrect new transaction sign request created. scammer will change my sign data request.

I'm assuming you're talking about an air-gapped wallet setup? There is a reason why most hardware wallets also have a screen on the device itself so the user can check the address again to see if it has been changed. Otherwise, there is no real risk of exposing your addresses (or public keys), they are pretty much available publicly when you spend the coins anyways.

You cannot change the address of a signed raw transaction without invalidating it.

[pooya87]

Whenever you spend bitcoin you are revealing your public key and there is no security issue when doing so.

If my computer contains viruses, is there a risk of modifying watch-only data and inserting a suspicious public key? I mean, scammer adds their address when I click deposit.

Incorrect new transaction sign request created. scammer will change my sign data request.

When you want to make payments you normally use an address not public keys, and it is easy for a malware (commonly known as clipboard hijacker to modify that address while it is being copied).
This is why you have to double check everything before signing and before broadcasting it again.

If you share your master public key, the BIP32 one, it can be compromised when an attacker has both that and one of the child private key generated from its corresponding master private key.

Only if the derivation path doesn't contain any hardened index.

[ranochigo]

Only if the derivation path doesn't contain any hardened index.

Yep. Hardened derivation paths doesn't have master public keys, or am I wrong?

[pooya87]

Only if the derivation path doesn't contain any hardened index.

Yep. Hardened derivation paths doesn't have master public keys, or am I wrong?

They have, you just can't derive hardened child keys using them (you can however derived non-hardened children). Master public key is essentially the corresponding public key of the master private key plus the chain code.

[mocacinno]

I find the question a tad bit difficult to understand, and most aspects have already been answered...

I do have an alternative way to interprete your question that hasn't been fully answered. The way i look at (or interpret) your question is that you're afraid that if you share a watch only wallet, a hacker could insert his own address into said wallet and you'd be funding the hacker's address instead of your own.
This isn't a real problem... It would only work for a non-HD wallet without encryption (or with encryption but a weak password) that you've shared with a hacker, received back from the hacker, and then started using the wallet you received from the hacker instead of the original one.

If a hacker gets his hands on a watch-only wallet because you decided to share it, and modifies said wallet, he/she still has to convice you to start using said modified wallet instead of the original one... If you're gullible enough to do this, you're probably gullible enough to just share your seed phrase (not that i'm saying you're gullible, i'm just saying that every wallet is vulnerable if you over-share and have no clue as to what you're doing)

[o_e_l_e_o]

-snip-

The confusion might stem from poor terminology. A lot of people use "master public key" to refer to "account extended public key". This is why you can give your "master public key" to a service and yet still derive addresses as m/44'/0'/0'/0/0, for example, which shouldn't be possible given the hardened paths. In actual fact you giving your "account extended public key" at m/44'/0'/0', so the service in question only needs to derive unhardened paths at 0/0.

This isn't a real problem... It would only work for a non-HD wallet without encryption

Not necessarily. It may still be possible, depending on the wallet software being used, to edit a wallet file based on a master public key and insert malicious addresses in to it.

[mocacinno]

--snip--

This isn't a real problem... It would only work for a non-HD wallet without encryption

Not necessarily. It may still be possible, depending on the wallet software being used, to edit a wallet file based on a master public key and insert malicious addresses in to it.

True, i was thinking about one specific wallet implementation where this would be impossible and i might have overgeneralised. That being said, the attacker would still have to get his victim to use the edited wallet... In the OP's case this still seems like a non-issue... Who would give his watch-only wallet to somebody he/she doesn't know, receives it back from said person and then starts using it...

It might be an issue when the hacker gains access to a vulnerable operating system and is able to edit a watch-only wallet without the owner's knowledge. But even then, i think encryption would solve the problem in most cases.

[o_e_l_e_o]

Even if you edit the wallet file, i doubt you can tamper/modify the unsigned transaction which created by the software.

I'm not sure I follow. Why would an attacker need to edit an unsigned transaction?

If an attacker can insert their own address in to a watch only wallet, presumably they are hoping their victim either gives out the attacker's address to an exchange or other service to process a withdrawal, or the victim sends coins to the address from another wallet. Any transaction would be created at a later date to the address being inserted.

[NotATether]

If my computer contains viruses, is there a risk of modifying watch-only data and inserting a suspicious public key? I mean, scammer adds their address when I click deposit.

Incorrect new transaction sign request created. scammer will change my sign data request.

any other risks?

It is not possible to sign a transaction from a request using a watch-only wallet, and when you create watch-only wallets it can only contain the public keys and addresses which can be derived from its master public key, not some arbitrary public key.

So the answer is no (and the signing will fail anyway because your airgapped computer does not have the attacker's private key).