How can I validate the generated bitcoin address with my hardware wallet

[jeanluca]

I want to use Sparrow wallet (desktop) and Bitcoin Keeper (mobile). Now I don't want to trust them as anything can happen with these projects, so I use it in combination with hardware wallets (jade). This works like a charm.

If I want to receive bitcoin I click on the receive button and the software generates an address. My question is, how can I validate that this address belongs to my seed? Right now, in this whole receive part, the hardware wallet is not involved. I have not heard so far anyone about this, so maybe I miss something.

[BitMaxz]

I don't think there's a way to validate that address since your using hardware wallet unlike on Electrum you can verify it on the console using "ismine (address)".

I think the only way to know if the address is belong to your seed is by depositing and sending small amount.

[jeanluca]

receiving and sending doesn't mean that my seed is doing this. Sparrow wallet can fool me

[OmegaStarScream]

Sparrow wallet is a popular open source wallet, see here[1]. Everyone can check the source code, so they cannot really fool you. I can't comment on Bitcoin keeper as I'm not really familiar with it.

Upgrading to a hardware wallet is definitely recommended, but not for the reasons you mentioned. I would be more worried about malwares, phishing, etc. than the developers of the wallet.

[1] https://github.com/sparrowwallet/sparrow

[Charles-Tim]

I do not about bitcoin Keeper wallet.

You can click on 'addresses' to check the address on Sparrow wallet. You can see that on the image below at the left side.



Do not display your addresses, for privacy reasons.

I don't think there's a way to validate that address since your using hardware wallet unlike on Electrum you can verify it on the console using "ismine (address)".

I think the only way to know if the address is belong to your seed is by depositing and sending small amount.

Sparrow has the master public key while Jade is the cold storage. He should be able to see his address on the lists of addresses. There are up to 22 addresses there each.

[jeanluca]

If something is open source doesn't mean that people look at the code all the time, but I agree that it might help.
But even though Sparrow wallet shows address doesn't mean they are from my seed. I'm not sure if Jade also shows the from address, maybe it only shows the to address and the amount.

I think that it would make sense to be able to validate a bitcoin address with a hardware wallet

The only solution right now for me would be to use two different software wallets and compare the receiving addresses.
Or do you mean that I can see a list of receiving address on my Jade?

[Charles-Tim]

I think that it would make sense to be able to validate a bitcoin address with a hardware wallet

The only solution right now for me would be to use two different software wallets and compare the receiving addresses.
Or do you mean that I can see a list of receiving address on my Jade?

You can verify on Jade to know if an address is generated from the seed phrase that Jade generated you. This Blockstream guide is the answer to your question:

https://help.blockstream.com/hc/en-us/articles/20270907312665-Verify-receive-addresses-with-Jade-air-gapped

[Pmalek]

First of all, your Sparrow Wallet or other companion app must contain the master public key of your wallet. If you are using Jade as a stateless signer, then you must first load your seed into it from your SeedQR. After the seed is loaded, you will see a "Scan QR" option in Jade. Click on it to activate the camera. At the same time, find the address in Sparrow wallet that you want to verify and display its QR code. Scan this code with your Jade and the feedback should tell you that the address belongs to your wallet. Do this every time you want to send bitcoin to a new address that's part of your Jade's seed to be sure.

[jeanluca]

Thanks for all the feedback, that really helped! I have a last question:

Suppose I want to setup a wallet with 1 seed with Sparrow wallet. Now all can just work find. But what has happens now behind the scene in my hacked Sparrow wallet, is that it created a multi sig wallet, a 1-out-of-2 wallet. So I can use my seed just fine, but the hacker now also has access. Now I can validate the receiving address with my jade and it will tell me that it is valid but. Is there a way I can protect myself against this? Can I detect this? I can also imagine that something like this is possible if I create a multisig wallet.

Again, I can check receiving addresses using another software wallet. But is there a way to detect something is wrong without the extra software wallet?

[Pmalek]

Suppose I want to setup a wallet with 1 seed with Sparrow wallet. Now all can just work find. But what has happens now behind the scene in my hacked Sparrow wallet, is that it created a multi sig wallet, a 1-out-of-2 wallet.

To be honest, I didn't understand what exactly you are asking. So, let me try to cover some general points. You are not creating the wallet in Sparrow. Jade is creating it and generating your seed in an airgapped environment. Sparrow wallet (the hot wallet) doesn't know your seed, so you can't lose your bitcoin even if your Sparrow wallet got hacked.   

Again, I can check receiving addresses using another software wallet. But is there a way to detect something is wrong without the extra software wallet?

Something would be wrong if the address that Sparrow wallet displays in the interface can't be verified on your Jade with the correct seed phrase loaded in it. If Jade can't verify your address, then Sparrow isn't showing you an address which is part of your wallet or you have imported the wrong seed in Jade.

You need Sparrow or a different hot wallet if you are going to work with your Jade in airgapped mode. The hot wallet creates your transaction and broadcasts it to the network. The Jade (cold wallet) signs the transaction with its private key(s). Both are essential to the process.

[jeanluca]

Yes, I understand how that flow works. But still, if I setup a single sig wallet,  what would stop the software from creating behind the scene a multi-sig wallet with a 1 out of 2. Meaning I can still sign transactions with my jade as if nothing has happened, but the hacker can do the same with his seed. The question is, will the jade verify these addresses?

[Pmalek]

Who is the "hacker" in this scenario of yours? Is it a person representing Jade and Blockstream or a third party?
How would the hacker and/or Jade trick you into creating a fake single-sig, which is actually a multi-sig wallet, and grab one of the necessary signing keys? Jade is airgapped, remember.

The Jade will verify any address that is part of your wallet and connected to the seed loaded into it, regardless if it's an address from a single-sig or multi-sig wallet.
I am not sure why you believe that the device could maliciously create a multi-sig wallet and give the keys to someone else. You could ask the same about any other software or hardware wallet, why just Jade!?

[jeanluca]

Let me first try out what jade can do for me, so I will have a better understanding of the issue. After I come back!