Whoever Controls the Private Key Owns the Assets?

2022-07-11 17:26:57

When using crypto products such as wallets and exchanges, protecting the security of your assets is the No.1 priority. In “CoinEx Wallet Security Tips”, we will share some basic crypto know-how such as common scams, how to use crypto products safely, and blockchain security mechanisms from multiple perspectives to help you fully understand asset security and adopt enhanced protection measures.

 

Today’s crypto scam

 

In the crypto market, people often say that whoever controls your private key owns your assets. As such, we must take good care of our private keys. However, recently, many users have seen the following message in social media groups.

 

 

Upon reading the message, many users marvel at the stupidity of the guy who voluntarily offered his private key and are all set to collect the perk.

 

Here is the TRON address that corresponds to the mnemonic phrases above: TNCCpquVqxhLYsDPAckj7mTXFhQEHHwTvo. When checking the address through TRON’s block explorer, we can tell that the address does contain a large amount of USDT:

 

 

This is how many users would react: Wow, it is unbelievable that such a big holder would voluntarily offer his private key. I have to get the USDT out as soon as possible before someone else gets hold of them.

 

After importing the mnemonic phrases into Tronlink or CoinEx Wallet, users start making the transfer (all pictures below are for testing purposes). At this point, the wallet would notify them: Insufficient Bandwidth. The amount of TRX required for executing the transaction will be automatically deducted. Having noticed that the TRX balance in their wallet is insufficient, they transfer 20 TRX from an exchange account or another wallet. After all, compared with the USDT perk, the TRX fee seems minimal.

 

Having paid the TRX required, users quickly proceed to transfer the USDT contained in the address:

 

 

They then go through the exciting broadcast and confirmation period. As the transaction is packaged, users become ecstatic: this perk that’s worth hundreds of USDT is almost too good to be true. While wondering how they’ll spend the money, they check their wallet and notice that the transaction is still being confirmed. How can that be?

 

 

Ok, let’s refresh the page. Wait, why did the transaction disappear?

 

 

When users check the transaction via the blockchain explorer for the second time, they notice that the transaction never existed, and that the balance of the address remains the same, except for the 20 TRX they paid.

 

 

So, what happened? Why can’t the USDT be transferred when users have the private key? At this point, users sense that there’s something wrong with the “perk” and try to get back their 20 TRX but fail, which makes them think: Is this a scam?

 

Review: the multi-sig TRX wallet

 

Why can’t we do anything about the tokens contained in the address even though we own the private key? Isn’t it true that whoever controls a private key owns the corresponding assets?

 

Here, we need to go into TRON’s tip6 protocol. A TRON account involves three kinds of permission, i.e. owner-permission, witness-permission, and active-permission. Moreover, the owner-permission and active-permission of a regular address are both the address itself.

 

Let’s check the permission of TNVQkFEsD9wCDcj3krvfT6rgZbBRyRDVWB, a typical TRON address, via the block explorer. Of course, you can also check the permission via the interface “wallet/getaccount” if you’re tech-savvy. As the picture below shows, its owner-permission and active-permission are both the address itself.

 

 

Let’s now take a look at the permission of the address we mentioned in the beginning: TNCCpquVqxhLYsDPAckj7mTXFhQEHHwTvo.

 

 

As can be seen from the above, this address is essentially a multi-sig address, and its owner-permission is not the address itself, but another address. As such, the address is controlled by another account, rather than its private key, which explains why users cannot take USDT/TRX from the account and engage in contract-related operations using the private key.
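The same permission check can be run on the JSON returned by “wallet/getaccount” instead of reading it off the block explorer. The Python sketch below is an added example, not code from CoinEx or TRON: the two sample responses are constructed (not real chain data), the controller address is a placeholder because the page does not give it, and checking the active permissions alongside the owner permission goes one step beyond the case described in the text.

```python
# Constructed sample responses in the shape of wallet/getaccount output
# (requested with "visible": true so addresses are base58). Not real chain data.
REGULAR = "TNVQkFEsD9wCDcj3krvfT6rgZbBRyRDVWB"
BAIT = "TNCCpquVqxhLYsDPAckj7mTXFhQEHHwTvo"
CONTROLLER = "T_CONTROLLER_PLACEHOLDER"  # placeholder; the page does not give it

def _perm(name, signer):
    # One permission entry with a single signer of weight 1 and threshold 1.
    return {"permission_name": name, "threshold": 1,
            "keys": [{"address": signer, "weight": 1}]}

SAMPLE_REGULAR = {"address": REGULAR,
                  "owner_permission": _perm("owner", REGULAR),
                  "active_permission": [_perm("active", REGULAR)]}
SAMPLE_BAIT = {"address": BAIT,
               "owner_permission": _perm("owner", CONTROLLER),
               "active_permission": [_perm("active", CONTROLLER)]}

def own_key_weight(permission, address):
    """Total signing weight the address's own key holds in one permission."""
    return sum(k.get("weight", 0) for k in permission.get("keys", [])
               if k.get("address") == address)

def own_key_authority(account):
    """Map each permission name to True if the account's own key alone
    reaches that permission's threshold."""
    address = account["address"]
    perms = []
    if "owner_permission" in account:
        perms.append(account["owner_permission"])
    perms.extend(account.get("active_permission", []))
    return {p.get("permission_name", "?"):
            own_key_weight(p, address) >= p.get("threshold", 1) for p in perms}

def key_is_powerless(account):
    """True when permissions are listed and the own key satisfies none of them.
    A response with no permission fields gives no evidence, so it returns False."""
    authority = own_key_authority(account)
    return bool(authority) and not any(authority.values())

if __name__ == "__main__":
    for acct in (SAMPLE_REGULAR, SAMPLE_BAIT):
        print(acct["address"], own_key_authority(acct),
              "own key powerless:", key_is_powerless(acct))
```

An address whose own key is reported as powerless cannot move funds with its mnemonic, so any TRX sent to it to cover fees stays under the control of the account named in its permissions.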

 

We now know how the scam works: the scammer used the USDT as the bait to trick users into paying the transaction fee (TRX).

 

Remember: there’s no such thing as a free lunch. Therefore, we should refrain from getting greedy and always stay on guard. Otherwise, you might end up falling victim to someone else’s seeming stupidity. Take good care of your wallets and cryptos and avoid transferring cryptos to any stranger.