Five Ways to Lose Money with Bitcoin Switch Addresses

Five Ways to Lose Money with Bitcoin Switch Addresses

Bitcoin can be coldly unforgiving of mistakes, and nowhere is this better demonstrated than with switch addresses. Albeit switch addresses provide a key privacy instrument, they can also lead to confusion, loss, or theft when not understood.

This article explains how to securely use one of Bitcoin's least understood features. It completes with a list of common pitfalls and ways to avoid them.

The Debit Card from Hell

Imagine paying for groceries with a debit card. The checker totals the amount due and you swipe your card as usual. However, you notice the payment terminal is asking for all of the money in your account.

The checker smiles, explaining that this is part of your bank's fresh prizes program. You have three options: (1) send the switch back to your current account; (Two) send the switch to a newly-created bank account; or (Three) say nothing and send the switch to the payment terminal company.

Counterintuitive? Confusing? Alarming? Many Bitcoin users are astonished to find eerie similarities inbetween this diabolical debit card and the way transactions seem to work.

Thinking about Bitcoin in terms of past practices with online banking and debit cards can lead to problems. Fortunately, an older payment method offers better insights into how Bitcoin works and why.

Bitcoin is Electronic Cash

The similarities inbetween Bitcoin and cash run deep. In his whitepaper, Satoshi Nakamoto even described Bitcoin as an “electronic cash system”. Understanding the close connection inbetween Bitcoin and cash is the key to understanding switch addresses.

Imagine needing to track different pools of paper bills, maybe as part of a collection drive. You might use envelopes to keep the bills physically separate from each other – a “cash envelope”.

A Bitcoin address can be thought of as the digital equivalent of a cash envelope.

A Bitcoin address as a digital “cash envelope”.

Like a cash envelope, an address can hold zero or more units of electronic cash. Instead of paper bills, Bitcoin uses the electronic equivalent – “unspent outputs”. The balance of any address can be found by summing the value of each unspent output it contains, just like the amount held in a cash envelope can be found by counting the values of all bills.

The purpose of the Bitcoin network is to enable the regulated transfer of unspent outputs inbetween addresses through transactions.

How Bitcoin Transactions Work

Imagine that Alice, who possesses an address containing one unspent output worth ten bitcoin (BTC), wants to pay Bob ten bitcoin. Alice moves the funds with a transaction sending her single unspent output to Bob‘s empty address. In doing so, Alice’s address balance falls to zero and Bob's address balance rises to ten bitcoin.

Alice pays Bob ten BTC, using her only unspent output. Alice‘s address balance falls by ten BTC. Bob’s increases by ten BTC. Alice may not re-spend the ten BTC.

After the transaction, Bob can give the unspent output he received from Alice to someone else. However, Alice will neither be permitted to take back the unspent output she transferred, nor will she be able to spend it again.

A few days later, Alice wants to pay Bob five BTC from an address containing a single output valued at ten BTC. Alice has a problem: she needs to pay Bob, but she doesn‘t want to give him the entire ten BTC. Alice wouldn’t be permitted to rip a $Ten bill in half to pay Bob $Five. Likewise, Bitcoin requires Alice to send the network her entire ten BTC unspent output – intact.

To resolve this dilemma, Alice uses a transaction that splits her payment, a feature fully supported by Bitcoin. One part of the transaction sends five BTC to Bob's address and the other comes back five BTC back to her own. In a similar way, Alice could break a $Ten bill at the bank into two $Five bills, providing one to Bob and keeping one for herself.

Alice pays Bob five BTC. Having no an unspent output in the correct amount, Alice splits the transaction into a five BTC payment to Bob and a five BTC switch payment to herself. Both Alice and Bob may now use their respective five BTC unspent outputs.

Over time, Alice's address accumulates unspent outputs from people who have paid her. Her address now contains unspent outputs valued at twenty BTC, ten BTC, and five BTC.

Once again, it‘s time for Alice to pay Bob – this time eight BTC. Alice creates a transaction that splits her ten BTC unspent output, sending eight BTC to Bob’s address and returning two BTC to her own as switch. Alice‘s address balance falls to twenty seven BTC and Bob’s address balance rises to eight BTC.

Alice pays Bob eight BTC. Her address doesn't contain an eight BTC unspent output, so she uses one valued at ten BTC, receiving the remaining two BTC as switch.

In the previous examples, Alice directed switch into the same address she spent from. Albeit this decision simplified accounting, it unluckily diminished Bob's privacy as well as her own.

Switch Addresses and Privacy

By design, every Bitcoin transaction remains permanently viewable in a global public ledger called the “block chain”. Privacy depends on the rigorous separation inbetween addresses and individual identities, a model referred to as pseudonymity.

Any observer capable of linking Bitcoin addresses to individual identities can begin to draw conclusions about money transfers inbetween people. Users make this job more difficult by sending switch to newly-created addresses.

To see why, imagine a transaction that sends funds from Address A to Address B. If switch is returned to Address A, the block chain clearly exposes that the person controlling Address A paid the person controlling Address B. The same reasoning holds if two or more addresses are involved. Any transaction involving Address A as a sender exposes the receiving address unambiguously.

Switch is returned to the sending address. The intended payee is unambiguous.

Should the identity of the person controlling either receiving or payment addresses become known, the identities of the other parties could become known as well.

Now imagine that Address A initiates a payment to B, but this time directs switch to a newly-generated switch address C. Without knowing which address receives switch, all we can deduce is that a transaction split Address A's balance inbetween Addresses B and C. The identity of the person controlling Addresses B or C may or may not be the same as the identity of the person controlling Address A. Given another transaction from Address C, the picture becomes even murkier. Which of the transfers represent payments and which represent the receipt of switch?

Switch is returned to a newly-created switch address. The intended payee is ambiguous.

An observer attempting to link private identities to addresses must gather more secondary information and expend more resources when all parties send switch to newly-created addresses.

Coordinating numerous addresses is a complicated task. Wallet software frees the user from the need to do this by hand.

Wallets and Switch Addresses

Albeit switch addresses play a key role in improving privacy, wallet developers can implement this feature in a number of ways. Four strategies are presently in use, each with its own implications for privacy and security.

  • Single-Address Wallets use a single address to receive both payments and switch. Extra addresses may added when a receiving address is by hand added, or a private key is imported. Examples include Blockchain.info and MultiBit.
  • Random Address Pool Wallets use a fixed-size pool of randomly-generated addresses. Switch is sent to the next available empty address, causing the creation of a fresh empty address to take its place. The best-known example is Bitcoin-Qt.
  • Deterministic Address Pool Wallets contain a practically infinite pool of deterministically-generated addresses. A subset of this pool contains addresses reserved for receiving switch. Examples include Electrum and Armory.
  • Hybrid Wallets use numerous strategies, depending on context. MultiBit, Mycelium, and Electrum are examples.

Let's now consider ways that misunderstanding switch addresses, combined with semi-manual address management, can lead to loss or theft of funds.

Preventing and Recovering from Switch Address Disasters

Incorrect use of Bitcoin switch addresses account for many cases of loss or theft of funds. Here are some disaster scripts and ways to avoid them.

1. Backup Failure

Alice uses Bitcoin-Qt. Understanding the importance of backups, she created an encrypted wallet backup long ago and stored it in a safe place. After making dozens of transactions with Bitcoin-Qt, Alice's hard drive crashed.

Alice bought a fresh hard drive and then re-installed Bitcoin-Qt on it. She then restored her wallet backup. To her horror, Alice discovered the restored wallet was empty.

Explanation: Alice generated enough switch addresses to overflow the original pool of 100. On the 100th spending transaction, Bitcoin-Qt moved Alice's switch (which happend to be her entire balance) into an address not in the backup. Restoring the backup only restored empty addresses.

Recovery: Even if a hard drive can't boot an operating system, individual files can still be recovered. Using data recovery contraptions, Alice may be able to salvage the Bitcoin-Qt wallet from the faulty hard drive, and with it her lost funds.

  • Count the number of manually-created addresses and spending transactions since your last backup. If this number is greater than about 80, back up again. Weekly backups might be enough for most users.
  • Set a very high value (e.g., Ten,000) for the -keypool option, either as a directive line parameter, or in the bitcoin.conf file.
  • Switch to a deterministic wallet.

Two. Failure to Monitor Switch Address

Bob uses Electrum to send infrequent bitcoin payments. Worried about possible theft, he desired a way to keep an eye on his bitcoin balance from one of his many devices.

Bob determined on blockchain.info to monitor address activity. Bob‘s Electrum wallet contained several addresses, but only one of them held bitcoin (0.Three BTC). Assuming this was the only address he’d be using, Bob pasted it into the blockchain.info search window and bookmarked the resulting page.

A few weeks later, Bob made a 0.Two BTC payment to Overstock from his Electrum wallet. After receiving his merchandise, Bob determined to check his balance with blockchain.info.

Disturbingly, Bob discovered that part of his Overstock payment was transferred to an unknown address. Thinking that his computer running Electrum had been compromised, Bob re-formated the hard drive.

Explanation: Albeit it may look to Bob as if an eavesdropper switched his transaction before it was sent to Overstock, he‘s instead watching the result of normal wallet operation. Electrum sent the switch from Bob’s transaction to one of its deterministically-generated switch addresses. This cleared the balance from the sending address, the only one Bob was monitoring.

Recovery: Electrum encourages the storage of its 12-word address generation seed in a safe location. Should Bob still have access to the seed, he can re-generate his old wallet and recover the switch from the Overstock transaction.

  • If using a deterministic wallet, create a watching-only wallet to monitor addresses.
  • If using Bitcoin-Qt, by hand update your list of see addresses after every payment, or switch to a deterministic wallet.

Three. Spending from a Paper Wallet

Carlos is a saver. Awhile back he bought twenty bitcoins at $Ten apiece, and then transferred them to a paper wallet he created at bitaddress.org. He didn't do anything with Bitcoin since then.

One day Carlos noticed a deal on fresh laptops at Overstock and determined to pay using one of his saved bitcoins. But Carlos had a problem: he needed to get his paper wallet into a software wallet to pay Overstock.

Carlos downloaded MultiBit and imported his paper wallet's private key. After paying Overstock, he exited the program.

Carlos was worried about leaving any trace of his private key on his computer, so he securely deleted MultiBit and its data directory. He then returned his paper wallet to its safe location.

After a few weeks, Carlos checked his paper wallet's balance. To his shock, the balance read zero. Nineteen bitcoins were sent to an unacquainted address on the same day as the Overstock payment.

Explanation: Carlos suspects foul play, but he's actually watching the result of normal wallet behavior. The nineteen missing bitcoins were sent to a switch address, leaving his paper wallet empty.

Recovery: In securely deleting the MultiBit data directory, Carlos lost any chance of recovering the missing funds.

  • Before deleting any hot wallet with an imported paper wallet private key, send the remaining balance back to a paper wallet.
  • Use a software wallet that will comeback switch back to the paper wallet. One example is Mycelium. Another is Blockchain.info through the “custom spend” option. Both approaches would come back switch to the paper wallet, albeit doing so degrades privacy.

Four. Sharing a Wallet

Dave runs Bitcoin-Qt on two computers, a laptop and a desktop in his garage. Wanting to use both computers to make payments, Dave copied a clean wallet.dat backup file from the laptop to the desktop.

After making many payments without a problem from both computers, Dave noticed something odd one day. His laptop wallet displayed a zero balance, but his desktop wallet showcased the correct balance.

Explanation: Dave‘s computer network was not compromised, nor did he uncover a bug in Bitcoin-Qt. Instead, his copy of Bitcoin-Qt running on the desktop used the last available pool address held jointly with the laptop. On his last transaction, Dave’s switch was sent to an address unknown to the laptop.

Recovery: Back up the wallets on both the laptop and the desktop. Export all private keys from both computers, and sweep them into a fresh wallet. If sharing wallets is critical, don't proceed using Bitcoin-Qt.

  • Don't use Bitcoin-Qt to share wallets among numerous computers. Use Electrum or Armory, which were designed specifically with this use case in mind.

Five. Theft from an Imported Paper Wallet

Frank received a paper wallet containing two BTC as a bounty at a company event. Anxious to see how Bitcoin works, he installed MultiBit and imported the paper wallet's private key. Not witnessing a need to keep the paper wallet, Frank threw it into the recycling bin at his office.

Over time, Frank depleted his Bitcoin funds. To re-fund his wallet, Frank bought an extra two BTC from Coinbase and then transferred them into his MultiBit wallet.

Shortly thereafter, Frank bought a set of sheets from Overstock for 0.1 BTC. Albeit this payment confirmed without issue, Frank noticed something odd. Without his approval, a 2nd withdrawal was made to an unknown address, emptying his wallet of the remaining 1.9 BTC.

Explanation: Albeit Frank was the victim of theft, the route of attack was not his computer or network. It was the paper wallet he threw into the recycling bin.

Unknown to Frank, the paper wallet was taken from the recycling bin by Eve, a dishonest coworker. Eve added the private key to a custom-made program that automatically detects deposits into a list of observed addresses, and then withdraws them instantaneously.

MultiBit, working as designed, used the imported paper wallet address to receive 1.9 BTC in switch from Frank‘s Overstock payment. Eve’s program noticed the transfer and instantly withdrew the funds.

Eve pulled off her heist without access to Frank‘s computer, or even skill of Frank’s identity. The plan worked because Eve know one of the private keys being used to receive switch in Frank's MultiBit wallet.

Recovery: Frank cannot recover the funds, nor is he likely to determine the identity of the thief.

  • Sweeping a paper wallet creates a normal transaction into an existing wallet address, depleting the paper wallet. The paper wallet private key is never again used by the wallet software. Unless you have a compelling reason to do otherwise, sweep paper wallets instead of importing them. This is especially significant for paper wallets that you did not generate yourself securely.

Partial Loss of Funds

Albeit the examples in the previous section resulted in accomplish loss of funds, the same mechanisms also permit for partial loss. These conditions were assumed, which may or may not hold at the time a switch address problem arises:

  1. The entire balance of a wallet resides at a single address.
  2. This single address contains one unspent output.

For example, a single address that receives numerous payments will contain numerous unspent outputs. Likewise, wallet balances can become distributed across numerous switch addresses as the user spends funds.

Imagine Alice's wallet contains two addresses, Address one and Address Two, with a total value of fifteen BTC. To make a six BTC payment, the wallet chooses a seven BTC unspent output from Address 1, receiving one BTC switch into Address Two. As expected, her wallet balance decreases to nine BTC.

Alice loses one BTC after restoring a backup in which a switch address was missing.

Then disaster strikes – Alice's hard drive fails. After installing a fresh hard drive and restoring her wallet backup, Alice notices something odd. Before the hard drive crash, her wallet balance was nine BTC. But the balance only read eight BTC after recovering the backup. Why does one BTC seem to be missing?

Alice was using a random address pool wallet, in which Address two was not contained in her original backup. Restoring the backup gave the appearance that Address two had “disappeared”, and along with it the one BTC spent output it contained.

In a sense, Alice was fortunate because she could have lost her entire wallet balance. On the other arm, without understanding switch addresses, Alice would likely be very confused about what happened to the missing one BTC. The same mistake could happen again.

Conclusions

When used correctly, switch addresses help prevent the identities and spending histories of Bitcoin users from being made public. But with this capability comes the potential for loss and theft. To avoid potentially costly mistakes, familiarize yourself with switch addresses and how your wallet software implements them.

Five Ways to Lose Money with Bitcoin Switch Addresses

Five Ways to Lose Money with Bitcoin Switch Addresses

Bitcoin can be coldly unforgiving of mistakes, and nowhere is this better demonstrated than with switch addresses. Albeit switch addresses provide a key privacy instrument, they can also lead to confusion, loss, or theft when not understood.

This article explains how to securely use one of Bitcoin's least understood features. It completes with a list of common pitfalls and ways to avoid them.

The Debit Card from Hell

Imagine paying for groceries with a debit card. The checker totals the amount due and you swipe your card as usual. However, you notice the payment terminal is asking for all of the money in your account.

The checker smiles, explaining that this is part of your bank's fresh prizes program. You have three options: (1) send the switch back to your current account; (Two) send the switch to a newly-created bank account; or (Three) say nothing and send the switch to the payment terminal company.

Counterintuitive? Confusing? Alarming? Many Bitcoin users are astonished to find eerie similarities inbetween this diabolical debit card and the way transactions seem to work.

Thinking about Bitcoin in terms of past practices with online banking and debit cards can lead to problems. Fortunately, an older payment method offers better insights into how Bitcoin works and why.

Bitcoin is Electronic Cash

The similarities inbetween Bitcoin and cash run deep. In his whitepaper, Satoshi Nakamoto even described Bitcoin as an “electronic cash system”. Understanding the close connection inbetween Bitcoin and cash is the key to understanding switch addresses.

Imagine needing to track different pools of paper bills, maybe as part of a collection drive. You might use envelopes to keep the bills physically separate from each other – a “cash envelope”.

A Bitcoin address can be thought of as the digital equivalent of a cash envelope.

A Bitcoin address as a digital “cash envelope”.

Like a cash envelope, an address can hold zero or more units of electronic cash. Instead of paper bills, Bitcoin uses the electronic equivalent – “unspent outputs”. The balance of any address can be found by summing the value of each unspent output it contains, just like the amount held in a cash envelope can be found by counting the values of all bills.

The purpose of the Bitcoin network is to enable the regulated transfer of unspent outputs inbetween addresses through transactions.

How Bitcoin Transactions Work

Imagine that Alice, who possesses an address containing one unspent output worth ten bitcoin (BTC), wants to pay Bob ten bitcoin. Alice moves the funds with a transaction sending her single unspent output to Bob‘s empty address. In doing so, Alice’s address balance falls to zero and Bob's address balance rises to ten bitcoin.

Alice pays Bob ten BTC, using her only unspent output. Alice‘s address balance falls by ten BTC. Bob’s increases by ten BTC. Alice may not re-spend the ten BTC.

After the transaction, Bob can give the unspent output he received from Alice to someone else. However, Alice will neither be permitted to take back the unspent output she transferred, nor will she be able to spend it again.

A few days later, Alice wants to pay Bob five BTC from an address containing a single output valued at ten BTC. Alice has a problem: she needs to pay Bob, but she doesn‘t want to give him the entire ten BTC. Alice wouldn’t be permitted to rip a $Ten bill in half to pay Bob $Five. Likewise, Bitcoin requires Alice to send the network her entire ten BTC unspent output – intact.

To resolve this dilemma, Alice uses a transaction that splits her payment, a feature fully supported by Bitcoin. One part of the transaction sends five BTC to Bob's address and the other comes back five BTC back to her own. In a similar way, Alice could break a $Ten bill at the bank into two $Five bills, providing one to Bob and keeping one for herself.

Alice pays Bob five BTC. Having no an unspent output in the correct amount, Alice splits the transaction into a five BTC payment to Bob and a five BTC switch payment to herself. Both Alice and Bob may now use their respective five BTC unspent outputs.

Over time, Alice's address accumulates unspent outputs from people who have paid her. Her address now contains unspent outputs valued at twenty BTC, ten BTC, and five BTC.

Once again, it‘s time for Alice to pay Bob – this time eight BTC. Alice creates a transaction that splits her ten BTC unspent output, sending eight BTC to Bob’s address and returning two BTC to her own as switch. Alice‘s address balance falls to twenty seven BTC and Bob’s address balance rises to eight BTC.

Alice pays Bob eight BTC. Her address doesn't contain an eight BTC unspent output, so she uses one valued at ten BTC, receiving the remaining two BTC as switch.

In the previous examples, Alice directed switch into the same address she spent from. Albeit this decision simplified accounting, it unluckily diminished Bob's privacy as well as her own.

Switch Addresses and Privacy

By design, every Bitcoin transaction remains permanently viewable in a global public ledger called the “block chain”. Privacy depends on the stringent separation inbetween addresses and individual identities, a model referred to as pseudonymity.

Any observer capable of linking Bitcoin addresses to individual identities can begin to draw conclusions about money transfers inbetween people. Users make this job more difficult by sending switch to newly-created addresses.

To see why, imagine a transaction that sends funds from Address A to Address B. If switch is returned to Address A, the block chain clearly exposes that the person controlling Address A paid the person controlling Address B. The same reasoning holds if two or more addresses are involved. Any transaction involving Address A as a sender exposes the receiving address unambiguously.

Switch is returned to the sending address. The intended payee is unambiguous.

Should the identity of the person controlling either receiving or payment addresses become known, the identities of the other parties could become known as well.

Now imagine that Address A initiates a payment to B, but this time directs switch to a newly-generated switch address C. Without knowing which address receives switch, all we can deduce is that a transaction split Address A's balance inbetween Addresses B and C. The identity of the person controlling Addresses B or C may or may not be the same as the identity of the person controlling Address A. Given another transaction from Address C, the picture becomes even murkier. Which of the transfers represent payments and which represent the receipt of switch?

Switch is returned to a newly-created switch address. The intended payee is ambiguous.

An observer attempting to link individual identities to addresses must gather more secondary information and expend more resources when all parties send switch to newly-created addresses.

Coordinating numerous addresses is a complicated task. Wallet software frees the user from the need to do this by hand.

Wallets and Switch Addresses

Albeit switch addresses play a key role in improving privacy, wallet developers can implement this feature in a number of ways. Four strategies are presently in use, each with its own implications for privacy and security.

  • Single-Address Wallets use a single address to receive both payments and switch. Extra addresses may added when a receiving address is by hand added, or a private key is imported. Examples include Blockchain.info and MultiBit.
  • Random Address Pool Wallets use a fixed-size pool of randomly-generated addresses. Switch is sent to the next available empty address, causing the creation of a fresh empty address to take its place. The best-known example is Bitcoin-Qt.
  • Deterministic Address Pool Wallets contain a practically infinite pool of deterministically-generated addresses. A subset of this pool contains addresses reserved for receiving switch. Examples include Electrum and Armory.
  • Hybrid Wallets use numerous strategies, depending on context. MultiBit, Mycelium, and Electrum are examples.

Let's now consider ways that misunderstanding switch addresses, combined with semi-manual address management, can lead to loss or theft of funds.

Preventing and Recovering from Switch Address Disasters

Incorrect use of Bitcoin switch addresses account for many cases of loss or theft of funds. Here are some disaster screenplays and ways to avoid them.

1. Backup Failure

Alice uses Bitcoin-Qt. Understanding the importance of backups, she created an encrypted wallet backup long ago and stored it in a safe place. After making dozens of transactions with Bitcoin-Qt, Alice's hard drive crashed.

Alice bought a fresh hard drive and then re-installed Bitcoin-Qt on it. She then restored her wallet backup. To her horror, Alice discovered the restored wallet was empty.

Explanation: Alice generated enough switch addresses to overflow the original pool of 100. On the 100th spending transaction, Bitcoin-Qt moved Alice's switch (which happend to be her entire balance) into an address not in the backup. Restoring the backup only restored empty addresses.

Recovery: Even if a hard drive can't boot an operating system, individual files can still be recovered. Using data recovery instruments, Alice may be able to salvage the Bitcoin-Qt wallet from the faulty hard drive, and with it her lost funds.

  • Count the number of manually-created addresses and spending transactions since your last backup. If this number is greater than about 80, back up again. Weekly backups might be enough for most users.
  • Set a very high value (e.g., Ten,000) for the -keypool option, either as a directive line parameter, or in the bitcoin.conf file.
  • Switch to a deterministic wallet.

Two. Failure to Monitor Switch Address

Bob uses Electrum to send infrequent bitcoin payments. Worried about possible theft, he desired a way to keep an eye on his bitcoin balance from one of his many devices.

Bob determined on blockchain.info to monitor address activity. Bob‘s Electrum wallet contained several addresses, but only one of them held bitcoin (0.Trio BTC). Assuming this was the only address he’d be using, Bob pasted it into the blockchain.info search window and bookmarked the resulting page.

A few weeks later, Bob made a 0.Two BTC payment to Overstock from his Electrum wallet. After receiving his merchandise, Bob determined to check his balance with blockchain.info.

Disturbingly, Bob discovered that part of his Overstock payment was transferred to an unknown address. Thinking that his computer running Electrum had been compromised, Bob re-formated the hard drive.

Explanation: Albeit it may look to Bob as if an eavesdropper switched his transaction before it was sent to Overstock, he‘s instead eyeing the result of normal wallet operation. Electrum sent the switch from Bob’s transaction to one of its deterministically-generated switch addresses. This cleared the balance from the sending address, the only one Bob was monitoring.

Recovery: Electrum encourages the storage of its 12-word address generation seed in a safe location. Should Bob still have access to the seed, he can re-generate his old wallet and recover the switch from the Overstock transaction.

  • If using a deterministic wallet, create a watching-only wallet to monitor addresses.
  • If using Bitcoin-Qt, by hand update your list of observe addresses after every payment, or switch to a deterministic wallet.

Trio. Spending from a Paper Wallet

Carlos is a saver. Awhile back he bought twenty bitcoins at $Ten apiece, and then transferred them to a paper wallet he created at bitaddress.org. He didn't do anything with Bitcoin since then.

One day Carlos noticed a deal on fresh laptops at Overstock and determined to pay using one of his saved bitcoins. But Carlos had a problem: he needed to get his paper wallet into a software wallet to pay Overstock.

Carlos downloaded MultiBit and imported his paper wallet's private key. After paying Overstock, he exited the program.

Carlos was worried about leaving any trace of his private key on his computer, so he securely deleted MultiBit and its data directory. He then returned his paper wallet to its safe location.

After a few weeks, Carlos checked his paper wallet's balance. To his shock, the balance read zero. Nineteen bitcoins were sent to an unacquainted address on the same day as the Overstock payment.

Explanation: Carlos suspects foul play, but he's actually witnessing the result of normal wallet behavior. The nineteen missing bitcoins were sent to a switch address, leaving his paper wallet empty.

Recovery: In securely deleting the MultiBit data directory, Carlos lost any chance of recovering the missing funds.

  • Before deleting any hot wallet with an imported paper wallet private key, send the remaining balance back to a paper wallet.
  • Use a software wallet that will comeback switch back to the paper wallet. One example is Mycelium. Another is Blockchain.info through the “custom spend” option. Both approaches would comeback switch to the paper wallet, albeit doing so degrades privacy.

Four. Sharing a Wallet

Dave runs Bitcoin-Qt on two computers, a laptop and a desktop in his garage. Wanting to use both computers to make payments, Dave copied a clean wallet.dat backup file from the laptop to the desktop.

After making many payments without a problem from both computers, Dave noticed something odd one day. His laptop wallet displayed a zero balance, but his desktop wallet demonstrated the correct balance.

Explanation: Dave‘s computer network was not compromised, nor did he uncover a bug in Bitcoin-Qt. Instead, his copy of Bitcoin-Qt running on the desktop used the last available pool address held jointly with the laptop. On his last transaction, Dave’s switch was sent to an address unknown to the laptop.

Recovery: Back up the wallets on both the laptop and the desktop. Export all private keys from both computers, and sweep them into a fresh wallet. If sharing wallets is critical, don't proceed using Bitcoin-Qt.

  • Don't use Bitcoin-Qt to share wallets among numerous computers. Use Electrum or Armory, which were designed specifically with this use case in mind.

Five. Theft from an Imported Paper Wallet

Frank received a paper wallet containing two BTC as a bounty at a company event. Impatient to see how Bitcoin works, he installed MultiBit and imported the paper wallet's private key. Not observing a need to keep the paper wallet, Frank threw it into the recycling bin at his office.

Over time, Frank depleted his Bitcoin funds. To re-fund his wallet, Frank bought an extra two BTC from Coinbase and then transferred them into his MultiBit wallet.

Shortly thereafter, Frank bought a set of sheets from Overstock for 0.1 BTC. Albeit this payment confirmed without issue, Frank noticed something odd. Without his approval, a 2nd withdrawal was made to an unknown address, emptying his wallet of the remaining 1.9 BTC.

Explanation: Albeit Frank was the victim of theft, the route of attack was not his computer or network. It was the paper wallet he threw into the recycling bin.

Unknown to Frank, the paper wallet was taken from the recycling bin by Eve, a dishonest coworker. Eve added the private key to a custom-built program that automatically detects deposits into a list of observed addresses, and then withdraws them instantaneously.

MultiBit, working as designed, used the imported paper wallet address to receive 1.9 BTC in switch from Frank‘s Overstock payment. Eve’s program noticed the transfer and instantly withdrew the funds.

Eve pulled off her heist without access to Frank‘s computer, or even skill of Frank’s identity. The plan worked because Eve know one of the private keys being used to receive switch in Frank's MultiBit wallet.

Recovery: Frank cannot recover the funds, nor is he likely to determine the identity of the thief.

  • Sweeping a paper wallet creates a normal transaction into an existing wallet address, depleting the paper wallet. The paper wallet private key is never again used by the wallet software. Unless you have a compelling reason to do otherwise, sweep paper wallets instead of importing them. This is especially significant for paper wallets that you did not generate yourself securely.

Partial Loss of Funds

Albeit the examples in the previous section resulted in finish loss of funds, the same mechanisms also permit for partial loss. These conditions were assumed, which may or may not hold at the time a switch address problem arises:

  1. The entire balance of a wallet resides at a single address.
  2. This single address contains one unspent output.

For example, a single address that receives numerous payments will contain numerous unspent outputs. Likewise, wallet balances can become distributed across numerous switch addresses as the user spends funds.

Imagine Alice's wallet contains two addresses, Address one and Address Two, with a total value of fifteen BTC. To make a six BTC payment, the wallet chooses a seven BTC unspent output from Address 1, receiving one BTC switch into Address Two. As expected, her wallet balance decreases to nine BTC.

Alice loses one BTC after restoring a backup in which a switch address was missing.

Then disaster strikes – Alice's hard drive fails. After installing a fresh hard drive and restoring her wallet backup, Alice notices something odd. Before the hard drive crash, her wallet balance was nine BTC. But the balance only read eight BTC after recovering the backup. Why does one BTC seem to be missing?

Alice was using a random address pool wallet, in which Address two was not contained in her original backup. Restoring the backup gave the appearance that Address two had “disappeared”, and along with it the one BTC spent output it contained.

In a sense, Alice was fortunate because she could have lost her entire wallet balance. On the other forearm, without understanding switch addresses, Alice would likely be very confused about what happened to the missing one BTC. The same mistake could happen again.

Conclusions

When used correctly, switch addresses help prevent the identities and spending histories of Bitcoin users from being made public. But with this capability comes the potential for loss and theft. To avoid potentially costly mistakes, familiarize yourself with switch addresses and how your wallet software implements them.

Five Ways to Lose Money with Bitcoin Switch Addresses

Five Ways to Lose Money with Bitcoin Switch Addresses

Bitcoin can be coldly unforgiving of mistakes, and nowhere is this better demonstrated than with switch addresses. Albeit switch addresses provide a key privacy device, they can also lead to confusion, loss, or theft when not understood.

This article explains how to securely use one of Bitcoin's least understood features. It completes with a list of common pitfalls and ways to avoid them.

The Debit Card from Hell

Imagine paying for groceries with a debit card. The checker totals the amount due and you swipe your card as usual. However, you notice the payment terminal is asking for all of the money in your account.

The checker smiles, explaining that this is part of your bank's fresh prizes program. You have three options: (1) send the switch back to your current account; (Two) send the switch to a newly-created bank account; or (Trio) say nothing and send the switch to the payment terminal company.

Counterintuitive? Confusing? Alarming? Many Bitcoin users are astonished to find eerie similarities inbetween this diabolical debit card and the way transactions seem to work.

Thinking about Bitcoin in terms of past practices with online banking and debit cards can lead to problems. Fortunately, an older payment method offers better insights into how Bitcoin works and why.

Bitcoin is Electronic Cash

The similarities inbetween Bitcoin and cash run deep. In his whitepaper, Satoshi Nakamoto even described Bitcoin as an “electronic cash system”. Understanding the close connection inbetween Bitcoin and cash is the key to understanding switch addresses.

Imagine needing to track different pools of paper bills, maybe as part of a collection drive. You might use envelopes to keep the bills physically separate from each other – a “cash envelope”.

A Bitcoin address can be thought of as the digital equivalent of a cash envelope.

A Bitcoin address as a digital “cash envelope”.

Like a cash envelope, an address can hold zero or more units of electronic cash. Instead of paper bills, Bitcoin uses the electronic equivalent – “unspent outputs”. The balance of any address can be found by summing the value of each unspent output it contains, just like the amount held in a cash envelope can be found by counting the values of all bills.

The purpose of the Bitcoin network is to enable the regulated transfer of unspent outputs inbetween addresses through transactions.

How Bitcoin Transactions Work

Imagine that Alice, who wields an address containing one unspent output worth ten bitcoin (BTC), wants to pay Bob ten bitcoin. Alice moves the funds with a transaction sending her single unspent output to Bob‘s empty address. In doing so, Alice’s address balance falls to zero and Bob's address balance rises to ten bitcoin.

Alice pays Bob ten BTC, using her only unspent output. Alice‘s address balance falls by ten BTC. Bob’s increases by ten BTC. Alice may not re-spend the ten BTC.

After the transaction, Bob can give the unspent output he received from Alice to someone else. However, Alice will neither be permitted to take back the unspent output she transferred, nor will she be able to spend it again.

A few days later, Alice wants to pay Bob five BTC from an address containing a single output valued at ten BTC. Alice has a problem: she needs to pay Bob, but she doesn‘t want to give him the entire ten BTC. Alice wouldn’t be permitted to rip a $Ten bill in half to pay Bob $Five. Likewise, Bitcoin requires Alice to send the network her entire ten BTC unspent output – intact.

To resolve this dilemma, Alice uses a transaction that splits her payment, a feature fully supported by Bitcoin. One part of the transaction sends five BTC to Bob's address and the other comebacks five BTC back to her own. In a similar way, Alice could break a $Ten bill at the bank into two $Five bills, providing one to Bob and keeping one for herself.

Alice pays Bob five BTC. Having no an unspent output in the correct amount, Alice splits the transaction into a five BTC payment to Bob and a five BTC switch payment to herself. Both Alice and Bob may now use their respective five BTC unspent outputs.

Over time, Alice's address accumulates unspent outputs from people who have paid her. Her address now contains unspent outputs valued at twenty BTC, ten BTC, and five BTC.

Once again, it‘s time for Alice to pay Bob – this time eight BTC. Alice creates a transaction that splits her ten BTC unspent output, sending eight BTC to Bob’s address and returning two BTC to her own as switch. Alice‘s address balance falls to twenty seven BTC and Bob’s address balance rises to eight BTC.

Alice pays Bob eight BTC. Her address doesn't contain an eight BTC unspent output, so she uses one valued at ten BTC, receiving the remaining two BTC as switch.

In the previous examples, Alice directed switch into the same address she spent from. Albeit this decision simplified accounting, it unluckily diminished Bob's privacy as well as her own.

Switch Addresses and Privacy

By design, every Bitcoin transaction remains permanently viewable in a global public ledger called the “block chain”. Privacy depends on the rigorous separation inbetween addresses and private identities, a model referred to as pseudonymity.

Any observer capable of linking Bitcoin addresses to private identities can begin to draw conclusions about money transfers inbetween people. Users make this job more difficult by sending switch to newly-created addresses.

To see why, imagine a transaction that sends funds from Address A to Address B. If switch is returned to Address A, the block chain clearly exposes that the person controlling Address A paid the person controlling Address B. The same reasoning holds if two or more addresses are involved. Any transaction involving Address A as a sender exposes the receiving address unambiguously.

Switch is returned to the sending address. The intended payee is unambiguous.

Should the identity of the person controlling either receiving or payment addresses become known, the identities of the other parties could become known as well.

Now imagine that Address A initiates a payment to B, but this time directs switch to a newly-generated switch address C. Without knowing which address receives switch, all we can deduce is that a transaction split Address A's balance inbetween Addresses B and C. The identity of the person controlling Addresses B or C may or may not be the same as the identity of the person controlling Address A. Given another transaction from Address C, the picture becomes even murkier. Which of the transfers represent payments and which represent the receipt of switch?

Switch is returned to a newly-created switch address. The intended payee is ambiguous.

An observer attempting to link individual identities to addresses must gather more secondary information and expend more resources when all parties send switch to newly-created addresses.

Coordinating numerous addresses is a complicated task. Wallet software frees the user from the need to do this by hand.

Wallets and Switch Addresses

Albeit switch addresses play a key role in improving privacy, wallet developers can implement this feature in a number of ways. Four strategies are presently in use, each with its own implications for privacy and security.

  • Single-Address Wallets use a single address to receive both payments and switch. Extra addresses may added when a receiving address is by hand added, or a private key is imported. Examples include Blockchain.info and MultiBit.
  • Random Address Pool Wallets use a fixed-size pool of randomly-generated addresses. Switch is sent to the next available empty address, causing the creation of a fresh empty address to take its place. The best-known example is Bitcoin-Qt.
  • Deterministic Address Pool Wallets contain a practically infinite pool of deterministically-generated addresses. A subset of this pool contains addresses reserved for receiving switch. Examples include Electrum and Armory.
  • Hybrid Wallets use numerous strategies, depending on context. MultiBit, Mycelium, and Electrum are examples.

Let's now consider ways that misunderstanding switch addresses, combined with semi-manual address management, can lead to loss or theft of funds.

Preventing and Recovering from Switch Address Disasters

Incorrect use of Bitcoin switch addresses account for many cases of loss or theft of funds. Here are some disaster scripts and ways to avoid them.

1. Backup Failure

Alice uses Bitcoin-Qt. Understanding the importance of backups, she created an encrypted wallet backup long ago and stored it in a safe place. After making dozens of transactions with Bitcoin-Qt, Alice's hard drive crashed.

Alice bought a fresh hard drive and then re-installed Bitcoin-Qt on it. She then restored her wallet backup. To her horror, Alice discovered the restored wallet was empty.

Explanation: Alice generated enough switch addresses to overflow the original pool of 100. On the 100th spending transaction, Bitcoin-Qt moved Alice's switch (which happend to be her entire balance) into an address not in the backup. Restoring the backup only restored empty addresses.

Recovery: Even if a hard drive can't boot an operating system, individual files can still be recovered. Using data recovery instruments, Alice may be able to salvage the Bitcoin-Qt wallet from the faulty hard drive, and with it her lost funds.

  • Count the number of manually-created addresses and spending transactions since your last backup. If this number is greater than about 80, back up again. Weekly backups might be enough for most users.
  • Set a very high value (e.g., Ten,000) for the -keypool option, either as a instruction line parameter, or in the bitcoin.conf file.
  • Switch to a deterministic wallet.

Two. Failure to Monitor Switch Address

Bob uses Electrum to send infrequent bitcoin payments. Worried about possible theft, he wished a way to keep an eye on his bitcoin balance from one of his many devices.

Bob determined on blockchain.info to monitor address activity. Bob‘s Electrum wallet contained several addresses, but only one of them held bitcoin (0.Three BTC). Assuming this was the only address he’d be using, Bob pasted it into the blockchain.info search window and bookmarked the resulting page.

A few weeks later, Bob made a 0.Two BTC payment to Overstock from his Electrum wallet. After receiving his merchandise, Bob determined to check his balance with blockchain.info.

Disturbingly, Bob discovered that part of his Overstock payment was transferred to an unknown address. Thinking that his computer running Electrum had been compromised, Bob re-formated the hard drive.

Explanation: Albeit it may look to Bob as if an eavesdropper switched his transaction before it was sent to Overstock, he‘s instead observing the result of normal wallet operation. Electrum sent the switch from Bob’s transaction to one of its deterministically-generated switch addresses. This cleared the balance from the sending address, the only one Bob was monitoring.

Recovery: Electrum encourages the storage of its 12-word address generation seed in a safe location. Should Bob still have access to the seed, he can re-generate his old wallet and recover the switch from the Overstock transaction.

  • If using a deterministic wallet, create a watching-only wallet to monitor addresses.
  • If using Bitcoin-Qt, by hand update your list of see addresses after every payment, or switch to a deterministic wallet.

Trio. Spending from a Paper Wallet

Carlos is a saver. Awhile back he bought twenty bitcoins at $Ten apiece, and then transferred them to a paper wallet he created at bitaddress.org. He didn't do anything with Bitcoin since then.

One day Carlos noticed a deal on fresh laptops at Overstock and determined to pay using one of his saved bitcoins. But Carlos had a problem: he needed to get his paper wallet into a software wallet to pay Overstock.

Carlos downloaded MultiBit and imported his paper wallet's private key. After paying Overstock, he exited the program.

Carlos was worried about leaving any trace of his private key on his computer, so he securely deleted MultiBit and its data directory. He then returned his paper wallet to its safe location.

After a few weeks, Carlos checked his paper wallet's balance. To his shock, the balance read zero. Nineteen bitcoins were sent to an unacquainted address on the same day as the Overstock payment.

Explanation: Carlos suspects foul play, but he's actually observing the result of normal wallet behavior. The nineteen missing bitcoins were sent to a switch address, leaving his paper wallet empty.

Recovery: In securely deleting the MultiBit data directory, Carlos lost any chance of recovering the missing funds.

  • Before deleting any hot wallet with an imported paper wallet private key, send the remaining balance back to a paper wallet.
  • Use a software wallet that will comeback switch back to the paper wallet. One example is Mycelium. Another is Blockchain.info through the “custom spend” option. Both approaches would come back switch to the paper wallet, albeit doing so degrades privacy.

Four. Sharing a Wallet

Dave runs Bitcoin-Qt on two computers, a laptop and a desktop in his garage. Wanting to use both computers to make payments, Dave copied a clean wallet.dat backup file from the laptop to the desktop.

After making many payments without a problem from both computers, Dave noticed something odd one day. His laptop wallet showcased a zero balance, but his desktop wallet demonstrated the correct balance.

Explanation: Dave‘s computer network was not compromised, nor did he uncover a bug in Bitcoin-Qt. Instead, his copy of Bitcoin-Qt running on the desktop used the last available pool address held jointly with the laptop. On his last transaction, Dave’s switch was sent to an address unknown to the laptop.

Recovery: Back up the wallets on both the laptop and the desktop. Export all private keys from both computers, and sweep them into a fresh wallet. If sharing wallets is critical, don't proceed using Bitcoin-Qt.

  • Don't use Bitcoin-Qt to share wallets among numerous computers. Use Electrum or Armory, which were designed specifically with this use case in mind.

Five. Theft from an Imported Paper Wallet

Frank received a paper wallet containing two BTC as a bounty at a company event. Impatient to see how Bitcoin works, he installed MultiBit and imported the paper wallet's private key. Not observing a need to keep the paper wallet, Frank threw it into the recycling bin at his office.

Over time, Frank depleted his Bitcoin funds. To re-fund his wallet, Frank bought an extra two BTC from Coinbase and then transferred them into his MultiBit wallet.

Shortly thereafter, Frank bought a set of sheets from Overstock for 0.1 BTC. Albeit this payment confirmed without issue, Frank noticed something odd. Without his approval, a 2nd withdrawal was made to an unknown address, emptying his wallet of the remaining 1.9 BTC.

Explanation: Albeit Frank was the victim of theft, the route of attack was not his computer or network. It was the paper wallet he threw into the recycling bin.

Unknown to Frank, the paper wallet was taken from the recycling bin by Eve, a dishonest coworker. Eve added the private key to a custom-built program that automatically detects deposits into a list of observed addresses, and then withdraws them instantaneously.

MultiBit, working as designed, used the imported paper wallet address to receive 1.9 BTC in switch from Frank‘s Overstock payment. Eve’s program noticed the transfer and instantaneously withdrew the funds.

Eve pulled off her heist without access to Frank‘s computer, or even skill of Frank’s identity. The plan worked because Eve know one of the private keys being used to receive switch in Frank's MultiBit wallet.

Recovery: Frank cannot recover the funds, nor is he likely to determine the identity of the thief.

  • Sweeping a paper wallet creates a normal transaction into an existing wallet address, depleting the paper wallet. The paper wallet private key is never again used by the wallet software. Unless you have a compelling reason to do otherwise, sweep paper wallets instead of importing them. This is especially significant for paper wallets that you did not generate yourself securely.

Partial Loss of Funds

Albeit the examples in the previous section resulted in accomplish loss of funds, the same mechanisms also permit for partial loss. These conditions were assumed, which may or may not hold at the time a switch address problem arises:

  1. The entire balance of a wallet resides at a single address.
  2. This single address contains one unspent output.

For example, a single address that receives numerous payments will contain numerous unspent outputs. Likewise, wallet balances can become distributed across numerous switch addresses as the user spends funds.

Imagine Alice's wallet contains two addresses, Address one and Address Two, with a total value of fifteen BTC. To make a six BTC payment, the wallet chooses a seven BTC unspent output from Address 1, receiving one BTC switch into Address Two. As expected, her wallet balance decreases to nine BTC.

Alice loses one BTC after restoring a backup in which a switch address was missing.

Then disaster strikes – Alice's hard drive fails. After installing a fresh hard drive and restoring her wallet backup, Alice notices something odd. Before the hard drive crash, her wallet balance was nine BTC. But the balance only read eight BTC after recovering the backup. Why does one BTC seem to be missing?

Alice was using a random address pool wallet, in which Address two was not contained in her original backup. Restoring the backup gave the appearance that Address two had “disappeared”, and along with it the one BTC spent output it contained.

In a sense, Alice was fortunate because she could have lost her entire wallet balance. On the other forearm, without understanding switch addresses, Alice would likely be very confused about what happened to the missing one BTC. The same mistake could happen again.

Conclusions

When used correctly, switch addresses help prevent the identities and spending histories of Bitcoin users from being made public. But with this capability comes the potential for loss and theft. To avoid potentially costly mistakes, familiarize yourself with switch addresses and how your wallet software implements them.

Five Ways to Lose Money with Bitcoin Switch Addresses

Five Ways to Lose Money with Bitcoin Switch Addresses

Bitcoin can be coldly unforgiving of mistakes, and nowhere is this better demonstrated than with switch addresses. Albeit switch addresses provide a key privacy contraption, they can also lead to confusion, loss, or theft when not understood.

This article explains how to securely use one of Bitcoin's least understood features. It finishes with a list of common pitfalls and ways to avoid them.

The Debit Card from Hell

Imagine paying for groceries with a debit card. The checker totals the amount due and you swipe your card as usual. However, you notice the payment terminal is asking for all of the money in your account.

The checker smiles, explaining that this is part of your bank's fresh prizes program. You have three options: (1) send the switch back to your current account; (Two) send the switch to a newly-created bank account; or (Three) say nothing and send the switch to the payment terminal company.

Counterintuitive? Confusing? Alarming? Many Bitcoin users are astonished to find eerie similarities inbetween this diabolical debit card and the way transactions seem to work.

Thinking about Bitcoin in terms of past practices with online banking and debit cards can lead to problems. Fortunately, an older payment method offers better insights into how Bitcoin works and why.

Bitcoin is Electronic Cash

The similarities inbetween Bitcoin and cash run deep. In his whitepaper, Satoshi Nakamoto even described Bitcoin as an “electronic cash system”. Understanding the close connection inbetween Bitcoin and cash is the key to understanding switch addresses.

Imagine needing to track different pools of paper bills, maybe as part of a collection drive. You might use envelopes to keep the bills physically separate from each other – a “cash envelope”.

A Bitcoin address can be thought of as the digital equivalent of a cash envelope.

A Bitcoin address as a digital “cash envelope”.

Like a cash envelope, an address can hold zero or more units of electronic cash. Instead of paper bills, Bitcoin uses the electronic equivalent – “unspent outputs”. The balance of any address can be found by summing the value of each unspent output it contains, just like the amount held in a cash envelope can be found by counting the values of all bills.

The purpose of the Bitcoin network is to enable the regulated transfer of unspent outputs inbetween addresses through transactions.

How Bitcoin Transactions Work

Imagine that Alice, who wields an address containing one unspent output worth ten bitcoin (BTC), wants to pay Bob ten bitcoin. Alice moves the funds with a transaction sending her single unspent output to Bob‘s empty address. In doing so, Alice’s address balance falls to zero and Bob's address balance rises to ten bitcoin.

Alice pays Bob ten BTC, using her only unspent output. Alice‘s address balance falls by ten BTC. Bob’s increases by ten BTC. Alice may not re-spend the ten BTC.

After the transaction, Bob can give the unspent output he received from Alice to someone else. However, Alice will neither be permitted to take back the unspent output she transferred, nor will she be able to spend it again.

A few days later, Alice wants to pay Bob five BTC from an address containing a single output valued at ten BTC. Alice has a problem: she needs to pay Bob, but she doesn‘t want to give him the entire ten BTC. Alice wouldn’t be permitted to rip a $Ten bill in half to pay Bob $Five. Likewise, Bitcoin requires Alice to send the network her entire ten BTC unspent output – intact.

To resolve this dilemma, Alice uses a transaction that splits her payment, a feature fully supported by Bitcoin. One part of the transaction sends five BTC to Bob's address and the other comes back five BTC back to her own. In a similar way, Alice could break a $Ten bill at the bank into two $Five bills, providing one to Bob and keeping one for herself.

Alice pays Bob five BTC. Having no an unspent output in the correct amount, Alice splits the transaction into a five BTC payment to Bob and a five BTC switch payment to herself. Both Alice and Bob may now use their respective five BTC unspent outputs.

Over time, Alice's address accumulates unspent outputs from people who have paid her. Her address now contains unspent outputs valued at twenty BTC, ten BTC, and five BTC.

Once again, it‘s time for Alice to pay Bob – this time eight BTC. Alice creates a transaction that splits her ten BTC unspent output, sending eight BTC to Bob’s address and returning two BTC to her own as switch. Alice‘s address balance falls to twenty seven BTC and Bob’s address balance rises to eight BTC.

Alice pays Bob eight BTC. Her address doesn't contain an eight BTC unspent output, so she uses one valued at ten BTC, receiving the remaining two BTC as switch.

In the previous examples, Alice directed switch into the same address she spent from. Albeit this decision simplified accounting, it unluckily diminished Bob's privacy as well as her own.

Switch Addresses and Privacy

By design, every Bitcoin transaction remains permanently viewable in a global public ledger called the “block chain”. Privacy depends on the rigorous separation inbetween addresses and private identities, a model referred to as pseudonymity.

Any observer capable of linking Bitcoin addresses to individual identities can begin to draw conclusions about money transfers inbetween people. Users make this job more difficult by sending switch to newly-created addresses.

To see why, imagine a transaction that sends funds from Address A to Address B. If switch is returned to Address A, the block chain clearly exposes that the person controlling Address A paid the person controlling Address B. The same reasoning holds if two or more addresses are involved. Any transaction involving Address A as a sender exposes the receiving address unambiguously.

Switch is returned to the sending address. The intended payee is unambiguous.

Should the identity of the person controlling either receiving or payment addresses become known, the identities of the other parties could become known as well.

Now imagine that Address A initiates a payment to B, but this time directs switch to a newly-generated switch address C. Without knowing which address receives switch, all we can deduce is that a transaction split Address A's balance inbetween Addresses B and C. The identity of the person controlling Addresses B or C may or may not be the same as the identity of the person controlling Address A. Given another transaction from Address C, the picture becomes even murkier. Which of the transfers represent payments and which represent the receipt of switch?

Switch is returned to a newly-created switch address. The intended payee is ambiguous.

An observer attempting to link private identities to addresses must gather more secondary information and expend more resources when all parties send switch to newly-created addresses.

Coordinating numerous addresses is a complicated task. Wallet software frees the user from the need to do this by hand.

Wallets and Switch Addresses

Albeit switch addresses play a key role in improving privacy, wallet developers can implement this feature in a number of ways. Four strategies are presently in use, each with its own implications for privacy and security.

  • Single-Address Wallets use a single address to receive both payments and switch. Extra addresses may added when a receiving address is by hand added, or a private key is imported. Examples include Blockchain.info and MultiBit.
  • Random Address Pool Wallets use a fixed-size pool of randomly-generated addresses. Switch is sent to the next available empty address, causing the creation of a fresh empty address to take its place. The best-known example is Bitcoin-Qt.
  • Deterministic Address Pool Wallets contain a practically infinite pool of deterministically-generated addresses. A subset of this pool contains addresses reserved for receiving switch. Examples include Electrum and Armory.
  • Hybrid Wallets use numerous strategies, depending on context. MultiBit, Mycelium, and Electrum are examples.

Let's now consider ways that misunderstanding switch addresses, combined with semi-manual address management, can lead to loss or theft of funds.

Preventing and Recovering from Switch Address Disasters

Incorrect use of Bitcoin switch addresses account for many cases of loss or theft of funds. Here are some disaster scripts and ways to avoid them.

1. Backup Failure

Alice uses Bitcoin-Qt. Understanding the importance of backups, she created an encrypted wallet backup long ago and stored it in a safe place. After making dozens of transactions with Bitcoin-Qt, Alice's hard drive crashed.

Alice bought a fresh hard drive and then re-installed Bitcoin-Qt on it. She then restored her wallet backup. To her horror, Alice discovered the restored wallet was empty.

Explanation: Alice generated enough switch addresses to overflow the original pool of 100. On the 100th spending transaction, Bitcoin-Qt moved Alice's switch (which happend to be her entire balance) into an address not in the backup. Restoring the backup only restored empty addresses.

Recovery: Even if a hard drive can't boot an operating system, individual files can still be recovered. Using data recovery devices, Alice may be able to salvage the Bitcoin-Qt wallet from the faulty hard drive, and with it her lost funds.

  • Count the number of manually-created addresses and spending transactions since your last backup. If this number is greater than about 80, back up again. Weekly backups might be enough for most users.
  • Set a very high value (e.g., Ten,000) for the -keypool option, either as a guideline line parameter, or in the bitcoin.conf file.
  • Switch to a deterministic wallet.

Two. Failure to Monitor Switch Address

Bob uses Electrum to send infrequent bitcoin payments. Worried about possible theft, he dreamed a way to keep an eye on his bitcoin balance from one of his many devices.

Bob determined on blockchain.info to monitor address activity. Bob‘s Electrum wallet contained several addresses, but only one of them held bitcoin (0.Three BTC). Assuming this was the only address he’d be using, Bob pasted it into the blockchain.info search window and bookmarked the resulting page.

A few weeks later, Bob made a 0.Two BTC payment to Overstock from his Electrum wallet. After receiving his merchandise, Bob determined to check his balance with blockchain.info.

Disturbingly, Bob discovered that part of his Overstock payment was transferred to an unknown address. Thinking that his computer running Electrum had been compromised, Bob re-formated the hard drive.

Explanation: Albeit it may look to Bob as if an eavesdropper switched his transaction before it was sent to Overstock, he‘s instead watching the result of normal wallet operation. Electrum sent the switch from Bob’s transaction to one of its deterministically-generated switch addresses. This cleared the balance from the sending address, the only one Bob was monitoring.

Recovery: Electrum encourages the storage of its 12-word address generation seed in a safe location. Should Bob still have access to the seed, he can re-generate his old wallet and recover the switch from the Overstock transaction.

  • If using a deterministic wallet, create a watching-only wallet to monitor addresses.
  • If using Bitcoin-Qt, by hand update your list of see addresses after every payment, or switch to a deterministic wallet.

Trio. Spending from a Paper Wallet

Carlos is a saver. Awhile back he bought twenty bitcoins at $Ten apiece, and then transferred them to a paper wallet he created at bitaddress.org. He didn't do anything with Bitcoin since then.

One day Carlos noticed a deal on fresh laptops at Overstock and determined to pay using one of his saved bitcoins. But Carlos had a problem: he needed to get his paper wallet into a software wallet to pay Overstock.

Carlos downloaded MultiBit and imported his paper wallet's private key. After paying Overstock, he exited the program.

Carlos was worried about leaving any trace of his private key on his computer, so he securely deleted MultiBit and its data directory. He then returned his paper wallet to its safe location.

After a few weeks, Carlos checked his paper wallet's balance. To his shock, the balance read zero. Nineteen bitcoins were sent to an unacquainted address on the same day as the Overstock payment.

Explanation: Carlos suspects foul play, but he's actually observing the result of normal wallet behavior. The nineteen missing bitcoins were sent to a switch address, leaving his paper wallet empty.

Recovery: In securely deleting the MultiBit data directory, Carlos lost any chance of recovering the missing funds.

  • Before deleting any hot wallet with an imported paper wallet private key, send the remaining balance back to a paper wallet.
  • Use a software wallet that will come back switch back to the paper wallet. One example is Mycelium. Another is Blockchain.info through the “custom spend” option. Both approaches would come back switch to the paper wallet, albeit doing so degrades privacy.

Four. Sharing a Wallet

Dave runs Bitcoin-Qt on two computers, a laptop and a desktop in his garage. Wanting to use both computers to make payments, Dave copied a clean wallet.dat backup file from the laptop to the desktop.

After making many payments without a problem from both computers, Dave noticed something odd one day. His laptop wallet displayed a zero balance, but his desktop wallet displayed the correct balance.

Explanation: Dave‘s computer network was not compromised, nor did he uncover a bug in Bitcoin-Qt. Instead, his copy of Bitcoin-Qt running on the desktop used the last available pool address held jointly with the laptop. On his last transaction, Dave’s switch was sent to an address unknown to the laptop.

Recovery: Back up the wallets on both the laptop and the desktop. Export all private keys from both computers, and sweep them into a fresh wallet. If sharing wallets is critical, don't proceed using Bitcoin-Qt.

  • Don't use Bitcoin-Qt to share wallets among numerous computers. Use Electrum or Armory, which were designed specifically with this use case in mind.

Five. Theft from an Imported Paper Wallet

Frank received a paper wallet containing two BTC as a bounty at a company event. Anxious to see how Bitcoin works, he installed MultiBit and imported the paper wallet's private key. Not watching a need to keep the paper wallet, Frank threw it into the recycling bin at his office.

Over time, Frank depleted his Bitcoin funds. To re-fund his wallet, Frank bought an extra two BTC from Coinbase and then transferred them into his MultiBit wallet.

Shortly thereafter, Frank bought a set of sheets from Overstock for 0.1 BTC. Albeit this payment confirmed without issue, Frank noticed something odd. Without his approval, a 2nd withdrawal was made to an unknown address, emptying his wallet of the remaining 1.9 BTC.

Explanation: Albeit Frank was the victim of theft, the route of attack was not his computer or network. It was the paper wallet he threw into the recycling bin.

Unknown to Frank, the paper wallet was taken from the recycling bin by Eve, a dishonest coworker. Eve added the private key to a custom-made program that automatically detects deposits into a list of observed addresses, and then withdraws them instantaneously.

MultiBit, working as designed, used the imported paper wallet address to receive 1.9 BTC in switch from Frank‘s Overstock payment. Eve’s program noticed the transfer and instantaneously withdrew the funds.

Eve pulled off her heist without access to Frank‘s computer, or even skill of Frank’s identity. The plan worked because Eve know one of the private keys being used to receive switch in Frank's MultiBit wallet.

Recovery: Frank cannot recover the funds, nor is he likely to determine the identity of the thief.

  • Sweeping a paper wallet creates a normal transaction into an existing wallet address, depleting the paper wallet. The paper wallet private key is never again used by the wallet software. Unless you have a compelling reason to do otherwise, sweep paper wallets instead of importing them. This is especially significant for paper wallets that you did not generate yourself securely.

Partial Loss of Funds

Albeit the examples in the previous section resulted in finish loss of funds, the same mechanisms also permit for partial loss. These conditions were assumed, which may or may not hold at the time a switch address problem arises:

  1. The entire balance of a wallet resides at a single address.
  2. This single address contains one unspent output.

For example, a single address that receives numerous payments will contain numerous unspent outputs. Likewise, wallet balances can become distributed across numerous switch addresses as the user spends funds.

Imagine Alice's wallet contains two addresses, Address one and Address Two, with a total value of fifteen BTC. To make a six BTC payment, the wallet chooses a seven BTC unspent output from Address 1, receiving one BTC switch into Address Two. As expected, her wallet balance decreases to nine BTC.

Alice loses one BTC after restoring a backup in which a switch address was missing.

Then disaster strikes – Alice's hard drive fails. After installing a fresh hard drive and restoring her wallet backup, Alice notices something odd. Before the hard drive crash, her wallet balance was nine BTC. But the balance only read eight BTC after recovering the backup. Why does one BTC seem to be missing?

Alice was using a random address pool wallet, in which Address two was not contained in her original backup. Restoring the backup gave the appearance that Address two had “disappeared”, and along with it the one BTC spent output it contained.

In a sense, Alice was fortunate because she could have lost her entire wallet balance. On the other mitt, without understanding switch addresses, Alice would likely be very confused about what happened to the missing one BTC. The same mistake could happen again.

Conclusions

When used correctly, switch addresses help prevent the identities and spending histories of Bitcoin users from being made public. But with this capability comes the potential for loss and theft. To avoid potentially costly mistakes, familiarize yourself with switch addresses and how your wallet software implements them.

Five Ways to Lose Money with Bitcoin Switch Addresses

Five Ways to Lose Money with Bitcoin Switch Addresses

Bitcoin can be coldly unforgiving of mistakes, and nowhere is this better demonstrated than with switch addresses. Albeit switch addresses provide a key privacy implement, they can also lead to confusion, loss, or theft when not understood.

This article explains how to securely use one of Bitcoin's least understood features. It completes with a list of common pitfalls and ways to avoid them.

The Debit Card from Hell

Imagine paying for groceries with a debit card. The checker totals the amount due and you swipe your card as usual. However, you notice the payment terminal is asking for all of the money in your account.

The checker smiles, explaining that this is part of your bank's fresh prizes program. You have three options: (1) send the switch back to your current account; (Two) send the switch to a newly-created bank account; or (Trio) say nothing and send the switch to the payment terminal company.

Counterintuitive? Confusing? Alarming? Many Bitcoin users are astonished to find eerie similarities inbetween this diabolical debit card and the way transactions seem to work.

Thinking about Bitcoin in terms of past practices with online banking and debit cards can lead to problems. Fortunately, an older payment method offers better insights into how Bitcoin works and why.

Bitcoin is Electronic Cash

The similarities inbetween Bitcoin and cash run deep. In his whitepaper, Satoshi Nakamoto even described Bitcoin as an “electronic cash system”. Understanding the close connection inbetween Bitcoin and cash is the key to understanding switch addresses.

Imagine needing to track different pools of paper bills, maybe as part of a collection drive. You might use envelopes to keep the bills physically separate from each other – a “cash envelope”.

A Bitcoin address can be thought of as the digital equivalent of a cash envelope.

A Bitcoin address as a digital “cash envelope”.

Like a cash envelope, an address can hold zero or more units of electronic cash. Instead of paper bills, Bitcoin uses the electronic equivalent – “unspent outputs”. The balance of any address can be found by summing the value of each unspent output it contains, just like the amount held in a cash envelope can be found by counting the values of all bills.

The purpose of the Bitcoin network is to enable the regulated transfer of unspent outputs inbetween addresses through transactions.

How Bitcoin Transactions Work

Imagine that Alice, who possesses an address containing one unspent output worth ten bitcoin (BTC), wants to pay Bob ten bitcoin. Alice moves the funds with a transaction sending her single unspent output to Bob‘s empty address. In doing so, Alice’s address balance falls to zero and Bob's address balance rises to ten bitcoin.

Alice pays Bob ten BTC, using her only unspent output. Alice‘s address balance falls by ten BTC. Bob’s increases by ten BTC. Alice may not re-spend the ten BTC.

After the transaction, Bob can give the unspent output he received from Alice to someone else. However, Alice will neither be permitted to take back the unspent output she transferred, nor will she be able to spend it again.

A few days later, Alice wants to pay Bob five BTC from an address containing a single output valued at ten BTC. Alice has a problem: she needs to pay Bob, but she doesn‘t want to give him the entire ten BTC. Alice wouldn’t be permitted to rip a $Ten bill in half to pay Bob $Five. Likewise, Bitcoin requires Alice to send the network her entire ten BTC unspent output – intact.

To resolve this dilemma, Alice uses a transaction that splits her payment, a feature fully supported by Bitcoin. One part of the transaction sends five BTC to Bob's address and the other comebacks five BTC back to her own. In a similar way, Alice could break a $Ten bill at the bank into two $Five bills, providing one to Bob and keeping one for herself.

Alice pays Bob five BTC. Having no an unspent output in the correct amount, Alice splits the transaction into a five BTC payment to Bob and a five BTC switch payment to herself. Both Alice and Bob may now use their respective five BTC unspent outputs.

Over time, Alice's address accumulates unspent outputs from people who have paid her. Her address now contains unspent outputs valued at twenty BTC, ten BTC, and five BTC.

Once again, it‘s time for Alice to pay Bob – this time eight BTC. Alice creates a transaction that splits her ten BTC unspent output, sending eight BTC to Bob’s address and returning two BTC to her own as switch. Alice‘s address balance falls to twenty seven BTC and Bob’s address balance rises to eight BTC.

Alice pays Bob eight BTC. Her address doesn't contain an eight BTC unspent output, so she uses one valued at ten BTC, receiving the remaining two BTC as switch.

In the previous examples, Alice directed switch into the same address she spent from. Albeit this decision simplified accounting, it unluckily diminished Bob's privacy as well as her own.

Switch Addresses and Privacy

By design, every Bitcoin transaction remains permanently viewable in a global public ledger called the “block chain”. Privacy depends on the stringent separation inbetween addresses and individual identities, a model referred to as pseudonymity.

Any observer capable of linking Bitcoin addresses to individual identities can begin to draw conclusions about money transfers inbetween people. Users make this job more difficult by sending switch to newly-created addresses.

To see why, imagine a transaction that sends funds from Address A to Address B. If switch is returned to Address A, the block chain clearly exposes that the person controlling Address A paid the person controlling Address B. The same reasoning holds if two or more addresses are involved. Any transaction involving Address A as a sender exposes the receiving address unambiguously.

Switch is returned to the sending address. The intended payee is unambiguous.

Should the identity of the person controlling either receiving or payment addresses become known, the identities of the other parties could become known as well.

Now imagine that Address A initiates a payment to B, but this time directs switch to a newly-generated switch address C. Without knowing which address receives switch, all we can deduce is that a transaction split Address A's balance inbetween Addresses B and C. The identity of the person controlling Addresses B or C may or may not be the same as the identity of the person controlling Address A. Given another transaction from Address C, the picture becomes even murkier. Which of the transfers represent payments and which represent the receipt of switch?

Switch is returned to a newly-created switch address. The intended payee is ambiguous.

An observer attempting to link private identities to addresses must gather more secondary information and expend more resources when all parties send switch to newly-created addresses.

Coordinating numerous addresses is a complicated task. Wallet software frees the user from the need to do this by hand.

Wallets and Switch Addresses

Albeit switch addresses play a key role in improving privacy, wallet developers can implement this feature in a number of ways. Four strategies are presently in use, each with its own implications for privacy and security.

  • Single-Address Wallets use a single address to receive both payments and switch. Extra addresses may added when a receiving address is by hand added, or a private key is imported. Examples include Blockchain.info and MultiBit.
  • Random Address Pool Wallets use a fixed-size pool of randomly-generated addresses. Switch is sent to the next available empty address, causing the creation of a fresh empty address to take its place. The best-known example is Bitcoin-Qt.
  • Deterministic Address Pool Wallets contain a practically infinite pool of deterministically-generated addresses. A subset of this pool contains addresses reserved for receiving switch. Examples include Electrum and Armory.
  • Hybrid Wallets use numerous strategies, depending on context. MultiBit, Mycelium, and Electrum are examples.

Let's now consider ways that misunderstanding switch addresses, combined with semi-manual address management, can lead to loss or theft of funds.

Preventing and Recovering from Switch Address Disasters

Incorrect use of Bitcoin switch addresses account for many cases of loss or theft of funds. Here are some disaster scripts and ways to avoid them.

1. Backup Failure

Alice uses Bitcoin-Qt. Understanding the importance of backups, she created an encrypted wallet backup long ago and stored it in a safe place. After making dozens of transactions with Bitcoin-Qt, Alice's hard drive crashed.

Alice bought a fresh hard drive and then re-installed Bitcoin-Qt on it. She then restored her wallet backup. To her horror, Alice discovered the restored wallet was empty.

Explanation: Alice generated enough switch addresses to overflow the original pool of 100. On the 100th spending transaction, Bitcoin-Qt moved Alice's switch (which happend to be her entire balance) into an address not in the backup. Restoring the backup only restored empty addresses.

Recovery: Even if a hard drive can't boot an operating system, individual files can still be recovered. Using data recovery devices, Alice may be able to salvage the Bitcoin-Qt wallet from the faulty hard drive, and with it her lost funds.

  • Count the number of manually-created addresses and spending transactions since your last backup. If this number is greater than about 80, back up again. Weekly backups might be enough for most users.
  • Set a very high value (e.g., Ten,000) for the -keypool option, either as a directive line parameter, or in the bitcoin.conf file.
  • Switch to a deterministic wallet.

Two. Failure to Monitor Switch Address

Bob uses Electrum to send infrequent bitcoin payments. Worried about possible theft, he desired a way to keep an eye on his bitcoin balance from one of his many devices.

Bob determined on blockchain.info to monitor address activity. Bob‘s Electrum wallet contained several addresses, but only one of them held bitcoin (0.Three BTC). Assuming this was the only address he’d be using, Bob pasted it into the blockchain.info search window and bookmarked the resulting page.

A few weeks later, Bob made a 0.Two BTC payment to Overstock from his Electrum wallet. After receiving his merchandise, Bob determined to check his balance with blockchain.info.

Disturbingly, Bob discovered that part of his Overstock payment was transferred to an unknown address. Thinking that his computer running Electrum had been compromised, Bob re-formated the hard drive.

Explanation: Albeit it may look to Bob as if an eavesdropper switched his transaction before it was sent to Overstock, he‘s instead witnessing the result of normal wallet operation. Electrum sent the switch from Bob’s transaction to one of its deterministically-generated switch addresses. This cleared the balance from the sending address, the only one Bob was monitoring.

Recovery: Electrum encourages the storage of its 12-word address generation seed in a safe location. Should Bob still have access to the seed, he can re-generate his old wallet and recover the switch from the Overstock transaction.

  • If using a deterministic wallet, create a watching-only wallet to monitor addresses.
  • If using Bitcoin-Qt, by hand update your list of witness addresses after every payment, or switch to a deterministic wallet.

Three. Spending from a Paper Wallet

Carlos is a saver. Awhile back he bought twenty bitcoins at $Ten apiece, and then transferred them to a paper wallet he created at bitaddress.org. He didn't do anything with Bitcoin since then.

One day Carlos noticed a deal on fresh laptops at Overstock and determined to pay using one of his saved bitcoins. But Carlos had a problem: he needed to get his paper wallet into a software wallet to pay Overstock.

Carlos downloaded MultiBit and imported his paper wallet's private key. After paying Overstock, he exited the program.

Carlos was worried about leaving any trace of his private key on his computer, so he securely deleted MultiBit and its data directory. He then returned his paper wallet to its safe location.

After a few weeks, Carlos checked his paper wallet's balance. To his shock, the balance read zero. Nineteen bitcoins were sent to an unacquainted address on the same day as the Overstock payment.

Explanation: Carlos suspects foul play, but he's actually witnessing the result of normal wallet behavior. The nineteen missing bitcoins were sent to a switch address, leaving his paper wallet empty.

Recovery: In securely deleting the MultiBit data directory, Carlos lost any chance of recovering the missing funds.

  • Before deleting any hot wallet with an imported paper wallet private key, send the remaining balance back to a paper wallet.
  • Use a software wallet that will comeback switch back to the paper wallet. One example is Mycelium. Another is Blockchain.info through the “custom spend” option. Both approaches would come back switch to the paper wallet, albeit doing so degrades privacy.

Four. Sharing a Wallet

Dave runs Bitcoin-Qt on two computers, a laptop and a desktop in his garage. Wanting to use both computers to make payments, Dave copied a clean wallet.dat backup file from the laptop to the desktop.

After making many payments without a problem from both computers, Dave noticed something odd one day. His laptop wallet displayed a zero balance, but his desktop wallet displayed the correct balance.

Explanation: Dave‘s computer network was not compromised, nor did he uncover a bug in Bitcoin-Qt. Instead, his copy of Bitcoin-Qt running on the desktop used the last available pool address held jointly with the laptop. On his last transaction, Dave’s switch was sent to an address unknown to the laptop.

Recovery: Back up the wallets on both the laptop and the desktop. Export all private keys from both computers, and sweep them into a fresh wallet. If sharing wallets is critical, don't proceed using Bitcoin-Qt.

  • Don't use Bitcoin-Qt to share wallets among numerous computers. Use Electrum or Armory, which were designed specifically with this use case in mind.

Five. Theft from an Imported Paper Wallet

Frank received a paper wallet containing two BTC as a bounty at a company event. Antsy to see how Bitcoin works, he installed MultiBit and imported the paper wallet's private key. Not observing a need to keep the paper wallet, Frank threw it into the recycling bin at his office.

Over time, Frank depleted his Bitcoin funds. To re-fund his wallet, Frank bought an extra two BTC from Coinbase and then transferred them into his MultiBit wallet.

Shortly thereafter, Frank bought a set of sheets from Overstock for 0.1 BTC. Albeit this payment confirmed without issue, Frank noticed something odd. Without his approval, a 2nd withdrawal was made to an unknown address, emptying his wallet of the remaining 1.9 BTC.

Explanation: Albeit Frank was the victim of theft, the route of attack was not his computer or network. It was the paper wallet he threw into the recycling bin.

Unknown to Frank, the paper wallet was taken from the recycling bin by Eve, a dishonest coworker. Eve added the private key to a custom-built program that automatically detects deposits into a list of observed addresses, and then withdraws them instantaneously.

MultiBit, working as designed, used the imported paper wallet address to receive 1.9 BTC in switch from Frank‘s Overstock payment. Eve’s program noticed the transfer and instantaneously withdrew the funds.

Eve pulled off her heist without access to Frank‘s computer, or even skill of Frank’s identity. The plan worked because Eve know one of the private keys being used to receive switch in Frank's MultiBit wallet.

Recovery: Frank cannot recover the funds, nor is he likely to determine the identity of the thief.

  • Sweeping a paper wallet creates a normal transaction into an existing wallet address, depleting the paper wallet. The paper wallet private key is never again used by the wallet software. Unless you have a compelling reason to do otherwise, sweep paper wallets instead of importing them. This is especially significant for paper wallets that you did not generate yourself securely.

Partial Loss of Funds

Albeit the examples in the previous section resulted in finish loss of funds, the same mechanisms also permit for partial loss. These conditions were assumed, which may or may not hold at the time a switch address problem arises:

  1. The entire balance of a wallet resides at a single address.
  2. This single address contains one unspent output.

For example, a single address that receives numerous payments will contain numerous unspent outputs. Likewise, wallet balances can become distributed across numerous switch addresses as the user spends funds.

Imagine Alice's wallet contains two addresses, Address one and Address Two, with a total value of fifteen BTC. To make a six BTC payment, the wallet chooses a seven BTC unspent output from Address 1, receiving one BTC switch into Address Two. As expected, her wallet balance decreases to nine BTC.

Alice loses one BTC after restoring a backup in which a switch address was missing.

Then disaster strikes – Alice's hard drive fails. After installing a fresh hard drive and restoring her wallet backup, Alice notices something odd. Before the hard drive crash, her wallet balance was nine BTC. But the balance only read eight BTC after recovering the backup. Why does one BTC seem to be missing?

Alice was using a random address pool wallet, in which Address two was not contained in her original backup. Restoring the backup gave the appearance that Address two had “disappeared”, and along with it the one BTC spent output it contained.

In a sense, Alice was fortunate because she could have lost her entire wallet balance. On the other arm, without understanding switch addresses, Alice would likely be very confused about what happened to the missing one BTC. The same mistake could happen again.

Conclusions

When used correctly, switch addresses help prevent the identities and spending histories of Bitcoin users from being made public. But with this capability comes the potential for loss and theft. To avoid potentially costly mistakes, familiarize yourself with switch addresses and how your wallet software implements them.

Related video:

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *