I’ve been asked several times to provide a guide to storing MaidSafeCoin off the exchange, so here’s something people may or may not find useful.
You probably assume you can trust yourself more than the exchange. This is not always true. Moving coins to and from the exchange is a simple but detailed process. If you mess it up it’s usually not recoverable. Poloniex (the major exchange for MAID) is reasonably trustworthy (you should do your own research and I’m not endorsing the security of any company or people in this post). Poloniex is owned by Circle. Poloniex currently stores about 122M MAID (about 27% of all currently available MAID). Point being, consider the risks of your own relatively basic understanding of security vs that of the exchange, and don’t just blindly trust yourself in preference to the exchange because someone said one or the other is better.
Follow the steps EXACTLY.
I will not provide support beyond this one single post. If you have problems they are your problems. I’m not a tech support person and will ignore you if you ask for help. Maybe some other people might help you if they’re feeling kind, but don’t bet on it. Please factor that into your risk assessment.
- Prepare your wallet securely
- Verify your wallet
- Transfer coins out of the exchange
- Transfer coins back to the exchange
Prepare your wallet
- Save the BIP39 tool (bip39-standalone.html) to your computer or USB stick. You might want to verify it using the signature.txt.asc file, but I realise this is beyond the capability of most users. If you use a bad copy of this tool you will lose your funds. Some ways things might go wrong:
  - Obtaining the tool from an untrusted source.
  - Leaving the tool on your drive where it could be modified, then the modified version is used again later.
  - There may be an unknown bug in the tool.
  - There may be a virus on your computer that modifies clipboard content or modifies content on disk or in memory or leaves the network active even when it appears to be turned off.
- If you know how to boot to a live Linux, do that now, leaving the network disconnected. If not, simply turn off your network now (wifi, ethernet) and reboot. Leave the network off for this entire process.
- Open the local copy of BIP39 tool in your browser.
- Click ‘Generate’ or enter your own entropy.
- Enter a passphrase that you will remember. It’s more important that you remember it than anything else. It doesn’t have to be super secure, it just has to be easy for you to remember. If you forget this passphrase you will lose your funds.
- Write the words on a piece of paper using a pen. Do not write down the passphrase. Do not print the words. Do not save them to a file. Do not email them. These words should live only in the physical world, not the digital world. Make another copy on a second piece of paper and keep them both somewhere safe, preferably physically distant from each other. Maybe make a third copy if you have three secret locations. This paper is your funds and if you lose it you lose your funds. However if someone finds it they cannot access your funds using just the words, they also need your passphrase which they would have to guess.
- Keep everything else default (BTC coin, BIP44 tab, no BIP38 encryption)
- There will be a list of derived addresses - keep a note of the first address, the first 10 characters should be enough to ensure you can regenerate the address list correctly. This address should start with a 1. Do not use BIP49 or BIP84 or any derivation scheme that does not have addresses starting with a 1. This is because the omni protocol (which MaidSafeCoin uses) works best with ‘old-style’ bitcoin addresses starting with a 1.
- Now you have a secure wallet which consists of a mnemonic and a passphrase. The mnemonic is written down on paper which must be stored securely, the passphrase is in your head and should not be written down or stored.
- Leave the network disconnected. Close the browser. Move to the next step which is to verify your wallet.
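One way to do the optional signature check from the first step, as an added example (not part of the original post and not the BIP39 tool's own code). It assumes gpg is installed, that the text signed in signature.txt.asc lists the SHA-256 of bip39-standalone.html, and that you obtained the author's key fingerprint separately; `pinned_fpr` and the function names are hypothetical.

```python
import hashlib, hmac, re, subprocess

def run_gpg(sig_path):
    # stdout carries the signed text; stderr carries the machine-readable
    # "[GNUPG:]" status lines (selected with --status-fd 2).
    p = subprocess.run(["gpg", "--status-fd", "2", "--decrypt", sig_path],
                       capture_output=True, text=True)
    return p.stdout, p.stderr

def signer_fingerprints(status: str) -> set:
    # VALIDSIG appears only for a cryptographically good signature. Its first
    # field is the signing key fingerprint, its last the primary key's.
    fprs = set()
    for line in status.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) > 2:
            fprs.update({parts[2].upper(), parts[-1].upper()})
    return fprs

def tool_is_authentic(tool_bytes, signed_text, status, pinned_fpr) -> bool:
    # A good signature from *some* key in the keyring is not enough:
    # require the fingerprint you pinned in advance.
    if pinned_fpr.replace(" ", "").upper() not in signer_fingerprints(status):
        return False
    # Assumption: the signed text lists the file's SHA-256 as 64 hex digits.
    actual = hashlib.sha256(tool_bytes).hexdigest()
    listed = re.findall(r"\b[0-9a-fA-F]{64}\b", signed_text)
    return any(hmac.compare_digest(actual, d.lower()) for d in listed)

def verify_download(tool_path, sig_path, pinned_fpr) -> bool:
    signed_text, status = run_gpg(sig_path)
    with open(tool_path, "rb") as f:
        return tool_is_authentic(f.read(), signed_text, status, pinned_fpr)
```

Run `verify_download` each time before opening the tool, including on a copy that has been sitting on disk since an earlier use.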
Verify Your Wallet
- Your computer should still be offline. Keep it offline.
- Open a browser and load the BIP39 tool.
- Type in your mnemonic as written on the piece of paper. If there are errors shown by the tool, redo the previous steps and create a new wallet. If you have errors at this point seriously consider leaving coins on the exchange, since there are doubts about your attention to detail and ability to operate in a secure way. Don’t be discouraged though, you learned something about yourself and that’s fine! Better to learn the easy way than to lose your funds.
- Type in your passphrase.
- Check the address matches the one that was previously generated (you probably wrote down the starting characters somewhere in the previous steps).
- If it doesn’t match, double check your mnemonic and passphrase and again ask yourself if you’re confident enough to store coins yourself. The steps are simple but they demand a frustrating amount of precision and commitment.
- If the address matches, you have successfully verified that your wallet can be accessed. Congratulations! You’re ready to send funds to the wallet.
- Copy the first address to a file somewhere. This is the address you’ll send coins to. If the file containing your address is modified between now and when the coins are sent you will lose your funds because they will be sent somewhere other than your wallet. This is unlikely, especially with the network disconnected, but some caution is advised.
- Reboot your computer. You can turn network back on after the reboot has happened. I suggest also deleting bip39-standalone.html now. Next time you need it you can download it again and be confident it hasn’t been modified between uses.
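Why the address must start with a 1, and how a mistyped or altered address shows up, as an added example (not part of the original post). It decodes Base58Check, verifies the built-in checksum and compares against the characters you noted on paper; it goes slightly beyond this step by also recognising the K/L private key format used in the transfer-back section. The function names and the sample bytes are constructed for illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def checksum(payload: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of SHA-256(SHA-256(payload)).
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    # Only used here to build constructed sample strings.
    data = payload + checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out

def b58check_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        if ch not in B58:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + B58.index(ch)
    zeros = len(text) - len(text.lstrip("1"))  # leading '1's are zero bytes
    data = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(data) < 5 or checksum(data[:-4]) != data[-4:]:
        raise ValueError("checksum mismatch: mistyped or altered string")
    return data[:-4]

def classify(text: str) -> str:
    payload = b58check_decode(text.strip())
    version, body = payload[0], payload[1:]
    if version == 0x00 and len(body) == 20:
        return "p2pkh"             # starts with '1', the kind this guide uses
    if version == 0x05 and len(body) == 20:
        return "p2sh"              # starts with '3'
    if version == 0x80 and len(body) == 33 and body[-1] == 0x01:
        return "wif-compressed"    # private key, starts with 'K' or 'L'
    if version == 0x80 and len(body) == 32:
        return "wif-uncompressed"  # private key, starts with '5'
    return "unknown"

def matches_note(pasted: str, noted_prefix: str) -> bool:
    # Intact, the right type, and the same leading characters as on paper.
    try:
        return classify(pasted) == "p2pkh" and pasted.strip().startswith(noted_prefix)
    except ValueError:
        return False

if __name__ == "__main__":
    sample = b58check_encode(b"\x00" + bytes(range(1, 21)))  # constructed, not a real wallet
    print(sample, classify(sample), matches_note(sample, sample[:10]))
```

The checksum catches typos and partial edits, but not a clipboard swap to a different valid address, which is why the comparison against the noted characters is part of the check.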
Transfer coins out of the exchange
- Log in to the exchange.
- Navigate to their withdrawal form.
- Enter your address and the amount to withdraw.
- Click withdraw.
- After a while (maybe half an hour) you should be able to see the funds at your address using a block explorer like omniexplorer.info, although bear in mind browsing this site may pose a privacy risk by linking your IP to that address. I consider this risk relatively minor but it’s worth being aware of.
- Congratulations, you now control those coins and they are off the exchange. If the exchange is hacked your coins will still be safe.
Transfer coins back to the exchange
- This is complex.
- This step is the main reason not to remove coins from the exchange (the prior steps are very low risk compared to this one).
- Your private key (which allows the coins to be transferred) will be exposed to the internet for some short period, which poses a risk of loss of funds. If someone else gets the private key they can transfer your funds. The degree of risk is a bit like saving your credit card details to a file on your computer for a short while, except if something goes wrong there’s no way to reverse it.
- There are ways to do it without exposing your private key but that’s too complex for most people, and I think the risk of screwing that technique up is higher than the risk of your private key being stolen during the short time it’s exposed to the internet.
- If you don’t have a copy of bip39-standalone.html, get a copy now (and if you know how, verify it’s legitimate).
- Boot into live Linux, or turn off the network on your computer and reboot leaving the network disconnected.
- Open the BIP39 tool in a browser.
- Enter your mnemonic by typing in the words from the piece of paper, and enter your passphrase.
- The address list will be generated and should match where you sent your funds.
- Copy the private key of the address with your funds (it should start with the letter K or L). Save it to a file on your computer.
- Close the browser and reboot. The network should still be off.
- Once your computer has rebooted, turn the network back on.
- Load omniwallet.org - check it has https. You will be trusting this service not to steal your funds. Some people will not be satisfied with that risk. I suggest reading about omniwallet to judge that risk for your own needs. In the case omniwallet cannot be trusted, you should either trust the exchange or learn how to transfer omni funds using offline signing (very complex).
- Click create wallet.
- Make an account. This account is disposable and I suggest using a fake email such as firstname.lastname@example.org
- Click My Addresses > Add Address > Import Address With Private Key
- Copy and paste your private key.
- Copy some other bit of text to remove the private key from the clipboard.
- Follow the steps to import the private key.
- Log in to your exchange and get a deposit address for MaidSafeCoin.
- In omniwallet, navigate to the Send form.
- Paste the deposit address from the exchange. Double check the address matches the one in the exchange, since some viruses may hijack your clipboard and change the address.
- Enter the maximum amount possible, i.e. send all your coins to the exchange. The reason is that if you don’t send it all, the leftover amount will be sent to an address in your omniwallet, which is not going to be in your secure offline wallet! So send all the MaidSafeCoin to the exchange, even if you don’t intend to trade it all. Then send any remaining MaidSafeCoin from the exchange to your address once you’re finished trading.
- Send the coins from your wallet to the exchange.
- Wait for them to arrive at the exchange (may take a few hours).
- You may get an error when sending because some bitcoin must exist at the address to pay for the transaction. If this is the case you need to acquire some bitcoin and send them to your MaidSafeCoin address. This is not ideal but hopefully there’s enough bitcoin there anyhow to cover the cost. Because of this need for bitcoin to exist in that address there may be a lot of extra cost and delay when sending MaidSafeCoin to the exchange. The amount of bitcoin required cannot be known in advance and depends on the network conditions at the time the coins are being sent, as well as other factors such as the size of the transaction.
- Once the transfer is complete, delete the private key file off your computer.
These steps are for information only and I don’t provide any support to people using these steps. Do your own research before deciding. Be aware you may lose funds in extremely unexpected ways. Try to understand the risks, both the known and the unknown. Do not blindly listen to anyone on the internet, myself included.