Together with the increased interest in the Lisk project and also due to the rapid increase in the LSK token price, we would like to take the opportunity to remind our Lisk wallet users about the required actions for keeping their Lisk account safe and secure. As previously explained in a blog post back in 2017, each Lisk account needs to be initialized first for it to be fully secured.
The Current Situation
A Lisk account consists of a private key and a public key. The private key is derived from the passphrase generated when the account is created. The public key is generated from the private key which is then used to create a Lisk address associated with your Lisk account.
Every Lisk address is computed as a hash of the public key and can be seen as its abbreviation. Therefore, there can be multiple public keys that yield the same address, which we refer to as "address collision".
A collision attack means that someone with a different private key can send funds from an existing Lisk address. This attack can only happen to Lisk accounts that were not initialized. The initialization of an account means sending at least one outgoing transaction, which implies that the correct public key is then recorded on the blockchain. This action will make the account secure and collision-free, as the network will detect non-matching public keys.
In order to secure your Lisk account, the following steps are required:
1. Deposit a small amount of LSK tokens in your Lisk account.
2. Initialize your account by sending an outgoing transaction.
3. Only once the account is initialized, you should deposit a higher amount of LSK tokens.
Every newcomer withdrawing LSK tokens from exchanges to a new Lisk account has to do the initialization as soon as possible after the withdrawal by sending at least one outgoing transaction.
If you already have a Lisk account, make sure to sign in using your passphrase or with a hardware wallet, then send a transaction, (e.g. vote for delegates, register a delegate, balance transfer to yourself or someone else). After any one of these types of transactions has been executed, the account will then be initialized.
To ensure the safety of Lisk users, back in 2017 we added warning notifications in the official Lisk wallets, as seen in the image below.
The Solution is in Testing, Next Steps
In the short term, we strongly advise everyone to execute one transaction to ensure the Lisk account initialization process is completed. As we would like to avoid further funds being lost through address collision attacks, we decided to make some changes in the Lisk wallet for Desktop which include an enforced step to initialize the account, next to the already existing warning upon sign-in.
This Lisk account initialization enforcement comes with Lisk 1.28.0 for Desktop which will be released latest next week.
The current address format has the above mentioned shortcoming of low collision-resistance which affects the security of our users. To completely eliminate the problems it became clear that a new Lisk address system is required, and therefore a solution was proposed in the form of LIP-0018 (Lisk Improvement Proposal), which has already been implemented and is currently being tested on our Betanet.
With the new Lisk address being long enough, it is computationally infeasible to find a key pair that returns an already existing address. The change from the old to the new address system will be done seamlessly through our wallets once it is live on our Mainnet.
However, this change coming together with the Lisk Core 3.0.0 release means that all Lisk accounts will need to be migrated to the new address system. Only initialized Lisk accounts can be automatically migrated. For uninitialized Lisk accounts, the problem remains. Therefore, it’s urgent to take action. You have to initialize your Lisk account as soon as possible to also benefit from the automated Lisk account migration with the Lisk Core 3.0.0 release.
At Lisk.js 2021 we are going to announce more information about the release timeline of Lisk Core 3.0.0 and the complete elimination of the need to initialize your Lisk account.
Help us Spread the Word!
Since the address collision issue was identified, we informed our users through diverse means with regards to the mandatory steps required to secure their Lisk accounts. Therefore, we clearly explained the situation in a published blog post and we added warnings in the official Lisk wallets, with the main goal of informing everyone to initialize their Lisk accounts. Once the Lisk account is initialized, no one can change the public key and the address collision attack is prevented. Making the Lisk account completely secure.
Our community equally contributed to our efforts of informing users to initialize their Lisk accounts. Therefore, the reminders were sent around by core community members in multiple languages to ensure that every user understands the importance of this action of initializing their Lisk account.
Frequently Asked Questions
- How can I initialize my Lisk account?
To initialize your Lisk account, you have to send a transaction from your wallet. This can be any outgoing transaction, including voting for delegates, registering a delegate, but also a balance transfer to your own account. Once you send the transaction, your address will be initialized.
- How much does a transaction cost?
Sending a transaction will cost you only 0.1 LSK.
- If I use a hardware wallet, do I need to initialize my account?
Yes, all addresses regardless of which wallet is used, require you to make an outgoing transaction.
- How can I check if I am a victim of a collision attack?
To check if you have lost your funds through a collision attack, you can use Lisk Explorer to determine if your public key in the Lisk Explorer is different from the one in your wallet. If the public keys are different, then you are a victim of a collision attack because your account was not initialized.
- My account was not initialized and my LSK tokens are missing. Is there anything I can do to recover my funds?
No, unfortunately, your LSK tokens are lost and therefore they cannot be recovered. Given the decentralized and anonymous nature of our blockchain, we are not able to verify individual accounts (contact the owners of the uninitialized accounts), freeze wallets, retrieve passphrases, or issue refunds for victims.