Reclaiming a Lisk Account

This blog post explains which users may need to reclaim their Lisk account and how to do it.

By Lisk

19 Jul 2023

Post content head

On August 21, 2021, the Lisk Mainnet upgraded to Lisk Core v3.0.0. This brought many changes, one being a new address system. From that point on, uninitialized addresses have been required to make a special transaction, called a Reclaim Transaction, in order to use their accounts.

reclaim1.png

What is an Uninitialized Address?

Prior to the Lisk Core v3.0.0 upgrade on August 21, 2021, the Lisk network utilized a short address system. These addresses consisted of 1-20 numbers, followed by an L (ex: 12345678901234567890L). With this address system, an additional step was required to fully secure the address, which was to have at least one outgoing transaction of any type. This is because multiple public keys could yield these same short addresses.

The initialization of an account means sending at least one outgoing transaction, which attaches that public key to that address and records it on the blockchain.

Failure to do so could result in an “address collision”, meaning a total loss of funds for the user.

It is important to note that all addresses created AFTER the Lisk Core 3.0 upgrade on August 21, 2021 do NOT require this additional step, as the address system was changed.

What is an Address Collision?

An address collision happens when someone with a different private key can send funds from an existing Lisk address. Think of a private key being used as a path to get to a public key. In this case, there are multiple paths to get to a public key, and the first one to reach its destination gets the account.

For an address collision to occur, a user would have had to have sent funds to an address, never make an outgoing transaction, and later another private key makes that first outgoing transaction.

This could only happen to legacy Lisk accounts (those created prior to the Lisk core v3.0.0 upgrade) that were not initialized. This action made the legacy account secure and collision-free, as the network will detect non-matching public keys.

What is a Reclaim Transaction?

Since the Lisk Core v3.0.0 upgrade, uninitialized addresses require a “Reclaim Transaction”, rather than an outgoing transaction, in order to recover them. Please note that these accounts are still vulnerable to any alternate private key/passphrase that is able to reach the original address until reclaimed and the proper publickey is assigned.

Addresses created AFTER the Lisk Core v3.0.0 upgrade do NOT require this additional step, as the address system was changed.

Were Previous Security Warnings Given?

In 2017, a blog post was published to alert users about the importance of having at least one outgoing transaction. Then, in 2021, another blog post reiterated the same message, urging users to adhere to this requirement.

Warnings were also displayed at the top of the official Lisk wallets.

In addition to this, Lisk account initialization enforcement was introduced with Lisk Desktop 1.28.0.

When the address collision issue was identified, we informed our users through various channels in regards to the mandatory steps required to secure their Lisk accounts. We clearly explained the situation in a published blog post and we added warnings in the official Lisk wallets. Once the legacy Lisk account was initialized, no one could change the public key and the address collision attack was prevented. This made the legacy Lisk account completely secure.

We also consistently reminded users to initialize their accounts by regularly posting reminders on our social media platforms, such as:

Twitter (Help us spread the word!) Facebook Reddit Discord

Our community equally contributed to the efforts of informing users to initialize their Lisk accounts. Therefore, the reminders were sent around by core community members in multiple languages to ensure that every user understands the importance of this action of initializing their Lisk account.

Other Frequently Asked Questions

Do I need to reclaim my Lisk account?

Addresses that need to reclaim must meet all of the conditions below:

  • Created before the Lisk Core v3.0.0 upgrade on August 21, 2021
  • Did not have an outgoing transaction prior to then as well
  • Have no made a reclaim transaction since then

How can I reclaim my Lisk account?

  1. Download the latest version of Lisk Desktop.
  2. Send LSK tokens to your new account. Your new account address should be shown by Lisk Desktop.
  3. Once you have the LSK in your new account, send the reclaim transaction via Lisk Desktop. Your funds associated with the old address are then moved to the new address once the transaction is confirmed.

How much does a reclaim transaction cost?

With dynamic fees, very low, around 0.0014 LSK.

If I use a hardware wallet, do I need to reclaim my account?

Yes, regardless of the wallet used, all addresses that meet the conditions above will need a reclaim transaction.

How can I check if I am a victim of a collision attack?

You may use the Account Analyzer tool provided by Lisk Scan. By simply typing in your address, you can see if your address had a collision, or was reclaimed.

You may also use the Legacy Lisk Explorer to determine if your public key in the Lisk Explorer is different from the one in your wallet. If the public keys are different, then you are a victim of a collision attack because your account was not initialized.

My account was not initialized and my LSK tokens are missing. Is there anything I can do to recover my funds?

If your addresses suffered a collision attack, then no, unfortunately, your LSK tokens are lost and therefore they cannot be recovered. Given the decentralized and anonymous nature of our blockchain, we are not able to verify individual accounts (contact the owners of the uninitialized accounts), freeze wallets, retrieve passphrases, or issue refunds for victims.

Best thing you can do is to verify this is the case by using the Liskscan Account Analyzer or the Legacy Lisk Explorer.

My address still has the funds in it, but it says my address was reclaimed, which I did not do. What can I do?

Unfortunately, just as an address collision, once an address is reclaimed by another private key, you lose control of the wallet. Therefore, the funds are lost, even if they remain in the wallet.