User logging into account with social shows the wrong wallet address

vjgee · September 26, 2023, 3:12pm

Have you upgraded to the latest SDK version?

You need to share your implementation code for our team to check.

gareth · September 26, 2023, 3:14pm

Not yet no, but these are problems from existing users from a few months ago. We are looking to help them as they are trying to log directly into Tor.us as at the moment, they cant even access the wallets within your infrastructure, regardless of our system setup

Thanks

gareth · September 27, 2023, 9:15am

Hi @vjgee - we have checked all our personal and business accounts for emails relating to seed phrases and nothing is being sent out. When the user signs up, they should be receiving this email but there is no evidence of this so is there an error on your system to not send these out, or a trigger which needs to be used to send these out?

Thanks

gareth · September 27, 2023, 9:21am

To help narrow down the search, we have done some testing and this is one of the accounts used:

janvandenbroeck@yahoo.com
0xd6E1cCDD8b3777592dA63A70fF541A150885Ca19 is the account with recovery method janvdb.20@gmail.com

Screenshot 2023-09-26 at 2.04.48 PM982×1256 75.2 KB

Never received a recovery phrase email, but in your platform, you have a message saying it was sent to the gmail address. Looks like there is a bug on your end and these arent being sent out.

Thanks

vjgee · September 29, 2023, 4:15am

I will check this with our team and get back. There is no bug at our end since the phrase is always sent to the recovery email address provided the user opts for that. If he opts to download the phrase manually and does not make a note of it then that is an issue which we can’t control.

vjgee · October 7, 2023, 11:21am

@gareth Thanks for your patience.

Here is the information you asked for:

0xd6E1cCDD8b3777592dA63A70fF541A150885Ca19 - Phrase sent on 26-09-2023 to janvdb.20@gmail.com

0x06acBbdd0Fdd5A91f42707D44F364B2672b9b426 - Phrase sent on 26-06-2023 to fabian.fischer001@web.de

The rest of the below addresses do not have 2FA enabled, meaning no backup phrase has been setup yet:

0x1e7c0d34bcc5A9d95509606808AF5349D6CA93d8 google [25107gcz@gmail.com](mailto:25107gcz@gmail.com)

0x73B2737aB7e24d79BDBe537f623aa1a1A9365516 torus-auth0-email-passwordless [andi25107@hotmail.com](mailto:andi25107@hotmail.com)

0x9d0A60963456ee2f2F97C7Dc3bA3bDe3b44aA6Cf facebook 7253174784711094

0xb52470D1CDb1eAC71Ef069dB94D98A73AA207Ce9 torus-auth0-email-passwordless [fabian.fischer001@web.de](mailto:fabian.fischer001@web.de)

janvdb · October 9, 2023, 5:08pm

@vjgee thank you for the follow-up.

For the user 0x1e7c0d34bcc5A9d95509606808AF5349D6CA93d8 google 25107gcz@gmail.com. The wallet was created on 12 Jan 2023. When the user now logs in the same way, a request for a recovery phrase is prompted, stating that the Recovery Factor was sent to *andi25107@hotmail.com on 14/04/22 at 10:08 (see screenshot).

How is it possible that an email with a recovery phrase was sent 9 months prior to the wallet creation? As you mentioned a 2FA has not been set up yet.

janvdb · October 9, 2023, 11:04pm

@vjgee could you confirm if 2FA is set up for address 0xa0B5A70128B0b8E17289042F0D840d4e824Fc8a0?

vjgee · October 10, 2023, 4:14am

@janvdb I have forwarded your request to our team to check.

If you specify mfaLevel as none in @web3auth/no-modal , your users will only get two shares: a social share and a device share. However, if you enable multi-factor authentication (MFA) in the no-modal or modal SDKs, your users will receive these two shares plus an additional backup share. Are you able to check this in your implementation code?

We will be having a community call soon Web3Auth Community Call #4 · Zoom · Luma where you have can have your doubts clarified as well.

janvdb · October 16, 2023, 4:04pm

Hi @vjgee was your team able to check the issue?

janvdb · October 18, 2023, 4:32am

Hi @vjgee, Ill be joining the call later today. To summarize, these are the issues/questions that we are facing:

Issues - Detail

**Recovery Factor requested but users state email was never received **
All 3 users state that they never received an email. Are you sure this is not a bug? Can you confirm that all users have set up 2FA? Is there a way to trigger this again?

25107gcz@gmail.com logs in with Google:

Should be linked to 0x1e7c0d34bcc5a9d95509606808af5349d6ca93d8
15 April 2022: Recovery Factor allegedly sent to andi25107@hotmail.com but never received
As detailed above, how is it possible that an email with a recovery phrase was sent 9 months prior to the wallet creation? As you mentioned, a 2FA has not been set up yet.

Christian.erlenmayer@gmail.com logs in:

Should be linked to 0xb668fb73c319cfeb5757aa06febb316818e06be1 - what was the login method?
2 March 2023: Recovery Factor allegedly sent to christian.erlenmayer@web.de but never received

fabianfischeer@gmail.com logs in with Google:

Should be linked to 0x06acbbdd0fdd5a91f42707d44f364b2672b9b426
26 June 2023: Recovery Factor allegedly sent to fabian.fischer001@web.de but never received

janvdb · October 18, 2023, 4:33am

Clarify login method for following wallet addresses
4. cedric.forkel@gmx.de logs in:
Has 3 wallets - could you clarify how the sign in method for each one?

0x8552967a489d1c363921f983bb5e9917d6f4e569
0xe49afcaaea8b65a94f01fe4265d2ba7f7e7d4745
Should go to 0x34afb9a6b0c4426fafb7d62da1c635c83fdba9a1

brunobergareche@hotmail.com
Has 2 wallets - could you clarify how the sign in method for each one?

0x17f9921c39cfe7b12145b8b956ec1e6bfa4cbe2d
0xed7b1c315263126c2311d87118649a12ff96ecd8

janvdb.20@gmail.com
Has 3 wallets - could you clarify how the sign in method for each one?

0x52b5a16c89ceb8a290f2ba849595acc495697d62
0x30cf1b80b8f568354e710d8f5fac7ed393952682
0xa0b5a70128b0b8e17289042f0d840d4e824fc8a0 > google login
- Could you confirm if this user has set up 2FA?

Thanks in advance,
Jan

vjgee · October 18, 2023, 7:12am

Please discuss further on call as your implementation needs to be checked to get to the root of the problem than verifying the wallet addresses. Also, you users need to remember the login methods they use when they create the wallet.

janvdb · October 18, 2023, 1:42pm

Hi @vjgee, I have been trying to join the call this morning but it kept showing waiting for host to sign in. Could we please schedule a separate call to discuss the implementation?

janvdb · October 24, 2023, 9:15pm

@vjgee is there a chance we could schedule a call? It would really help us to find a solution for the issues we’ve been facing over the past months.

Also, was your team able to check this User logging into account with social shows the wrong wallet address - #22 by janvdb?

janvdb · October 25, 2023, 4:54pm

@vjgee - just to clarify, as this might not be clear from the previous communication:

The app is https://app.fantium.com/. Our codebase is using Torus, not web3auth. We don’t have @web3auth/no-modal in the codebase because we use '@toruslabs/torus-embed. We implemented Torus in accordance with the docs (https://docs.tor.us/wallet/api-reference/class).

vjgee · October 25, 2023, 5:39pm

Ok, thanks for providing this information. I have forwarded to this our team to check and will get back.

janvdb · October 31, 2023, 2:13am

@vjgee any update?

And just to confirm: this scenarios only apply when users have set up MFA?

vjgee · October 31, 2023, 2:16am

Can you share your complete implementation code?

janvdb · November 1, 2023, 1:23pm

@vjgee
“We want to turn off the 2FA for both users who have and who haven’t setup 2FA. We’re using the @toruslabs/torus-embed and we added the mfaLevel: ‘none' to the object which we pass into the torus.init({...})

This helped to disable 2FA for users who haven’t setup 2FA previously. But for users who have set up 2FA - prompting the 2FA remains triggered. Is there a way to turn off the latter?“