Cold walet - Keypool ran out, please call keypoolrefill first -

+2 votes

Can you please let me know how to generate new addresses in the cold wallet?
I just can't generate a new address in cold wallet.

Using the cold wallet client, if I enter getnewadress, I get this error:
$ Keypool ran out, please call keypoolrefill first .

Then, trying to run keypoolrefill, or keypoolrefill=1000 or keypool=100, I get this error:
$ Method not available in cold version of MultiChain.

-->On a fun fact, the keypool=<n> option is available in the cold wallet help menu.

I tried run the keypool command on a unlock cold wallet with walletpassphrase abcxyz, but same result, as trying to run command on hot wallet, where the command seems to work without any flaw but dosen't help on the cold wallet getnewaddress issue.


asked Oct 29, 2019 by Inzider
edited Oct 30, 2019 by Inzider

2 Answers

0 votes

Thanks for reporting this. It sounds like a bug that appears if you try to create too many keys. In the meantime you may be able to work around it by doing the following:


importprivkey [the private key output from the previous call]

Please let me know if that works.

answered Oct 31, 2019 by MultiChain
0 votes
An update from the team: It seems that the entire issue here is that the wallet is locked, and it is not related to a cold or hot node. If so then, yes, you should expect to have to unlock the wallet before adding new addresses.
answered Nov 1, 2019 by MultiChain
Hi, first, thanks for your answer.

Is there any way to run keypoolrefill on a locked cold wallet?


In fact, after some testing I realized that as soon as the wallet is encrypted, it flush the keypool. So then only one new address can be generated after this lock.

Using walletpassphrase psw 60 to decrypt makes the getnewaddress command available - allowing to generate multiple addresses.

Importing a createkeypairs with importprivatekey also work with the cold wallet unlock - only.

But... there is no way to run keypoolrefill on the cold wallet, so the only way to generate new address is by unlocking the wallet - destroying the prupose of this tool - security.
Can you please explain the security strategy here? I ask because as soon as a key is in the keypool, it is equivalent in terms of security as to having the address generated from that key in the wallet as well.

While the wallet is locked, it is unreadable to the node, so this is why it cannot be read from, or written to.
If someone hack the server and get the rcppassword for the cold wallet from multichain.conf, then all he need is to wait for the cold wallet to get unlock for getting a new address (since keypool been flushed at lock and cant be refill while wallet locked (!?) to access those private key whit dumpwallet filename.txt...  

From what I understood, the whole point of having a cold wallet and sign from it is to never expose the private keys. But here, each time wallet get unlock to run the getnewaddress command, it expose those keys - causing a security breach.

On BTC, you can run keypoolrefill on a locked wallet and the keypool dont get flush when you lock the wallet. This way you dont need to unlock it to run getnewaddress.

--> The real question here is how to get the keypoolrefill or not flush on a cold locked multichain wallet so I dont need to unlock it to create a new address?
First to clarify, the point of a cold wallet is to have the private keys stored on a computer which is not connected to the Internet. The unsigned transaction is transferred to the cold wallet computer in some way, then the signing takes place on that, then the transaction is brought back to the hot node for broadcast.

It sounds like you are looking for something different - a way to generate new private keys, add them encrypted to some file, and never decrypt them under normal circumstances.

If this is the case, can I recommend you develop some simple tool for managing private keys in the way you would like? You can use MultiChain's createkeypairs API (which generates brand new keys not based on the key pool), add the public address to the node using importaddress, use the private key for your transaction, and then encrypt the private key in your application and store it on disk.