SOS. Critical problem with ICPSwap!

SOS! One day, my friend logged into her ICPSwap account and discovered that she was redirected to a completely new and empty account, unable to access her previous account containing a significant amount of funds. The technical support staff is claiming that such a situation is impossible, stating that an Internet Identity can only be associated with a single address on ICPSwap. They have denied any responsibility.

I personally assisted my friend in setting up her Internet Identity and guided her through the token swapping process on ICPSwap. As an elementary school teacher, 650 ICP represents a substantial sum of money for her. We are being blamed for making a mistake, but we cannot comprehend what mistake we could have possibly made. When we were unable to log in on our usual device (which we had been using for the past three months on a daily basis), we simply switched to a new device and logged in using the 24 mnemonic phrase.

I am curious if their code contains any functionality that can trace which Internet Identity is linked to a specific address. If this feature exists, it would conclusively prove that my friend possesses only one Internet Identity and would absolve us of any blame. Please assist us, as this incident not only damages ICPSwap’s reputation but also undermines trust in the entire Internet Computer system. Thank you for your support!

I’ve been trying to help them on X for some time, but we couldn’t find a solution.
What’s been adviced:

• checking if old icpswap wallet still has funds - it does have them intact(in various tokens)
• checking if the same Internet Identity was used, they claim to have only one Internet Identity
• checking if the URL is original and indeed belongs to the icpswap, it seems to be legit icpswap

Curious as well, how could such thing ever happen.
Many of us store at least some portion of ICP/tokens on DEXes like icpswap or sonic…

Ideas?

Thank you Let4be. I am so stressed for the last few days. I wanted to help but it turned out made her lost money. I felt lucky cause if that happen to me, I would be devastated. Just moved all the tokens out from ICPSwap. Keeping those in nns wallets is safe?
All help in desperate situation is precious.

Apologies for the inconvenience caused to everyone.

Let us briefly explain the situation, @ChauDoan21165, please verify if what I’m saying is correct.

ChauDoan recommended a friend to experience the IC ecosystem and his friend, purchased a lot of SNS tokens on ICPSwap. We’re incredibly grateful for this support. His friend’s address (or the address generated by connecting their Internet Identity to ICPSwap) is:

kohfg-cwurv-fgds2-dy2im-7o4qf-mvktj-skuoj-oemuy-mf6t5-5rdd6-4qe
1b10558206448890541ad02104c7022899635d864b5f72205ce2699da5abe035

The address was running fine for several months until December 20th when ChauDoan asked the community Mod in the TG group about a balance display issue. At that time, the Mod wasn’t aware of the situation and suggested ChauDoan reconnect their wallet or try logging in using a computer or another device.

ChauDoan tried several methods. It wasn’t until December 22nd, after extended communication between ChauDoan and the Mod in the TG group, that we understood the whole scenario. It turned out that his friend encountered an issue: she logged in using her Internet Identity on an iPad (formerly a phone) and connected to ICPSwap, generating a new wallet address:

ukqu3-pjqtn-m4g4w-r5mra-kseuu-bpn36-fynja-j3hru-54tdc-i6g4e-5ae
4a3ed9d128a0749d21f0009aa868cb507ed4c0a7f37f7614bc788b0aad889339

ChauDoan suspected a technical issue with ICPSwap. The Mod explained that connecting an Internet Identity to different DApps within the IC ecosystem generates a unique address that remains unchanged. The team was informed, and team members tried multiple Internet Identities and even one created a long time ago, connecting to ICPSwap, and the addresses remained constant (some wallets even had ICP balances. If it were a new address, there wouldn’t be any ICP balance).

We thought that their friend either made a mistake in backing up the mnemonic phrase or created a new Internet Identity. This would make sense. Cause if the wallet address changes when connecting an Internet Identity to a DApp, it would jeopardize the assets of users within the IC ecosystem.

While the Mod explained this to ChauDoan, We also directly communicated with his friend many times over these two to three days. We inquired about the use of Plug, NFID wallets, the possibility of using NNS, creating multiple Internet Identities, modifications in mnemonic phrase backups, and how her nephew assisted in logging into the Internet Identity on the iPad, but unfortunately, no helpful information was obtained. ChauDoan’s friend insists there’s only one Internet Identity.

We’re stuck, and we also hope his friend can get his wallet back. Continue to support and experience the IC ecosystem!

And ChauDoan is under immense pressure. He wanted his friend to follow the promising IC ecosystem and reap the deserved benefits, indeed they encountered great news of the ICP surge, but encountered this bad issue.

We kindly seek ideas and suggestions from community members and DFINITY development team members to assist ChauDoan’s friend. Your support is highly appreciated!

Sorry, ChauDoan, NNS wallet is great. However, please be mindful not to transfer tokens to NNS, such as OGY, that haven’t yet been listed on the NNS.

This specific feature of Internet Identity to generate a new address/principal id pair for each application seems cool from a security point of view, but in practice it creates a lot of problems, especially for beginners. This is not the first or even the tenth time I have seen this problem with newcomers.

It is much more understandable and practical to use a single address/principal, as it is implemented on Ethereum (imho).

Hello,

based on my experience I’d as first recommend to ask the user to re-login to ICPSwap (best on the original device) using all available options.

It could have happened that (as it was early interaction with ICP ecosystem) the user simply didn’t notice which option selected (each would create or use different PID) - and as for subsequent logons to ICPSwap this is automatically triggered, without user having to recall the process, the right method might be just missed.

image1180×982 89.4 KB

Other option which I’m thinking about is to verify which DApp holds the above Principal ID and/or Account ID - if is it possible - that would either help to identify the right login method or will introduce new core topic for investigation (probably for DFINITY).

Thank you! It would be very helpful if the digital ID of the Internet Identity and its corresponding address could be confirmed.

I will answere you one by one:
1.
“ChauDoan tried several methods. It wasn’t until December 22nd, after extended communication between ChauDoan and the Mod in the TG group, that we understood the whole scenario. It turned out that his friend encountered an issue: she logged in using her Internet Identity on an iPad (formerly a phone) and connected to ICPSwap, generating a new wallet address:”
ICPSwap has problem since the day I was sitting next to her. I log in fine. She could not. Her phone keep spinning. I contacted you on that day after leaving her.
We think something wrong with the phone. We ask her nephew, an computer expert to try log in by her ipad using 24 mnemonic phrase. That was easy but the account was empty. We did not know that is a new address. When we chat with Terence, he let us know that is a new address.
2. “ChauDoan suspected a technical issue with ICPSwap.”
I am computer engineer and I am only one help her from start. I know she is not technical so I told her to screen shot her internet identiy and 24 mnemonic phrase on that day. I helped her to transfer icp from Binance to ICPSwap. We do not have any other wallet. I want to keep it as simple as possible for her cause I know this stuff very confusing for her.
3. “The Mod explained that connecting an Internet Identity to different DApps within the IC ecosystem generates a unique address that remains unchanged. The team was informed, and team members tried multiple Internet Identities and even one created a long time ago, connecting to ICPSwap, and the addresses remained constant (some wallets even had ICP balances. If it were a new address, there wouldn’t be any ICP balance).
You have such a weak argument. If that happen with your team members then the percentage of people have similar problem would be so high. This is a trusting issue here. You do not believe we have only one internet computer identity and that is our mistake.
I hope time will let you know more. I suggest you find the way to identify which internet computer identiy link to one address.
One proof that would make you reconsider is. Now she can use her old phone with the same internet identity to log in ICPSwap. I wonder if you can use one phone to log in two internet identity, then that would give her two lines of number as option to choose which ii she is using like: 229800 and 224567… for example.
Since that day, she has not changed anything with her old phone.
4.
“We thought that their friend either made a mistake in backing up the mnemonic phrase or created a new Internet Identity. This would make sense. Cause if the wallet address changes when connecting an Internet Identity to a DApp, it would jeopardize the assets of users within the IC ecosystem.”
This is not the case.
5.
“While the Mod explained this to ChauDoan, We also directly communicated with his friend many times over these two to three days. We inquired about the use of Plug, NFID wallets, the possibility of using NNS, creating multiple Internet Identities, modifications in mnemonic phrase backups, and how her nephew assisted in logging into the Internet Identity on the iPad, but unfortunately, no helpful information was obtained. ChauDoan’s friend insists there’s only one Internet Identity.”
This is not the case.

We never created Plug or NFID wallet.

I strongly believe that Dfinity should implement a feature that allows for the identification of the Internet Identity responsible for creating a specific address on ICPSwap. Just like how a bank can trace the source of funds and the account they are deposited into, this functionality would greatly enhance transparency and accountability within the system. By knowing the individuals who bring money into the system, it would provide a definitive way to confirm the accuracy of claims.

Just remember than NNS wallet can hold only SNS-listed tokens…

Anyone can create a token on ICP and various DEXes have different rules,

• on icpswap you can hold/trade ANY token
• on sonic you can hold/trade only white-listed tokens
• on nns wallet you can hold only tokens that are part of a DAO and went thru SNS

if you send a non supported token say to sonic or NNS wallet you will lose access to it.

@ChauDoan21165 to further support @ICPSwap and/or DFINITY with the help, can you confirm that this is the right/original Principal - Tokens and Token Transactions are correct?

Yes, that is my friend old address and those all her tokens with correct amount. We somehow feel better to know all tokens are there. Thank you!

I understand your concerns and the need to address the possibility of having two Internet Identities. However, I would like to present a logical argument to support our case. It should be apparent that the address created on ICPSwap would have been generated on the same day or possibly the day after we created the Internet Identity for her. The screenshot of the Internet Identity number and the 24 mnemonic phrase should indicate the date of creation. If, by accident, we had created a new Internet Identity and subsequently a new address on ICPSwap a few days ago, then that particular Internet Identity must have been accidentally created several months ago. In such a case, the screenshot would display an older date. Moreover, if we had used the new Internet Identity on the iPad and created a new address on ICPSwap, then why would her old phone with the old Internet Identity be able to log in to the new ICPSwap address? These points should be considered. From our perspective, there is no reason for us to fabricate such a complicated situation.

As a 3rd party, we don’t think ICPSwap intentionally did something that resulted in your loss.
So let’s find the problem. Can you find the address that has 650 ICP in it, perhaps this will help https://dashboard.internetcomputer.org/
Maybe start with your Binance address, or if you could provide a date+time and amount of ICPSwap trade, that will also be useful.

There is also this issue which may be related Upgrade agent-js to resolve a Chrome issue

Your staff, Terence wrote: “I once inquired about how her nephew managed and accessed her Internet identity, wondering if a new identity had been created, but I didn’t receive any helpful information: Cháu trai của tôi làm về máy tính rất thạo. Là người nhà tin cậy và đăng nhập dưới sự kiểm duyệt của tôi.”
What about screen shot of the II we created few months ago. In that case, we still access to the old address.

Of course, they never created this problem. This is technical issue. All the tokens are intact.

Ok, so

Authenticating using Internet Identity (few months ago) resulted in
kohfg-cwurv-fgds2-dy2im-7o4qf-mvktj-skuoj-oemuy-mf6t5-5rdd6-4qe

Later the same identity allegedly (22 Dec) resulted in
ukqu3-pjqtn-m4g4w-r5mra-kseuu-bpn36-fynja-j3hru-54tdc-i6g4e-5ae

II devs can check if any code changes could have caused it, give them some time to answer.
And please don’t post this in every twitter thread out there You will get a response asap

ICPSwap can also check if they changed their agentjs library and let us know when and what version changes there were

Did icpswap maybe change the internet identity domain to/from identity.ic0.app, identity.icp0.io or identity.internetcomputer.org?

I’ve seen threads before where this caused a change in identity.

Keep in mind, internet identity principals are tied to a domain and delegated. So an app using internet identity cannot suddenly change the identity a user has from their end.

The above chrome bug can probably cause issues seen here, if you have previously transferred tokens both into and out of the same account address without any issues, you can’t have been affected by the bug.