Support tells me my 15 ETH went to another user

They tell me my 15 ETH transfer from My Constant went to another user and is lost. Is this possible? Support says delays are possible but rest assured you won’t lose your funds. Now they say the 15 ETH is lost due to the transfer being timed out.

Which support told you that? Is the transaction on-chain?

That can’t be the whole story.

Hey Jamie. It is the whole story. First I sent .1 ETH from my constant to incognito a month ago, no problem. I sent prv many times to incognito. Then on April 22 I sent 15 ETH to incognito. Support said it timed out and the funds went to another user. I gave them the transaction hash, screenshot of deposit etc. Any advice I am at a total loss here?

The support of incognito told me my funds are gone to another user. I have the proof of the transaction hash and screenshot of the deposit. I sent .1 ETH previously with no problem. Any advice?

So the transaction log in the app shows a timed out but lists a specific deposit address…
And then if you search etherscan, for example, that wallet address shows you deposited 15 ETH to that?

How long before the timestamp in the app vs the time on chain? (1 hour difference, 1 day difference, 1 week difference?)

I think deposit addresses are re-used but I don’t know the cycle of how often they are re-used.

Marko. Here is the transaction hash. Maybe you see something I don’t. It looks like it was 2 days after the withdrawal.

After I got the shield address I immediately put that address into myconstant.

  1. The source withdrawal address is listed as “Binance 4” on Etherscan. Curious for a MyConstant withdrawal.
  2. The withdrawal from MyConstant/“Binance 4” to Incognito appears to have taken just 6 minutes: 0002-0008 UTC.
  3. The pETH minting appears to have take nearly 20 minutes: 0008-0027 UTC.
  4. The entire chain of transactions from MyConstant/“Binance 4” withdrawal to Incognito pETH minting took ~25 minutes. Giving OP a few minutes on the front end to generate the shield address on Incognito, open the appropriate page/link on MyConstant, copy & paste the address and confirm, a total time of 30 minutes seem reasonable and falls well within the time limits set by Incognito.
  5. If someone did receive a 15 ETH windfall they do not appear to have immediately moved the ETH off Incognito.
  6. I did not see any +/-15 ETH trades on the pDEX in the two days following the deposit. Many transactions in that period were for just under 1 ETH. That means it would take at least 15 pDEX transactions (if not more) to change 15 ETH into another asset(s) while remaining in the mean range of other pETH transactions on the pDEX.

I’m not sure why support would suggest the 15 ETH “went to another user and is lost”. It appears the ETH moved in a reasonable timeframe including the 20 minutes to mint on Incognito. Maybe somebody else sees something I don’t?

2 Likes

Mike here are the screenshots of withdrawal and timeout. Jeff

The second screenshots you’ve provided show timestamps that are a day + hour earlier than the timestamps of the ETH transactions.

MyConstant
image

Incognito
image

@Fly Were you in a different timezone then versus now (i.e. traveling)? If not, have you checked the date and time on your phone are accurate and/or not manually misconfigured?

Otherwise … maybe MyConstant provided you with the wrong withdrawal transaction? It’s odd that Etherscan labels the sender in the transaction MyConstant provided as “Binance 4”. I don’t think Binance is a custodian for MyConstant.

One would think the transaction would have no sender label given the “small” size of MyConstant and certainly not a label for unrelated business.

EDIT: From MyConstant’s Pricing and Service Times:

Occasionally, we have to source extra liquidity but try to process your order as soon as possible (please refer to our service times).

This very likely accounts for both the Binance tag on Etherscan AND the +1 day difference in timestamps. The 15 ETH were sourced directly from Binance to service the withdrawal within the posted service time of 1-2 business days:

image

Something seems slightly odd or off here between transactions, labels, timestamps and such. May be nothing or may be something. Just can’t put my finger to it.

I’m in Missouri and I wasn’t traveling. It sounds like My Constant delayed the transfer and Incognito is telling me the truth. It does seem odd that with only a two day delay the funds would use the same address going to a different user. Incognito said they use the addresses in a round robin fashion. I just don’t understand how the programming could be so inept. Thanks for looking into it Mike.

MyConstant serviced the withdrawal within their stated timeline: 1-2 days. 1 day actually. You initiated the withdrawal from MyConstant on 4/22 around 2300 UTC and it was completed on 4/24 at 0002 UTC. That’s barely 1 hour into the 1-2 day service window for a withdrawal of your amount.

Incognito shielding addresses have a limited window of 2 hours to deposit funds. Because you withdraw from MyConstant directly to Incognito, the withdrawal was never going to meet that timeline. That’s neither the fault of MyConstant or Incognito.

An intermediary address you control should have been the destination from MyConstant. Once the withdrawal was received to that intermediary address you would then generate a shielding address on Incognito and deposit to it using an appropriate amount of gas to ensure a quick transaction.

That said – there still isn’t any reason the funds can’t be credited appropriately. The transaction did complete successfully. Crypto assets are fungible. So even if the 15 ETH you deposited were credited out to the next 15 ETH worth of ETH deposits, that would still leave a 15 ETH surplus in the Incognito Vault.

Your deposit timing out because you didn’t use an intermediary address isn’t any different than a deposit timing out because of ETH congestion and/or too low of an ETH gas fee. The result is the same: the transfer deposit does eventually complete successfully, just outside of the stated time window. Other transactions have been delayed by a day due to congestion and/or low fees. Those deposits were credited with support’s help. I do not understand why your deposit transaction should be any different.

@duc can you shed any light on this situation? Why can’t these deposited funds be credited accordingly?

1 Like

Thanks so much for the correct description of the situation. To be honest, the shielding flow was a suboptimal design. I’ll be publishing a dedicated post for this in detail today.

4 Likes

Hey Mike. I read the response from duc. It seems like it was an attack that got my 15 ETH. Do you still think my ETH could be in the vault or do I just give up and try to make the money back from trading? Jeff

Unfortunately – from the information in duc’s post, that ETH was targeted in a novel malicious attack and then stolen.

I am truly sorry for your loss.

I’m very sorry someone lost funds. This is the first I’ve heard about it on incognito. One thing I wanted to clarify: Did the user send ETH within the 2 hour deadline or not?

Marko. I sent the 15 ETH immediately after I received the shield address. At the most 2 minutes. Jeff

When was it actually sent on the blockchain though and confirmed? (Requesting an exchange/custodial platform withdraw is not the same as when it’s actually interacting with the blockchain). Was it within the 2 hour window? The timeline to me is unclear.

When I checked etherscan the time was a day after I initiated the withdrawal.

Ahh, so the protocol acted like it was suppose to and you didn’t shield within the 2 hour period specified…but under previous circumstances the admins here have been able to intervene to manually retrieve those coins. I think this this is perhaps first time someone was ‘smart’ enough to keep requesting shielding addresses until they happened to capture your 15 ETH.

It’s always a sad day when we make mistakes with crypto…it’s pretty unforgiving when we humans attempt something outside of what the code allows. I’m happy to understand that the protocol operated without hack or exploit but I’m very sad to hear about your loss.