HD Wallets, XPUB and child private key leaksSo some generalisations on xpubs and current wallet providers.
- Ledger and Trezor wallets can create xpubs which can show all transactions of a wallet
- When a passphrase is added, this counts as a new set of private keys along with a new xpub
- The children public addresses created from sending/receiving bitcoin are bound only to the xpub from the mnemonic phrase + passphrase i.e. if you create a new passphrased wallet it will have a new xpub
- Children created by these wallets are not hardened
- If an xpub is leaked for a mnemonic phrase + passphrase, if you have any of the children's private keys, you can compromise the entire wallet linked to the xpub and all other children, hardened or non-hardened BUT the attacker will not be able to compromise any other meomonic phrase + paassphrase you have as it has a different xpub, and ultimately different children
My question, assuming the above is correct, it's becoming more commonplace for 3rd parties (i.e. tax tools) to make use of xpubs - I want to know how it's even possible to leak a childs private key on a trezor or a ledger as none of the outputs are able to leak these, unless I'm wrong.
Just want to make sure I'm not leaving myself too open.
Source: HD Wallets, XPUB and child private key leaks (https://bitcoin.stackexchange.com/questions/102616/hd-wallets-xpub-and-child-private-key-leaks)