Board: Project Development
Topic: Re: [coinb.in] Open Source, Multi Signature, HD Wallet and more!
Post by Pente on 01/10/2017, 08:32:57 UTC
Ok, I finally got HODL txs to work using your link to https://github.com/globaltoken/coinbin/commit/88f5eee6ad9114feb70c523ca7c834d99c106476

I had to change one line of code in coin.js though (line 1024 in my notebook editor after running https://dirtymarkup.com on it):

Code:
} else if (utxo_script['type'] == 'multisig') {

to this

Code:
} else if ( (utxo_script['type'] == 'multisig') || (utxo_script['type'] == 'hodl')) {

I also had to push the tx elsewhere as the broadcast function failed for me.

These are minor bugs compared to the next one though.

I decided to create a tx for a large amount of BCC. I set everything up. Then I went offline to get my private key to sign it and discovered I can't sign offline. So I canceled the tx, and did some experiments.

It seems that if I try to sign while offline, I get an error message due to our JavaScript trying to reload the inputs during the signing, specifically in the r.getinputvalues routine. It will sign fine if I then go back online though (changing nothing else).

I don't remember this being a problem when signing a Hodl tx with Bitcoin offline when I originally tested it.

This seems like a major security breach to me. I have gone over the code as much as I can and while I don't see the private key being stolen, I am not a professional programmer either (I panhandle for a living) so something could be hidden in an obscure area from me.

Unfortunately, I don't think this can be easily fixed without rewriting a lot of code. I know it would take me months. I will probably just sign the large transaction and immediately broadcast it. My coins are still locked up for another 3 years though. Plenty of time to think about it though.

I just hope they don't use replay protection again during the Seg1X|Seg2X fork. What a f*cking mess.
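
An added example, not part of the post above and not coinb.in code: one way to check whether a signing routine reaches for the network, as described in the post, is to run it with `fetch`, `XMLHttpRequest` and `WebSocket` replaced by stubs that log the attempt and throw. The harness, the two signer stand-ins and the sample transaction are all hypothetical and constructed, and the signing call is assumed to be synchronous.

```javascript
// Added example; every name here is hypothetical, none of it is coinb.in code.
const NETWORK_APIS = ['fetch', 'XMLHttpRequest', 'WebSocket'];

// Run fn() with the network entry points replaced by stubs that log the
// attempt and throw, then put the originals back.
function runWithNetworkBlocked(fn) {
  const saved = {};
  const attempts = [];
  for (const name of NETWORK_APIS) {
    saved[name] = Object.getOwnPropertyDescriptor(globalThis, name);
    Object.defineProperty(globalThis, name, {
      configurable: true,
      writable: true,
      value: function (...args) {
        attempts.push({ api: name, target: String(args[0] ?? '') });
        throw new Error('network access blocked during signing: ' + name);
      },
    });
  }
  let result = null;
  let error = null;
  try {
    result = fn();
  } catch (e) {
    error = e.message;
  } finally {
    for (const name of NETWORK_APIS) {
      if (saved[name]) Object.defineProperty(globalThis, name, saved[name]);
      else delete globalThis[name];
    }
  }
  return { result, error, attempts };
}

// Constructed sample: one input whose value was recorded while still online.
const SAMPLE_TX = { inputs: [{ txid: 'aa'.repeat(32), vout: 0, value: 150000 }] };

// Stand-in for a signer that looks the input values up itself (fails offline).
function signFetchingValues(tx) {
  return tx.inputs.map((i) => fetch('https://explorer.invalid/' + i.txid));
}

// Stand-in for a signer that only uses values already carried in the tx.
function signWithSuppliedValues(tx) {
  for (const i of tx.inputs) {
    if (!Number.isInteger(i.value)) throw new Error('no value for ' + i.txid);
  }
  return 'signed ' + tx.inputs.length + ' input(s)'; // placeholder, not a signature
}
```

The `attempts` list is filled even when the code under test catches the thrown error, so a swallowed lookup still shows up. The stubs cover only these three script entry points, so this is an audit aid and not a replacement for a machine that is physically offline.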