wallet: only log txid when -debug=wallet is explicit #34341

pull l0rinc wants to merge 2 commits into bitcoin:master from l0rinc:l0rinc/wallet-redact-txids-infolog changing 11 files +78 −63
  1. l0rinc commented at 1:15 pm on January 19, 2026: contributor

    Extracted from: #34267 (review)

    Problem

    All wallet logging was written to debug.log by default, so it can leak sensitive wallet context (txids and full transaction strings) when shared. Also, WalletLogPrintf is a leftover name from the removed LogPrintf API and does not reflect the current behavior (unconditional info-level logging).

    Fix

    After a refactor commit to rename WalletLogPrintf to WalletLogInfo (scripted-diff only) to reflect that it logs unconditionally at info level, redact txids and full transaction strings from info-level wallet logs, and add a new -debug=wallet category for sensitive context (txid/full tx string) logged as indented follow-up lines via the new WalletLogDebug().

    Reproducer

    We can easily exercises the common create wallet, mine, and send paths to demonstrate the info-level redaction vs -debug=wallet behavior. It does not attempt to trigger rare error paths (e.g. database write failures, unexpected script types, conflicts/double-spends, broadcast failures, rescans/migrations), which would require additional setup and can be deduced from the code.

    Build and run this once “before” and once “after”, then compare grepped log output.

     0cmake -B build >/dev/null 2>&1 && cmake --build build --target bitcoind bitcoin-cli -j$(nproc) >/dev/null 2>&1
 1
 2DATA_DIR=$(mktemp -d)
 3
 4./build/bin/bitcoind -regtest -datadir="$DATA_DIR" -daemon -connect=0 -fallbackfee=0.0002 >/dev/null 2>&1
 5./build/bin/bitcoin-cli -regtest -datadir="$DATA_DIR" -rpcwait getblockchaininfo >/dev/null
 6
 7./build/bin/bitcoin-cli -regtest -datadir="$DATA_DIR" createwallet w0 >/dev/null
 8./build/bin/bitcoin-cli -regtest -datadir="$DATA_DIR" createwallet w1 >/dev/null
 9ADDR0=$(./build/bin/bitcoin-cli -regtest -datadir="$DATA_DIR" -rpcwallet=w0 getnewaddress)
10./build/bin/bitcoin-cli -regtest -datadir="$DATA_DIR" -rpcwallet=w0 generatetoaddress 101 "$ADDR0" >/dev/null
11ADDR1=$(./build/bin/bitcoin-cli -regtest -datadir="$DATA_DIR" -rpcwallet=w1 getnewaddress)
12./build/bin/bitcoin-cli -regtest -datadir="$DATA_DIR" -rpcwallet=w0 sendtoaddress "$ADDR1" 1 >/dev/null
13./build/bin/bitcoin-cli -regtest -datadir="$DATA_DIR" -rpcwallet=w1 -rpcwait getbalances >/dev/null
14
15rg -n "CommitTransaction|AddToWallet|Submitting wtx|txid=|CTransaction\\(" "$DATA_DIR/regtest/debug.log" || true
16
17./build/bin/bitcoin-cli -regtest -datadir="$DATA_DIR" stop >/dev/null

    0113:2026-01-19T12:51:04Z [w0] AddToWallet d9a81836a9a2e8158ca6aa49278b70305a07614df420d980abe2028366407731  new Confirmed (block=24fd805ca35464a95530674f8434c3af34111409e5e3477ae4ba4b46f085baac, height=1, index=0)
1...
2411:2026-01-19T12:51:05Z [w0] AddToWallet 3d72f6d5f6829a070b0d9766a672b158b6a1fd87bea0f6959ab0ec4b44ebb7ef  new Confirmed (block=2e937f886897ccd9345fc859ebedde9be981a831aa55786286dae69b21a36007, height=101, index=0)
3417:2026-01-19T12:51:05Z [w0] CommitTransaction:
4418:CTransaction(hash=14daa63ec9, ver=2, vin.size=1, vout.size=2, nLockTime=3)
5423:2026-01-19T12:51:05Z [w0] AddToWallet 14daa63ec9de552d7260ab2cd3e993ba41cd1eadc2e525eec8e017b26ebd5a4c  newupdate Inactive (abandoned=0)
6424:2026-01-19T12:51:05Z [w0] Submitting wtx 14daa63ec9de552d7260ab2cd3e993ba41cd1eadc2e525eec8e017b26ebd5a4c to mempool and for broadcast to peers
7425:2026-01-19T12:51:05Z [w0] AddToWallet 14daa63ec9de552d7260ab2cd3e993ba41cd1eadc2e525eec8e017b26ebd5a4c   InMempool
8426:2026-01-19T12:51:05Z [w1] AddToWallet 14daa63ec9de552d7260ab2cd3e993ba41cd1eadc2e525eec8e017b26ebd5a4c  new InMempool

    0115:2026-01-19T12:52:46Z [w0] AddToWallet new Confirmed (block=7f0cdb7a15da25963eb2276592aefb99596011a3288f08a8598c87046e5d1f2f, height=1, index=0)
1...
2411:2026-01-19T12:52:47Z [w0] AddToWallet new Confirmed (block=0a02dcb2e58029c5e665bad29ae90f69f813527bb41f6c74e7600ada7194019c, height=101, index=0)
3417:2026-01-19T12:52:47Z [w0] CommitTransaction
4418:2026-01-19T12:52:47Z [w0] AddToWallet newupdate Inactive (abandoned=0)
5419:2026-01-19T12:52:47Z [w0] Submitting wtx to mempool and for broadcast to peers
6420:2026-01-19T12:52:47Z [w0] AddToWallet  InMempool
7421:2026-01-19T12:52:47Z [w1] AddToWallet new InMempool

    Adding wallet debug logging:

    0./build/bin/bitcoind -regtest -datadir="$DATA_DIR" -daemon -connect=0 -fallbackfee=0.0002 -debug=wallet >/dev/null 2>&1

     0114:2026-01-19T12:54:47Z [w0] AddToWallet new Confirmed (block=511c1230d47d8d70c87f01b1b2274a4c04a8304f826f500af90ac36d3953544d, height=1, index=0)
 1115:2026-01-19T12:54:47Z [wallet] [w0]   txid=7d8e6900d4f3815291f5c80c24067d71867e605bc1ac96bc302174fc7c22c38f
 2...
 3512:2026-01-19T12:54:47Z [w0] AddToWallet new Confirmed (block=2c1aa6e5312f1b0213e5d8a32807baba845e5b1f19998e9ae5366ccc6ffce3b0, height=101, index=0)
 4513:2026-01-19T12:54:47Z [wallet] [w0]   txid=eb8521e70116f366541ab8202375b3ec145e29e7271779baa4eff066ccd1e9ac
 5519:2026-01-19T12:54:47Z [w0] CommitTransaction
 6520:2026-01-19T12:54:47Z [wallet] [w0]   CTransaction(hash=b56f816d0c, ver=2, vin.size=1, vout.size=2, nLockTime=101)
 7525:2026-01-19T12:54:47Z [w0] AddToWallet newupdate Inactive (abandoned=0)
 8526:2026-01-19T12:54:47Z [wallet] [w0]   txid=b56f816d0cf7fdc5ae34eb09bcfdfefe66e57e3f76be86e46ffebd046eaa8ed2
 9527:2026-01-19T12:54:47Z [w0] Submitting wtx to mempool and for broadcast to peers
10528:2026-01-19T12:54:47Z [wallet] [w0]   txid=b56f816d0cf7fdc5ae34eb09bcfdfefe66e57e3f76be86e46ffebd046eaa8ed2
11529:2026-01-19T12:54:47Z [w0] AddToWallet  InMempool
12530:2026-01-19T12:54:47Z [wallet] [w0]   txid=b56f816d0cf7fdc5ae34eb09bcfdfefe66e57e3f76be86e46ffebd046eaa8ed2
13531:2026-01-19T12:54:47Z [w1] AddToWallet new InMempool
14532:2026-01-19T12:54:47Z [wallet] [w1]   txid=b56f816d0cf7fdc5ae34eb09bcfdfefe66e57e3f76be86e46ffebd046eaa8ed2
  2. scripted-diff: update `WalletLogPrintf` method name 
    `WalletLogPrintf` is a leftover from the removed `LogPrintf` API (fa4395dffd432b999002dfd24eb6f8d7384fbcbe).
Rename it to `WalletLogInfo` to reflect that it logs unconditionally at info level.

This refactor does not change behavior.

-BEGIN VERIFY SCRIPT-
git grep -q "WalletLogInfo" $(git ls-files src/wallet) && echo "Error: Target name WalletLogInfo already exists in src/wallet" && exit 1
perl -pi -e 's/\bWalletLogPrintf\b/WalletLogInfo/g' $(git grep -l 'WalletLogPrintf' -- src/wallet)
-END VERIFY SCRIPT-
    507e751b8a
  3. wallet: log txids only behind `-debug=wallet` 
    `WalletLogInfo` logs at info level even when `-debug` is not set, potentially persisting sensitive information.
Avoid leaking wallet txids (and full transaction strings) at info level to reduce accidental privacy leaks when sharing `debug.log`.

Keep the existing info-level messages, but redact txids there and log the full details under the new `-debug=wallet` category using the newly added `WalletLogDebug` (indented slightly to indicate that it belong to the previous info log).
    60a73a834f
  4. DrahtBot added the label Wallet on Jan 19, 2026
  5. DrahtBot commented at 1:15 pm on January 19, 2026: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/34341.

    Reviews

    See the guideline for information on the review process. A summary of reviews will appear here.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #34193 (wallet: make migration more robust against failures by furszy)
    • #34075 (fees: Introduce Mempool Based Fee Estimation to reduce overestimation by ismaelsadeeq)
    • #32685 (wallet: Allow read-only database access for info and dump commands by PeterWrighten)
    • #32636 (Split CWallet::Create() into CreateNew and LoadExisting by davidgumberg)
    • #31260 (scripted-diff: Type-safe settings retrieval by ryanofsky)
    • #30343 (wallet, logging: Replace WalletLogPrintf() with LogInfo() by ryanofsky)
    • #28333 (wallet: Construct ScriptPubKeyMans with all data rather than loaded progressively by achow101)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  6. l0rinc renamed this:
    wallet: only log `txid`s when `-debug=wallet` is explicit
    wallet: only log `txid` when `-debug=wallet` is explicit
    on Jan 19, 2026
  7. vasild commented at 8:50 am on January 21, 2026: contributor

    The new info messages that are without txid look useless to me. Maybe just omit those altogether?

    Having two separate logs that are logically connected like:

    0114:2026-01-19T12:54:47Z [w0] AddToWallet new Confirmed (block=511c1230d47d8d70c87f01b1b2274a4c04a8304f826f500af90ac36d3953544d, height=1, index=0)
1115:2026-01-19T12:54:47Z [wallet] [w0]   txid=7d8e6900d4f3815291f5c80c24067d71867e605bc1ac96bc302174fc7c22c38f

    could be problematic because an unrelated message from elsewhere might sneak in between the two and make the second one look odd, out of context.

    Maybe the current logging is fine as it is and does not need to be changed?


l0rinc DrahtBot vasild

Labels
Wallet

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-01-22 09:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me