Vulnerability in some popular bitcoin wallets can be exploited to commit fraud
A newly discovered vulnerability in some popular bitcoin wallets can be exploited by scammers to commit fraud and even make the wallets themselves unusable.
Discovered by wallet startup ZenGo and revealed today, the vulnerability, dubbed “BigSpender,” was found in bitcoin wallets from Ledger Live, Edge and Breadwallet but potentially affects others as well. The vulnerability allows a scammer to double-spend bitcoin, a process whereby the owner of a wallet is tricked into believing he had received a bitcoin even if the transaction hasn’t been confirmed.
“Imagine receiving a $100 bank wire for some goods or services you just sold,” Obed Leiba at ZenGo explained in an example. “You supply the goods or services as you think you’ve received the money. After all, it shows in your account. Except it doesn’t. It’s just an illusion. The attacker was able to cancel the transaction in a way your bank had failed to detect.”
The same applies to the affect bitcoin wallets and, worse still, can be constantly repeated to the point that the bitcoin wallet itself becomes corrupted and hence unusable.
The issue here is that bitcoin transactions themselves are reversible. A typical transaction takes several hours before it cannot be reversed. As Crypto Briefing noted, bitcoin veterans know to check for confirmation of the transaction before considering it final, but new users can be tricked by seeing an artificially inflated wallet balance.
The vulnerability exploits the way certain wallets handle bitcoin’s replace-by-fee function. RBF is a standard method designed to allow users to undo an unconfirmed transaction by sending another transaction spending the same coins with a higher fee. In the case of the affected wallets, the way they handle RBF opens the door to double-spending attacks.
Depending on the desired outcome, attacks can come in different forms as well. In the basic double-spend attack, attackers send the victim a bitcoin asking for goods or services in return, then cancel the transaction immediately. The wallets don’t immediately reflect cancellations and show an incorrect balance, making the victim believe that the transaction is complete.
In an amplification attack, the attacker takes a double-spend attack and amplifies it, sending multiple transactions and then canceling them, making the victim think he has been sent a large amount of bitcoin when they haven’t.
The final form of attack that can be exploited by the vulnerability is an old-school denial-of-service attack. In this case, even if the target is aware that he has to wait for a transfer to be confirmed, the attack can keep sending and canceling to the point that the bitcoin wallet fails.
ZenGo did reach out to the company’s affected before publication and BreadWallet and Ledger Live fixed the vulnerability in new versions. Edge acknowledged the vulnerability but has not yet fixed it, saying it plans to do so in the future.
Users of BreadWallet and Ledge Live should update to the latest version. Bitcoin users in general are advised to choose a safe wallet that handles RBF transactions correctly or, if they choose to use a vulnerable wallet, always to verify transactions are confirmed before handing out any goods or services in return.
Image: Ledger Live
Since you’re here …
Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!
Support our mission: >>>>>> SUBSCRIBE NOW >>>>>> to our YouTube channel.
… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.