At least three major Bitcoin wallets are vulnerable to fraud, and could even be completely bricked, leaving them unusable by their owners, according to new research.
Coindesk reports that the flaw was discovered by an Israeli firm.
Blockchain sleuths at ZenGo, a wallet startup, have found a vulnerability that affected at least three major crypto wallets — Ledger Live, Edge, and Breadwallet (BRD) — and potentially more.
The bug, which the Tel Aviv-based firm calls BigSpender, allows a hacker to double spend a user’s funds and possibly prevent them from ever using their wallet again […]
‘We have not tested all the wallets but it could be that if three of the largest are implicated, more out there are too,’ ZenGo CEO Ouriel Ohayon said. ZenGo alerted the firms about its findings, and gave them 90 days to repair the vulnerability […]
Ledger and BRD have released code changes to prevent the attack from happening, and paid undisclosed bug bounties to ZenGo, while Edge is currently undergoing a ‘significant refactor’ that will address the issue, Edge’s CEO Paul Puey said in an email.
The site explains how the vulnerability could be exploited.
Attackers send funds to their intended victim, and set fees low enough to nearly guarantee the transaction will not receive a confirmation. While the transaction is pending, the attacker cancels it. For vulnerable wallets, this pending transaction will be reflected as an increase in a user’s account balance, and therefore, possibly, lead some victims to erroneously believe the transaction has gone through, despite being cancelled.
This discrepancy between a victim’s stated and actual balance could be exploited by malicious actors tricking people into providing goods or services without paying for them.
Coindesk also has a recommended precaution no matter which Bitcoin wallet app you use.
A general rule of thumb when transacting with Bitcoin is to never trust a transaction with less than six confirmations, 0xB10C said. This was a point repeated by a number of developers, including Todd, Lopp and BRD CTO Samuel Sutch.
Jameson Lopp, CTO of custody startup Casa, said that Bitcoin wallet apps need a user interface which clearly distinguishes confirmed from unconfirmed transactions, and also signals when the number of confirmations received is too low to be trusted.
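As an added illustration of two points in the quoted passages above, the accounting mistake that lets an unconfirmed and later-cancelled incoming payment inflate a displayed balance, and the six-confirmation rule and confirmed/unconfirmed UI distinction recommended at the end, here is a small Python model of wallet-side balance bookkeeping. It is not ZenGo's, Coindesk's or any of the named wallets' real code; the transaction records, amounts and txids are constructed, and the `replaced_by` field stands in for whatever signal a wallet's node backend gives when a mempool transaction is superseded by a conflicting one.

```python
"""Wallet-side balance accounting that separates confirmed, unconfirmed and
cancelled incoming transactions. Constructed illustration of the BigSpender
failure mode; not ZenGo's, Coindesk's or any wallet's real code."""
from dataclasses import dataclass
from typing import List, Optional

# The "six confirmations" rule of thumb quoted in the article.
TRUSTED_CONFIRMATIONS = 6


@dataclass
class IncomingTx:
    txid: str
    amount_sats: int
    confirmations: int                 # 0 means the tx is only in the mempool
    replaced_by: Optional[str] = None  # txid of a conflicting tx that superseded it


def naive_balance(txs: List[IncomingTx]) -> int:
    """Vulnerable pattern: every incoming payment the wallet has ever seen is
    added to the displayed balance, whether or not it confirmed or was later
    replaced. This is the behaviour the quoted text describes."""
    return sum(t.amount_sats for t in txs)


def spendable_balance(txs: List[IncomingTx], min_conf: int = TRUSTED_CONFIRMATIONS) -> int:
    """Hardened pattern: only payments with at least min_conf confirmations,
    and that have not been replaced, count as money the user may rely on."""
    return sum(t.amount_sats for t in txs
               if t.replaced_by is None and t.confirmations >= min_conf)


def unconfirmed_balance(txs: List[IncomingTx]) -> int:
    """Incoming value still waiting in the mempool, shown separately in the UI."""
    return sum(t.amount_sats for t in txs
               if t.replaced_by is None and t.confirmations == 0)


def label(tx: IncomingTx, min_conf: int = TRUSTED_CONFIRMATIONS) -> str:
    """Per-transaction UI label, following the recommendation that confirmed
    and unconfirmed payments be clearly distinguished and that a low
    confirmation count be flagged as not yet trustworthy."""
    if tx.replaced_by is not None:
        return "cancelled"
    if tx.confirmations == 0:
        return "unconfirmed"
    if tx.confirmations < min_conf:
        return f"{tx.confirmations}/{min_conf} confirmations (do not trust yet)"
    return "confirmed"


def mark_replaced(txs: List[IncomingTx], old_txid: str, new_txid: str) -> bool:
    """Record that the node reported old_txid as replaced by a conflicting
    new_txid (the 'cancel' step described in the article). Returns True if found."""
    for t in txs:
        if t.txid == old_txid:
            t.replaced_by = new_txid
            return True
    return False


def simulate_bigspender() -> dict:
    """Walk through the scenario with constructed data and return what each
    accounting method would display at each stage."""
    # Constructed history: one long-confirmed deposit the victim really owns.
    txs = [IncomingTx("victim_deposit_tx", 50_000, confirmations=120)]
    # A low-fee incoming payment arrives in the mempool but never confirms.
    incoming = IncomingTx("lowfee_incoming_tx", 1_000_000, confirmations=0)
    txs.append(incoming)
    stage1 = {
        "naive_before": naive_balance(txs),
        "spendable_before": spendable_balance(txs),
        "unconfirmed_before": unconfirmed_balance(txs),
        "label_before": label(incoming),
    }
    # The sender cancels it by broadcasting a conflicting replacement.
    mark_replaced(txs, "lowfee_incoming_tx", "replacement_tx")
    stage2 = {
        "naive_after": naive_balance(txs),
        "spendable_after": spendable_balance(txs),
        "unconfirmed_after": unconfirmed_balance(txs),
        "label_after": label(incoming),
    }
    return {**stage1, **stage2}


if __name__ == "__main__":
    for key, value in simulate_bigspender().items():
        print(f"{key:20} {value}")
```

Running the script shows the naive figure jumping to 1,050,000 sats the moment the unconfirmed payment appears and staying there after it is cancelled, which is the discrepancy between stated and actual balance the article describes. The hardened spendable figure never moves from the 50,000 sats that are actually confirmed, the unconfirmed column drops back to zero once the replacement is seen, and the per-transaction label changes from "unconfirmed" to "cancelled", giving the user the signal Lopp asks for.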