In at least three of cryptocurrency wallets ― Ledger Live, Edge and Breadwallet (BRD) ― was discovered a vulnerability that could allow an attacker to conduct the attack double spending (controversial definition ― more on this below) on the user. About it reports Coindesk, citing a study by the developers of cryptocurrency wallet ZenGo.
The developers have called the vulnerability BigSpender ― it uses a bug in the functionality of bitcoin Replace-by-Fee (RBF), which allows users to pay a higher fee for an unconfirmed transaction to speed up its inclusion in the blockchain. RBF has been widely used functions in many bitcoin wallets.
According to the researcher under the pseudonym of bitcoin 0хВ10СС, although the function is integrated at the Protocol level, from the outset there were concerns about possible problems of its implementation in bitcoin wallets. “Trials ZenGo describes a new way of cheating the user. He will think that he received bitcoins, whereas in fact they are not. I think it’s something new. At least, I have not heard about it”, ― he said.
The developers ZenGo tested nine different wallets ― Ledger Live, Trust Wallet, Exodus, Edge, BRD, Coinbase, Blockstream Green, and Atomic Blockchain Wallet. Three of them, the developers called potentially vulnerable to this attack.
“We have tested not all existing wallets, but vulnerable if the three largest, they can be more”, ― said General Director ZenGo Uriel Ohayon. The ZenGo team have informed developers about vulnerabilities and gave them 90 days to eliminate it.
Ledger BRD and made the appropriate changes to your code, and ZenGo paid a fee (amount not disclosed). According to General Director of the Edge of the Floor POEA, the wallet is currently undergoing “significant refactoring”, which should solve the issue.
Peter Todd, who participated in the development of RBF, said that an attacker could exploit a known vulnerability in the way certain wallets display a bitcoin transaction.
How it works: the fraudster sends funds to the victim and set a very low Commission to the transaction has been confirmed. While the transaction is pending inclusion in the blockchain, the attacker cancels it. However, vulnerable wallets otobrat this transaction increases the balance and therefore some users may mistakenly assume that the transaction took place.
This discrepancy between the stated and the actual balance of the victim can be exploited. Thus, vulnerability is hidden in the interface of the purse.
According to the developers ZenGo, if a hacker could convince a person that he has received payment, and at the same time to retain control of bitcoin, then it can be called a double-spending attack.
“It is important to define what you mean by double spending. Most people who are not engaged in trolling, I will say that double spending is when you have confirmed the transaction, which somehow invalidated and spent another committed transaction,” said Jameson Lopp, a bitcoin developer and CTO of a startup Casa.
This attack uses vulnerabilities in the interface of some wallets, but not in the code of bitcoin.
“The whole point of blockchain is that it solves the problem of double spending”, said Mr. Lopp. “In the bitcoin whitepaper States that the solution to double spending is the presence of a distributed registry”.
According to 0xB10C, the General rule in transactions in bitcoins ― never trust transactions with less than six confirmations. This view was repeated by many developers, including Todd, Lopp and technical Director BRD Samuel Satch.
“Wallet developers must understand that many users do not know all the features of the blockchain,” says Lopp. “Many do not even know the difference between confirmed and unconfirmed transactions. Thus, the responsibility in this case lies on the developers not to allow users could be fooled in such way.”