Trezor users may lose their BTC

Trezor users may lose their BTC

By Artur89 | Arthur Crypto 2020 | 10 Jun 2020


The manufacturer of hardware crypto wallets Trezor has introduced an updated firmware that contains a fix for vulnerabilities in the implementation of bitcoin transactions using SegWit technology. Although Trezor users' assets are now protected from this vulnerability, they can still lose access to them, at least temporarily, due to another bug that has appeared.

The problem arises when Trezor interacts with some third-party services, such as Wasabi wallet or BTCPay payment processing, and leads to the blocking of assets. Wasabi developers are asking their users not to update the firmware until a similar patch is launched in their own service.

Security researcher Salim Rashid discovered the exploit about three months ago and reported it to major hardware wallet manufacturers, including Trezor and Ledger. The attack itself is highly complex execution. A Bitcoin holder using SegWit must download malware. Then, for example, it sends a transaction with two outputs at 10 and 5.0001 BTC. The total transaction amount is 15 BTC, the commission is 0.0001 BTC. After that, he receives an error message in which he is asked to sign the transaction again.

At this stage, the attacker changes the outputs so that the transaction amount is 0.0001 BTC, and the commission is 15 BTC.

In other words, in order to benefit from this attack, the attacker must be a miner and get the right block. The user will need to send a transaction with more than one output and download malware. Manufacturers of ColdCard hardware wallets, whom Rashid did not report the problem, said that the exploit has a low level of severity, while fixing it can lead to significant malfunctions in the functioning of the wallet.

Producer Trezor said: “Trezor will not be able to sign transactions when using some third-party tools until they update to work correctly. Due to the responsible disclosure process, we could not notify the teams that served them in advance. ”

Wasabi founder Adam Fixor said that “the consequences of upgrading the Trezor firmware, leading to restricting user access to the [Wasabi] wallet, are more problematic than the attack itself, but does not blame the company for“ excessive caution. ”

The founder of BTCPay Server, Nicholas Dorier, believes that the manufacturer should have been given 1-2 months for users to move their assets. He also admitted that BTCPay will have to abandon support for Trezor and other hardware wallets that rely on a similar transaction verification scheme, since service users use limited versions of nodes and do not store all the necessary information.

“If you use Trezor and have updated the firmware, then you can no longer withdraw money from your wallet through BTCPay Server. We cannot fix the problem, because we do not have the data that Trezor will request. We recommend that you either wait for the Trezor solution to change, or change the hardware wallet if you want to use the BTCPay Server, or switch to the hot wallet implementation in BTCPay Server, ”BTCPay developers said.

How do you rate this article?

2


Artur89
Artur89

We know everything about the world of cryptocurrencies!


Arthur Crypto 2020
Arthur Crypto 2020

Good afternoon, dear subscribers of our blog! In this blog you will find out the latest crypto news, news on the crypto market and all the hot consequences of crypto trading.

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.