A mobile cryptocurrency wallet startup has discovered double-spend attacks against some of the most popular crypto wallets
Once again, ZenGo has come forward to highlight a vulnerability plaguing some of the most popular bitcoin wallets, including the hardware wallet Ledger, BRD and Edge. It was only a couple of months ago that I wrote about how ZenGo built a testnet to highlight the vulnerability affecting most decentralized application (DApp) wallets.
Now, the crypto wallet startup has revealed a double-spend vulnerability in crypto wallets, dubbed BigSpender. It leads to an incorrect balance in your wallet, because unconfirmed transactions are counted towards your total balance. The BigSpender attack essentially lets an attacker cancel a Bitcoin transaction while it still shows up in the balance of the victim’s vulnerable wallet.
This kind of trick is common on peer-to-peer marketplaces like Craigslist: somebody makes you believe they have sent you a payment for an item you are selling, but when you check your bank account, the money never arrived. BigSpender is the same scam applied to cryptocurrencies.
It abuses a feature of the Bitcoin protocol called Replace-by-Fee (RBF), which lets a sender broadcast a transaction with a low fee and then follow it with a second transaction spending the same inputs with a higher fee. The original transaction is cancelled and replaced by the new one, because miners prioritise the transaction that pays the higher fee.
The problem arises because some cryptocurrency wallets trust unconfirmed transactions too quickly. The balance shown in your wallet indicates that you have received bitcoin, when in reality the sender has cancelled the earlier transaction and replaced it with one that pays a different wallet under their control. The cancellation has no effect on the balance your wallet displays.
Another way a malicious actor can trick you is by sending multiple fake transactions: they could initiate ten transactions of 0.1 BTC each, and the recipient would see a balance of 1 BTC despite having received nothing. This is an example of an “amplification attack” using the BigSpender vulnerability.
This can lead to a third type of BigSpender attack, in which your crypto assets are effectively frozen, a “denial-of-service”. When a victim tries to send bitcoin after receiving many fake transactions, the wallet may attempt to spend assets that never arrived, and the transaction fails.
BigSpender is not, in itself, a hacking tool: it does not let an attacker steal funds, but serves to confuse the target wallet. Rather than hurriedly updating the wallet balance with unconfirmed transactions, the wallet should label them as “Pending” to warn users. In addition, transactions that have been replaced using Replace-by-Fee should be labelled as failed.
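As an added illustration (not ZenGo’s test tool or any of the affected wallets’ code), here is a minimal balance calculation in Python that contrasts the naive “count everything you have seen” behaviour with the confirmed/pending/failed labelling recommended above; the Tx record, the satoshi amounts and the attacker outpoints are constructed assumptions.

```python
from dataclasses import dataclass

SAT_PER_BTC = 100_000_000

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset       # outpoints ("prevtxid:vout") this tx spends
    to_us: int              # satoshis paid to addresses this wallet controls
    fee: int                # satoshis paid to miners
    confirmations: int = 0  # 0 = only seen in the mempool, not in a block

def naive_balance(txs):
    """BigSpender-prone: count every payment ever seen, confirmed or not,
    and never revisit it when a replace-by-fee replacement shows up."""
    return sum(tx.to_us for tx in txs)

def classify(txs):
    """Split txs into confirmed / pending / failed. An unconfirmed tx is
    'failed' (replaced) when another known tx spends one of its inputs and
    is either already confirmed or pays a higher fee, i.e. a BIP125
    replace-by-fee replacement."""
    confirmed, pending, failed = [], [], []
    for tx in txs:
        if tx.confirmations > 0:
            confirmed.append(tx)
            continue
        replaced = any(
            other.txid != tx.txid
            and not other.inputs.isdisjoint(tx.inputs)
            and (other.confirmations > 0 or other.fee > tx.fee)
            for other in txs
        )
        (failed if replaced else pending).append(tx)
    return confirmed, pending, failed

def safe_balance(txs):
    """Only confirmed outputs are spendable; pending and failed sums are
    returned separately so the UI labels them instead of adding them."""
    confirmed, pending, failed = classify(txs)
    return {"spendable": sum(t.to_us for t in confirmed),
            "pending": sum(t.to_us for t in pending),
            "failed": sum(t.to_us for t in failed)}

# Constructed amplification scenario: ten 0.1 BTC payments to the victim,
# then one higher-fee tx spending the same inputs to the attacker's address.
AMPLIFICATION = [
    Tx(f"t{i}", frozenset({f"attacker:{i}"}), SAT_PER_BTC // 10, fee=1_000)
    for i in range(10)
] + [Tx("r", frozenset(f"attacker:{i}" for i in range(10)), 0, fee=20_000)]
```

On the constructed scenario, naive_balance reports 1 BTC while safe_balance reports 0 spendable and 1 BTC failed, which is also why the safe version never tries to spend outputs that never arrived.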
ZenGo advised the three wallet providers of the vulnerability three months ago; as reported by TechCrunch, Ledger and BRD have awarded bug bounties to ZenGo. BRD has already released a fix, while Edge and Ledger are working on fixes (table above). Meanwhile, ZenGo has released an open-source tool to test your bitcoin wallet against the vulnerability.
Originally Published on Medium