At least three major Bitcoin wallets are vulnerable to fraud, and could even be completely bricked, leaving them unusable by their owners, according to new research.
Ledger Live, Edge, and Breadwallet (BRD) were all found to be vulnerable to the security flaw, but they may not be the only ones…
Coindesk reports that the flaw was discovered by an Israeli firm.
The site explains how the vulnerability could be exploited.
The bug, which the Tel Aviv-based firm calls BigSpender, allows a hacker to double spend a user’s funds and possibly prevent them from ever using their wallet again […]
‘We have not tested all the wallets but it could be that if three of the largest are implicated, more out there are too,’ ZenGo CEO Ouriel Ohayon said. ZenGo alerted the firms about its findings, and gave them 90 days to repair the vulnerability […]
Ledger and BRD have released code changes to prevent the attack from happening, and paid undisclosed big bounties to ZenGo, while Edge is currently undergoing a ‘significant refactor’ that will address the issue, Edge’s CEO Paul Puey said in an email.
Coindesk also has a recommended precaution no matter which Bitcoin wallet app you use.
Attackers send funds to their intended victim, and set fees low enough to nearly guarantee the transaction will not receive a confirmation. While the transaction is pending, the attacker cancels it. For vulnerable wallets, this pending transaction will be reflected as an increase in a user’s account balance, and therefore, possibly, lead some victims to erroneously believe the transaction has gone through, despite being cancelled.
This discrepancy between a victim’s stated and actual balance could be exploited by malicious actors tricking people into providing goods or services without paying for them.
Jameson Lopp, CTO of custody startup Casa, said that Bitcoin wallet apps need a user interface which clearly distinguishes confirmed from unconfirmed transactions, and also signals when the number of confirmations received is too low to be trusted.