A newly discovered vulnerability in some popular bitcoin wallets can be exploited by scammers to commit fraud and even make the wallets themselves unusable.
Discovered by wallet startup ZenGo and revealed today, the vulnerability, dubbed “BigSpender,” was found in bitcoin wallets from Ledger Live, Edge, and Breadwallet but potentially affects others as well. The vulnerability allows a scammer to double-spend bitcoin, a process whereby the owner of a wallet is tricked into believing they have received bitcoin even though the transaction has not been confirmed.
“Imagine receiving a $100 bank wire for some goods or services you just sold,” Obed Leiba at ZenGo explained in an example. “You supply the goods or services as you think you’ve received the money. After all, it shows in your account. Except it doesn’t. It’s just an illusion. The attacker was able to cancel the transaction in a way your bank had failed to detect.”
The same applies to the affected bitcoin wallets and, worse still, the attack can be repeated constantly to the point that the wallet itself becomes corrupted and hence unusable.
The issue here is that bitcoin transactions are not immediately final: a typical transaction takes several hours before it can no longer be reversed. As Crypto Briefing noted, bitcoin veterans know to check for confirmations before considering a transaction final, but new users can be tricked by an artificially inflated wallet balance.
The vulnerability exploits the way certain wallets handle bitcoin’s replace-by-fee (RBF) function. RBF is a standard method designed to allow users to undo an unconfirmed transaction by sending another transaction that spends the same coins with a higher fee. In the affected wallets, the way RBF replacements are handled opens the door to double-spending attacks.
Depending on the attacker’s goal, the attack can take several forms. In the basic double-spend attack, the attacker sends the victim bitcoin, asks for goods or services in return, then cancels the transaction immediately. The wallets don’t immediately reflect the cancellation and show an incorrect balance, making the victim believe that the transaction is complete.
In an amplification attack, the attacker takes the double-spend attack and amplifies it, sending multiple transactions and then canceling them, making the victim think they have been sent a large amount of bitcoin when they haven’t.
The final form of attack enabled by the vulnerability is an old-school denial-of-service attack. In this case, even if the target knows to wait for a transfer to be confirmed, the attacker can keep sending and canceling transactions until the bitcoin wallet fails.
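The difference between the wallet behaviour the article describes and a conflict-aware one, as a constructed simulation added here (not code from ZenGo or from any of the wallets named): the naive tracker adds every incoming payment it has ever seen to its balance, while the conflict-aware tracker drops a pending transaction as soon as another transaction spends one of the same inputs (which is exactly what an RBF replacement does) and reports confirmed and pending amounts separately. Transaction ids, outpoints and amounts are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset       # outpoints ("txid:vout") this tx spends
    amount_to_us: int       # satoshis paid to our wallet's addresses
    confirmations: int = 0  # 0 = still unconfirmed (in the mempool)

class NaiveWallet:
    """The pattern the article describes: every payment ever seen stays in the balance."""
    def __init__(self):
        self.seen = {}
    def observe(self, tx):
        self.seen[tx.txid] = tx
    def balance(self):
        return sum(t.amount_to_us for t in self.seen.values())

class ConflictAwareWallet:
    """Drops a pending tx when a later tx spends one of its inputs (an RBF replacement)."""
    def __init__(self):
        self.mempool, self.confirmed, self.spent_by = {}, {}, {}
    def observe(self, tx):
        for outpoint in tx.inputs:
            rival = self.spent_by.get(outpoint)
            if rival is not None and rival != tx.txid:
                self.mempool.pop(rival, None)  # the earlier tx lost the conflict
            self.spent_by[outpoint] = tx.txid
        if tx.confirmations > 0:
            self.mempool.pop(tx.txid, None)
            self.confirmed[tx.txid] = tx
        else:
            self.mempool[tx.txid] = tx
    def confirmed_balance(self):  # the only figure safe to act on
        return sum(t.amount_to_us for t in self.confirmed.values())
    def pending_balance(self):    # show separately, never add to the spendable total
        return sum(t.amount_to_us for t in self.mempool.values())

def simulate_bigspender(rounds=3, amount=100_000):
    """Constructed amplification run: each payment is replaced by a higher-fee tx
    spending the same coin back to the sender, so we actually receive nothing."""
    naive, careful = NaiveWallet(), ConflictAwareWallet()
    for i in range(rounds):
        pay = Tx(f"pay{i}", frozenset({f"coin{i}:0"}), amount)
        undo = Tx(f"undo{i}", frozenset({f"coin{i}:0"}), 0)
        for wallet in (naive, careful):
            wallet.observe(pay)
            wallet.observe(undo)
    return naive.balance(), careful.confirmed_balance(), careful.pending_balance()
```

Running `simulate_bigspender()` yields a naive balance of 300,000 satoshis against a confirmed and pending balance of 0 for the conflict-aware wallet; the same eviction logic also handles the case where the replacement confirms rather than the original.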
ZenGo reached out to the affected companies before publication, and Breadwallet and Ledger Live fixed the vulnerability in new versions. Edge acknowledged the vulnerability but has not yet fixed it, saying it plans to do so in the future.
Users of Breadwallet and Ledger Live should update to the latest version. Bitcoin users in general are advised to choose a wallet that handles RBF transactions correctly or, if they choose to use a vulnerable wallet, to always verify that a transaction is confirmed before handing over any goods or services in return.