A major crypto wallet bug let people be scammed with double-spent bitcoin and faulty balances. The crypto wallet startup ZenGo discovered the bug in three popular bitcoin wallets; it takes advantage of the replace-by-fee feature, as we are reading in more of the bitcoin scam news.
The bug adds unconfirmed transactions to users’ balances and does not reverse them once they are canceled. This allows attackers to double-spend bitcoin and launch DoS attacks on users. The bug let scammers dupe people with double-spent bitcoin because unconfirmed transactions were counted toward users’ total wallet balance. This technical gap makes it possible for scammers to trick users of vulnerable bitcoin wallets into believing they received bitcoin even though the transaction was never confirmed.
Bitcoin transactions have long been treated as final only after some time has passed: it can take up to several hours before a transaction is considered irreversible. The more confirmations a transaction gets, the harder it becomes to override it with a higher-fee replacement. Most bitcoin veterans check for a number of confirmations before considering a transaction final, but users can easily be scammed by seeing an artificially inflated balance. The susceptible wallets included BRD wallet, Ledger Live, and Edge.
The replace-by-fee (RBF) feature on the Bitcoin network allows a sender to replace an unconfirmed transaction with another one that pays a higher fee. Miners then pick the transaction with the highest fee, which ultimately replaces the previous one. Some wallets had a hard time implementing this protocol correctly, which resulted in BigSpender, a family of vulnerabilities that includes multiple-spending attacks.
Bitcoin Core version 0.12 implemented RBF and put the responsibility for verification on users, who must judge a transaction by its number of confirmations. The vulnerability allowed the wallets to update their balances with unconfirmed transactions, so the displayed balance was not a source of truth for recipients but a view of potential transactions still waiting to be processed. Like other transactions, bitcoin transactions are a journey from an initial state to a final state with intermediate steps.
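As an added illustration (not code from ZenGo or from any of the wallets named here), the following Python model shows the accounting defect the article describes: a simplified mempool applies the BIP125 rule that a conflicting transaction with a higher fee evicts the earlier one, and a wallet computes its balance two ways, the BigSpender-style way that keeps counting a credit after its transaction was replaced, and the corrected way that keeps confirmed and pending funds apart and drops credits whose transaction left the mempool. All transaction ids, addresses and amounts are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple      # outpoints this tx spends
    outputs: dict      # address -> amount in satoshi
    fee: int
    rbf: bool = True   # BIP125 opt-in replaceability flag

class Mempool:
    """Simplified RBF rule: a conflicting tx with a higher fee evicts the old one."""
    def __init__(self):
        self.txs = {}
    def accept(self, tx):
        conflicts = [t for t in self.txs.values() if set(t.inputs) & set(tx.inputs)]
        if any(not t.rbf or tx.fee <= t.fee for t in conflicts):
            return False                     # not replaceable, or fee not higher
        for old in conflicts:
            del self.txs[old.txid]           # the replacement evicts the original
        self.txs[tx.txid] = tx
        return True

class Wallet:
    def __init__(self, address, mempool):
        self.address, self.mempool = address, mempool
        self.confirmed = 0                   # satoshi in confirmed UTXOs
        self.pending = {}                    # txid -> unconfirmed credit seen
    def notify(self, tx):
        """The node relayed an unconfirmed tx; record any credit to this wallet."""
        if tx.outputs.get(self.address):
            self.pending[tx.txid] = tx.outputs[self.address]
    def balance_vulnerable(self):
        # BigSpender-style accounting: every unconfirmed credit ever seen is
        # added to the balance and never reversed when its tx is replaced.
        return self.confirmed + sum(self.pending.values())
    def balance_fixed(self):
        # Keep confirmed and pending apart, and drop pending credits whose tx
        # is no longer in the mempool (it was replaced and will never confirm).
        self.pending = {t: a for t, a in self.pending.items() if t in self.mempool.txs}
        return self.confirmed, sum(self.pending.values())

def scenario():
    """Constructed example: a payment is relayed, then replaced under RBF."""
    mp = Mempool(); w = Wallet("merchant", mp)
    pay = Tx("tx1", ("utxo:0",), {"merchant": 100_000}, fee=1_000)
    assert mp.accept(pay); w.notify(pay)
    repl = Tx("tx2", ("utxo:0",), {"sender": 99_000}, fee=2_000)  # same input, higher fee
    assert mp.accept(repl); w.notify(repl)
    return w.balance_vulnerable(), w.balance_fixed()
```

`scenario()` returns `(100000, (0, 0))`: the vulnerable accounting still shows the 100,000 satoshi credit after the replacement, while the corrected accounting reports zero confirmed and zero pending.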
RBF misconfiguration in wallets allows scammers to execute several BigSpender variants, which carry out double-spending and denial-of-service attacks. ZenGo, an Israeli crypto wallet company, disclosed the vulnerabilities to the three wallet companies:
“In some of the vulnerable wallets, this attack is hard (or even impossible) to recover from.”
DC Forecasts is a leader in many crypto news categories, striving for the highest journalistic standards and abiding by a strict set of editorial policies. If you are interested in offering your expertise or contributing to our news website, feel free to contact us at [email protected]