Researchers Found Issue with Bitcoin Wallets Leading to Double Transactions

ZenGo is a newly formed crypto wallet company that has created quite the ruckus for crypto wallet users. Their research team, during research that they were conducting, found a major vulnerability in several crypto wallets that could potentially lead to double transactions when exploited. The main names that came out in this research were Edge, Breadwallet (BRD), and Ledger Live. However, the list could contain a lot more names as well.

ZenGo is an Israeli firm that has recently started providing crypto wallet services to users. It called the bug BigSpender, aptly named for the fact that the hacker using it could cause a wallet to double-spend during a transaction. Once the bug is in place, the hacker can also prevent the wallet owner from making any more transactions, ever! The bug uses the replace-by-fee (RBF) function in Bitcoin which is put in as a failsafe for transactions. It lets the user use a higher fee transaction to replace one that is not confirmed.

Ouriel Ohayon, the chief executive for ZenGo said, “[BigSpender] can lead to substantial financial losses and in some cases to make the victim’s wallet totally unusable with no way for the victim to protect themselves, so this can be seen as a high severity attack.”

Bitcoin may be the most popular cryptocurrency, but it is certainly not without its own set of problems. Another widely acknowledged and criticized problem is the time-locked transactions which had its own set of complications and risks. The RBF function was a way for people holding Bitcoin to get relief from slow transaction confirmations by paying a premium.

RBF has not had any popularity with any bitcoin wallets due to the way it functions and the potential underlying problems. This has always been the case, even though the functionality is part of the core bitcoin protocol. One of the researchers from ZenGo who goes by the pseudonym of 0xB10C commented on the matter saying, “ZenGo shows that a user can be tricked into thinking he is receiving bitcoin when he is not. I believe this to be novel. I’ve at least not heard about it before.”

As part of the research, ZenGo decided to analyze nine different crypto wallets. This included Trust Wallet, Ledger Live, Edge, Exodus, Coinbase, Bread, Blockchain, Atomic Wallet, and Blockstream Green. Out of these, the three mentioned above were found to be carrying the vulnerability leading to double transactions.

ZenGo’s CEO said on the matter, “We have not tested all the wallets, but it could be that if three of the largest are implicated, more out there are, too.” If his words are to be held as true, it could mean a lot of problems for the crypto wallets in general. ZenGo did inform all the firms they found vulnerable about the issue and provided a 90-day deadline to fix the problem. ZenGo received bounties from both BRD and Ledger who also released the updates they may to their code to address the vulnerability.

The architect of RBF, Peter Todd, who is also a bitcoin developer, said that the hack uses a known vulnerability that can be found in certain wallets and the way they treat their transactions.

Here is how the hack takes place: The victim receives funds from the hacker, the amount for which is almost negligible and can be ignored and not get any confirmation. While this happens, the hacker cancels this transaction. However, the small change in the amount does show on the receiver’s account and the user may think that the transaction has already happened.

This creates a discrepancy between the stated and real balance in the user’s bitcoin account. The hacker can exploit this difference to make people pay for services that they want. The only expense on the hacker’s wallet is a minuscule payment for the transaction. Technically speaking this fault lies only in the way the app works i.e. its UX and UI.

ZenGo researchers define double-spend as a scenario where a user is tricked by a hacker into making a transaction while also controlling their account. The CTO of Casa, a custody startup, Jameson Lopp said, “You have to decide what is the definition of a double-spend. Most people that aren’t trolls would say that a double-spend is when you have a confirmed transaction that is somehow invalidated and spent with a different confirmed transaction.”

In its very nature, the attack’s primary source of entry is the way a wallet is designed. Those with the vulnerability built into their systems can be hacked without any problem whatsoever! The cleverest part about it is that the hack is not attacking the bitcoin code in any way. It is simply exploiting a shortcoming that is already present in the bitcoin transaction atmosphere.

The irony is not lost when you see that the purpose of creating a blockchain, according to Satoshi’s white paper, was to eliminate this specific problem in the first place.

Want to start investing in cryptocurrencies on auto-pilot? Check out the most popular crypto trading robots.

Copyright © 2020. All Rights Reserved. | Web Design by Flytonic.