A standard way to transact Bitcoin could be vulnerable to double-spending, new research has found. Blockchain sleuths at ZenGo, a wallet startup, have found a vulnerability that affected at least three major crypto wallets – Ledger Live, Edge and Breadwallet (BRD) – and potentially more.
The bug, which the Tel Aviv-based firm calls BigSpender, allows a hacker to double spend a user’s funds and possibly prevent them from ever using their wallet again. It works by exploiting a flaw in Bitcoin’s replace-by-fee (RBF) function, a failsafe that enables users to swap an unconfirmed transaction with one that has a higher fee.
“[BigSpender] can lead to substantial financial losses and in some cases to make the victim’s wallet totally unusable with no way for the victim to protect themselves,” ZenGo CEO Ouriel Ohayon said in an email. “So this can be seen as a high severity attack.”
Like other vulnerabilities found in Bitcoin’s core codebase, such as timelocked transactions, the RBF function has become a standard way for users to send value back and forth. It was pitched and accepted by the developer community as a way for Bitcoiners to circumvent slow confirmation times by paying more in fees.
See also: Raphael Auer – The Security Trilemma and the Future of Bitcoin
From the outset, there were fears that the RBF function was not well supported by Bitcoin wallets, despite being integrated at Bitcoin’s protocol layer, the pseudonymous Bitcoin researcher 0xB10C said. “ZenGo shows that a user can be tricked into thinking he is receiving bitcoin when he is not. I believe this to be novel. I’ve at least not heard about it before,” he said.
The firm tested nine different wallets including Ledger Live, Trust wallet, Exodus, Edge, Bread, Coinbase, Blockstream Green, Blockchain and Atomic Wallet. Of those tested, three were found to be vulnerable to the theoretical exploit.
“We have not tested all the wallets but it could be that if three of the largest are implicated, more out there are too,” Ohayon said. ZenGo alerted the firms about its findings, and gave them 90 days to repair the vulnerability.
Ledger and BRD have released code changes to prevent the attack from happening, and paid undisclosed big bounties to ZenGo, while Edge is currently undergoing a “significant refactor” that will address the issue, Edge’s CEO Paul Puey said in an email.
The hack leverages a known vulnerability in how certain wallets treat Bitcoin’s RBF transactions, Peter Todd, Bitcoin developer and RBF’s architect, said.
How it works: Attackers send funds to their intended victim, and set fees low enough to nearly guarantee the transaction will not receive a confirmation. While the transaction is pending, the attacker cancels it. For vulnerable wallets, this pending transaction will be reflected as an increase in a user’s account balance, and therefore, possibly, lead some victims to erroneously believe the transaction has gone through, despite being cancelled.
This discrepancy between a victim’s stated and actual balance could be exploited by malicious actors tricking people into providing goods or services without paying for them – except the minimal amount of fees spent. In this sense, the flaw is with a wallet’s UX and UI design.
Double trouble?
If a hacker can trick a person into believing they received payment, while simultaneously maintaining control of the bitcoin, this is a double-spend, according to ZenGo’s researchers.
“You have to decide what is the definition of a double-spend. Most people that aren’t trolls would say that a double-spend is when you have a confirmed transaction that is somehow invalidated and spent with a different confirmed transaction,” Jameson Lopp, CTO of custody startup Casa, said, denying the researchers’ claims.
This attack, by its nature, takes advantage of the way wallets display unconfirmed transactions. In this sense, the attack – while fraudulent – isn’t breaking the way the Bitcoin code functions.
“The whole point of the blockchain is to prevent the double-spend problem,” Lopp said. “It goes back to the original Satoshi white paper, which says the solution to double-spending is to have a distributed ledger that many people are checking.”
A general rule of thumb when transacting with Bitcoin is to never trust a transaction with less than six confirmations, 0xB10C said. This was a point repeated by a number of developers, including Todd, Lopp and BRD CTO Samuel Sutch. If this exploit goes through, at least some of the responsibility is on the victim.
“The only thing you can rely on is transactions that have been mined,” Todd said.
In this sense, Sutch called BigSpender a “minor bug,” and “kind of contrived,” but also something worth fixing and paying a bug bounty for. BRD recently passed 5 million users, Sutch said.
“More wallet developers need to know their users don’t know the distinctions under the hood,” Lopp siad. Many don’t even know the difference between confirmed and unconfirmed from a security standpoint. So the onus is on developers to build a better user experience so they cannot be confused and defrauded by things like this.”
To this end, Ledger updated the way the wallet displays RBF transactions, and added that if users are unsure “to check the status of a transaction” using a block explorer. “Such verification is not possible with your bank today,” Ledger’s CTO Charles Guillemet said over email.
Double vision
Updating wallets to clearly display what is happening during a RBF transaction is well and good for everyone involved. However, ZenGo researchers found there is a second order attack, which follows the same scheme outlined above, which could permanently disable a wallet with or without the victim’s knowledge of the transaction.
In this case, the attacker again artificially inflates a victim’s balance by sending repeated transactions to her wallet. This can be done without a victim’s consent. By canceling the transactions before confirmed, the victim’s stated wallet balance and actual funds are again decoupled, making their wallet unusable. Worse, the attack can affect multiple wallets at the same time.
Essentially, it’s a denial of service (DoS) attack, preventing people from using their wallets.
“This also disables other kinds of sending attempts if the wallet’s coin selection algorithm chooses funds from this nonexistent transaction,” Ohayon said. These wallets are “bricked,” to use Sutch’s parlance. “It’s a huge inconvenience.”
Sutch said BRD made the vulnerability a top priority for the firm after it was alerted. Strangely, it managed to fix the bug while working an unrelated problem, he said.
The issue ZenGo raises with its security research is not sequestered to the wallets the team tested. The vast majority of Bitcoin wallets are capable of receiving RBF transactions, and many of them are “resource constrained,” Sutch said, and are unable to provide a fix immediately.
When enabling RBF functionality on Casa, Lopp said he configured the system to not display these types of transactions until confirmed, which is non-standard in the industry. “The default parameters would display these transactions,” he said.
The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.