ZenGo recently discovered a vulnerability in the popular cryptocurrency wallets Ledger, Edge, and BRD. Named BigSpender, the vulnerability could lead to a double-spend and an incorrect balance on the wallet.
Double-spending is spending the same money more than once, and preventing it is one of the most critical tasks of any digital currency system.
The issue with BigSpender is that “vulnerable wallets are not prepared for the option that a transaction might be canceled and implicitly assume it will get confirmed eventually.”
As a result, a vulnerable wallet increases the user’s balance when an unconfirmed incoming transaction arrives but does not decrease it if that transaction is double-spent.
Other implications included canceled transactions whose state is not updated in the user’s transaction history, coins from canceled transactions still being selected by the wallet’s software, and user interfaces in which an unconfirmed state is not well distinguished from a confirmed state.
Easy with Minimal Risk
The vulnerability was found while investigating the handling of Bitcoin’s Replace-by-Fee (RBF) feature, a standard method that allows users to “undo” a yet-to-be-confirmed transaction by sending another transaction that spends the same coins with a higher fee.
Because RBF is a standard feature, attackers can easily and with minimal risk launch the BigSpender exploits: the basic double-spend, the amplification attack, and Denial-of-Service (DoS).
According to the ZenGo report, in some of the vulnerable wallets this attack is hard or even impossible to recover from, in which case the DoS attack becomes permanent.
Attackers don’t even need a big amount of money to launch the attack; they only pay the small cancellation fees. They do it by sending a small amount to many users of a vulnerable wallet, which does not require the victims’ consent, and the victims are then unable to use their funds.
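The accounting flaw described above, shown as an added example (not code from ZenGo or from any of the wallets named): a minimal Python wallet model that replays the same constructed event sequence with and without handling for canceled transactions. The class, method names, and sample transactions are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset  # outpoints (coins) this transaction spends
    to_wallet: int     # satoshis paid to this wallet, 0 if none

@dataclass
class Wallet:  # hypothetical model, not any real wallet's code
    handles_cancel: bool                           # False models the flawed behaviour
    confirmed: dict = field(default_factory=dict)  # txid -> Tx
    pending: dict = field(default_factory=dict)    # txid -> Tx, unconfirmed
    cancelled: dict = field(default_factory=dict)  # txid -> Tx, double-spent

    def on_unconfirmed(self, tx: Tx) -> None:
        if tx.to_wallet:
            self.pending[tx.txid] = tx

    def on_confirmed(self, tx: Tx) -> None:
        self.pending.pop(tx.txid, None)
        if tx.to_wallet:
            self.confirmed[tx.txid] = tx
        if not self.handles_cancel:
            return  # flawed: assumes every pending tx confirms eventually
        # A pending tx sharing an input with a confirmed tx can never confirm,
        # so move it to "cancelled" for the history view and the balance.
        for other in list(self.pending.values()):
            if other.inputs & tx.inputs:
                self.cancelled[other.txid] = self.pending.pop(other.txid)

    def displayed_balance(self) -> int:
        shown = (*self.confirmed.values(), *self.pending.values())
        return sum(t.to_wallet for t in shown)

def replay(wallet: Wallet) -> Wallet:
    # Constructed sample events: an old confirmed payment, an unconfirmed
    # incoming payment, then a conflicting transaction that spends the same
    # coin elsewhere and is the one that gets confirmed.
    coin = frozenset({"constructed-prev-txid:0"})
    wallet.on_confirmed(Tx("tx-old", frozenset({"constructed-other:1"}), 50_000))
    wallet.on_unconfirmed(Tx("tx-incoming", coin, 100_000))
    wallet.on_confirmed(Tx("tx-replacement", coin, 0))
    return wallet
```

Replaying with `handles_cancel=False` leaves the canceled payment in the pending set and in the displayed balance; with `handles_cancel=True` the balance falls back to the confirmed amount and the payment is recorded as canceled.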
Funds are Safe
“There is no actual double-spend being performed. The user funds stay safe,” Ledger told Forbes.
In its official response, Ledger reassured users that “it’s not a vulnerability, but instead a clever piece of social engineering where a malicious actor would try to trick you.” The vulnerability cannot be used to get the 24-word recovery phrase or access your crypto in any way. Your funds are safe, it said.
ZenGo has also released an open-source tool for checking whether a Bitcoin wallet is vulnerable to BigSpender.