The developers of ZenGo, a keyless cryptocurrency wallet (no private keys or passwords for the user to manage), have disclosed BigSpender, a double-spend attack that affects the Ledger Live, Bread and Edge wallets.
A double-spend attack lets an attacker spend the same coins two or more times. The attacker sends a transaction with a minimal fee and then immediately replaces it with a version of the transaction that pays a higher fee (Bitcoin's replace-by-fee mechanism). Miners have an incentive to include the more profitable replacement, so the original transaction is dropped and the attacker can direct the same funds to an address of their own choosing instead of the victim's.
As the developers note, although the vulnerability has been partially mitigated, users of some wallets can still fall victim to it. According to the ZenGo report, the Ledger and Bread wallets did not account for the possibility of a transaction being cancelled when they tested it, and they simply credited the incoming funds to the user's displayed balance without waiting for the transaction to be confirmed.
"The main problem underlying the BigSpender vulnerability is that vulnerable wallets are not prepared for the fact that a transaction can be cancelled, and implicitly assume that it will eventually be confirmed," the researchers explained.
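The accounting error described above, as an added example that is not code from ZenGo or from any of the wallets named in the article: two simulated wallets watch the same simulated mempool. The naive wallet credits an incoming payment the moment it appears and never reverses the credit when the sender replaces it with a higher-fee transaction paying someone else; the careful wallet keeps unconfirmed funds separate from the spendable balance and drops them when a conflicting replacement evicts the original. The mempool's replacement rule (a replacement must pay a higher absolute fee than every transaction it conflicts with) is a simplification of BIP 125; all transaction IDs, addresses and amounts are constructed for the example.

```python
"""Simulation of the balance-accounting error behind BigSpender.

Constructed data only; no network access and no real wallet code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset        # outpoints spent, written as "txid:vout"
    outputs: dict            # address -> amount in satoshis
    fee: int                 # absolute fee in satoshis


class Mempool:
    """Simplified BIP 125 behaviour: a transaction conflicting with pending
    ones is accepted only if it pays a strictly higher fee than each of them,
    in which case the conflicting transactions are evicted."""

    def __init__(self, observers):
        self.txs = {}                      # txid -> Tx currently pending
        self.confirmed_outputs = []        # (address, amount) once mined
        self.observers = observers

    def accept(self, tx):
        conflicts = [t for t in self.txs.values() if t.inputs & tx.inputs]
        if any(tx.fee <= t.fee for t in conflicts):
            return False                   # rejected: fee was not bumped
        for old in conflicts:
            del self.txs[old.txid]
            for w in self.observers:
                w.on_evicted(old)
        self.txs[tx.txid] = tx
        for w in self.observers:
            w.on_seen(tx)
        return True

    def confirm(self, txid):
        tx = self.txs.pop(txid)
        self.confirmed_outputs.extend(tx.outputs.items())
        for w in self.observers:
            w.on_confirmed(tx)

    def confirmed_funds(self, addr):
        """What the address really owns on chain, regardless of any wallet UI."""
        return sum(amt for a, amt in self.confirmed_outputs if a == addr)


class NaiveWallet:
    """Credits on first sight; eviction and confirmation change nothing."""

    def __init__(self, addr):
        self.addr, self.balance = addr, 0

    def on_seen(self, tx):
        self.balance += tx.outputs.get(self.addr, 0)

    def on_evicted(self, tx):
        pass                               # the flaw: the credit is never reversed

    def on_confirmed(self, tx):
        pass

    def spendable(self):
        return self.balance


class CarefulWallet:
    """Pending and confirmed funds are tracked separately; only confirmed
    funds are spendable, and an evicted transaction is forgotten."""

    def __init__(self, addr):
        self.addr, self.confirmed, self.pending = addr, 0, {}

    def on_seen(self, tx):
        amt = tx.outputs.get(self.addr, 0)
        if amt:
            self.pending[tx.txid] = amt

    def on_evicted(self, tx):
        self.pending.pop(tx.txid, None)    # replaced by a conflicting tx: drop it

    def on_confirmed(self, tx):
        self.confirmed += self.pending.pop(tx.txid, tx.outputs.get(self.addr, 0))

    def spendable(self):
        return self.confirmed

    def display(self):
        return {"confirmed": self.confirmed, "unconfirmed": sum(self.pending.values())}


def run_attack(rounds=1):
    """Attacker pays the victim with a low-fee tx, then replaces it with a
    higher-fee tx paying themself. Each round reuses the coin the previous
    replacement returned, so the attacker only ever loses fees."""
    victim = "victim_addr"
    naive, careful = NaiveWallet(victim), CarefulWallet(victim)
    pool = Mempool([naive, careful])
    coin, funds = "attacker_coin:0", 100_000          # constructed starting UTXO
    for i in range(rounds):
        pay = Tx(f"pay{i}", frozenset({coin}), {victim: 50_000}, fee=1_000)
        back = Tx(f"back{i}", frozenset({coin}), {"attacker_addr": funds - 2_000}, fee=2_000)
        pool.accept(pay)                   # both wallets see 50_000 sats arriving
        pool.accept(back)                  # higher fee: pay{i} is evicted
        pool.confirm(f"back{i}")           # the coin goes back to the attacker
        coin, funds = f"back{i}:0", funds - 2_000
    return naive.spendable(), careful.spendable(), careful.display(), pool.confirmed_funds(victim)


def run_honest_payment():
    """Control case: the same payment is confirmed instead of replaced."""
    victim = "victim_addr"
    naive, careful = NaiveWallet(victim), CarefulWallet(victim)
    pool = Mempool([naive, careful])
    pool.accept(Tx("pay", frozenset({"honest_coin:0"}), {victim: 50_000}, fee=1_000))
    before = careful.display()             # shown as unconfirmed, not spendable
    pool.confirm("pay")
    return naive.spendable(), careful.spendable(), before, pool.confirmed_funds(victim)
```

After one attack round the naive wallet reports 50,000 sats spendable while the chain holds nothing for the victim, which is exactly why a later withdrawal built from that balance fails; repeating the round inflates the naive balance by 50,000 sats each time at a cost of only 2,000 sats in fees to the attacker. The careful wallet shows the payment as unconfirmed while it is pending and shows nothing once the replacement evicts it.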
Ledger addressed this by clearing the cache and forcing a re-synchronization with the network. In the case of Bread, however, recovering from the situation can "present great difficulties".
"This problem leaves the user with only one option: to transfer the money from Bread to another wallet. Given that Bread uses a non-standard derivation of key pairs from the seed, this operation is likely to be difficult and will require technical skills on the part of the user and possibly external tools," ZenGo explains.
The situation with the Edge wallet is somewhat different: its balance increased only once for a whole series of pending transactions. The problem was resolved by pressing the Resync button in the options menu.
In some cases the BigSpender vulnerability can prevent users from withdrawing all of their crypto assets, since part of the displayed balance does not actually exist and the withdrawal transactions fail. In more serious cases, such as a deliberate denial-of-service attack built from repeated double spends, wallet owners may be unable to withdraw funds at all.
"In some vulnerable wallets it is difficult or even impossible to recover from this attack. Even reinstalling the wallet does not help it re-sync with the Bitcoin network and show the correct balance. If recovery is not possible, the attack becomes irreversible," ZenGo warns.
The company said it notified the developers of the vulnerable wallets 90 days before the report was published, but only some of them chose to fix the vulnerability completely.
According to ZenGo's developers, Bread Wallet fixed the vulnerability in version 4.3 for iOS and Android. Ledger's developers "recognized the vulnerability, fixed some aspects (only the extended version) of the attack in version 2.6", but "other attack variants have not yet been fixed". Edge also acknowledged the vulnerability and plans to "fix it in the future".
Ledger CTO Charles Guillemet confirmed that ZenGo reported the issue, but argues that BigSpender is more of a "trick" than a vulnerability in the traditional sense.
"It is important to understand that this problem can be considered not a vulnerability but a clever trick. Still, we do not want anyone to fall victim to such clever schemes," said Guillemet.
He added that Ledger "will release an update to the Ledger Live software so that an appropriate message is displayed whenever an incoming transaction has not yet been confirmed." He also stated that Ledger's hardware wallets are "not affected by this user interface flaw."
Recall that earlier this year the ZenGo team discovered a vulnerability that could lead to the theft of user tokens from almost all dApp wallets.