Researchers at wallet service provider ZenGo have discovered a vulnerability in several cryptocurrency wallets that could expose their users to a ‘double-spend’ attack.
According to a report released by ZenGo on Thursday, the vulnerability abuses the Replace by Fee (RBF) feature of popular blockchain networks such as Bitcoin. Replace by Fee allows a pending transaction to be replaced with another one of the same amount but a different fee in order to speed up confirmation. Typically, a wallet user whose transaction is pending with a small network fee would replace it with one carrying a higher fee to get it confirmed faster.
According to ZenGo, the RBF feature is handled differently by different wallets. The researchers were only able to test ten of the major wallet services: Ledger Live, Trust Wallet, Exodus, Edge, Bread, Coinbase, Blockstream Green, Blockchain and Atomic Wallet.
Of these, three were found to have the vulnerability, which the researchers named ‘BigSpender’: Ledger Live, Edge, and Breadwallet (BRD).
“As part of our on-going security research in the field of Bitcoin wallets, we investigated the handling of Bitcoin’s Replace-by-Fee (RBF) feature among different existing wallets,” ZenGo noted. “Unfortunately, as we show in this [report], some wallets do not handle such scenarios well.”
ZenGo goes on to point out that these wallets handle RBF transactions in various ways, but the common theme is that they fail to warn users of the nature of these transactions. In effect, a user who believes they have been paid can authorize a service, only to realize later that the transaction was canceled. ZenGo explains that these wallets do a below-par job, particularly in the UI and UX that would let their users identify suspect transactions.
“The core issue at the heart of the BigSpender vulnerability is that vulnerable wallets are not prepared for the option that a transaction might be canceled and implicitly assume it will get confirmed eventually,” ZenGo researchers report.
To protect themselves against this vulnerability, ZenGo recommends that users make sure every transaction is confirmed on the blockchain, which can be checked with a block explorer. Experts recommend waiting for at least six (6) confirmations of a transaction before authorizing any service. That way, if the attacker cancels the transaction, the receiver sees the cancelation in time. However, this only covers the user's side. What about the wallet services that have the vulnerability in the first place?
According to the report, ZenGo claims that some of the wallet services have not taken responsibility. ZenGo's main suggestion is that these wallets build a better user interface that clearly distinguishes confirmed transactions from pending ones.
“In some wallets, the graphical representation of an unconfirmed transaction in the wallet’s user interface is not well distinguished from a confirmed state, making it even harder for users to understand these transactions are not final yet.”
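As an added illustration (not ZenGo's code nor any of the named wallets'), the receive-side bookkeeping that the two recommendations above call for: a payment is credited to the spendable balance only after six confirmations, a zero-confirmation transaction that opts in to RBF is displayed as replaceable rather than as money received, and a later conflicting spend of one of the same inputs marks it as replaced. The transactions are constructed sample data; the opt-in signal (any input nSequence at or below 0xFFFFFFFD) comes from BIP 125, which the article itself does not cite.

```python
from dataclasses import dataclass
from itertools import count

MIN_CONFIRMATIONS = 6                  # treat a payment as final only after six confirmations
BIP125_RBF_MAX_SEQUENCE = 0xFFFFFFFD   # an input nSequence at or below this opts in to RBF (BIP 125)

@dataclass
class Tx:
    txid: str
    inputs: list          # outpoints spent, as (prev_txid, vout)
    amount_to_us: int     # satoshis paid to our wallet
    sequences: list       # nSequence of each input
    confirmations: int = 0

    def signals_rbf(self) -> bool:
        return any(seq <= BIP125_RBF_MAX_SEQUENCE for seq in self.sequences)

class ReceiveLedger:
    # Tracks incoming payments and credits them only once they are final.
    def __init__(self):
        self.txs, self.seen_at, self._clock = {}, {}, count()

    def observe(self, tx: Tx):
        self.txs[tx.txid] = tx                      # re-observing a txid updates its confirmations
        self.seen_at.setdefault(tx.txid, next(self._clock))

    def status(self, txid: str) -> str:
        tx = self.txs[txid]
        if tx.confirmations >= MIN_CONFIRMATIONS:
            return "confirmed"
        if tx.confirmations == 0:
            # A newer or already-mined tx spending one of the same inputs means this
            # payment was replaced: the cancellation case the vulnerable wallets miss.
            for other in self.txs.values():
                if other.txid != txid and set(tx.inputs) & set(other.inputs) and (
                        other.confirmations > 0 or self.seen_at[other.txid] > self.seen_at[txid]):
                    return "replaced"
            if tx.signals_rbf():
                return "pending (replaceable)"
        return "pending"

    def spendable_balance(self) -> int:
        return sum(t.amount_to_us for t in self.txs.values() if self.status(t.txid) == "confirmed")

def bigspender_scenario():
    # Constructed sample: a 1 BTC RBF payment to us, then a conflicting tx that
    # spends the same input back to the sender and pays us nothing.
    ledger = ReceiveLedger()
    ledger.observe(Tx("tx_pay", [("utxo_a", 0)], 100_000_000, [0xFFFFFFFD]))
    before = ledger.status("tx_pay")
    ledger.observe(Tx("tx_cancel", [("utxo_a", 0)], 0, [0xFFFFFFFD]))
    return before, ledger.status("tx_pay"), ledger.spendable_balance()
```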
For its part, ZenGo gave the wallet services the customary 90 days to fix the vulnerability before making it public. As expected, some of the wallets have paid ZenGo a bug bounty for its efforts in warning them of the vulnerability.