- A recent report by ZenGo unveiled a bug that is present in numerous popular BTC wallets.
- The bug, according to researchers, could trick people into thinking that they were paid in Bitcoin.
- In reality, a scammer could cancel the transaction by replacing it with another before it gets processed.
For all the rapid advancements that the crypto industry is seeing, there are still plenty of flaws that remain to be found and fixed. One major flaw that could impact quite a few people in a very negative way revolves around the UI of some of the popular Bitcoin wallets.
What does the flaw do?
According to a recent report from the wallet service ZenGo, numerous major wallets, such as Edge, BRD, and Ledger Live, all suffer from the same flaw. The flaw could allow potential attackers to trick wallet owners into thinking that they were paid in BTC. In reality, however, this payment would never have arrived.
The problem lies in a feature known as Replace-by-Fee. This feature allows users to replace a transaction that is still waiting for confirmation with another one that spends the same coins but pays a higher fee.
This feature exists to help people whose initial transaction ends up stuck in the mempool due to low fees. In theory, at least, opting to pay a higher fee would get the transaction processed quicker.
But the affected wallets’ design could allow hackers to exploit this feature and trick people into thinking that they were paid.
This could be used against merchants or service providers, as fraudsters could make a transaction and then, while it remains pending, cancel it prior to confirmation.
ZenGo kept quiet for 90 days, which expired yesterday
The ZenGo team named the flaw BigSpender and quickly made the affected wallets’ developers aware of the issue. The company also kept its findings confidential for 90 days, according to the formal disclosure process. However, this period expired yesterday, July 1st, and the company published its findings to warn the public.
It characterized the flaw as a double-spend vulnerability. Of course, the issue is there mostly due to the UI, as some of the wallets do not make the user aware of a transaction’s status. Therefore, the user doesn’t know if the transaction is pending, canceled, or completed.
The same bug can also expose people to a DoS attack if the wallet miscalculates the balance. All in all, it is a small bug, easy to overlook, but also a flaw that could do a lot of damage if it doesn’t get addressed.
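The Replace-by-Fee cancellation described above, together with the status tracking and balance accounting a receiving wallet needs so that a replaced payment is never shown as received, as an added example; this is constructed illustration code, not ZenGo's, BRD's, Edge's or Ledger Live's code. The `Wallet` class, the transaction ids, addresses, amounts and fees are all made up for the demo, and the replacement rule it checks is a simplified form of BIP125 (the original transaction opted in and the replacement pays a higher fee), not the full node relay policy.

```python
"""Toy model of a receiving wallet that tracks pending/confirmed/replaced
status for incoming payments, contrasted with the naive balance that the
article describes. All identifiers and values below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Outpoint:
    txid: str
    vout: int


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[Outpoint, ...]
    outputs: Tuple[Tuple[str, int], ...]  # (address, amount in sats)
    fee: int                              # sats paid to miners
    rbf: bool                             # opted in to BIP125 replaceability


PENDING, CONFIRMED, REPLACED = "pending", "confirmed", "replaced"


class Wallet:
    def __init__(self, address: str) -> None:
        self.address = address
        self.txs: Dict[str, Tx] = {}
        self.status: Dict[str, str] = {}

    def credit(self, tx: Tx) -> int:
        """Sats this transaction pays to our address."""
        return sum(amt for addr, amt in tx.outputs if addr == self.address)

    def on_mempool_tx(self, tx: Tx) -> bool:
        """Handle an unconfirmed tx seen on the network. Returns False if ignored."""
        conflicts = [t for t in self.txs.values()
                     if t.txid != tx.txid and set(t.inputs) & set(tx.inputs)]
        for old in conflicts:
            if self.status[old.txid] == CONFIRMED:
                return False  # spends an already-confirmed input; nodes reject it
            if self.status[old.txid] == PENDING and not (old.rbf and tx.fee > old.fee):
                return False  # not a valid BIP125 replacement; nodes reject it
        for old in conflicts:
            if self.status[old.txid] == PENDING:
                self.status[old.txid] = REPLACED  # the earlier payment will never arrive
        self.txs[tx.txid] = tx
        self.status[tx.txid] = PENDING
        return True

    def on_confirmed(self, txid: str) -> None:
        """Called when a block includes the transaction."""
        if self.status.get(txid) == PENDING:
            self.status[txid] = CONFIRMED

    def balances(self) -> Tuple[int, int]:
        """(confirmed, pending); replaced transactions contribute nothing."""
        confirmed = sum(self.credit(t) for t in self.txs.values()
                        if self.status[t.txid] == CONFIRMED)
        pending = sum(self.credit(t) for t in self.txs.values()
                      if self.status[t.txid] == PENDING)
        return confirmed, pending

    def naive_balance(self) -> int:
        """The flawed accounting: every incoming tx ever seen is counted as received."""
        return sum(self.credit(t) for t in self.txs.values())

    def history(self) -> List[Tuple[str, str, int]]:
        return [(t.txid, self.status[t.txid], self.credit(t)) for t in self.txs.values()]


# Constructed sample data: one UTXO that both transactions try to spend.
MERCHANT = "merchant_addr"
PAYER = "payer_addr"
COIN = Outpoint("funding_tx", 0)


def demo_replacement() -> Wallet:
    """Payment A is shown as pending, then replaced by B (same input, higher fee)."""
    w = Wallet(MERCHANT)
    w.on_mempool_tx(Tx("A", (COIN,), ((MERCHANT, 100_000),), fee=1_000, rbf=True))
    w.on_mempool_tx(Tx("B", (COIN,), ((PAYER, 99_000),), fee=2_000, rbf=True))
    return w


def demo_confirmed_first() -> Tuple[Wallet, bool]:
    """Once A is confirmed, a conflicting B is ignored and the credit is final."""
    w = Wallet(MERCHANT)
    w.on_mempool_tx(Tx("A", (COIN,), ((MERCHANT, 100_000),), fee=1_000, rbf=True))
    w.on_confirmed("A")
    accepted = w.on_mempool_tx(Tx("B", (COIN,), ((PAYER, 99_000),), fee=2_000, rbf=True))
    return w, accepted


if __name__ == "__main__":
    for row in demo_replacement().history():
        print(row)
```

In `demo_replacement()` the status-aware wallet reports a confirmed and pending balance of zero once B arrives, while `naive_balance()` still shows the 100,000 sats the merchant was never paid; a UI built on the naive figure is exactly the misdisplay the report describes. The practical rule for a merchant wallet is to credit only confirmed transactions and to show pending ones with their replaceability visible, so that a replacement flips the entry to "replaced" rather than silently disappearing.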