Researchers Expose Flaw in Bitcoin Wallets That Could Be Exploited for Double-Spending

Screen-Shot-2020-07-01-at-5.16.04-PM
2 July 2020

A standard way to transact bitcoin could be misused to enable a kind of double-spending, new research has found. 

Blockchain sleuths at ZenGo, a wallet startup, have found a vulnerability that affected at least three major competing crypto wallets – Ledger Live, Edge and Breadwallet (BRD) – and potentially more. 

The bug, which the Tel Aviv-based firm calls BigSpender, allows a hacker to double-spend a user’s funds and possibly prevent them from ever using their wallet again. It works by exploiting how certain wallet’s handle Bitcoin’s replace-by-fee (RBF) function, a failsafe that enables users to swap an unconfirmed transaction with one that has a higher fee. 

“[BigSpender] can lead to substantial financial losses and in some cases to make the victim’s wallet totally unusable, with no way for the victim to protect themselves,” ZenGo CEO Ouriel Ohayon said in an email. “So this can be seen as a high severity attack.”

Like other optional Bitcoin features with associated vulnerabilities, such as time-locked transactions, the RBF function has become a standard way for users to send value back and forth. It was pitched and accepted by the developer community as a way for Bitcoiners to circumvent slow confirmation times by paying more in fees. 

See also: Raphael Auer – The Security Trilemma and the Future of Bitcoin

From the outset, there were fears the RBF function was not well supported by bitcoin wallets, despite being integrated at the Bitcoin system’s protocol layer, the pseudonymous Bitcoin researcher 0xB10C said. “ZenGo shows that a user can be tricked into thinking he is receiving bitcoin when he is not. I believe this to be novel. I’ve at least not heard about it before,” he said. 

The firm tested nine different wallets including Ledger Live, Trust wallet, Exodus, Edge, Bread, Coinbase, Blockstream Green, Blockchain and Atomic Wallet. Of those tested, three were found to be vulnerable to the theoretical exploit. 

“We have not tested all the wallets but it could be that if three of the largest are implicated, more out there are, too,” Ohayon said. ZenGo alerted the firms about its findings, and gave them 90 days to repair the vulnerability. 

Ledger and BRD have released code changes to prevent the attack from happening, and paid undisclosed bug bounties to ZenGo, while Edge is undergoing a “significant refactor” that will address the issue, Edge CEO Paul Puey said in an email. 

The hack leverages a known vulnerability in how certain wallets treat unconfirmed transactions, including but not limited to RBF ones, said Peter Todd, a former Bitcoin developer and RBF’s architect

How it works: Attackers send funds to their intended victim, and set fees low enough to nearly guarantee the transaction will not receive a confirmation. For vulnerable wallets, this pending transaction will be reflected as an increase in the recipient’s account balance, possibly leading some victims to erroneously believe the pending transaction has already been confirmed. The attacker then “cancels” the pending transaction, in ZenGo’s terminology, by using RBF to change the recipient to an address they control.  By the time the victim realizes that the transaction has, in fact, been canceled, he’ll have delivered the goods.

To be clear: Similar attacks were possible before RBF, but in the absence of proper precautions by wallet providers, the payment option has highlighted the risk. 

This discrepancy between a victim’s stated and actual balance could be exploited by malicious actors tricking people into providing goods or services without paying for them – except the minimal amount of fees spent. In this sense, the flaw is with a wallet’s UX and UI design.

Double trouble?

If a hacker can trick a person into believing they received payment, while simultaneously maintaining control of the bitcoin, this is a double-spend, according to ZenGo’s researchers. Others contest this use of the term. 

“You have to decide what is the definition of a double-spend. Most people that aren’t trolls would say that a double-spend is when you have a confirmed transaction that is somehow invalidated and spent with a different confirmed transaction,” Jameson Lopp, CTO of custody startup Casa. 

This attack, by its nature, takes advantage of the way wallets display unconfirmed transactions. In this sense, the attack – while fraudulent – isn’t breaking the way the Bitcoin code functions.  

“The whole point of the blockchain is to prevent the double-spend problem,” Lopp said. “It goes back to the original Satoshi white paper, which says the solution to double-spending is to have a distributed ledger that many people are checking.” 

The only thing you can rely on is transactions that have been mined

A general rule of thumb when transacting with bitcoin is to never trust a transaction with fewer than six confirmations, 0xB10C said. This was a point repeated by a number of developers, including Todd, Lopp and BRD CTO Samuel Sutch. If this exploit goes through, at least some of the responsibility is on the victim. 

“The only thing you can rely on is transactions that have been mined,” Todd said.

In this sense, Sutch called BigSpender a “minor bug,” and “kind of contrived,” but also something worth fixing and paying a bug bounty for. BRD recently passed 5 million users, Sutch said. 

“More wallet developers need to know their users don’t know the distinctions under the hood,” Lopp said. Many don’t even know the difference between confirmed and unconfirmed from a security standpoint. So the onus is on developers to build a better user experience so they cannot be confused and defrauded by things like this.”

To this end, Ledger updated the way the wallet displays pending transactions. If users are unsure “to check the status of a transaction” using a block explorer. “Such verification is not possible with your bank today,” Ledger’s CTO Charles Guillemet said over email.

Double vision

Updating wallets to clearly display what is happening during a RBF transaction is well and good for everyone involved. However, ZenGo researchers found there is a second-order attack, which follows the same scheme outlined above, and could permanently disable a wallet with or without the victim’s knowledge of the transaction. 

In this case, the attacker again artificially inflates a victim’s balance by sending repeated transactions to her wallet. This can be done without a victim’s consent. By rerouting the transactions before they are confirmed, the victim’s stated wallet balance and actual funds are again decoupled, making their wallet unusable. Worse, the attack can affect multiple wallets at the same time. 

See also: Long-Festering DeFi Dapp Bug Still Not Fixed by Industry (Updated)

Essentially, it’s a denial of service (DoS) attack, preventing people from using their wallets.

“This also disables other kinds of sending attempts if the wallet’s coin selection algorithm chooses funds from this nonexistent transaction,” Ohayon said. These wallets are “bricked,” to use Sutch’s parlance. “It’s a huge inconvenience.”

Sutch said BRD made the vulnerability a top priority for the firm after it was alerted. Strangely, it managed to fix the bug while working an unrelated problem, he said. 

The issue ZenGo raises with its security research is not sequestered to the wallets the team tested. The vast majority of Bitcoin wallets are capable of receiving RBF transactions, and many of the companies behind them are “resource-constrained,” Sutch said, and are unable to provide a fix immediately.  

When enabling RBF functionality on Casa, Lopp said he configured the system to not display these types of transactions until confirmed, which is non-standard in the industry. “The default parameters would display these transactions,” he said.

Update (July 2, 20:15 UTC): A passage paraphrasing Peter Todd was modified to make it clear he was referring to the problem of how some Bitcoin wallets display unconfirmed transactions broadly, not just RBF transactions. Other passages were revised for clarity as well.