A startup has discovered a vulnerability present in major cryptocurrency wallets that leads to double-spend attacks and inflated balances by exploiting existing protocols.
The ‘family’ of vulnerabilities, named BigSpender, was discovered in some of the world’s most popular cryptocurrency wallets including Ledger, Bread and Edge.
Ledger told cryptocurrency magazine Decrypt that the scam was a “clever piece of trickery.”
ZenGo, the startup behind the discovery, spotted the problem while researching the security of bitcoin wallets. In their report, the keyless cryptocurrency wallet stated that BigSpender was found as part of “ongoing security research.”
Essentially, what they found was that BigSpender shows users incorrect bank balances. These balances incorporate unconfirmed transactions into their totals, and fail to reveal that the transaction had actually been revoked.
This type of crime is nothing new. All peer-to-peer transactions carry the risk of one party hoodwinking the other.
How BigSpender does this is by leveraging the bitcoin protocol Replace-by-Fee (RBF). This entails swapping one transaction with a low transaction fee for one with a higher one.
For example, bitcoins with a lower transaction fee are replaced with higher crypto asset ones.
In the world of crypto, more expensive transactions are prioritized over smaller ones.
By swapping a low-cost transaction for a higher one, transactions can be bumped up in the queue and redirected to a different address. This is what allows bad actors to double-spend.
“The core issue at the heart of the BigSpender vulnerability is that vulnerable wallets are not prepared for the option that a transaction might be canceled and implicitly assume it will get confirmed eventually,” the Zengo researchers explained.
This leads to users’ balances being increased without the transaction being confirmed, and not decreased if the transaction is double spent and canceled.
Like this story? Share it with a friend!