Blockchain researcher at the Tel Aviv-based cryptocurrency wallet startup, ZenGo has uncovered a vulnerability in major digital currency wallets, which could potentially result in Bitcoin double-spending. Most of these wallet providers have been informed and have also taken up measures to prevent such cases.
Attackers leverage on RBF function for Bitcoin double-spending
The so-called ‘BigSpender’ bug works by exploiting Bitcoin’s RBF function (replace-by-fee). Using the bug, bad actors can cause Bitcoin double-spending with victims’ funds, and ultimately stop them from making use of the affected wallets again. “This can be seen as a high severity attack,” said Ouriel Ohayon, the CEO at ZenGo.
Basically, the RBF function was adopted as a way for Bitcoin users to bypass the slow confirmation period by enabling them to pay a higher transaction fee. Despite serving its purpose of reducing long confirmation time, there were still concerns that it could possibly cause problems as Bitcoin wallets don’t fully support it.
To be precise, the Bitcoin double-spending attack leverages on how digital currency wallet treats RBF transactions with Bitcoin, according to a Bitcoin developer, Peter Todd. The attackers would knowingly place a low fee bitcoin transaction to avoid fast confirmation and later cancel the pending transaction.
Crypto wallets update their system against ‘BigSpender’
On the vulnerable crypto wallets, the transaction will be credited to the victim, whereas the attacker has already canceled it. Reportedly, three major wallets out of nine were found vulnerable to this attack, which can result in Bitcoin double-spending. The wallets include Breadwallet (BRD), Edge, and Ledger Live. Ohayon says:
We have not tested all the wallets, but it could be that if three of the largest are implicated, more out there are too.
Per the report, BRD and Ledger have updated new codes to avoid the double-spending attack, while the Edge wallet undergoes a “significant refactor” to prevent such an attack as well.