- Wallet startup ZenGo discovered a bug in three popular Bitcoin wallets that is exploitable through Bitcoin’s replace-by-fee (RBF) feature
- The bug credits unconfirmed transactions to users’ balances and does not reverse the credit even when the transaction is cancelled
- This lets attackers double-spend Bitcoin and mount DoS attacks against users
A bug in three major cryptocurrency wallets let scammers dupe people with double-spent Bitcoin, because unconfirmed transactions were counted in a user’s total wallet balance.
Unreliable Bitcoin Wallet Balances
The technical gap makes it possible for attackers to trick users of vulnerable Bitcoin wallets into believing that they have received Bitcoin, even if the transaction was never confirmed.
A Bitcoin transaction cannot be considered final as soon as it is broadcast; it can take up to several hours of confirmations before it is considered irreversible. The more confirmations a transaction gets, the harder it becomes to override it with a higher-fee transaction.
Most Bitcoin veterans check for the number of confirmations on a transaction before considering it final, but new users can easily be duped by seeing an artificially inflated wallet balance.
Several popular Bitcoin wallets, including Ledger Live, BRD wallet, and Edge, were susceptible to this vulnerability.
The RBF (replace-by-fee) feature on the Bitcoin network allows a sender to replace an unconfirmed transaction with a new, conflicting transaction that pays a higher fee. Bitcoin miners then pick the transaction with the higher fee, effectively discarding the original.
Some wallets had a hard time implementing RBF correctly, which ultimately resulted in BigSpender, a family of vulnerabilities that includes double-spending and multiple-spending attacks. Hence the name “BigSpender”: the bug lets attackers appear to spend more than they have, often to scam people.
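As an added illustration (not ZenGo’s code, nor that of any wallet named above), here is a constructed Python model of the balance logic at issue: a wallet that credits unconfirmed incoming transactions and never reverses the credit when the sender’s RBF replacement displaces them, beside a hardened form that counts only confirmed outputs, evicts displaced pending transactions, and flags RBF-signalling receipts as replaceable. Transaction ids, outpoints and amounts are constructed; the BIP125 nSequence threshold is the real one.

```python
from dataclasses import dataclass

# BIP125: an input with nSequence <= 0xfffffffd signals the unconfirmed tx may be replaced.
RBF_MAX_SEQUENCE = 0xFFFFFFFD

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset     # outpoints (prev_txid, vout) this tx spends
    amount_to_us: int     # satoshis paid to our wallet
    sequence: int         # lowest nSequence over the inputs
    confirmations: int = 0
class VulnerableWallet:
    """Credits every tx on first sight and never removes the credit when a
    conflicting replacement shows up: the BigSpender balance bug."""
    def __init__(self):
        self.credited = {}
    def on_tx_seen(self, tx: Tx) -> None:
        self.credited[tx.txid] = tx.amount_to_us
    def balance(self) -> int:
        return sum(self.credited.values())
class HardenedWallet:
    """Only confirmed outputs count as balance; a pending tx is evicted as soon
    as any other tx spends one of the same outpoints (an RBF replacement)."""
    def __init__(self):
        self.pending, self.confirmed = {}, {}
    def on_tx_seen(self, tx: Tx) -> None:
        for old in [t for t in self.pending.values() if t.inputs & tx.inputs]:
            del self.pending[old.txid]   # replaced, or tx itself now confirming
        (self.confirmed if tx.confirmations else self.pending)[tx.txid] = tx
    def balance(self) -> int:
        return sum(t.amount_to_us for t in self.confirmed.values())
    def pending_replaceable(self) -> int:   # unconfirmed and RBF-signalling
        return sum(t.amount_to_us for t in self.pending.values()
                   if t.sequence <= RBF_MAX_SEQUENCE)
def bigspender_scenario(rounds: int = 3):
    """Each round: attacker pays us 100k sat with RBF signalled, then replaces it with
    a tx spending the same outpoint back to themselves, which confirms (constructed)."""
    vuln, hard, flagged = VulnerableWallet(), HardenedWallet(), 0
    for i in range(rounds):
        outpoint = frozenset({(f"attacker-utxo-{i}", 0)})   # constructed ids
        pay = Tx(f"pay-{i}", outpoint, 100_000, RBF_MAX_SEQUENCE)
        replace = Tx(f"replace-{i}", outpoint, 0, RBF_MAX_SEQUENCE)
        for w in (vuln, hard):
            w.on_tx_seen(pay)
        flagged = max(flagged, hard.pending_replaceable())   # shown as "replaceable"
        for w in (vuln, hard):
            w.on_tx_seen(replace)
            w.on_tx_seen(Tx(replace.txid, outpoint, 0, 0xFFFFFFFF, confirmations=1))
    return vuln.balance(), hard.balance(), flagged   # (vulnerable, hardened, flagged)
```

After three rounds the vulnerable wallet reports 300,000 sat that never arrived, while the hardened wallet reports 0 and only ever showed the 100,000 sat as a replaceable pending receipt.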