Bitcoin hacks and thefts have exploded since bitcoin’s epic 2017 bull run saw the price balloon to around $20,000.
The bitcoin price has fallen by more than half since its late-2017 all-time high but bitcoin users remain a popular target for hackers.
Now, researchers have warned “millions” of bitcoin users might have been exposed by a newly discovered vulnerability in a number of popular bitcoin wallets.
Bitcoin transactions across three major bitcoin wallets were vulnerable to what some might call a double-spending attack, researchers at Tel Aviv-based bitcoin and crypto company ZenGo have revealed, adding other wallets beyond the nine they tested could be compromised.
The bitcoin wallets known to be affected—Ledger Live, Edge and BRD—have been updated in an effort to prevent the attack after their developers were alerted by ZenGo.
The vulnerability, named BigSpender, allows an attacker to make the wallet holder believe a payment has been received when in fact the sender has replaced it with a conflicting transaction. The exploit could prevent the wallet’s owner from accessing their funds, though not everyone agrees on the nature of the vulnerability.
“The core issue at the heart of the BigSpender vulnerability is that vulnerable wallets are not prepared for the option that a transaction might be canceled and implicitly assume it will get confirmed eventually,” ZenGo’s senior software engineer, Oded Leiba, wrote in a blog post revealing the weakness.
“This negligence has many faces. First and foremost, a user’s balance is increased on an incoming transaction while unconfirmed and is not decreased if the transaction is double-spent and thus effectively canceled.”
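The failure mode Leiba describes, as an added Python sketch that is not ZenGo’s or any wallet’s own code: a naive wallet credits an unconfirmed incoming payment and keeps the credit after a conflicting transaction replaces it, while a conflict-aware wallet keeps confirmed and pending balances apart and evicts the stale credit. Class names, transaction ids, outpoints and amounts are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed model of the failure mode described above: a wallet credits an
# incoming transaction while it is unconfirmed, then a conflicting transaction
# spending the same input (e.g. a replace-by-fee replacement) confirms instead.
# Class and function names are hypothetical, not any wallet's real code.

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple        # outpoints ("prev_txid:vout") this tx spends
    pays_us: int         # satoshis paid to our wallet
    confirmed: bool = False

class NaiveWallet:
    """Vulnerable pattern: credit on first sight, never revisit."""
    def __init__(self):
        self.balance = 0
    def on_tx(self, tx):
        self.balance += tx.pays_us   # unconfirmed credit is never reversed
    def displayed(self):
        return self.balance

class ConflictAwareWallet:
    """Hardened pattern: keep confirmed and pending apart, and drop any
    pending credit whose input is spent by a different transaction."""
    def __init__(self):
        self.confirmed = 0
        self.pending = {}    # txid -> Tx (unconfirmed, pays us)
        self.spent_by = {}   # outpoint -> txid that currently spends it
    def on_tx(self, tx):
        for op in tx.inputs:
            prev = self.spent_by.get(op)
            if prev is not None and prev != tx.txid:
                self.pending.pop(prev, None)   # conflicting tx evicts the old credit
            self.spent_by[op] = tx.txid
        if tx.confirmed:
            self.pending.pop(tx.txid, None)
            self.confirmed += tx.pays_us
        elif tx.pays_us:
            self.pending[tx.txid] = tx
    def displayed(self):
        return self.confirmed, sum(t.pays_us for t in self.pending.values())

def simulate(wallet_cls):
    """Replay three events: payment seen, replacement seen, replacement mined."""
    w = wallet_cls()
    w.on_tx(Tx("a1", ("in0:0",), 50_000))             # unconfirmed payment to us
    w.on_tx(Tx("b2", ("in0:0",), 0))                  # same input, pays someone else
    w.on_tx(Tx("b2", ("in0:0",), 0, confirmed=True))  # the replacement is mined
    return w.displayed()
```

The naive wallet still shows 50,000 sat after the replacement confirms; the conflict-aware wallet shows zero confirmed and zero pending, which is the balance the chain actually supports.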
Ledger and BRD have questioned the language used by ZenGo researchers.
“There is no actual double spend being performed,” the Ledger security team said via email. “The user funds stay safe. Nevertheless, the display of received transactions could be misleading.”
The bitcoin wallets that were found to be susceptible to the attack are some of the most widely used—something ZenGo researchers said highlights the bug’s seriousness.
“Potentially several millions of users were exposed before the fix based on the user base of Ledger and BRD public numbers,” ZenGo’s chief executive Ouriel Ohayon said via email. BRD recently passed the 5 million user mark, its chief technology officer told bitcoin and crypto news outlet Coindesk.
While the bitcoin wallet developers dispute the exploit’s risk, Ohayon insists the threat could actually be worse than is known.
“It does not mean that there are no other issues or that other wallets are not exposed to the BigSpender attack,” Ohayon said, adding other wallets ZenGo researchers tested, including its own, were not vulnerable to the attack.
“Considering that this could result in the impossibility to spend your funds and the fact that this could be done at scale, this [exploit] can be considered serious.”
“Hacks are constant. Security is an on-going battle fought by the industry and one that cannot be won by a single player or a single product, let alone a version update. To allow mass adoption it is critical that wallets invest as much effort in research and security as they do in product development and services.”