Bitcoin wallet maker ZenGo has disclosed “BigSpender”, a vulnerability affecting several cryptocurrency wallets in which an attacker can cancel a payment while the funds continue to appear in the victim’s wallet.
Via the BigSpender attack, the attacker creates the illusion that bitcoins have arrived in the victim’s wallet when they have not. The wallet’s internal state can also become corrupted, so the victim may be unable to spend the coins that genuinely are there.
ZenGo disclosed the vulnerability after notifying the wallet providers it found to be affected. According to the company, only some of them fixed their wallets, so it published the details after the customary 90-day notice period had elapsed.
Bitcoin nodes implement a relay policy called Replace-By-Fee (RBF, specified in BIP 125) under which an unconfirmed (0-conf) transaction can be replaced by a new transaction from the same sender that spends the same coins and pays a higher fee. RBF therefore requires users and wallet apps to treat unconfirmed transactions as unsafe until they are confirmed.
According to ZenGo, many wallets have failed to do this, allowing the vulnerability called “BigSpender” to be possible. “Vulnerable wallets are not prepared for the option that a transaction might be canceled and implicitly assume it will get confirmed eventually,” ZenGo said in its disclosure blog post.
A vulnerable wallet credits an incoming transaction to the user’s balance while it is still unconfirmed. When the sender then replaces it, the wallet does not mark the original transaction as canceled, and its outputs (UTXOs) remain available for coin selection even though they no longer exist on the chain.
Because of BigSpender, an attacker can mount a basic double-spend attack: send an RBF-signaled payment with a minimal fee so that it stays pending for a long time, ask for a good or service, and once it has been delivered replace the transaction with one that returns the coins to the attacker. The victim still believes the money is in their account because their wallet treated the pending transaction as settled.
The attacker can amplify the effect by repeatedly sending small amounts of bitcoin and canceling each one, inflating the displayed balance with every round.
Finally, because the vulnerable wallet treats the canceled transaction as complete, a user who later tries to spend or withdraw their holdings may see their transactions fail: the wallet selects coins that no longer exist, so the resulting transaction is invalid.
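To make the failure mode concrete, here is a small simulation of the two wallet behaviours described above. It is an added example written for this article, not code from ZenGo or from any of the wallets named; the txids, addresses, amounts and the two wallet classes are constructed for illustration. The naive wallet credits every incoming output on first sight and never evicts anything; the RBF-aware wallet tracks confirmation depth, keeps 0-conf outputs out of the spendable balance, and evicts any unconfirmed transaction whose inputs are re-spent by a later one.

```python
"""Simulate the BigSpender failure mode: a wallet that counts unconfirmed
incoming outputs as balance and never notices when the sender replaces the
transaction (BIP 125 RBF) with one that spends the same inputs elsewhere.
Added example; not ZenGo's or any wallet vendor's code. All identifiers,
amounts and transactions below are constructed for illustration.
"""
from dataclasses import dataclass

SATS = 100_000_000  # satoshis per bitcoin


@dataclass(frozen=True)
class OutPoint:
    txid: str
    vout: int


@dataclass
class Tx:
    txid: str
    inputs: tuple          # outpoints this tx spends
    outputs: dict          # vout -> (address, amount_sats)
    rbf: bool = False      # BIP 125 signalling (nSequence < 0xfffffffe)

    def pays_to(self, address):
        return {OutPoint(self.txid, n): amt
                for n, (addr, amt) in self.outputs.items() if addr == address}


class NaiveWallet:
    """Vulnerable behaviour: credit every incoming output on first sight,
    confirmed or not, and never evict, so a replaced 0-conf payment lingers."""

    def __init__(self, address):
        self.address = address
        self.utxos = {}  # OutPoint -> amount

    def observe(self, tx):
        self.utxos.update(tx.pays_to(self.address))

    def balance(self):
        return sum(self.utxos.values())

    def select_coins(self, amount):
        """Coin selection over the stale set; may return outpoints that no longer exist."""
        chosen, total = [], 0
        for op, amt in self.utxos.items():
            if total >= amount:
                break
            chosen.append(op)
            total += amt
        return chosen


class RbfAwareWallet:
    """Hardened behaviour: track confirmations, treat 0-conf outputs as
    unspendable, and evict any unconfirmed tx whose inputs get re-spent."""

    def __init__(self, address, min_conf=1):
        self.address, self.min_conf = address, min_conf
        self.txs, self.confs, self.replaced = {}, {}, set()

    def observe(self, tx, confirmations=0):
        # A newcomer sharing an input with an unconfirmed tx we hold means that
        # tx was replaced (or double-spent): drop it and remember the txid.
        for old in list(self.txs.values()):
            if (old.txid != tx.txid and self.confs[old.txid] == 0
                    and set(old.inputs) & set(tx.inputs)):
                del self.txs[old.txid], self.confs[old.txid]
                self.replaced.add(old.txid)
        self.txs[tx.txid], self.confs[tx.txid] = tx, confirmations

    def utxos(self, spendable_only=False):
        result = {}
        for tx in self.txs.values():
            if spendable_only and self.confs[tx.txid] < self.min_conf:
                continue
            result.update(tx.pays_to(self.address))
        return result

    def balance(self):
        confirmed = sum(self.utxos(spendable_only=True).values())
        return confirmed, sum(self.utxos().values()) - confirmed  # (confirmed, pending)


def bigspender_demo():
    victim, attacker = "bc1qvictim", "bc1qattacker"
    funding = OutPoint("f" * 64, 0)  # attacker's own 0.6 BTC coin (constructed)
    # Step 1: low-fee RBF payment of 0.5 BTC to the victim, left unconfirmed.
    pay = Tx("1" * 64, (funding,), {0: (victim, SATS // 2), 1: (attacker, 9_000_000)}, rbf=True)
    # Step 2: after delivery, the same input is re-spent back to the attacker with a
    # higher fee; nodes evict `pay` from their mempools and only `cancel` confirms.
    cancel = Tx("2" * 64, (funding,), {0: (attacker, 59_000_000)}, rbf=True)

    naive, aware = NaiveWallet(victim), RbfAwareWallet(victim)
    naive.observe(pay), aware.observe(pay)
    naive_before, aware_before = naive.balance(), aware.balance()
    naive.observe(cancel), aware.observe(cancel)
    live_outpoints = set(cancel.pays_to(attacker))  # what the chain actually holds
    return {
        "naive_before": naive_before, "naive_after": naive.balance(),
        "aware_before": aware_before, "aware_after": aware.balance(),
        "aware_replaced": aware.replaced,
        # The naive wallet would build a spend from an output that no longer exists.
        "naive_spend_valid": all(op in live_outpoints for op in naive.select_coins(SATS // 4)),
    }


if __name__ == "__main__":
    for key, value in bigspender_demo().items():
        print(f"{key}: {value}")
```

The conflict check in `RbfAwareWallet.observe` is deliberately keyed on shared inputs rather than on the RBF flag: a replacement of a non-signalling transaction is still a double spend and should still evict the original. The naive wallet, by contrast, shows 0.5 BTC before and after the replacement and hands coin selection an outpoint that exists only in its own database, which is exactly the failed-withdrawal symptom the article describes.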
ZenGo said the attack is either “hard or impossible to recover from.” A vulnerable wallet does not re-synchronize with the network to show the correct balance, leaving it effectively corrupted.
ZenGo notified the affected providers; among them, Bread Wallet (BRD) and Ledger Live have fixed the issue. Edge acknowledged the vulnerability but has not yet shipped a fix, although ZenGo noted that Edge’s incorrect balance can be corrected by selecting “Resync” in the wallet’s options.
Not everyone accepted ZenGo’s characterization of BigSpender as a vulnerability. Ledger remarked that it is not a security vulnerability but a UX issue exploited by trickery. For one thing, the attack involves social engineering: the attacker must first convince the victim to accept an unconfirmed payment, much as in typical crypto scams.