Bengaluru, NFAPost: ZenGo has recently unearthed a Bitcoin vulnerability known as ‘Big Spender’ across a bunch of crypto-currency wallets including Ledger, Edge and BRD. The vulnerability is known to perform a fake-buy transaction on expensive items sold via peer-to-peer marketplaces like Craiglist.
Consequently, the victim will encounter incorrect total-balance status on his/her Bitcoin-wallet account whenever the attacker revokes the unconfirmed transaction before it is finalised.
Furthermore, the victim is often confused by the double-spend attacks initiated by the potential attacker while exploiting the Bitcoin-protocol feature called Replace-by-Fee. This feature enables the perpetrator to send some Bitcoins for a low-transaction fee and then replace it with a higher-transaction fee.
By virtue of this exploit, it is possible to fake the transaction and reflect an inflated Bitcoin balance in the recipient’s wallet. However, in reality the transaction has not been finalised and leads to miscalculated balance.
For instance, the attacker could initiate ten crypto-currency deposits each worth 0.1 BTC wherein the recipient will see a net balance of 1 BTC although he/she received 0 BTC.
Such miscalculated transactions could further enable the BigSpender vulnerability to freeze your Crypto assets through Denial of Service (DoS) attack.
Consequently, the transaction fails when the recipient tries to send some Bitcoins after receiving a ton of fake crypto-currency payments as the wallet tries to send currency that never existed.
On the flip side, BigSpender does not affect your actual Bitcoin balance or steal your digital currency. Instead, it crashes the service and denies the permission to use your crypto assets for making online transactions.
Workaround for BigSpender Vulnerability
As a workaround, you can simply clear the Bitcoin-app cache. Then resync your wallet with the Bitcoin blockchain to correct the balance status and resume online transactions.
It is necessary that the wallets are updated to mark unconfirmed transactions as ‘pending’ to avoid the inflated wallet-balance scenario. All such Replace-by-Fee transactions should be labelled as ‘failed’ to prevent fake-buy attempts and DoS attacks.
The Vulnerability has come to light just 90 days ago when Ledger and BRD offered bug-bounty awards to ZenGo. BRD has already rolled out a fix while Ledger and Edge are still working on it.
Meanwhile, ZenGo has launched an open-source tool to test and identify BigSpender vulnerability in your Bitcoin wallet.