A new vulnerability in some popular bitcoin wallets can be exploited by scammers to commit fraud and even make the wallets themselves unusable.
Discovered by wallet startup ZenGo, the vulnerability, dubbed “BigSpender,” was found in bitcoin wallets from Ledger Live, Edge and Breadwallet but potentially affects others as well. The vulnerability allows a scammer to double-spend bitcoin, a process whereby the owner of a wallet is tricked into believing they have received bitcoin even though the transaction has not been confirmed.
How BigSpender works
“Imagine receiving a $100 bank wire for some goods or services you just sold,” Obed Leiba at ZenGo explained in an example. “You supply the goods or services as you think you’ve received the money. After all, it shows in your account. Except it doesn’t. It’s just an illusion. The attacker was able to cancel the transaction in a way your bank had failed to detect.”
TechCrunch offered an even deeper explanation of how BigSpender works. It’s similar to how cyber thieves could send a fake email suggesting they sent a payment to your PayPal account, but when you log in, no payment is there.
In the case of bitcoin, the attacker uses a feature of the protocol called Replace-by-Fee (RBF). The feature allows a sender to broadcast a transaction with a low fee and, while it is still unconfirmed, replace it with a new transaction spending the same coins that pays a higher fee. The replacement cancels the original transaction. Miners process transactions with higher fees before those with lower fees.
Some cryptocurrency wallets display unconfirmed transactions in a way that makes it look as if you received bitcoin even though the sender has canceled the payment and replaced it with one sent to a different wallet. Even after the cancellation, your displayed balance still reflects the payment. The transaction was never real, and the wallet did not catch it.
Other problems with BigSpender
Attackers can try to buy something expensive by using the BigSpender attack multiple times even if they don’t have much money. They could start 10 transactions worth 0.1 bitcoin each, and the recipient’s wallet would show that they had received 1 bitcoin even though they didn’t receive anything.
Similarly, attackers can use BigSpender to freeze the victim’s crypto assets with a denial-of-service attack. When the victim tries to send bitcoin after receiving a large number of fake transactions, the wallet could try to spend bitcoin that never arrived. As a result, the transaction fails.
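The following model, added here as an illustration and not code from ZenGo or from any of the affected wallets, contrasts a wallet that credits every unconfirmed output it sees with one that evicts unconfirmed transactions conflicting with a newer one and keeps pending funds out of the spendable balance. It assumes the wallet observes replacement transactions in the mempool; the transaction ids, outpoints and addresses are constructed for the scenario.

```python
from dataclasses import dataclass

SATS = 100_000_000  # satoshis per bitcoin


@dataclass
class Tx:
    txid: str
    inputs: frozenset   # outpoints spent ("prev_txid:vout"); an RBF replacement shares at least one
    outputs: dict       # address -> amount in satoshis
    confirmed: bool = False


class NaiveWallet:
    """Models the flawed behaviour: every incoming output ever seen counts toward the balance."""
    def __init__(self, address):
        self.address, self.txs = address, {}

    def observe(self, tx):
        self.txs[tx.txid] = tx

    def balance(self):
        return sum(t.outputs.get(self.address, 0) for t in self.txs.values())


class HardenedWallet(NaiveWallet):
    """Drops unconfirmed transactions that conflict with a newly seen one; only confirmed funds are spendable."""
    def observe(self, tx):
        for old in list(self.txs.values()):
            if not old.confirmed and old.txid != tx.txid and old.inputs & tx.inputs:
                del self.txs[old.txid]  # replaced or double-spent in the mempool: it will never confirm

        self.txs[tx.txid] = tx

    def balance(self):
        return sum(t.outputs.get(self.address, 0) for t in self.txs.values() if t.confirmed)

    def pending(self):
        return sum(t.outputs.get(self.address, 0) for t in self.txs.values() if not t.confirmed)


def simulate(wallet, victim="victim_addr", attacker="attacker_addr"):
    """Constructed scenario from the article: ten unconfirmed 0.1 BTC payments that all spend the
    same attacker input, followed by a replacement that sends the coins back to the attacker."""
    coin = frozenset({"attacker_utxo:0"})
    for i in range(10):
        wallet.observe(Tx(f"pay{i}", coin, {victim: SATS // 10}))
    wallet.observe(Tx("replacement", coin, {attacker: SATS}))
    return wallet.balance()


def compare():
    naive, hardened = NaiveWallet("victim_addr"), HardenedWallet("victim_addr")
    return simulate(naive), simulate(hardened), hardened.pending()
```

The naive wallet reports 1 BTC received; the hardened wallet reports nothing spendable and nothing pending once the replacement is seen.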
It’s important to note that BigSpender isn’t a way to steal bitcoins. It’s a way to trick someone into thinking you’ve paid them when you actually haven’t. Any bitcoins that are already in the victim’s wallet are still safe, even if it gets frozen.
The good news is that most cryptocurrency wallets affected by BigSpender have fixed the vulnerability, according to Forbes. The problem was that affected wallets assumed unconfirmed transactions would eventually be confirmed, which does not always happen. ZenGo said millions of crypto users could have been impacted by the vulnerability. No details on the fix were provided.
The importance of reliable bitcoin wallets
It might seem like cryptocurrency adoption is not widespread enough for the BigSpender vulnerability to be a serious problem. However, many people use cryptocurrencies for transactions despite the volatility in the price.
For example, many online gamblers use bitcoin wallets for safe and fast withdrawals because credit card companies sometimes decline gambling transactions. Here is a guide on how to use the wallets for igaming.
BigSpender was a serious vulnerability because it meant wallet users couldn’t always count on the balance their wallet showed them. Those who use their digital wallets for transactions on a regular basis could face serious problems. The idea that your crypto assets could be frozen is also a big concern, especially for online gamblers who don’t have any other options to fund their online casino accounts. They could find themselves unable to place any bets or play any games in the online casino of their choice.
Additionally, if their digital wallet were frozen due to a string of BigSpender attacks, any other transactions they make would fail. Many online gamblers use the same casinos and online betting companies to place their wagers. Some online casinos could ban accounts that start to show multiple failed transactions. Having more than one failed transaction is a red flag because it looks like someone may be trying to defraud the operator.
The more widespread cryptocurrency becomes, the more vulnerabilities are certain to appear. Digital wallets must keep up with the latest scams and attacks to ensure that their users’ crypto assets are safe. Scammers will always come up with new ways to break in and steal cryptocurrencies.