Mobile crypto wallet startup ZenGo recently discovered a vulnerability in some popular crypto wallets including Edge, BRD, and Ledger.
The BigSpender vulnerability can show the incorrect balance on a user’s wallets because unconfirmed transactions are taken into account in the total balance. The attacker can revoke these transactions before they are confirmed because of which there could be confusion about the actual balance. This type of attack is quickly gaining prominence in online marketplaces like Craigslist.
In this method, people buy stuff from others online and send them fake PayPal transaction emails which confirms their transactions. However, in reality, no transaction is made and the user’s account doesn’t reflect any changes. Similar BigSpender techniques are now being used in cryptocurrencies. They utilize a feature in the Bitcoin protocol called Replace-by-Fee.
This feature allows users to send some Bitcoins will a low transaction fee. They could also send the same transaction with a higher transaction fee. The original transaction is then canceled and the new one replaced it. The new transaction is processed more quickly because of a higher transaction fee.
How fake transactions work in crypto?
Some crypto wallets may take unconfirmed transactions into account very quickly because of which it may appear that a user has received Bitcoin. In reality, they behave not received anything. The sender may cancel or replace that transaction with another one at a wallet they control. As a result of this, the balance in user accounts still remains, even though the amount is never credited.
The attackers can use this feature to make multiple transactions even if they don’t possess the money needed to buy an expensive item. The attackers may also launch a denial-of-service attack and freeze a user’s crypto assets. This problem can usually be solved by clearing app cache and resyncing the Bitcoin wallet. It does not affect the existing balance in your account.
ZenGo discovered the vulnerability in BRD, Ledger, and Edge about 90 days ago. Both BRD and Ledger have handed over bug bounty rewards to the startup. BRD has released a fix while Edge and Ledger are working on a fix.