Recently on 2nd July, renowned cryptocurrency security firm ZenGo identified a double-spend exploit targeting several popular Bitcoin [BTC] wallets, dubbed ‘BigSpender’.
Out of 9 crypto wallets tested by ZenGo, BRD, Ledger Live, and Edge were found to be susceptible to the attack. The 3 firms updated their products after ZenGo notified them of the threat, however the firm warned that “millions” of cryptocurrency users might already be exposed to the exploit before its identification.
Despite the wallets’ move to guard against BigSpender, Bitcoin Cash [BCH] proponent Hayden Otto claims the vulnerability is inherent to Bitcoin “by design” and might still be exploited.
Bitcoin’s ‘Replace-By-Fee’ [RBF] Feature
BigSpender was discovered via ZenGo’s ongoing research into Bitcoin’s ‘Replace-by-Fee’ [RBF] feature.
In line with the security firm, “RBF is a standard method to permit users to ‘undo’ a yet to be confirmed transaction, by transferring another transaction spending similar coins [but possibly different destination] with a much higher fees”.
BigSpender isn’t the primary time an exploit has targeted RBF vulnerabilities to execute a double-spend attack, with an identical technique being notoriously revealed within a video published by Otto earlier in the month of December last year that quickly went viral. The exploit is merely possible with zero confirmations.
While adding further, Otto said that RBF attack’s are “particularly concerning for Bitcoin-accepting merchants who could have easily handed over goods to a customer who then reversed their BTC transaction upon leaving the purchase.”
“The technique is facilitated by RBF [replace by fee], a so-referred ‘feature’ added at the protocol level by the Bitcoin Core developers.The issue exists if you use BTC. Wallet software can solely make some trade off, that ends up within a worse BTC user experience, so as to try to guard BTC users.”
The BCH proponent described the exploit as “an issue with Bitcoin itself,” adding that it’s “nothing to try to to with several wallet software”.
There’s Not Any Actual Double-Spend Being Performed
However, not most are convinced that BigSpender comprises a grave threat to Bitcoin, with the affected wallet suppliers challenging the language employed by ZenGo’s researchers.
While speaking to Forbes: Ledger asserted: “There is not any actual double-spend being performed. The user funds stay safe. Nevertheless, the display of received transactions might be misleading.”
This is in-fact, what Otto exploited: getting merchants handy over the products before the funds were transferred due to a “misleading” display. However, merchants who await transactions to be confirmed before transferring goods don’t risk being affected.
ZenGo has also released a free open-source tool that permits wallet suppliers to check their products and secure against the BigSpender vulnerability. The firm added that not all of the wallets suffering from the exploit have implemented upgrades.