Leading crypto hardware wallet producer Ledger has denied that its product’s transaction management software featured a double-spend vulnerability.
According to Ledger’s CTO Charles Guillemet, the vulnerability recently revealed by software wallet ZenGo is — in fact — nothing more than a user experience flaw. He illustrated the nature of its hardware wallet companion software Ledger Live to Cointelegraph:
“It’s important to understand that rather than an attack, the actual flaw may be seen more as a clever piece of trickery. Trickery is not a vulnerability. However, we do want to prevent anyone from falling victim to these kinds of clever schemes. [...] It’s just a UX issue that could be used by a dishonest product buyer. ”
The claims are not new
ZenGo’s claims are closely related to those released by Bitcoin Cash (BCH)-focused firm BitcoinBCH at the end of 2019. At the time, the firm’s CEO Hayden Otto explained in a video how a Bitcoin (BTC) point-of-sale solution misled merchants into believing non-confirmed transactions were final and accepting them.
Like BitcoinBCH, ZenGo noted that Bitcoin’s replace-by-fee (RBF) feature can easily allow users to replace an unconfirmed transaction with a new one with a different target address that has a higher fee. It is worth noting that this feature only makes it easier to leverage the non-finality of unconfirmed transactions, a thing that is harder, but still possible without RBF.
Furthermore, ZenGo’s report also points out that RBF “does not introduce any new vulnerabilities in itself” and instead “it explicitly puts the responsibility on wallet applications and users’ to identify unconfirmed transactions as unsafe.” This is confirmed by Guillemet:
“We want to thank ZenGo for having responsibly disclosed this issue to us. [...] We do want to prevent anyone from falling victim to these kinds of clever schemes. A way to prevent this is of course to make sure that any transaction is first confirmed. Ledger Live is releasing an update on July 2nd. A warning is now displayed on pending transactions.”
ZenGo said that it was awarded a bug bounty for bringing attention to the issue.