Major crypto hardware wallet manufacturer Ledger has denied that its product's transaction management software featured a double-spend vulnerability.
According to Ledger's CTO Charles Guillemet, the vulnerability recently revealed by software wallet ZenGo is, in fact, nothing more than a user experience flaw. He described the nature of the flaw in Ledger Live, the company's hardware wallet companion software, to Cointelegraph:
“It's important to understand that rather than an attack, the actual flaw may be seen more as a clever piece of trickery. Trickery is not a vulnerability. However, we do want to prevent anyone from falling victim to these kinds of clever schemes. […] It's just a UX issue that could be used by a dishonest product purchaser.”
The claims are not new
ZenGo's claims are closely related to those released by Bitcoin Cash (BCH)-focused firm BitcoinBCH at the end of 2019. At the time, the firm's CEO Hayden Otto explained in a video how a Bitcoin (BTC) point-of-sale solution misled merchants into believing non-confirmed transactions were final and accepting them.
Like BitcoinBCH, ZenGo noted that Bitcoin's replace-by-fee (RBF) feature can easily allow users to replace an unconfirmed transaction with a new one with a different target address that has a higher fee. It's worth noting that this feature only makes it easier to leverage the non-finality of unconfirmed transactions, something that is harder, but still possible, without RBF.
Furthermore, ZenGo's report also points out that RBF “doesn't introduce any new vulnerabilities in itself” and instead “it explicitly puts the responsibility on wallet applications and users to identify unconfirmed transactions as unsafe.” This is confirmed by Guillemet:
“We want to thank ZenGo for having responsibly disclosed this issue to us. […] We do want to prevent anyone from falling victim to these kinds of clever schemes. A way to prevent this is of course to ensure that any transaction is first confirmed. Ledger Live is releasing an update on July 2nd. A warning is now displayed on pending transactions.”
ZenGo said that it was awarded a bug bounty for bringing attention to the issue.
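One way a wallet could apply the rule described above, treating every unconfirmed transaction as unsafe and flagging those that signal RBF, shown as an added example that is not code from Ledger, ZenGo or the original article. The `Tx` record, the function names and the sample transactions are constructed for illustration; the `0xFFFFFFFD` threshold is the BIP125 opt-in signaling rule.

```python
from dataclasses import dataclass, field

# BIP125: an input with nSequence <= 0xFFFFFFFD signals opt-in replaceability.
MAX_BIP125_RBF_SEQUENCE = 0xFFFFFFFD

@dataclass
class Tx:  # hypothetical wallet-side record, not a real library type
    txid: str
    confirmations: int
    input_sequences: list   # nSequence of each input
    amount_to_us: int       # satoshis paid to this wallet
    unconfirmed_parents: list = field(default_factory=list)

def signals_rbf(tx):
    """Explicit BIP125 signaling, or signaling inherited from an unconfirmed ancestor."""
    if tx.confirmations > 0:
        return False  # already mined; mempool replacement no longer applies
    if any(seq <= MAX_BIP125_RBF_SEQUENCE for seq in tx.input_sequences):
        return True
    return any(signals_rbf(parent) for parent in tx.unconfirmed_parents)

def classify(tx, required_confirmations=1):
    if tx.confirmations >= required_confirmations:
        return "confirmed"
    if signals_rbf(tx):
        return "pending-replaceable"
    # Not signaling RBF does not make it final: replacement is harder, not impossible.
    return "pending"

def balances(txs, required_confirmations=1):
    """Return (spendable, pending); only confirmed funds count as spendable."""
    spendable = pending = 0
    for tx in txs:
        if classify(tx, required_confirmations) == "confirmed":
            spendable += tx.amount_to_us
        else:
            pending += tx.amount_to_us
    return spendable, pending

def sample_wallet():
    """Constructed sample transactions (txids are placeholders)."""
    parent = Tx("constructed-parent", 0, [0x00000001], 0)
    return [
        Tx("constructed-a", 6, [0xFFFFFFFF], 50_000),
        Tx("constructed-b", 0, [0xFFFFFFFD], 20_000),
        Tx("constructed-c", 0, [0xFFFFFFFE], 3_000),
        Tx("constructed-d", 0, [0xFFFFFFFF], 7_000, [parent]),
    ]

if __name__ == "__main__":
    for tx in sample_wallet():
        print(tx.txid, classify(tx))
    print(balances(sample_wallet()))
```

A point-of-sale or wallet UI built on this would show only the first value of `balances` as available funds and attach a warning to anything not classified as `confirmed`.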