Ledger Crypto Wallet Claims Purported Vulnerability Is User Experience Flaw

Ledger’s chief technology officer Charles Guillemet said that the recently revealed vulnerability is nothing more than a user experience flaw.

Leading crypto hardware wallet producer Ledger has denied that its product’s transaction management software featured a double-spend vulnerability.

According to Ledger’s CTO Charles Guillemet, the vulnerability recently revealed by software wallet ZenGo is, in fact, nothing more than a user experience flaw. He described the nature of the issue in Ledger Live, the company’s hardware wallet companion software, to Cointelegraph:

“It’s important to understand that rather than an attack, the actual flaw may be seen more as a clever piece of trickery. Trickery is not a vulnerability. However, we do want to prevent anyone from falling victim to these kinds of clever schemes. […] It’s just a UX issue that could be used by a dishonest product buyer.”

The claims are not new

ZenGo’s claims are closely related to those released by Bitcoin Cash (BCH)-focused firm BitcoinBCH at the end of 2019. At the time, the firm’s CEO Hayden Otto explained in a video how a Bitcoin (BTC) point-of-sale solution misled merchants into believing non-confirmed transactions were final and accepting them.

Like BitcoinBCH, ZenGo noted that Bitcoin’s replace-by-fee (RBF) feature can easily allow users to replace an unconfirmed transaction with a new one that pays a higher fee and sends to a different target address. It is worth noting that this feature only makes it easier to leverage the non-finality of unconfirmed transactions; doing so is harder, but still possible, without RBF.

Furthermore, ZenGo’s report also points out that RBF “does not introduce any new vulnerabilities in itself” and instead “it explicitly puts the responsibility on wallet applications and users to identify unconfirmed transactions as unsafe.” This is confirmed by Guillemet:

“We want to thank ZenGo for having responsibly disclosed this issue to us. […] We do want to prevent anyone from falling victim to these kinds of clever schemes. A way to prevent this is of course to make sure that any transaction is first confirmed. Ledger Live is releasing an update on July 2nd. A warning is now displayed on pending transactions.”

ZenGo said that it was awarded a bug bounty for bringing attention to the issue.
