Ledger Crypto Wallet Claims Purported Vulnerability Is User Experience Flaw
Ledger’s chief technology officer Charles Guillemet said that the recently revealed vulnerability is nothing more than a user experience flaw.
Leading crypto hardware wallet producer Ledger has denied that its product’s transaction management software featured a double-spend vulnerability.
According to Ledger’s CTO Charles Guillemet, the vulnerability recently revealed by software wallet ZenGo is, in fact, nothing more than a user experience flaw. He described the nature of the issue in Ledger Live, the company’s hardware wallet companion software, to Cointelegraph:
“It’s important to understand that rather than an attack, the actual flaw may be seen more as a clever piece of trickery. Trickery is not a vulnerability. However, we do want to prevent anyone from falling victim to these kinds of clever schemes. […] It’s just a UX issue that could be used by a dishonest product buyer.”
The claims are not new
ZenGo’s claims are closely related to those released by Bitcoin Cash (BCH)-focused firm BitcoinBCH at the end of 2019. At the time, the firm’s CEO Hayden Otto explained in a video how a Bitcoin (BTC) point-of-sale solution misled merchants into believing non-confirmed transactions were final and accepting them.
Like BitcoinBCH, ZenGo noted that Bitcoin’s replace-by-fee (RBF) feature can easily allow users to replace an unconfirmed transaction with a new, higher-fee transaction that pays a different target address. It is worth noting that this feature only makes it easier to leverage the non-finality of unconfirmed transactions, which is harder, but still possible, without RBF.
Furthermore, ZenGo’s report also points out that RBF “does not introduce any new vulnerabilities in itself” and instead “it explicitly puts the responsibility on wallet applications and users to identify unconfirmed transactions as unsafe.” This is confirmed by Guillemet:
“We want to thank ZenGo for having responsibly disclosed this issue to us. […] We do want to prevent anyone from falling victim to these kinds of clever schemes. A way to prevent this is of course to make sure that any transaction is first confirmed. Ledger Live is releasing an update on July 2nd. A warning is now displayed on pending transactions.”
ZenGo said that it was awarded a bug bounty for bringing attention to the issue.