A bug in applications for storing digital assets allows criminals to replace unconfirmed transactions with their own and make user wallets malfunction
A team of experts from ZenGo discovered the BigSpender bug in many cryptocurrency wallets, such as Ledger Live, Edge and BreadWallet. The error allows hackers to steal bitcoin and other coins from users, reports Research and markets.
Some wallets have a feature that allows users to replace an outgoing, unconfirmed transaction with a new one that carries a different fee. With this feature, holders can pay miners a higher fee for a cryptocurrency transfer so that they quickly confirm the operation. At the same time, it has become a loophole for hackers.
To steal cryptocurrency, they must first replace the transaction with another one that carries an extremely low fee. This guarantees that the cryptocurrency transfer does not receive confirmation. The hackers then replace the pending transaction with their own, which leads to a wallet controlled by them. As a result, the money goes to the criminals, but the user's application shows the coins as delivered.
The bug gives hackers another opportunity. They can spam a user's address with many fake transactions so that a critical discrepancy appears between the real and the displayed balance. As a result, the wallet becomes impossible to use. It is noted that the Breadwallet and Ledger Live applications have already fixed the vulnerability.
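The gap between real and displayed balance comes down to how a wallet accounts for unconfirmed transactions that are later replaced. The sketch below is an added illustration, not code from ZenGo or from any wallet named here: it compares bookkeeping that credits a transaction once and never revisits it with bookkeeping that keeps pending funds separate and drops replaced transactions. The `seen`/`confirmed` event model, the class names and the sample transactions are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset   # outpoints spent, e.g. {"utxoA:0"}
    to_wallet: int      # satoshis paid to the wallet's own addresses (0 if none)

class NaiveWallet:
    """Credits every incoming transaction when first seen and never revisits it."""
    def __init__(self):
        self.balance = 0
    def on_seen(self, tx):
        self.balance += tx.to_wallet
    def on_confirmed(self, tx):
        pass  # already counted when first seen; replacements are ignored

class HardenedWallet:
    """Keeps pending and confirmed funds apart and evicts replaced transactions."""
    def __init__(self):
        self.confirmed = 0
        self.pending = {}  # txid -> Tx, unconfirmed only
    def _evict_conflicts(self, tx):
        # A pending tx that shares an input with `tx` has been replaced by it.
        stale = [p.txid for p in self.pending.values()
                 if p.txid != tx.txid and p.inputs & tx.inputs]
        for txid in stale:
            del self.pending[txid]
    def on_seen(self, tx):
        self._evict_conflicts(tx)
        self.pending[tx.txid] = tx
    def on_confirmed(self, tx):
        self._evict_conflicts(tx)
        self.pending.pop(tx.txid, None)
        self.confirmed += tx.to_wallet  # only confirmed funds become spendable
    @property
    def pending_total(self):
        return sum(p.to_wallet for p in self.pending.values())

def replay(wallet, events):
    """Feed (kind, tx) events to a wallet and return it for inspection."""
    for kind, tx in events:
        getattr(wallet, "on_" + kind)(tx)
    return wallet

# Constructed sample: a low-fee payment to the wallet, then a replacement that
# spends the same input elsewhere and is the transaction that actually confirms.
PAY = Tx("tx-pay", frozenset({"utxoA:0"}), 50_000)
REPLACEMENT = Tx("tx-replace", frozenset({"utxoA:0"}), 0)
EVENTS = [("seen", PAY), ("seen", REPLACEMENT), ("confirmed", REPLACEMENT)]
```

Replaying `EVENTS` leaves `NaiveWallet` displaying 50,000 satoshis that never arrived, while `HardenedWallet` reports zero confirmed and zero pending.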
Today, July 13, hackers breached the cryptocurrency wallet of the Indian cryptocurrency exchange Cashaa and withdrew 336 dollars worth $3.1 million from it. The company reported the incident to the Department of Cybercrime Investigation Department of Delhi and other trading platforms.