A new bug dubbed “Big Spender” has made its way into several popular bitcoin wallets.
Big Spender Is Here to Take Your Crypto
Big Spender is a double-spend attack that makes a wallet show funds as received when they have not actually arrived. The attacker sends the victim a payment that a vulnerable wallet credits to its balance as soon as the transaction appears, still unconfirmed, in the network. The attacker then replaces that unconfirmed transaction with one spending the same coins back to an address under the attacker's control (Bitcoin's replace-by-fee mechanism makes such replacement routine). Because the wallet never reverses the credit, the victim's displayed balance includes coins that will never confirm, and attempts to spend them can fail, leaving the user unable to use the wallet's funds normally.
The problem was discovered by Zen Go, a Tel Aviv-based bitcoin and cryptocurrency company. Representatives claim that the flaw may affect millions of individual bitcoin and cryptocurrency wallets. Among the wallets known to be affected at the time of writing are Ledger Live, Edge and BRD (Bread).
Zen Go says it has already worked with these wallets to get the vulnerability removed, and has contacted the wallets' original developers to inform them of the situation.
Oded Leiba, senior software engineer at the Israeli company, explained in a statement:
The core issue at the heart of the Big Spender vulnerability is that vulnerable wallets are not prepared for the option that a transaction might be canceled and implicitly assume it will get confirmed eventually. This negligence has many faces. First and foremost, a user’s balance is increased on an incoming transaction while unconfirmed and is not decreased if the transaction is double-spent and thus effectively canceled.
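To make the failure Leiba describes concrete, here is a constructed Python simulation added for this article; it is not Zen Go's code nor that of any affected wallet. It runs a naive wallet that credits an incoming payment while it is still unconfirmed alongside one that keeps unconfirmed credits separate and discards them when a conflicting transaction confirms. Every transaction id, address and amount is made up, and the wallet classes, their method names and the event sequence are assumptions for illustration.

```python
"""
Constructed simulation of the BigSpender failure mode.

Two wallet models consume the same stream of events:
  - VulnerableWallet credits an unconfirmed incoming payment and never
    debits it when a conflicting (double-spend) transaction confirms.
  - HardenedWallet keeps unconfirmed credits apart from the confirmed
    balance and evicts any unconfirmed transaction whose inputs are
    consumed by a transaction that later confirms.

All txids, addresses and amounts below are made up for the example.
"""
from dataclasses import dataclass

VICTIM = "bc1qvictim"      # constructed address watched by the wallet
ATTACKER = "bc1qattacker"  # constructed address the attacker controls


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset      # outpoints ("txid:vout") consumed by this tx
    outputs: tuple         # ((address, satoshis), ...)

    def pays(self, address):
        return sum(v for a, v in self.outputs if a == address)


class VulnerableWallet:
    """Credits incoming funds on first sight in the mempool and never
    revisits that credit: the behaviour the quote above describes."""

    def __init__(self, address):
        self.address = address
        self.balance = 0
        self.seen = set()

    def on_mempool(self, tx):
        if tx.txid not in self.seen:
            self.seen.add(tx.txid)
            self.balance += tx.pays(self.address)

    def on_confirmed(self, tx):
        # A confirmed transaction we already counted changes nothing, and a
        # confirmed conflict with an earlier credit is not even noticed.
        self.on_mempool(tx)

    def spendable(self):
        return self.balance


class HardenedWallet:
    """Separates confirmed from unconfirmed funds and drops any unconfirmed
    credit whose inputs were spent by a confirmed transaction."""

    def __init__(self, address):
        self.address = address
        self.confirmed = {}    # txid -> Tx
        self.unconfirmed = {}  # txid -> Tx

    def on_mempool(self, tx):
        if tx.txid not in self.confirmed and tx.pays(self.address):
            self.unconfirmed[tx.txid] = tx

    def on_confirmed(self, tx):
        # A still-unconfirmed tx that spends an outpoint this block just
        # consumed can never confirm: it was double-spent, so forget it.
        # (Simplification: descendants of the evicted tx are not chased.)
        for txid, pending in list(self.unconfirmed.items()):
            if txid == tx.txid or pending.inputs & tx.inputs:
                del self.unconfirmed[txid]
        if tx.pays(self.address):
            self.confirmed[tx.txid] = tx

    def spendable(self):
        return sum(t.pays(self.address) for t in self.confirmed.values())

    def pending(self):
        return sum(t.pays(self.address) for t in self.unconfirmed.values())


def run_scenario(wallet):
    """Attacker broadcasts a payment to the victim, then replaces it with a
    transaction spending the same input back to themselves; only the
    replacement is mined. Returns the balance the wallet would display."""
    shared_input = frozenset({"attacker_funding_tx:0"})
    pay_victim = Tx("tx_pay_victim", shared_input, ((VICTIM, 100_000),))
    take_back = Tx("tx_take_back", shared_input, ((ATTACKER, 99_000),))

    wallet.on_mempool(pay_victim)   # wallet sees the "payment"
    wallet.on_mempool(take_back)    # the replacement may also reach us
    wallet.on_confirmed(take_back)  # only the replacement enters a block
    return wallet.spendable()


if __name__ == "__main__":
    print("vulnerable wallet shows:", run_scenario(VulnerableWallet(VICTIM)))
    print("hardened wallet shows:  ", run_scenario(HardenedWallet(VICTIM)))
```

The hardened model only catches direct conflicts, a confirmed transaction spending the same outpoint; a real wallet also has to evict unconfirmed descendants of the evicted transaction, and should never let unconfirmed incoming funds count as spendable, which is the property that keeps a phantom credit from turning into a spend the network will reject.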
But while Zen Go is moving quickly to have the vulnerability addressed, not everyone is reacting positively. Staff at both Ledger and BRD claim that Zen Go is using unclear language to describe the situation, and say that no double spend actually occurs in any of the transactions in question.
Members of the Ledger security team explain:
There is no actual double spend being performed. The user funds stay safe. Nevertheless, the display of received transactions could be misleading.
So Many Big Wallets Affected
If the double-spend threat is real, it is striking how many mainstream crypto wallets are affected by it. BRD, for example, currently boasts more than five million users. Zen Go chief executive Ouriel Ohayon stated:
Potentially several millions of users were exposed before the fix based on the user base of Ledger and BRD public numbers… It does not mean that there are no other issues or that other wallets are not exposed to the Big Spender attack… Considering that this could result in the impossibility to spend your funds and the fact that this could be done at scale, this [exploit] can be considered serious. Hacks are constant. Security is an on-going battle fought by the industry and one that cannot be won by a single player or a single product, let alone a version update.