On July 2nd, the cryptographic security company ZenGo identified a double-spend exploit, called “BigSpender”, targeting several popular Bitcoin (BTC) wallets.
Of the nine cryptocurrency wallets tested by ZenGo, BRD, Ledger Live and Edge were found to be vulnerable to the attack. All three companies updated their products after ZenGo informed them of the threat, but the company warned that “millions” of crypto users could have been exposed to the exploit before it was identified.
Despite efforts to protect wallets from BigSpender, Bitcoin Cash (BCH) proponent Hayden Otto says the vulnerability is inherent in Bitcoin “by design” and can still be exploited.
BigSpender was discovered through ZenGo’s ongoing research into Bitcoin’s Replace-by-Fee (RBF) function.
According to the security company, “RBF is a standard method allowing users to ‘cancel’ a transaction that has not yet been confirmed, by sending another transaction spending the same (but possibly a different) coins with a higher cost.”
BigSpender is not the first exploit to target BCH vulnerabilities to execute a double-spend attack; a similar technique was notoriously described in a video released by Otto in December that quickly went viral. The exploit is only possible with zero confirmations.
Speaking to Cointelegraph, Otto said that the RBF attacks are “particularly worrying for BTC-accepting merchants who could easily have given goods to a customer who then reversed his BTC transaction as he left the store.”
“The technique is facilitated by RBF (replace by fee), a ‘feature’ added at the protocol level by the Bitcoin Core developers, which is problematic if you use BTC. The problem exists if you use BTC. Wallet software can only make a certain compromise, resulting in a poorer BTC user experience, in an attempt to protect BTC users.”
The BCH supporter described the exploit as “a problem with BTC itself”, adding that it has “nothing to do with the different wallet software”.
Wallets question the seriousness of the threat
However, not everyone is convinced that BigSpender poses a serious threat to Bitcoin, as the wallet providers involved are challenging the language used by ZenGo researchers.
Speaking to Forbes, Ledger said, “There is no real double spending. User funds remain secure. Nevertheless, the display of transactions received could be misleading.”
This is, of course, what Otto exploited: getting merchants to hand over goods before funds are transferred because of a “misleading” display. However, merchants who wait for transactions to be confirmed before sending the goods are not likely to be affected.
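To make the merchant-side defence concrete, here is an added example (not code from ZenGo, the wallets named above, or the original article) of a ledger that keeps unconfirmed funds out of the confirmed balance and stops displaying a pending payment once a conflicting transaction spends the same coins. The `Tx` and `IncomingLedger` types and the sample transaction IDs are hypothetical and heavily simplified; the opt-in RBF signalling threshold is the one defined in BIP 125.

```python
from dataclasses import dataclass

BIP125_MAX_SEQUENCE = 0xFFFFFFFD  # BIP 125: an input sequence <= this signals opt-in RBF

@dataclass(frozen=True)
class Tx:  # hypothetical, simplified transaction record
    txid: str
    inputs: tuple  # ((prev_txid, vout, sequence), ...)
    pays_us: int   # satoshis paid to this wallet
    confirmations: int = 0

    def outpoints(self):
        return {(prev, vout) for prev, vout, _ in self.inputs}

    def signals_rbf(self):
        return any(seq <= BIP125_MAX_SEQUENCE for _, _, seq in self.inputs)

class IncomingLedger:
    """Keeps pending and confirmed funds apart and evicts replaced payments."""
    def __init__(self):
        self.txs = {}

    def observe(self, tx):
        rivals = [t for t in self.txs.values()
                  if t.txid != tx.txid and t.outpoints() & tx.outpoints()]
        if any(t.confirmations >= 1 for t in rivals):
            return False  # conflicts with a confirmed spend: can never confirm
        for t in rivals:  # unconfirmed rivals were replaced: stop displaying them
            del self.txs[t.txid]
        self.txs[tx.txid] = tx
        return True

    def confirmed_balance(self):
        return sum(t.pays_us for t in self.txs.values() if t.confirmations >= 1)

    def pending_balance(self):
        return sum(t.pays_us for t in self.txs.values() if t.confirmations == 0)

    def safe_to_release_goods(self, txid, min_conf=1):
        tx = self.txs.get(txid)
        return tx is not None and tx.confirmations >= min_conf

def demo():
    ledger = IncomingLedger()
    pay = Tx("aa", (("f0", 0, 0xFFFFFFFD),), pays_us=50_000)  # constructed sample
    ledger.observe(pay)
    before = (ledger.confirmed_balance(), ledger.pending_balance(), pay.signals_rbf())
    # Constructed replacement: same outpoint, pays us nothing, and gets confirmed.
    ledger.observe(Tx("bb", (("f0", 0, 0xFFFFFFFD),), pays_us=0, confirmations=1))
    after = (ledger.pending_balance(), ledger.safe_to_release_goods("aa"))
    return before, after
```

A real wallet would derive these fields from full transaction data and its node's view of the chain; the point here is only that a pending payment is shown separately and removed when it is replaced.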
ZenGo has released a free open-source tool that allows wallet vendors to test their products and protect themselves against the BigSpender vulnerability. The company found that not all wallets affected by the exploit have updates in place.