A standard way to transact Bitcoin could be vulnerable to double-spending, new research has found. Blockchain sleuths at ZenGo, a wallet startup, have found a vulnerability that affected at least three major crypto wallets – Ledger Live, Edge and Breadwallet (BRD) – and potentially more.
The bug, which the Tel Aviv-based firm calls BigSpender, allows a hacker to double-spend a user’s funds and possibly prevent them from ever using their wallet again. It works by exploiting a flaw in the replace-by-fee (RBF) function, a failsafe that enables users to swap an unconfirmed transaction with one that has a higher fee.
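As an added illustration of the RBF point (example code, not from ZenGo or any of the wallets named), the model below shows how a receiving wallet can keep its balance honest: an unconfirmed incoming transaction that signals BIP125 replaceability (any input nSequence below 0xfffffffe) is tracked separately and never added to the displayed balance, and any unconfirmed credit is dropped when the node reports the transaction left the mempool. All transactions and addresses are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field

BIP125_THRESHOLD = 0xFFFFFFFE  # any input nSequence below this opts the tx into RBF

@dataclass
class Tx:
    txid: str
    sequences: list[int]        # nSequence of each input
    outputs: dict[str, int]     # address -> satoshis
    confirmations: int = 0

def signals_rbf(tx: Tx) -> bool:
    """BIP125: the tx stays replaceable while unconfirmed if any input signals."""
    return any(seq < BIP125_THRESHOLD for seq in tx.sequences)

@dataclass
class Wallet:
    addresses: set[str]                                        # constructed, ours
    confirmed: dict[str, int] = field(default_factory=dict)    # txid -> sats
    pending: dict[str, int] = field(default_factory=dict)      # non-RBF, unconfirmed
    replaceable: dict[str, int] = field(default_factory=dict)  # RBF-signalling

    def _value_to_us(self, tx: Tx) -> int:
        return sum(v for addr, v in tx.outputs.items() if addr in self.addresses)

    def observe(self, tx: Tx) -> str:
        """Classify an incoming tx; a replaceable tx is never credited as received."""
        value = self._value_to_us(tx)
        if value == 0:
            return "unrelated"
        for bucket in (self.pending, self.replaceable):
            bucket.pop(tx.txid, None)          # re-observation moves it between buckets
        if tx.confirmations > 0:
            self.confirmed[tx.txid] = value
            return "confirmed"
        if signals_rbf(tx):
            self.replaceable[tx.txid] = value
            return "replaceable"
        self.pending[tx.txid] = value
        return "pending"

    def on_mempool_drop(self, txid: str) -> bool:
        """Node reported the tx left the mempool (e.g. replaced): forget its credit."""
        dropped = [b.pop(txid, None) for b in (self.pending, self.replaceable)]
        return any(v is not None for v in dropped)

    def spendable_balance(self) -> int:
        return sum(self.confirmed.values())

    def displayed_balance(self) -> int:
        """Confirmed plus non-replaceable pending; RBF-signalling txs are listed apart."""
        return self.spendable_balance() + sum(self.pending.values())
```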
“[BigSpender] can lead to substantial financial losses and in some cases to make the victim’s wallet totally unusable with no way for the victim to protect themselves,” CEO Ouriel Ohayon said in an email. “So this can be seen as a .”
Like other vulnerabilities found in Bitcoin’s core codebase, such as , the RBF function has become a standard way for users to send value back and forth. It was pitched and accepted by the developer community as a way for Bitcoiners to circumvent slow confirmation times by paying more in fees.