‘Bypass’ Attack in Coldcard Bitcoin Wallet Could Trick Users Into Sending Incorrect Funds

Motion blurred image of male hands playing shell game(LeventKonuk/iStock/Getty Images Plus)

‘Bypass’ Attack in Coldcard Bitcoin Wallet Could Trick Users Into Sending Incorrect Funds

The bitcoin-only hardware wallet Coldcard has released a beta firmware patch for a vulnerability that also affected a competitor hardware wallet earlier this year.

Both testnet and mainnet bitcoin transactions, though, “have the exact same transaction representation under the hood,” Ma writes in his post disclosing the vulnerability. An attacker, then, could generate a bitcoin mainnet transaction for the hardware wallet but make it look like a testnet transaction. The mainnet transaction is presented like a testnet transaction on the user’s wallet, making it difficult for users to recognize the error.

By signing up, you will receive emails about CoinDesk products and you agree to our terms & conditions and privacy policy.

Ma learned of the vulnerability after a pseudonymous researcher discovered the so-called “isolation bypass” attack in the French-manufactured Ledger hardware wallet. 

Read more:  Uniswap May Re-Up Rewards as SushiSwap Angles to Catch Itinerant Yield Farmers

Unlike Coldcard, Ledger supports many coins, so the bypass attack could work by tricking wallet users into sending bitcoin when they mean to send litecoin and bitcoin cash, in addition to testnet BTC.

‘Bypass’ Bitcoin wallet vulnerability: A background

When the initial vulnerability in the Ledger wallet was disclosed, Coinkite founder and Coldcard creator Rodolfo Novak said, “Coldcard doesn’t support any shitcoins, we find that to be the best path,” implying that his bitcoin-only wallet would be safe since the flaw (in part) resulted from the fact that Ledger devices previously managed different coins using the same private key. 

Since Coldcard doesn’t support multiple coins, it theoretically shouldn’t have this problem. And it wouldn’t, if it weren’t for the fact that it can be exploited with bitcoin testnet addresses, as well.

If a user’s computer is compromised – and their Coldcard device is unlocked and connected to that computer – then an adversary could trick them into sending real bitcoin when they think they are sending testnet bitcoin.

Read more:  Blockchain Grain Trading Platform Sees Commercial Launch to Tap Russia Market

“The attacker merely has to convince the user to e.g. ‘try a testnet transaction’ or to buy an ICO with testnet coins (I’ve heard there was a ICO like this recently) or any number of social engineering attacks to make the user perform a testnet transaction. After the user confirms a testnet transaction, the attacker receives mainnet bitcoin in the same amount,” Ma writes in the post. 

Seeing as an attacker could execute this attack remotely, it met Shift Crypto’s criteria as a critical issue, triggering the responsible disclosure process. 

According to the post, Ma disclosed the vulnerability to Coinkite on Aug. 4 and Novak acknowledged it the next day. On Nov. 23, Coldcard released a beta firmware to patch the vulnerability.

LEAVE A REPLY

Please enter your comment!
Please enter your name here