Ledger’s CTO claims that the alleged vulnerability is a flaw in the user experience

According to Ledger's CTO, Charles Guillemet, the vulnerability recently reported by the wallet software firm ZenGo is in reality nothing more than a flaw in the user experience. He described the issue as it affects Ledger's hardware wallet companion software, Ledger Live, to Cointelegraph:

"It's important to understand that more than an attack, the real flaw can be seen more as a clever trap. The trap is not a vulnerability. However, we want to prevent someone from falling victim to this kind of clever trick. [...] It's just a matter of UX that could be used by a dishonest buyer of the product"

Complaints are not new
ZenGo's complaints are closely related to those published by the firm BitcoinBCH at the end of 2019. At that time, the firm's CEO, Hayden Otto, explained in a video how a Bitcoin (BTC) point-of-sale solution misled merchants into believing that unconfirmed transactions were final, so that they accepted them as payment.

Like BitcoinBCH, ZenGo noted that Bitcoin's replace-by-fee (RBF) feature lets a sender easily replace an unconfirmed transaction with a new one that pays a higher fee and sends the funds to a different destination address. It should be noted, however, that RBF only makes it easier to exploit the fact that unconfirmed transactions are not final; doing so without RBF is harder, but still possible.
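The wallet-side check that both reports call for, as an added example that is not code from Ledger, ZenGo or BitcoinBCH: it parses the inputs of a serialized transaction, applies the BIP125 rule (any input with nSequence below 0xfffffffe signals opt-in replaceability) and refuses to show a zero-confirmation payment as final. The sample transaction is constructed, with placeholder txid and scripts.

```python
import io
import struct

# BIP125: an input signals opt-in replaceability if its nSequence is below 0xfffffffe.
BIP125_MAX_NON_RBF_SEQUENCE = 0xFFFFFFFE


def _read_varint(buf: io.BytesIO) -> int:
    """Decode Bitcoin's CompactSize integer."""
    first = buf.read(1)[0]
    if first < 0xFD:
        return first
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf.read(width), "little")


def input_sequences(raw_tx_hex: str) -> list[int]:
    """Return the nSequence of every input of a serialized (legacy or segwit) transaction."""
    buf = io.BytesIO(bytes.fromhex(raw_tx_hex))
    buf.read(4)  # nVersion
    if buf.read(2) != b"\x00\x01":  # segwit marker + flag present only in segwit serialization
        buf.seek(4)  # legacy format: those two bytes were the start of the input count
    sequences = []
    for _ in range(_read_varint(buf)):
        buf.read(36)  # previous txid (32 bytes) + output index (4 bytes)
        buf.read(_read_varint(buf))  # scriptSig
        sequences.append(struct.unpack("<I", buf.read(4))[0])
    return sequences


def signals_rbf(raw_tx_hex: str) -> bool:
    return any(seq < BIP125_MAX_NON_RBF_SEQUENCE for seq in input_sequences(raw_tx_hex))


def payment_status(raw_tx_hex: str, confirmations: int) -> str:
    """Classify an incoming payment the way a wallet or point-of-sale app should display it."""
    if confirmations >= 1:
        return "CONFIRMED"
    if signals_rbf(raw_tx_hex):
        return "PENDING_REPLACEABLE"  # sender can cheaply redirect it; never show as paid
    return "PENDING"  # still not final; a conflicting transaction may be mined instead


# Constructed sample: minimal legacy tx, one input with nSequence 0xfffffffd (RBF-signalling).
SAMPLE_RBF_TX = (
    "01000000"                 # version
    "01"                       # input count
    + "aa" * 32 + "00000000"   # placeholder previous txid + output index 0
    + "00"                     # empty scriptSig
    + "fdffffff"               # nSequence = 0xfffffffd
    + "01" + "e803000000000000" + "00"  # one output: 1000 sat, empty placeholder script
    + "00000000"               # locktime
)
```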

In addition, the ZenGo report also notes that the RBF method "does not introduce any new vulnerabilities in itself" and instead "explicitly places the responsibility for identifying unconfirmed transactions as insecure on wallet apps and users". This was confirmed by Guillemet:

"We want to thank ZenGo for responsibly communicating this issue to us. [...] We want to prevent anyone from becoming a victim of this type of deception. One way to prevent this is, of course, to make sure that any transactions are confirmed first. Ledger Live will publish an update on July 2nd. A warning about pending transactions is now displayed"

ZenGo claimed that it was given a reward for drawing attention to the issue.