Researchers from cryptocurrency startup ZenGo, which is building a mobile cryptocurrency wallet, found major cryptocurrency wallets could be vulnerable to double-spend attacks.

ZenGo’s researchers tested the vulnerability, dubbed BigSpender, on major wallets like Edge, BRD, and Ledger and found that leveraging Bitcoin’s Replace-by-Fee feature it could be possible to double-spend funds. Replace-by-Fee lets a user send a bitcoin transaction with a low fee, and send the same bitcoin in another transaction with a higher fee.

The original transaction is canceled when this is done, and replaced by the second one which is confirmed on the network faster as miners prioritize it thanks to the higher fee. If a cryptocurrency wallet accepts unconfirmed transactions too quickly, for a user it may look like they’ve received the funds while they are still being sent. If the attacker moves the funds to another wallet with a higher transaction fee the initial transaction is canceled, even though the user sees the funds in its balance.

BigSpender can even be used multiple times. If an attacker wants to buy something that costs 1 BTC, it can send 10 transactions of 0.1 BTC each. The recipient would see it received 1 BTC in the wallet, but the attacker could then move the 0.1 BTC to another address.

Because the recipient’s wallet would have a miscalculated balance, attackers could also freeze the funds in it using a denial-of-service-attack. The victim would only see the real balance on its wallet after resyncing it with the Bitcoin blockchain – an option that would likely be considered after some confusion.

BigSpender, it’s worth noting, is not a vulnerability in the Bitcoin protocol as it doesn’t let attackers steal bitcoins. The vulnerability can be used to confuse users and scam them out of goods and services instead.

ZenGo disclosed the vulnerability with Edger, BRD, and Ledger 90 days ago, and received a Bug Bounty from Ledger and BRD. Both firms have already fixed the issue. Ledger’s VP of Marketing, Benoît Pellevoizin, said in a blog post:

Everything has been fixed in the most recent update that was released two days ago.

Pellevoizin added that unconfirmed transactions are now highlighted, and a message informs users there are unconfirmed transactions. Ledger Live, he added, does not use funds from unconfirmed transactions when sending funds.

ZenGo has released an open-source tool for users to test their wallets against BigSpender.

Featured image via Pixabay.