–
The new firmware release for the Trezor hardware wallet released this week is aimed at eliminating vulnerabilities in the implementation of SegWit transactions, however, as it turned out, it contains a different bug. Because of it, users can lose access to their bitcoins, Decrypt writes.
The threat arises when Trezor interacts with third-party services, including the Wasabi desktop wallet and BTCPay processing.
The vulnerability in question was discovered about three months ago by researcher Salim Rashid. He told about it to manufacturers of popular hardware wallets, including Trezor and Ledger.
Thanks to a report by @ saleemrash1d about vulnerability in Segwit transactions, a result of Bitcoin protocol design choices, we released firmware updates that change how these transactions are handled. https://t.co/QKcEoK57ap
– Trezor (@Trezor) June 3, 2020
According to Trezor developers, the identified attack vector is quite complex and suggests that the user must install malware during the implementation of the SegWit transaction. The next step, for example, it sends a transaction with two inputs at 10 and 5.0001 BTC. The total transaction amount is 15 BTC, the size of the commission is 0.0001 BTC. After that, the user receives an error message asking him to re-sign the transaction again. At this stage, the attacker changes the inputs in such a way that the transaction amount is 0.0001 BTC and the fee is 15 BTC.
In order for the trick to work, an attacker not only needs to be a miner himself, but also obtain the necessary block.
The manufacturer of the hardware wallet ColdCard Rashid for some reason did not notify the vulnerability, however, its developer NVK Decrypt said in a comment that its severity is low. At the same time, he noted that a new update could disrupt the device’s interaction with other software.
CEO Trezor Pavol Rusnak Meanwhile, he stated that the solution to the problem is quite simple: SegWit transactions must be regarded in the same way as all others, which implies validation of all previous transactions before sending new ones.
But, even if Trezor considers the solution simple, this does not mean the complete elimination of the problem for those wallet users who trust him to interact with some third-party software.
“Trezor will not be able to sign transactions using these tools until they are updated to work correctly. Due to the process of responsible disclosure of information, we could not notify the teams serving them in advance, ”said representatives of the Czech company.
Among these services was the Wasabi wallet, a user-centric wallet that was integrated into Trezor last year. Its founder and technical director Adam Fichor Already appealed to users with a recommendation to refrain from installing the Trezor firmware until the vulnerability is fixed.
If you are using Trezor with Wasabi please don’t upgrade your firmware until compatibility issues are resolved, otherwise your funds will get stuck until support of new firmware comes out. https://t.co/zrA5ml2kBL
– nopara73 (@ nopara73) June 5, 2020
According to Fichor, the consequences of updating the Trezor firmware, leading to restricting user access to the wallet, are more problematic than the attack itself, but he does not blame the company for excessive caution.
Founder of BTCPay Server Nicholas Dorier believes that Trezor should not be in a hurry with the release of the firmware and give users a month or two to move assets. He did not rule out that BTCPay would refuse support for Trezor and other hardware wallets, which rely on a similar transaction verification scheme, since service users use stripped-down versions of nodes and do not store all the necessary information.
On their Twitter, service representatives wrote:
“If you use Trezor and have updated the firmware, then you can no longer withdraw money from your wallet through BTCPay Server. We are unable to fix the problem because we do not have the data that Trezor will request. We recommend either wait for the Trezor solution to change, or change the hardware wallet if you want to use BTCPay Server, or switch to the hot wallet implementation in BTCPay Server. ”
Meanwhile, co-founder Trezor Marek ‘Slush’ Palatinus emphasized that there were no confirmed cases of blocking funds. Expressing hope that the situation would soon be resolved, he noted that due to the compatibility of BIPs, users can manage funds in other wallets that do not have such a strict interface as BTCPay, for example Electrum or Trezor Wallet
It isn’t true that anybody is locked out of funds; thanks to compatibility BIPs, people can manage funds in other wallets, which doesn’t have such strict interface like BTCPay, like Electrum or Trezor Wallet.
I hope the situation will resolve soon though.https: //t.co/3cEhdzF15V
– slush ???????? (@slush) June 6, 2020
Recall that in January, Kraken Security Labs specialists found a critical vulnerability in Trezor hardware wallets, which makes it possible to extract seed phrases within 15 minutes with physical access to the device.
Follow ForkLog on Twitter!
Found a mistake in the text? Highlight it and press CTRL + ENTER
– .
