The well-known hardware wallet brand Trezor has announced the release of firmware that fixes a vulnerability affecting some types of bitcoin transactions.
Thanks to a report by @saleemrash1d about vulnerability in Segwit transactions, a result of Bitcoin protocol design choices, we released firmware updates that change how these transactions are handled. https://t.co/QKcEoK57ap
— Trezor (@Trezor) June 3, 2020
As can be read in detail in the announcement, both the Trezor One model, at version 1.9.1, and the Trezor T model, at version 2.3.1, have been updated.
The changes have removed a security flaw discovered by Saleem Rashid, who reported the bug through the program dedicated to this type of discovery.
Before explaining how the vulnerability was fixed, Trezor described in the post how the wallet needs to check the UTXOs of previous transactions in order to verify the actual address balance.
This check prevents an attacker from presenting a UTXO balance lower than the actual one.
When a transaction is carried out, part of it goes to the miner as a fee. This system reveals not the current balance, which will of course be lower, but the previous balance, with the transaction already executed and completed.
In detail, the vulnerability exploits the SegWit (Segregated Witness) system, in which part of the data is signed. By exploiting two SegWit transactions, it is possible to charge the victim a huge fee, as follows:
- The victim has two SegWit/BIP-143 UTXOs of 15 BTC and 20 BTC.
- The malware asks the user to confirm a transaction with input 1 as 15 BTC and input 2 as 5.00000001 BTC, with the user’s chosen outputs and a valid change output, if necessary.
- The user confirms the transaction, spending 20 BTC plus 0.00000001 BTC fee.
- The malware throws an error and tells the user to confirm the transaction again (e.g. “Uh, oh! Something went wrong. Please try again.”).
- The malware asks the user to confirm a transaction with input 1 as 0.00000001 BTC and input 2 as 20 BTC, with exactly the same outputs as before.
- The user sees an apparently identical transaction, and again confirms spending 20 BTC plus 0.00000001 BTC fee.
- The malware uses the signature of input 1 from the first transaction, and the signature of input 2 from the second transaction, creating a transaction that in fact spends 15 BTC from input 1 and 20 BTC from input 2.
- The user ends up paying a transaction fee of just over 15 BTC.
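The previous-transaction check described above, applied to the two signing requests from these steps, as an added example that is not code from the article or from Trezor's firmware. All function names are hypothetical, the outpoints are constructed, and the amounts in PREV_OUTPUTS are assumed to come from previous transactions the signer has checked itself.

```python
# Added example: hypothetical names, constructed data; not Trezor firmware code.
SAT = 100_000_000  # satoshis per BTC

IN1, IN2 = ("aa" * 32, 0), ("bb" * 32, 0)  # constructed (txid, vout) outpoints
# Amounts recorded in the previous transactions.
# Assumption: the signer obtained these from previous transactions it checked itself.
PREV_OUTPUTS = {IN1: 15 * SAT, IN2: 20 * SAT}
OUTPUTS = [20 * SAT]  # what the user intends to send

# The two signing requests from the steps above: (outpoint, amount claimed by the host).
REQUEST_1 = [(IN1, 15 * SAT), (IN2, 5 * SAT + 1)]
REQUEST_2 = [(IN1, 1), (IN2, 20 * SAT)]


def displayed_fee(claimed_inputs, outputs):
    """Fee shown on screen when host-supplied input amounts are trusted."""
    return sum(amount for _, amount in claimed_inputs) - sum(outputs)


def verified_fee(claimed_inputs, outputs, prev_outputs):
    """Fee computed only after every claimed amount matches its previous output."""
    total = 0
    for outpoint, claimed in claimed_inputs:
        label = f"{outpoint[0][:8]}:{outpoint[1]}"
        real = prev_outputs.get(outpoint)
        if real is None:
            raise ValueError(f"no previous transaction for {label}")
        if real != claimed:
            raise ValueError(f"{label} claims {claimed} sat, previous output holds {real} sat")
        total += real
    fee = total - sum(outputs)
    if fee < 0:
        raise ValueError("outputs exceed verified inputs")
    return fee


def review(request):
    """Return (fee shown without the check, outcome with the check)."""
    try:
        outcome = verified_fee(request, OUTPUTS, PREV_OUTPUTS)
    except ValueError as exc:
        outcome = f"rejected: {exc}"
    return displayed_fee(request, OUTPUTS), outcome


if __name__ == "__main__":
    for name, req in (("request 1", REQUEST_1), ("request 2", REQUEST_2)):
        print(name, review(req))
    print("true amounts", review([(IN1, 15 * SAT), (IN2, 20 * SAT)]))
```

Both requests show the same 1-satoshi fee when the claimed amounts are trusted, and both are rejected once each amount is compared with its previous output; only the request carrying the true amounts passes, and it shows the fee the combined transaction would really pay.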
Because updating takes time, Trezor has proceeded step by step so that other wallets can also update and fix this type of vulnerability.
Web applications will also have to be updated to Connect v8.
For Electrum, for example, Trezor itself will provide the patch, while other PSBT-based tools will have to fix their servers, as is the case with Wasabi.