Bitcoin Wallets Vulnerable To Opt-in Replace-by-fee Double Spend Attacks
The topic of transaction fees has been kicked around a few times in the world of Bitcoin, but the question remains whether or not wallets are ready to deal with opt-in replace-by-fee. Several exchange platforms have taken the necessary steps to detect opt-in replace-by-fee situations, but more efforts are needed.
Bitcoin Wallets Are Not Ready For Opt-in Replace-by-fee
It will come as a big surprise to find out a lot of most popular Bitcoin wallet solutions in existence have some serious flaws regarding security, as well as detecting double-spends. Especially this latter part is of particular worry, as a double-spend attack puts the recipient at risk of never obtaining their money.
A recent blog post by Peter Todd shows how all of the wallets tested do not even warn users about a potential double-spend, but most of them also fail at warning WHEN a double-spend has happened. This is an unacceptable scenario for the Bitcoin ecosystem in its current stage, as users have little to no protection when it comes to using some of the most common wallets. With the recent addition of opt-in replace-by-fee, it seems wallet developers have not taken the potential repercussions into account.
But it did not end there, as Peter Todd also mentioned how one in two tested Bitcoin wallets can be easily double-spent. Although these types of attacks usually require a fair bit of technological know-how, this was not necessary during this test. In fact, no knowledge whatsoever will still result in a 100% success rate, The other half of the wallets only had a 25% success rate, but it is still rather worrying.
Luckily, some of the merchant payment providers have started implementing additional security measures to detect potential double-spend attacks. The detection of opt-in replace-by-fee will allow these platforms to check whether or not incoming transactions are followed by the same operation at a higher fee, creating a double-spend.
That being said, the key issue remains that a simple double-spend Python script can let users actually broadcast multiple transactions with different fees. Users who want to experiment with this opt-in replace-by-fee “functionality” should be able to add the necessary code into their mobile Bitcoin wallet software in a matter of days.
Without proper opt-in replace-by-fee detection, Bitcoin wallets will never be able to distinguish whether or not a double-spend will occur. The test run by Peter Todd and his team shows how the tested wallet solutions are all vulnerable to these types of attack, although some tweaking might be needed for particular wallets. Only Mycelium on Android seems to detect a double-spend, but only after the second transaction has received its first network confirmation.
Are you concerned about the lack of double-spend detection tools in most popular Bitcoin wallets? Let us know in the comments below!
Source: Peter Todd
Images courtesy of Shutterstock, Bitckerz