According to Ledger’s CTO, Charles Guillemet, the vulnerability recently disclosed by the ZenGo wallet team is actually nothing more than a user-experience mistake. He described the nature of the issue in Ledger Live, the companion software for Ledger’s hardware wallets, to Cointelegraph:
“It is important to understand that the real mistake can be seen as a clever trap rather than an attack. The trap is not a security hole. However, we want to prevent anyone from falling victim to these clever tricks. […] It’s just a UX issue that could be used by a dishonest buyer of the product.”
Complaints are not new
ZenGo’s complaints are closely related to those published by Bitcoin Cash (BCH) at the end of 2019. At that time, the company’s CEO, Hayden Otto, explained in a video how a Bitcoin (BTC) point-of-sale solution led users to believe that unconfirmed transactions were final, and accepted them as such.
Like BitcoinBCH, ZenGo found that Bitcoin’s RBF (replace-by-fee) feature makes it easy to replace an unconfirmed transaction with a new one that pays a higher fee to a different destination. It should be noted, however, that RBF only makes it easier to take advantage of an unconfirmed transaction never being completed; doing so without RBF is harder, but still possible.
The ZenGo report also notes that the RBF method “does not in itself introduce a new security hole” and that instead “It is explicitly our responsibility to identify unconfirmed transactions in wallet apps and users as unsafe.” Guillemet confirmed this:
“We would like to thank ZenGo for responsibly communicating this to us. […] We want to prevent someone from falling victim to this type of deception. Of course, one way to prevent this is to ensure that each transaction is committed first. Ledger Live will release an update on July 2nd. A warning about pending transactions is now displayed.”
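As an added illustration of the wallet-side mitigation described above (this is example code, not Ledger Live or ZenGo code), a wallet can keep pending receipts out of the spendable balance, mark BIP125 opt-in transactions as replaceable, and notice when a pending payment’s input is later spent by a different transaction. The addresses, txids and the one-confirmation threshold below are constructed assumptions for the example.

```python
from dataclasses import dataclass

BIP125_NON_REPLACEABLE_SEQ = 0xFFFFFFFE  # BIP125: any input with nSequence below this opts in to replacement
SAFE_CONFIRMATIONS = 1                    # assumption for this example: one block before a payment counts as settled

@dataclass
class Tx:
    txid: str
    inputs: list       # (prev_txid, prev_vout, nSequence)
    outputs: list      # (address, satoshis)
    confirmations: int

def signals_rbf(tx):
    """BIP125 opt-in check: at least one input has nSequence below 0xfffffffe."""
    return any(seq < BIP125_NON_REPLACEABLE_SEQ for _, _, seq in tx.inputs)

def paid_to_us(tx, my_address):
    return sum(v for addr, v in tx.outputs if addr == my_address)

def classify_incoming(tx, my_address):
    """'confirmed', 'pending' or 'pending-replaceable'; None when the tx pays nothing to my_address.
    Both pending states are unsafe to act on: non-RBF transactions can also be double-spent."""
    if paid_to_us(tx, my_address) == 0:
        return None
    if tx.confirmations >= SAFE_CONFIRMATIONS:
        return "confirmed"
    return "pending-replaceable" if signals_rbf(tx) else "pending"

def balances(txs, my_address):
    """Spendable balance counts confirmed receipts only; pending amounts are reported separately."""
    totals = {"confirmed": 0, "pending": 0}
    for tx in txs:
        status = classify_incoming(tx, my_address)
        if status is not None:
            totals["confirmed" if status == "confirmed" else "pending"] += paid_to_us(tx, my_address)
    return totals

def find_replacements(pending_seen, current_txs):
    """Map each earlier pending txid to the different txid now spending one of its inputs."""
    spent_by = {(p, v): tx.txid for tx in current_txs for p, v, _ in tx.inputs}
    return {tx.txid: spent_by[(p, v)] for tx in pending_seen for p, v, _ in tx.inputs
            if spent_by.get((p, v)) not in (None, tx.txid)}

# Constructed sample: a merchant address, an RBF-signalling unconfirmed payment to it,
# a later transaction spending the same input elsewhere, and an older settled receipt.
MY_ADDR = "bc1q-merchant-example"
ORIGINAL = Tx("aaaa11", [("feed01", 0, 0xFFFFFFFD)], [(MY_ADDR, 50_000)], 0)
REPLACEMENT = Tx("bbbb22", [("feed01", 0, 0xFFFFFFFD)], [("bc1q-other-example", 40_000)], 1)
SETTLED = Tx("cccc33", [("feed02", 1, 0xFFFFFFFF)], [(MY_ADDR, 20_000)], 3)
```

A wallet UI built on this would show only the confirmed total as available and attach a warning to anything returned as pending, which is the behaviour the update quoted above describes.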
ZenGo explained that it was rewarded for drawing attention to the issue.