A vulnerability was discovered in Bitcoin apps and Bitcoin-based applications with Segwit support that could allow an attacker to increase transaction fees without the user’s knowledge. Although this vulnerability does not enable the theft of coins, it is important to address it to avoid unexpected transaction fees.
What Should I Do to Protect Myself?
- Update Ledger Live and Bitcoin App (for Ledger Live users):
  - Ensure you are using Ledger Live desktop version 2.4.1 or later.
  - Update your Ledger Bitcoin app to version 1.4.0 or later.
  - To update, quit and restart Ledger Live, then click on the update notification banner or download version 2.4.1 directly from the Ledger website.
  - Go to My Ledger and click Update All to update all applications on your Ledger device.
- For Third-Party Wallet Users:
  - Install the Latest Bitcoin Application: Update the Bitcoin app on your Ledger device to version 1.4.0 or later.
  - Be Cautious with Transactions: When making transactions, watch for any warnings displayed on your Ledger device. You can cancel the transaction if it seems suspicious.
  - Contact Third-Party Wallet Developers: Reach out to the developers of any third-party wallets you use and request that they update LedgerJS to address this vulnerability.
Frequently Asked Questions
How could an attacker exploit this vulnerability?
The attack would require compromising the client application. This might involve tricking users into installing a fake version of Ledger Live or another wallet application. The attacker could then combine inputs from multiple transactions to broadcast a transaction with much higher fees.
Has this vulnerability been exploited?
There are no known reports of this vulnerability being exploited. The attacker cannot steal coins directly, which makes practical exploitation less likely.
How do I protect myself when using Ledger Live?
Updating Ledger Live and the Bitcoin app to the latest versions will protect you from this vulnerability. Make sure to follow the update instructions provided above.
How do I protect myself when using a third-party wallet?
Install the latest Bitcoin application on your Ledger device and watch for warnings during transactions. Contact third-party wallet developers to ensure they update their software to address this vulnerability.
For more detailed information about the vulnerability, refer to the Ledger Security Bulletin.