SlowMist Team: Risk Analysis of Fake Bitcoin RBF Recharge

Preface

According to Chain News, the crypto wallet ZenGo published a report disclosing a vulnerability (named "BigSpender") in mainstream cryptocurrency wallets such as Ledger, BRD and Edge. The vulnerability causes unconfirmed transactions to be counted in the user's total balance, and an attacker can cancel such a transaction before it is confirmed. The attack abuses the Bitcoin protocol's fee-replacement feature, "Replace-by-Fee", which lets a transaction be replaced by one paying a higher fee; an attacker can invoke it repeatedly to carry out the BigSpender attack. Based on this incident, the SlowMist Security Team analyzes below how the RBF feature of the Bitcoin protocol affects exchanges and wallets.

What is RBF

RBF (Replace-by-Fee) is a Bitcoin memory-pool policy that allows an unconfirmed transaction to be replaced by another transaction. The main RBF schemes are as follows:

1. Full RBF: any previous transaction can be replaced by one paying a higher fee.

2. First-seen-safe RBF: replacement is allowed only if the replacement transaction's outputs pay at least as much as those of the transaction it replaces.

3. Opt-in RBF: transactions are replaceable only if the sender marks them so; an old transaction is replaced by a new one paying an additional fee. Nodes can choose to enable or disable this function.

4. Delayed RBF: counting from when a node first received the old transaction, if it still has not been mined after a given number of blocks, a new transaction is allowed to replace it unconditionally.

Bitcoin Core currently implements the Opt-in RBF scheme: a transaction is declared replaceable when it is created, and only then can another transaction replace it later. For details on Opt-in RBF, refer to the Bitcoin Core explanation at https://bitcoincore.org/en/faq/optin_rbf/

How to use RBF to attack

RBF targets 0-confirmation transactions, that is, it replaces transactions that are still unconfirmed in the memory pool. When an exchange or wallet acts on 0-confirmation transactions without correctly handling their status, the result is double spending and fake recharges (deposits that are credited but never settle). The specific attack method is as follows:

1. The attacker sends an RBF-signalling transaction whose output pays an exchange or wallet address, with a low fee so that the transaction is not mined too quickly;

2. Once the exchange has picked up the 0-confirmation transaction, the attacker immediately broadcasts a replacement transaction that redirects the output to another address the attacker controls, replacing the transaction previously sent to the exchange or wallet;

3. Because the exchange or wallet mishandles 0-confirmation transactions, it neither verifies whether the transaction is an RBF transaction nor checks its confirmation status: RBF transactions are recorded directly without confirmation, resulting in fake recharges, double spending, fraud attacks on exchanges or wallets, and DoS attacks on wallets.

The attack flow chart is as follows:

At present, the SlowMist security team has tested several decentralized wallets on the market and found this problem in some of them. The team has reported the issues to the corresponding project teams and assisted with the fixes.
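The sequence above, seen from the receiving side, as an added example that is not part of the SlowMist article: a small deposit watcher in Python that records 0-confirmation deposits as pending, marks a deposit as replaced as soon as any transaction (in the mempool or in a block) re-spends one of its inputs, and credits only after the required number of confirmations. The `DepositWatcher` and `Tx` names, the txids, addresses and amounts are all constructed for this illustration.

```python
"""Deposit watcher: credit only after N confirmations and detect replaced 0-conf deposits.
Added example with constructed data; not SlowMist's code."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Outpoint = Tuple[str, int]            # (previous txid, output index) spent by an input


@dataclass
class Tx:
    txid: str
    inputs: List[Outpoint]
    outputs: Dict[str, int]           # address -> satoshis


@dataclass
class Deposit:
    txid: str
    address: str
    amount: int
    status: str = "pending"           # pending | replaced | confirmed
    confirmations: int = 0
    replaced_by: str = ""


class DepositWatcher:
    def __init__(self, our_addresses: Set[str], required_confirmations: int = 3):
        self.ours = our_addresses
        self.required = required_confirmations
        self.deposits: Dict[str, Deposit] = {}
        self.spent_by: Dict[Outpoint, str] = {}   # outpoint -> txid most recently seen spending it

    def _register_spends(self, tx: Tx) -> None:
        # A pending deposit whose input is re-spent by a different txid has been replaced:
        # the replacement, not the deposit, is what will (or did) get mined.
        for op in tx.inputs:
            earlier = self.spent_by.get(op)
            if earlier is not None and earlier != tx.txid:
                dep = self.deposits.get(earlier)
                if dep is not None and dep.status == "pending":
                    dep.status, dep.replaced_by = "replaced", tx.txid
            self.spent_by[op] = tx.txid

    def observe(self, tx: Tx) -> None:
        """Feed every transaction the node shows us, unconfirmed or mined."""
        self._register_spends(tx)
        for addr, amount in tx.outputs.items():
            if addr in self.ours and tx.txid not in self.deposits:
                self.deposits[tx.txid] = Deposit(tx.txid, addr, amount)

    def on_block(self, block_txs: List[Tx]) -> None:
        """Advance confirmation counts; mined conflicts are caught by observe()."""
        mined = {tx.txid for tx in block_txs}
        for tx in block_txs:
            self.observe(tx)
        for dep in self.deposits.values():
            if dep.status == "replaced":
                continue
            if dep.txid in mined or dep.confirmations > 0:
                dep.confirmations += 1
            if dep.confirmations >= self.required:
                dep.status = "confirmed"

    def credited_balance(self) -> int:
        return sum(d.amount for d in self.deposits.values() if d.status == "confirmed")

    def pending_balance(self) -> int:
        # Show this separately; folding it into the total is the BigSpender mistake.
        return sum(d.amount for d in self.deposits.values() if d.status == "pending")


def demo() -> Dict[str, str]:
    """Replay the article's sequence with constructed txids/addresses; returns txid -> status."""
    exchange = "exchange-deposit-address-CONSTRUCTED"
    watcher = DepositWatcher({exchange}, required_confirmations=3)
    funding: Outpoint = ("11" * 32, 0)                        # attacker's own UTXO
    first = Tx("aa" * 32, [funding], {exchange: 100_000})     # low-fee deposit, RBF-signalling
    watcher.observe(first)                                    # exchange sees it at 0-conf
    replacement = Tx("bb" * 32, [funding], {"attacker-change-CONSTRUCTED": 99_000})
    watcher.observe(replacement)                              # same input, output redirected
    watcher.on_block([replacement])                           # the replacement is what gets mined
    honest = Tx("cc" * 32, [("22" * 32, 1)], {exchange: 50_000})
    watcher.observe(honest)
    for block in ([honest], [], []):                          # three confirmations
        watcher.on_block(block)
    return {d.txid[:4]: d.status for d in watcher.deposits.values()}


if __name__ == "__main__":
    print(demo())   # {'aaaa': 'replaced', 'cccc': 'confirmed'}
```

Keying pending deposits by the outpoints they spend, rather than by txid alone, is what makes the replacement visible: the replacement has a different txid, but it must spend at least one of the same inputs, and that collision is the signal. Feeding block transactions through the same path also catches a replacement the node never relayed as unconfirmed.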

Defense plan

1. Exchanges or wallets should not credit Bitcoin deposits at 0 confirmations;

2. If a 0-confirmation transaction must be recorded, verify that it cannot be an RBF transaction. Specifically, the nSequence field of every transaction input must equal 0xffffffff; any unconfirmed transaction containing an input whose nSequence is not 0xffffffff should be rejected;

3. Check the transaction status, i.e. whether the Bitcoin transaction has been mined and has reached the required number of confirmations (for example, 3);

4. The wallet should display each transaction's confirmation status to prevent fraud;

5. The SlowMist Security Team now supports detection of this attack. Wallets or exchanges that are unsure whether their deposit-crediting method is affected can contact the SlowMist Security Team ([email protected]) for a check.
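Items 2 and 3 in working code, as an added example that is not SlowMist's own tooling: a minimal Python deserializer for raw Bitcoin transactions (legacy and BIP144 segwit) that reads each input's nSequence, applies the article's strict rule (every input must be 0xffffffff), and folds in the confirmation count to decide whether a deposit is credited, left pending, or rejected. It goes slightly beyond the text by also showing the BIP125 signalling threshold (any input below 0xfffffffe signals replaceability); the article's rule is stricter than BIP125 and stays on the safe side. `parse_tx`, `build_tx`, `deposit_decision` and the sample transactions are assumptions made for this example.

```python
"""Parse a raw Bitcoin transaction, read each input's nSequence and decide whether a
deposit may be credited. Added example with constructed data; not SlowMist's code."""
from dataclasses import dataclass
from typing import List, Tuple

SEQUENCE_FINAL = 0xFFFFFFFF


@dataclass
class TxIn:
    prev_txid: str            # hex in display (big-endian) order
    prev_vout: int
    script_sig: bytes
    sequence: int


@dataclass
class TxOut:
    value: int                # satoshis
    script_pubkey: bytes


@dataclass
class Tx:
    version: int
    inputs: List[TxIn]
    outputs: List[TxOut]
    locktime: int
    segwit: bool


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Bitcoin CompactSize (1, 3, 5 or 9 bytes). Returns (value, next position)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width


def write_varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    for marker, width in ((0xFD, 2), (0xFE, 4), (0xFF, 8)):
        if n < 1 << (8 * width):
            return bytes([marker]) + n.to_bytes(width, "little")
    raise ValueError("varint too large")


def parse_tx(raw: bytes) -> Tx:
    """Deserialize a legacy or segwit (BIP144 marker 0x00, flag 0x01) transaction."""
    version = int.from_bytes(raw[0:4], "little"); pos = 4
    segwit = raw[pos] == 0x00 and raw[pos + 1] == 0x01   # a valid legacy tx never has 0 inputs
    if segwit:
        pos += 2
    n_in, pos = read_varint(raw, pos)
    inputs = []
    for _ in range(n_in):
        prev_txid = raw[pos:pos + 32][::-1].hex(); pos += 32   # wire order is byte-reversed
        prev_vout = int.from_bytes(raw[pos:pos + 4], "little"); pos += 4
        slen, pos = read_varint(raw, pos)
        script_sig = raw[pos:pos + slen]; pos += slen
        sequence = int.from_bytes(raw[pos:pos + 4], "little"); pos += 4
        inputs.append(TxIn(prev_txid, prev_vout, script_sig, sequence))
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little"); pos += 8
        slen, pos = read_varint(raw, pos)
        outputs.append(TxOut(value, raw[pos:pos + slen])); pos += slen
    if segwit:
        for _ in range(n_in):                       # skip each input's witness stack
            n_items, pos = read_varint(raw, pos)
            for _ in range(n_items):
                ilen, pos = read_varint(raw, pos); pos += ilen
    locktime = int.from_bytes(raw[pos:pos + 4], "little"); pos += 4
    if pos != len(raw):
        raise ValueError("trailing bytes after locktime")
    return Tx(version, inputs, outputs, locktime, segwit)


def signals_rbf(tx: Tx) -> bool:
    """BIP125: replaceable if any input has nSequence < 0xFFFFFFFE."""
    return any(i.sequence < SEQUENCE_FINAL - 1 for i in tx.inputs)


def zero_conf_acceptable(tx: Tx) -> bool:
    """The article's stricter rule: every input must carry nSequence == 0xffffffff."""
    return all(i.sequence == SEQUENCE_FINAL for i in tx.inputs)


def deposit_decision(raw: bytes, confirmations: int, required: int = 3) -> str:
    """'credit', 'pending' or 'reject': nSequence check plus the confirmation count."""
    if confirmations >= required:
        return "credit"
    if confirmations == 0 and not zero_conf_acceptable(parse_tx(raw)):
        return "reject"          # replaceable and unconfirmed: do not even show it as pending
    return "pending"


def build_tx(sequences: List[int], segwit: bool = False) -> bytes:
    """Serialize a one-output test transaction with the given per-input nSequence values.
    Constructed data only: dummy prev txids, empty scriptSigs, a fixed P2WPKH-style output."""
    raw = (2).to_bytes(4, "little") + (b"\x00\x01" if segwit else b"")
    raw += write_varint(len(sequences))
    for n, seq in enumerate(sequences):
        raw += bytes([0x10 + n]) * 32 + n.to_bytes(4, "little") + write_varint(0)
        raw += seq.to_bytes(4, "little")
    raw += write_varint(1) + (50_000).to_bytes(8, "little") + write_varint(22) + b"\x00\x14" + b"\xab" * 20
    if segwit:
        raw += b"".join(write_varint(1) + write_varint(3) + b"\x01\x02\x03" for _ in sequences)
    return raw + (0).to_bytes(4, "little")
```

Note the gap between the two checks: an input with nSequence 0xfffffffe does not signal replaceability under BIP125, yet the article's rule still rejects it at 0 confirmations; `deposit_decision` follows the article. Run `deposit_decision(build_tx([0xFFFFFFFD]), 0)` to see the reject path and `deposit_decision(build_tx([0xFFFFFFFF]), 0)` for a transaction that may be held as pending.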
