Trezor, the maker of hardware cryptocurrency wallets, announced firmware updates 1.9.1 for the Trezor One and 2.3.1 for the Trezor Model T. The updates fix a security vulnerability in the handling of SegWit transactions that was discovered three months ago.
The Vulnerability In Question
As today's blog post from the company explains, for non-SegWit transactions Trezor requires the previous transaction in order to check the UTXO's real amount. This ensures that the user cannot be misled about the difference between input and output amounts and would not pay a significantly larger fee without knowing it.
Segregated Witness (SegWit) transactions, however, require different data to be signed: the data includes the amount of the UTXO being spent. This simplifies the process, and if an attacker lies about that UTXO amount, the signature will not be valid.
Yet the security vulnerability, discovered in March this year, could be exploited as in the following example:
The victim has two SegWit (BIP-143) UTXOs of 15 BTC and 20 BTC. Malware asks the victim to confirm a transaction with input 1 as 15 BTC and input 2 as 5.00000001 BTC, with the user's chosen outputs and a valid change output, if necessary.
The victim confirms it, but the malware displays an error and requests another confirmation with input 1 as 0.00000001 BTC and input 2 as 20 BTC, with the same outputs as before. This transaction looks much the same as the first one, and the user confirms it.
The malware could use the signature of input 1 from the first transaction and the signature of input 2 from the second one to create a transaction that spends 15 BTC from input 1 and 20 BTC from input 2. In this scenario, the user will end up paying a transaction fee of just over 15 BTC.
Trezor's Solution
The implemented fix from Trezor seems rather straightforward. With the recent updates, the firm will treat SegWit transactions in the same manner as non-SegWit ones. More specifically, Trezor will require the validation of the UTXO amounts from the previous transactions.
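The scenario and the fix described above, as an added example that is not from Trezor's firmware or the original article: it computes the BIP-143 digest for each input and shows that each digest commits only to that input's own amount, so both misleading requests show the same small fee, while checking amounts against the previous transactions flags both. The outpoints, scripts and the `PREV_TX_AMOUNTS` lookup are constructed stand-ins for data a device would verify from the previous transactions themselves.

```python
import hashlib
import struct

COIN = 100_000_000  # satoshis per BTC

def dsha(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def bip143_digest(inputs, outputs, idx, version=2, locktime=0, sighash=1):
    """BIP-143 SIGHASH_ALL digest for input idx (0-based).
    inputs: (outpoint36, script_code, amount_sat, sequence); outputs: (value_sat, script_pubkey)."""
    hash_prevouts = dsha(b"".join(i[0] for i in inputs))
    hash_sequence = dsha(b"".join(struct.pack("<I", i[3]) for i in inputs))
    hash_outputs = dsha(b"".join(struct.pack("<Q", v) + bytes([len(s)]) + s for v, s in outputs))
    outpoint, code, amount, seq = inputs[idx]
    return dsha(struct.pack("<i", version) + hash_prevouts + hash_sequence + outpoint
                + bytes([len(code)]) + code + struct.pack("<Q", amount)  # only THIS input's amount
                + struct.pack("<I", seq) + hash_outputs + struct.pack("<II", locktime, sighash))

# Constructed sample data (not real transactions).
OUTPOINTS = [b"\x11" * 32 + struct.pack("<I", 0), b"\x22" * 32 + struct.pack("<I", 1)]
SCRIPT_CODE = bytes.fromhex("76a914") + bytes(20) + bytes.fromhex("88ac")
OUTPUTS = [(1_999_990_001, b"\x00\x14" + bytes(20))]
# Assumption: stands in for amounts read from the verified previous transactions.
PREV_TX_AMOUNTS = dict(zip(OUTPOINTS, [15 * COIN, 20 * COIN]))

def build(amounts):
    return [(op, SCRIPT_CODE, a, 0xFFFFFFFF) for op, a in zip(OUTPOINTS, amounts)]

def fee(inputs):
    """Fee implied by the amounts in `inputs` (what a device would display)."""
    return sum(i[2] for i in inputs) - sum(v for v, _ in OUTPUTS)

def mismatched_inputs(inputs):
    """The fix: compare each claimed amount with the previous transaction's output."""
    return [i for i, (op, _, amt, _) in enumerate(inputs) if PREV_TX_AMOUNTS[op] != amt]

REQUEST_1 = build([15 * COIN, 5 * COIN + 1])  # first confirmation in the article
REQUEST_2 = build([1, 20 * COIN])             # second confirmation
ACTUAL = build([15 * COIN, 20 * COIN])        # amounts the network enforces

if __name__ == "__main__":
    print("displayed fees (sat):", fee(REQUEST_1), fee(REQUEST_2))
    print("real fee (sat):", fee(ACTUAL))
    print("input 1 digest equals real:", bip143_digest(REQUEST_1, OUTPUTS, 0) == bip143_digest(ACTUAL, OUTPUTS, 0))
    print("input 2 digest equals real:", bip143_digest(REQUEST_2, OUTPUTS, 1) == bip143_digest(ACTUAL, OUTPUTS, 1))
    print("inputs rejected by amount check:", mismatched_inputs(REQUEST_1), mismatched_inputs(REQUEST_2))
```

Indexes in the code are 0-based, so the article's input 1 and input 2 are `idx` 0 and 1.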
The company also said that "applications using Trezor Connect version 8 will continue to work seamlessly." Trezor will also provide a patch for users of the Electrum wallet. Until that patch is in place, they won't be able to use Electrum with the newest firmware.
"Unfortunately, some third-party tools do not allow hardware wallets to obtain the previous transaction in case of SegWit inputs, which is why Trezor will not be able to sign transactions using these tools until they are updated to work correctly. Due to the responsible disclosure process, we were not able to inform the maintainers beforehand," reads the statement.
The post Trezor Releases a Firmware Update to Patch a Possible Vulenrability With Segwit Transactions appeared first on CryptoPotato.