Ben Ma, a security researcher who works for hardware wallet manufacturer Shift Crypto, discovered the Coldcard hardware wallet has a flaw: An attacker could trick Coldcard users into sending a real bitcoin transaction when they think they are sending a “testnet” transaction – or a payment on Bitcoin’s testing network, which is not the same as the mainnet.
Both testnet and mainnet bitcoin transactions “have the exact same transaction representation under the hood,” Ma writes in his post disclosing the vulnerability. An attacker could then generate a bitcoin mainnet transaction for the hardware wallet but make it look like a testnet transaction. The mainnet transaction is presented like a testnet transaction on the user’s wallet, making it difficult for users to recognize the error.
Ma learned of the vulnerability after a pseudonymous researcher discovered the so-called “isolation bypass” attack in the French-manufactured Ledger hardware wallet.
‘Bypass’ Bitcoin wallet vulnerability: A background
When the initial vulnerability in the Ledger wallet was disclosed, Coinkite founder and Coldcard creator Rodolfo Novak said, “Coldcard doesn't support any s**tcoins. We find that to be the best path,” implying that his bitcoin-only wallet would be safe because the flaw (in part) resulted from the fact that Ledger devices previously managed different coins using the same private key.
Since Coldcard doesn’t support multiple coins, it theoretically shouldn’t have this problem. And it wouldn’t, if it weren’t for the fact that it can be exploited with bitcoin testnet addresses.
If users' computers are compromised – and the Coldcard device is unlocked and connected to that computer – then an adversary could trick users into sending real bitcoin when they think they are sending testnet bitcoin.
“The attacker merely has to convince the user to, e.g., ‘try a testnet transaction’ or to buy an ICO with testnet coins (I’ve heard there was a [initial coin offering] like this recently) or any number of social engineering attacks to make the user performs a testnet transaction. After the user confirms a testnet transaction, the attacker receives mainnet bitcoin in the same amount,” Ma writes in the post.
Because an attacker could execute this attack remotely, it met Shift Crypto’s criteria as a critical issue, triggering the responsible disclosure process.
According to the post, Ma disclosed the vulnerability to Coinkite on Aug. 4 and Novak acknowledged it the next day. On Nov. 23, Coldcard released a beta firmware to patch the vulnerability.
A Coldcard representative told CoinDesk that “unlike the attack on Trezor/Ledger,” Coldcard’s version “is not a realistic attack because the attacker would have to convince the victim to manually switch the device to testnet. That's not something people are likely to do.”
Additionally, Coinkite addressed the vulnerability in a blog post, adding that an attacker would have had to learn a victim’s XPUB (the master public key for their wallet) and the specific transaction ID for the unspent bitcoin they were targeting to pull off the attack.
Coldcard now includes a warning message when a user decides to switch the wallet into testnet (the wallet is set to mainnet by default).
UPDATE (November 25, 2020, 5:52 UTC): This article has been updated to include additional information from Coldcard.