Czech bitcoin hardware wallet maker Trezor released a firmware update two days ago. The patch was in response to a potential exploit for wallets using the Segwit protocol, a transaction fix that allows for cheaper and less data-heavy Bitcoin transactions.
But while Trezor has patched its wallets, the update still causes problems for Trezor users who rely on the wallets to interact with other Bitcoin-related software, such as the privacy-focused Wasabi wallet and Bitcoin tech stack BTCPay.
Given the manner in which the vulnerability has been patched, Trezor users who run the update and use Trezor with Wasabi and/or BTCPay will be locked out of their money. Wasabi and BTCPay urge users not to update until the compatibility issues between the firmware update and their software are resolved.
Prolific independent hacker Saleem Rashid discovered the exploit (his latest of many bitcoin hardware/software bug finds) about three months ago and made it known to major hardware wallet manufacturers including Trezor and Ledger. With a firmware update available for download, Trezor has finally fixed the vulnerability.
But with this vulnerability, which developers told Decrypt would be difficult to exploit, Trezor has been in the spotlight because of its popularity with third-party wallet integrations (the hardware wallet can connect to the popular privacy wallet Wasabi and Bitcoin payment portal BTCPay Server, for example).
The actual bug, which is more or less serious than others in the past depending on which hardware wallet and software wallet developers you ask, opens the following attack vector, according to Trezor:
A Bitcoin user using Segwit downloads specific malware from an attacker. The victim then starts a transaction with two “inputs” (i.e. parts): one input is for 10 BTC and another is for 5.0001 BTC, so the transaction total is 15 BTC for a fee of 0.0001. After confirming the transaction, the user receives an error message asking them to re-sign. The attacker then switches the transaction inputs, so that one input is for 15 BTC and the other is for 0.0001.
With this move, the 15 BTC is now the transaction fee and the 0.0001 BTC is the amount sent. But for this to pay off, the attacker must be a miner who also mines the block in which the transaction is included. The victim must also issue a transaction with more than one input and download the miner’s malware. In other words, a lot must go right for this to work.
NVK, the manufacturer of ColdCard hardware wallets, who was not aware of the vulnerability, said the “severity is low” for the attack, adding that updating hardware wallets may break the interaction of hardware wallets with other wallet software.
Potential hyperbole aside, Trezor said it is keeping the solution simple. Pavol Rusnak, CEO of Trezor, said in a statement: “The solution is simple: we need to deal with Segwit transactions in the same way as with non-Segwit transactions, which means that the wallet checks and validates all its previous transactions before sending new ones.”
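The reasoning behind the attack and the fix, as an added example that is not part of the original article or Trezor's firmware: a Segwit signature commits to the amount of the one input it signs, so a device that trusts host-reported amounts can show a small fee in each of two passes while the signatures that verify combine into a transaction with a large one. The outpoints, amounts and function names are constructed for illustration.

```python
from decimal import Decimal as D

# Constructed sample data: real amounts of two UTXOs, keyed by (txid, vout).
PREV_TXS = {("aa" * 32, 0): D("15"), ("bb" * 32, 1): D("20")}
OUTPUT_TOTAL = D("20")  # what the user intends to send

def sign_session(claimed, outputs_total, prev_txs=None):
    """Model one signing pass on the device (hypothetical helper).

    claimed maps each outpoint to the amount the host software reports.
    Returns (fee shown to the user, amounts each signature commits to).
    If prev_txs is given (patched behaviour), every claimed amount is
    first checked against the previous transaction it spends from.
    """
    if prev_txs is not None:
        for outpoint, amount in claimed.items():
            if outpoint not in prev_txs:
                raise LookupError("previous transaction not supplied")
            if prev_txs[outpoint] != amount:
                raise ValueError("amount does not match previous transaction")
    fee_shown = sum(claimed.values()) - outputs_total
    return fee_shown, dict(claimed)

def valid_signatures(committed, true_amounts):
    """A Segwit signature verifies only if its committed amount is the real one."""
    return {op for op, amt in committed.items() if true_amounts[op] == amt}

def real_fee(true_amounts, outputs_total):
    """Fee the network sees: sum of real input amounts minus outputs."""
    return sum(true_amounts.values()) - outputs_total

def demo_unpatched():
    """Two passes with misreported amounts, no previous-transaction check."""
    a, b = PREV_TXS
    fee1, sig1 = sign_session({a: D("15"), b: D("5.0001")}, OUTPUT_TOTAL)
    fee2, sig2 = sign_session({a: D("0.0001"), b: D("20")}, OUTPUT_TOTAL)
    usable = valid_signatures(sig1, PREV_TXS) | valid_signatures(sig2, PREV_TXS)
    return fee1, fee2, usable, real_fee(PREV_TXS, OUTPUT_TOTAL)

if __name__ == "__main__":
    fee1, fee2, usable, actual = demo_unpatched()
    print(f"fee shown: {fee1} then {fee2}; valid signatures: {len(usable)}")
    print(f"fee actually paid: {actual}")
```

Passing `prev_txs=PREV_TXS` models the patched check and rejects both passes; passing an empty dict models host software that cannot supply the previous transactions, the compatibility problem described for pruned nodes.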
But even if the solution is easy for Trezor to make, that doesn’t mean the problem is completely resolved for Trezor users who rely on the wallet to interact with other software.
The solution, for example (with Segwit wallets checking and re-validating old transactions), does not work with some ‘third party tools’.
“Trezor cannot sign transactions with these tools until they are updated to work correctly. Due to the responsible disclosure process, we were unable to inform the administrators in advance,” said the company’s message.
One of these affected parties is the privacy-oriented Wasabi wallet, which was integrated with Trezor last year. Its founder, Adam Ficsor, announced on Twitter that Wasabi users should not update their firmware until ‘compatibility issues’ are resolved.
Ficsor told Decrypt via email that in his opinion “the consequences of the firmware update to which Trezor users are excluded [Wasabi] wallet is more problematic than the attack itself,” and although he agrees “with NVK’s assessment,” he does not blame Trezor “for being overly cautious.”
Nicolas Dorier, founder and head of the open-source BTCPay Server, told Decrypt that he wished Trezor “offered a transitional period of 1-2 months, giving users time to migrate their money.”
BTCPay Server is a decentralized Bitcoin payment processor with added features like the Lightning network and, since last year, hardware wallet integration with Trezor.
Dorier said his service should probably drop support for Trezor and other hardware wallets that require this kind of transaction check because BTCPay Server users don’t store all blockchain data; they use so-called “pruned” nodes that only store as much data as needed to use BTCPay’s services with the Bitcoin network (this makes it faster and easier to download and run BTCPay).
So just like Wasabi, BTCPay urges its users not to update; otherwise their money will be locked out of the service. As long as users are on an older version of the Trezor firmware, they should have no problem withdrawing their money. They can also restore their wallets from their seed phrase (the backup phrase that acts as a master key for a wallet in case it gets damaged or lost), either on a different unpatched hardware wallet or as a new wallet at their BTCPay instance.
For now, Trezor users on Wasabi and BTCPay are advised to hold tight and move their money before updating.