Bitcoin Forum
November 19, 2024, 11:56:21 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: ledger vulnerability: Invalid addresses for certain miniscript policies  (Read 93 times)
Yamane_Keto (OP)
Hero Member
*****
Offline Offline

Activity: 630
Merit: 510



View Profile WWW
May 12, 2023, 11:34:59 AM
Merited by dkbit98 (3), Pmalek (2), Lucius (1)
 #1

Miniscript is a language to define possibly complex spending conditions for bitcoin wallets.

The Ledger bitcoin app supports miniscript policies since version 2.1.0, deployed in February 2023.

Quote
Versions 2.1.0 and 2.1.1 of the app incorrectly handle the a: fragment, causing the app to produce wrong addresses.

In theory this is critical as the device is usually trusted to display the right address. In practice, the impact is limited, as there is no currently deployed wallet software with a full integration with such policies.

Any other wallet not using miniscript, or any miniscript policy not containing the a: fragment, is not affected.

Users who encounter issues related to spending Bitcoins can reach out Ledger Support.

Source https://donjon.ledger.com/lsb/019/
Read more in the detailed report by Antoine Poinsot https://wizardsardine.com/blog/ledger-vulnerability-disclosure/

Although there are very few (users) who use such functions and will be affected by this vulnerability (this will only happen if you are using advanced hand-rolled tooling), it is necessary to upgrade to version 2.1.2.

えいごをはなせますか。
dkbit98
Legendary
*
Offline Offline

Activity: 2422
Merit: 7590



View Profile WWW
May 12, 2023, 10:27:13 PM
Last edit: May 12, 2023, 10:50:42 PM by dkbit98
 #2

Although there are very few (users) who use such functions and will be affected by this vulnerability (this will only happen if you are using advanced hand-rolled tooling), it is necessary to upgrade to version 2.1.2.
Thanks for reporting before me, I was just getting ready to write about this  Wink
This was very serious bug and result of this exploit could be theft of coins, this could happen if it wasn't reported by this guys and fixed on time.
Maybe this would never happen if Ledger would spent more time improving their Bitcoin app instead of wasting time with bunch of shitcoins.
Everyone better update latest version of your BTC app that was released few days ago.

EDIT:
Bitcoin app v2.1.2 is latest one.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Pmalek
Legendary
*
Offline Offline

Activity: 2954
Merit: 7565


Playgram - The Telegram Casino


View Profile
May 14, 2023, 04:31:09 PM
 #3

I wonder what they mean with complex spending conditions? I assume it's got nothing to do with standard sending/receiving, generating addresses, etc. Could it be related to Taproot and the "bitcoin tokens" and ordinals?

If I understood correctly, for a successful attack, the software you use would have to be malicious, hacked, or manipulated with malware. The second condition is that the user doesn't verify the address on the hardware wallet screen. Apparently, Liana is the only client where the Miniscript feature worked completely.   

▄▄███████▄▄███████
▄███████████████▄▄▄▄▄
▄████████████████████▀░
▄█████████████████████▄░
▄█████████▀▀████████████▄
██████████████▀▀█████████
████████████████████████
██████████████▄▄█████████
▀█████████▄▄████████████▀
▀█████████████████████▀░
▀████████████████████▄░
▀███████████████▀▀▀▀▀
▀▀███████▀▀███████

▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
 
Playgram.io
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

▄▄▄░░
▀▄







▄▀
▀▀▀░░
▄▄▄███████▄▄▄
▄▄███████████████▄▄
▄███████████████████▄
▄██████████████▀▀█████▄
▄██████████▀▀█████▐████▄
██████▀▀████▄▄▀▀█████████
████▄▄███▄██▀█████▐██████
█████████▀██████████████
▀███████▌▐██████▐██████▀
▀███████▄▄███▄████████▀
▀███████████████████▀
▀▀███████████████▀▀
▀▀▀███████▀▀▀
██████▄▄███████▄▄████████
███▄███████████████▄░░▀█▀
███████████░█████████░░
░█████▀██▄▄░▄▄██▀█████░
█████▄░▄███▄███▄░▄█████
███████████████████████
███████████████████████
██░▄▄▄░██░▄▄▄░██░▄▄▄░██
██░░░░██░░░░██░░░░████
██░░░░██░░░░██░░░░████
██▄▄▄▄▄██▄▄▄▄▄██▄▄▄▄▄████
███████████████████████
███████████████████████
 
PLAY NOW

on Telegram
[/
Yamane_Keto (OP)
Hero Member
*****
Offline Offline

Activity: 630
Merit: 510



View Profile WWW
May 15, 2023, 11:43:42 AM
Merited by Pmalek (2), dkbit98 (1)
 #4

I wonder what they mean with complex spending conditions? I assume it's got nothing to do with standard sending/receiving, generating addresses, etc. Could it be related to Taproot and the "bitcoin tokens" and ordinals?
No, Since bitcoin script is a stack-based language with too many edge cases, miniscript is the function representation for these stack-based scripts and designed for Tapscript (BIP342) embedded scripts.
what is happen above is vulnerability enable bypassing some spending conditions which was not allowed in the previously generated script and thus enables a third party to the possibility of spending.

Apparently, Liana is the only client where the Miniscript feature worked completely.   
even Liana is not effected because there is no release of it that allows the user to create descriptor that was affected by this vulnerability

You will find technical details, sources and more here https://wizardsardine.com/blog/ledger-vulnerability-disclosure/

The Miniscript fragment a:X was incorrectly encoded by the Ledger Bitcoin application. Instead of translating to:

Code:
OP_TOALTSTACK X OP_FROMALTSTACK
It was encoded to:

Code:
OP_TOALTSTACK X
This opens the possibility for the spender to always provide the return value of the expression preceding a a: in a Miniscript. This implies any type of check (preimage, signature, timelock) preceding a a: may be bypassed (just feed a 1 at the correct place in the witness).

えいごをはなせますか。
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!