

Tezos [XTZ]: Multiple Tezos Wallets found vulnerable to blind signature attacks




Tezos, the 24th largest cryptocurrency, is well known for its self-amending cryptographic ledger. It was recently noticed that certain Tezos wallets have an inherent flaw that allows ‘blind signature’ attacks, commonly shortened to ‘blind sig’ attacks: the wallet signs transaction bytes it never inspected.

The post surfaced on the official Tezos subreddit, r/tezos. It described a vulnerability through which certain wallets could be abused to drain user funds.

The post stated:

“All major Tezos wallets we tested, except two, are vulnerable to a simple yet catastrophic attack that can lead to loss of funds (blind signature vulnerability).”

The post explains that these ‘vulnerable’ wallets do not build the raw transaction themselves, as wallets for other cryptocurrencies do. Instead they send the transaction details to a server (an RPC node) and ask it to produce the binary encoding. The wallets then sign the returned bytes without parsing or checking them, so the user is trusting the RPC node to return an honest encoding of the transaction they intended. If that node is compromised, it controls what the client signs.

A compromised RPC node could return a different, malicious transaction to sign, and since the binary is never parsed or compared against the user’s intent, the attackers could easily siphon the users’ funds with a perfectly valid signature.
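The following is an added illustration of the weakness and its fix; it is not code from the Reddit post or from any of the wallets discussed. It models a wallet that asks an RPC node to forge (serialise) a transaction, shows a compromised node substituting a drain transaction, and shows two guards a wallet can apply before signing: re-forging the transaction locally and comparing bytes, and parsing the returned bytes back into fields and comparing them with the user’s intent. The binary layout is a simplified model of a Tezos transaction operation (branch, tag, source, fee, counter, gas limit, storage limit, amount, destination, parameters flag) using Tezos-style unsigned zarith integers and the 0x03 operation watermark; the exact layout, the tag value, the field sizes and the sample keys and hashes are assumptions for the example, not a byte-exact spec for any protocol version, and the final key-based signature step is left out.

```python
"""Forge-and-verify guard against blind signing (added example, not wallet code).

Layout modelled here (ASSUMPTION, not byte-exact for any Tezos protocol):
  branch(32) || tag(1) || source(21) || fee(N) || counter(N) || gas(N)
  || storage(N) || amount(N) || destination(22) || has_parameters(1)
where N is the Tezos unsigned zarith encoding.
"""
import hashlib
from dataclasses import dataclass

TX_TAG = 0x6C  # transaction tag in the modelled layout (assumption)


def encode_nat(n: int) -> bytes:
    """Unsigned zarith: 7 bits per byte, little-endian, high bit = continuation."""
    if n < 0:
        raise ValueError("natural numbers only")
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def decode_nat(buf: bytes, pos: int):
    """Inverse of encode_nat; returns (value, new_position), rejects truncation."""
    n, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated zarith integer")
        b = buf[pos]
        pos += 1
        n |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return n, pos


@dataclass(frozen=True)
class Transaction:
    branch: bytes        # 32 bytes
    source: bytes        # 21 bytes
    fee: int
    counter: int
    gas_limit: int
    storage_limit: int
    amount: int          # in mutez
    destination: bytes   # 22 bytes


def forge_locally(tx: Transaction) -> bytes:
    """Serialise a transaction in the modelled layout without any server."""
    if len(tx.branch) != 32 or len(tx.source) != 21 or len(tx.destination) != 22:
        raise ValueError("bad field length")
    return (tx.branch + bytes([TX_TAG]) + tx.source
            + encode_nat(tx.fee) + encode_nat(tx.counter)
            + encode_nat(tx.gas_limit) + encode_nat(tx.storage_limit)
            + encode_nat(tx.amount) + tx.destination + b"\x00")


def parse_forged(buf: bytes) -> Transaction:
    """Decode forged bytes; accepts exactly one plain transaction, nothing else."""
    if len(buf) < 54 or buf[32] != TX_TAG:
        raise ValueError("not a single transaction operation")
    branch, source, pos = buf[:32], buf[33:54], 54
    fee, pos = decode_nat(buf, pos)
    counter, pos = decode_nat(buf, pos)
    gas, pos = decode_nat(buf, pos)
    storage, pos = decode_nat(buf, pos)
    amount, pos = decode_nat(buf, pos)
    destination, pos = buf[pos:pos + 22], pos + 22
    if len(destination) != 22 or buf[pos:pos + 1] != b"\x00" or pos + 1 != len(buf):
        raise ValueError("unexpected parameters or trailing data")
    return Transaction(branch, source, fee, counter, gas, storage, amount, destination)


# Constructed sample data (not real addresses or block hashes).
ATTACKER = b"\x00\x00" + b"\xff" * 20
SAMPLE_TX = Transaction(bytes(range(32)), b"\x00" + b"\x11" * 20,
                        fee=1420, counter=7, gas_limit=10600, storage_limit=300,
                        amount=5_000_000, destination=b"\x00\x00" + b"\x22" * 20)


def honest_rpc_forge(tx: Transaction) -> bytes:
    return forge_locally(tx)


def malicious_rpc_forge(tx: Transaction) -> bytes:
    """Compromised node: same branch/counter, but drains the account to ATTACKER."""
    evil = Transaction(tx.branch, tx.source, tx.fee, tx.counter, tx.gas_limit,
                       tx.storage_limit, 1_000_000_000, ATTACKER)
    return forge_locally(evil)


def signing_digest(forged: bytes) -> bytes:
    """Digest a Tezos signer signs: blake2b-256 over watermark 0x03 || operation bytes."""
    return hashlib.blake2b(b"\x03" + forged, digest_size=32).digest()


def blind_sign(forged: bytes) -> bytes:
    """Vulnerable behaviour: sign whatever the RPC returned (key signing omitted)."""
    return signing_digest(forged)


def checked_sign(intended: Transaction, forged: bytes) -> bytes:
    """Hardened behaviour: refuse unless the bytes match the user's intent."""
    if forged != forge_locally(intended):           # guard 1: re-forge and compare
        raise ValueError("RPC bytes differ from local forge; refusing to sign")
    if parse_forged(forged) != intended:            # guard 2: parse and compare fields
        raise ValueError("decoded fields differ from intent; refusing to sign")
    return signing_digest(forged)


if __name__ == "__main__":
    print("honest node, checked:", checked_sign(SAMPLE_TX, honest_rpc_forge(SAMPLE_TX)).hex())
    evil_bytes = malicious_rpc_forge(SAMPLE_TX)
    print("blind wallet signs a drain of", parse_forged(evil_bytes).amount, "mutez")
    try:
        checked_sign(SAMPLE_TX, evil_bytes)
    except ValueError as e:
        print("checked wallet:", e)
```

Either guard alone defeats the substitution shown; local forging is the simpler one to ship, and parsing is what lets a wallet display the decoded amount and destination to the user before signing. Hardware signers that cannot parse the format are still blind signers and need the host wallet to perform one of these checks.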

The post also provided the creators of the wallets a demo to test if their wallets were vulnerable to such threats.

Furthermore, the subreddit post stated:

“Cryptocurrency wallets were meant to be trustless, but most Tezos wallets are not… When you’re signing any tx with these wallets you’re trusting the server (RPC) to send you money… The RPC you rely upon could turn malicious (e.g. be hacked) at any moment in time, with no way for you to detect it.”

The post points to the recent attack on Electrum wallets, which it describes as more secure than the affected Tezos wallets yet still led to a loss of assets worth about $750,000.

LibreBox was one of the wallets named in the post; the post stated that it has since been fixed and can no longer be ‘blind sig’ attacked.

The post suggested a few steps that could be done to secure the users’ funds, which were:

“1. Tezos users: do not sign any tx with a vulnerable wallet until the vulnerability is addressed.
2. Wallet developers: immediately start warning your users of the danger, until binary txs are parsed and checked. If you resolved the issue or if your wallet is not listed, feel free to contact us to update this post.
3. Tezos Foundation: immediately release specs for the binary tx format, and improve documentation to a more decent standard.”

Corey Soreff, a board member of Tezos Commons, mentioned that the vulnerability in the wallets in question has been patched.


Akash is your usual Mechie with an unusual interest in cryptos and day trading, ergo a full-time journalist at AMBCrypto. Holds XRP due to peer pressure but is otherwise found day trading with what little capital he owns.


