This repository has been archived by the owner on Jun 27, 2022. It is now read-only.
signP2SHTransaction large fee vulnerability #815
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Could you guys take a look and confirm if signP2SHTransaction was updated to deal with the large fee transaction vulnerability[1]?
When signing a p2wsh transaction the Ledger device will show "Unverified Inputs Update Ledger Live or third party wallet software".
It will still sign the transaction (with correct signatures - I can confirm). But that message makes me suspicious that ledgerjs's signP2SHTransaction may still be affected by the vulnerability which could lead to a potential security problem. Also the UX is pretty bad.
I've seen this problem in my tests and confirmed it happens to other parties that use ledgerjs for p2wsh. See for example Unchained Capital:
unchained-capital/unchained-wallets#32
signP2SHTransaction was updated with deal with segwit in 2018 (#189), way before that vulnerability was disclosed.
I tried to find the pull request that fixed the fee vulnerability for createPaymentTransactionNew to see if signP2SHTransaction was easily fixable by comparison but could not find it.
[1] https://blog.trezor.io/details-of-firmware-updates-for-trezor-one-version-1-9-1-and-trezor-model-t-version-2-3-1-1eba8f60f2dd
The text was updated successfully, but these errors were encountered: