11 May 2023: Invalid addresses for certain miniscript policies
Summary
Miniscript is a language to define possibly complex spending conditions for bitcoin wallets.
The Ledger bitcoin app supports miniscript policies since version 2.1.0, deployed in February 2023.
Versions 2.1.0 and 2.1.1 of the app incorrectly handle the a: fragment, causing the app to produce wrong addresses.
In theory this is critical as the device is usually trusted to display the right address. In practice, the impact is limited, as there is no currently deployed wallet software with a full integration with such policies.
Any other wallet not using miniscript, or any miniscript policy not containing the a: fragment, is not affected.
Users who encounter issues related to spending Bitcoins can reach out Ledger Support.
Description
The a: fragment was incorrectly implemented in the Ledger bitcoin app.
Read more in the detailed report by Antoine Poinsot showing how the vulnerability could be exploited.
Mitigations
The 2.1.2 version of the app fixed the handling of the a: fragment. Users making use of miniscript policies are strongly recommended to upgrade.
As a further mitigation, all the three client libraries have been updated to reject miniscript policies containing the a: fragment on the affected versions of the Ledger bitcoin app; this reduces the risk of incorrectly implemented software wallets using the wrong receiving addresses:
- ledger-bitcoin Python client on Pypi, version
0.2.1. - ledger-bitcoin JavaScript client on npm, version
0.2.1. - ledger_bitcoin_client Rust crate on crates.io, version
0.1.3.
Recommendations for software wallets
Generally, it is strongly recommended that software wallets fully implement the address verification flow on the device screen, This allows the user to inspect the address. Absent that, users are inherently more vulnerable to malware installed on the user’s machine that might (for example) replace the receiving address.
Moreover, software wallets would typically be able to generate the addresses independently (for example, in order to scan for incoming transactions). Therefore, it is recommended that once the user approves an address (prior to receiving funds), the software wallet compares the address it expects with the one returned by the hardware wallet. This is in line with the principles of defense in depth, where seemingly redundant security checks do in fact increase the overall security when unexpected situations do occur, like a hardware bug.
In a software wallet implementing these recommendations, the impact of this vulnerability is indeed smaller, as exploitation of the bug against a user would require that either:
- the software wallet contains malware specifically targeting the vulnerability;
- the user skips the address verification step when receiving funds, which goes against the recommended security practices.
Credits
We would like to thank Kevin Loaec and Antoine Poinsot, who discovered the vulnerability and disclosed it through our bug bounty program.