Ledger, the company behind a popular range of hardware wallets, reported a bug in its software last Thursday concerning Ethereum funds. The bug was initially announced by Ledger on Twitter. The tweet revealed that their Google Chrome app was displaying an incorrect destination address:
There is currently an issue on the Ledger Wallet Ethereum Chrome application, showing on screen a static address (same for all users). This looks more like a bug than a compromission. Engineering is working on it, we’ll know more soon. PLEASE USE ONLY LEDGER LIVE / MEW MEANWHILE
— Ledger (@LedgerHQ) August 3, 2018
As a result, sixty-four transactions did not arrive at the intended address. They were instead delivered to a single incorrect address starting with ‘0xC33B16’, which seems to be a placeholder address owned by Ledger. No funds were stolen as a result of the bug, and Ledger has since announced that it will return misdirected funds, including transaction fees, to the proper owners. Ledger is asking affected users to contact the company via its support page.
The impact of the bug was minimized by Ledger’s quick response and by the fact that the bug was limited to a specific software version: “version 1.3.0 of the Ledger Wallet Ethereum Chrome App” to be precise. If this version is installed on your computer, the patched update will be automatically installed on Google Chrome’s next startup.
The bug was not caused by a hack but was a side effect of an update that invited users to install the Ledger Live software, a desktop app which will eventually replace the Google Chrome app when the latter is discontinued later this year.
Even though the issue was due to a rushed delivery of an update rather than malicious intent, an actual attack could appear very similar to this bug. Ledger previously raised the possibility of an “industry-wide” susceptibility to man-in-the-middle attacks, in which attackers replace their target’s addresses with their own.
Although hardware wallets are one of the safest ways of storing crypto, Ledger is still urging users to verify or double-check their addresses before sending or receiving funds.
The post Ledger Bug Accidentally Sends 64 Ethereum Transactions To the Wrong Address appeared first on UNHASHED.