Security Fix (BIP-143 replay attack)

This release includes defences for an attack against SegWit users. Please upgrade ASAP.

This issue can only affect SegWit addresses, and would require you to accidentally sign twice for what looks like the same transaction. Neither signed transaction is valid, but they could be mixed together into a valid transaction that gives away your coins to miners.

The attacker must be a MiTM and able to produce two modified PSBT files, trick you into signing them both, and then combine the signed results from those two signed PSBTs into another transaction before sending. There is no evidence any malicious actor has exploited this bug, but the underlying limitation of BIP-143 has been known for years.

All hardware wallet vendors are affected because this known flaw is part of the standard for SegWit signatures. Each vendor will have different solutions, some of which may break backward compatibility, or have a big impact on the rest of the ecosystem.

The Coinkite solution is to add some history to the COLDCARD: It will now capture the amount stored at the recently-used SegWit UTXO you control. For the attack to work, the attacker needs to present different (fraudulent) amounts for two or more UTXO. We can detect that happening now, since UTXO are immutable. Your stored UTXO are compressed, hashed and encrypted so they cannot be revealed if your COLDCARD is captured, even once unlocked with the PIN.

If the attack is attempted, the PSBT will be rejected, and you’ll see an error message, similar to: Input#0: Expected 15 but PSBT claims 5.00001 BTC

Bottom line: After this upgrade, you are secure against this attack. You don’t need to change any other software nor change the contents of PSBT files.

Download the latest firmware

Notwithstanding BIP-341 Taproot fixes everything😉

BIP-85: Deterministic Entropy From BIP32 Keychains

You probably haven’t heard of BIP-85 yet because it only became official a few days ago. You will want it! It’s a big usability and convenience upgrade:

COLDCARD can now derive “entropy”, based mathematically on your COLDCARD’s seed value. This will be displayed as a 12 or 24 word seed phrase, or formatted in other ways to make it easy to import into other wallet systems.

You can easily recreate this value later, based only the seed phrase or encrypted backup file for the COLDCARD.

There is no way to reverse the process, even if the other wallet system is compromised. As a result, the other wallet is segregated from the COLDCARD and yet still fully backed-up.

How To Use

  • Go to Advanced > Derive Entropy
  • Choose type of data export needed for target wallet: 12 words / 18 words / 24 words, WIF (private key), XPRV (BIP32), or 32/64-bytes hex.

  • Enter an “index number” from 0 to 9999. This is anything you wish and allows you to do have multiple wallets of the same-type. You should probably write down what index number you used, since it is required for restore.

  • The seed words, or other value, is shown on-screen. Scroll down to see the details for the BIP-85 path used to create the entropy, as well as the raw entropy itself.

  • You can stop here, or press (1) to save the screen contents to the MicroSD card. (This is somewhat insecure, since it’s private key material, but very handy.)

  • (Advanced users) Press (2) to make the COLDCARD switch over temporarily to the new key. This will allow you to sign PSBT files associated with the derived wallet. The key stays in effect until next power down. You will probably need to consult in order to build specialized PSBT files for recovery purposes.

Thanks go to Ethan Kosakovsky for creating this useful standard, and for accepting our additions as the standard was being refined.

We still recommend people don’t mix their “deep cold HODL” with their other wallet. It’s best to have one/many master seed for your “Spending” wallet and one/many master seed for your “long term HODL”. Then use your Spending’s master to generate seeds. It’s important to segregate funds.

New Feature: Display of TXID

When the COLDCARD is finalizing a transaction, we now show the TXID (hex transaction ID) of the transaction on the screen. You can verify that number when transmitting the transaction to the blockchain. It’s also what you need to lookup your transaction on blockchain explorers.

Example TXID screen

Other Changes

  • Bugfix: When scrambled keypad used with the login delay feature, the PIN-entry sequence was not scrambled after the forced delay was complete. Thanks to an anon customer for reporting this.

  • Enhancement: Scrambled keypad didn’t change between PIN prefix and suffix.

  • Enhancement: QR Code rendering improved. Should be more readable in more cases. Faster.

  • Bug fixes and performance enhancements.


Video Tutorials

We now have started releasing video tutorials: check them out on Youtube.

More being added every other day!

BIP-85 Demo