A security researcher has reported an attack leveraging a known issue with how BIP-143 commits to segwit inputs. If malware is in a position to tamper with your PSBT data, and it can get you to sign twice, it may be able to send your coins to miners. The attacker would not profit directly unless they can capture those miners' fees somehow.
This is effectively a bug in BIP-143 and will affect all devices that sign segwit transactions.
Should I worry?
If malware is in a position to tamper with your PSBT data, both going into and coming out of your Coldcard, and it can get you to sign twice for the same transaction, it may be able to send your coins to miners. The attacker would not profit directly unless they can capture the value of those miners' fees.
The assumption is that showing a generic or vague error message would be enough to make you sign twice, and to be honest, it probably is.
The amount the attacker can misdirect is determined by the mix of UTXOs in your wallet. The examples given in the original report work nicely and represent large values, but an actual attacker would have to work with the values in your UTXO set.
We are researching the best way to address this issue, as we did not get any advance notice about this issue before it became public. There will likely be changes to how PSBT files are constructed going forward, and BIP-174 (PSBT file format) may also be updated to help address this issue.
This exploit is a good example of why it’s important to maintain custody of your signed bitcoin transaction. This attack requires merging the two misleading transactions into a single result and that could not be done if you go directly from the Coldcard into a trusted means to send the transaction. For example, you could take the signed transaction (it’s a small text file with hex digits inside) from the MicroSD and send it to the public Bitcoin network using a website. One great choice is Blockstream’s onion site using a Tails setup, or Tor browser.
At the same time, using sneakernet would probably reveal this attack happening anyway, since you’d be forced to transport two different files to the Coldcard and back again while you are being attacked.
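One check that a signer, or the software feeding it, could apply to the sign-twice scenario above, shown as an added example (not Coldcard's code and not part of the original post): remember the amount claimed for every outpoint already signed, and refuse a later request that presents the same outpoint with a different amount. The request layout is a simplified stand-in for PSBT fields, and all txids and amounts are constructed.

```python
# Added example: simplified signing-request model, not a real PSBT parser.
# Field names (inputs/outputs/amount) are assumptions made for illustration.

class AmountConflict(Exception):
    """An outpoint was presented with a different amount than before."""

def displayed_fee(request):
    """Fee a signer would show: claimed input total minus outputs (sats)."""
    return sum(i["amount"] for i in request["inputs"]) - sum(request["outputs"])

def check_request(seen, request):
    """Compare claimed input amounts with earlier signing requests.

    `seen` maps (txid, vout) -> amount recorded from requests already signed.
    Raises AmountConflict, recording nothing, if any outpoint reappears
    with a different claimed amount.
    """
    conflicts = []
    for i in request["inputs"]:
        key = (i["txid"], i["vout"])
        if key in seen and seen[key] != i["amount"]:
            conflicts.append((key, seen[key], i["amount"]))
    if conflicts:
        raise AmountConflict(conflicts)
    for i in request["inputs"]:
        seen[(i["txid"], i["vout"])] = i["amount"]

# Constructed requests: same outpoints and outputs, different claimed amounts.
FIRST = {"inputs": [{"txid": "aa" * 32, "vout": 0, "amount": 1_500_000},
                    {"txid": "bb" * 32, "vout": 1, "amount": 500_100}],
         "outputs": [2_000_000]}
SECOND = {"inputs": [{"txid": "aa" * 32, "vout": 0, "amount": 100},
                     {"txid": "bb" * 32, "vout": 1, "amount": 2_000_000}],
          "outputs": [2_000_000]}

def demo():
    seen = {}
    check_request(seen, FIRST)           # first request is recorded
    try:
        check_request(seen, SECOND)      # the "please sign again" request
    except AmountConflict as exc:
        return displayed_fee(FIRST), displayed_fee(SECOND), exc.args[0]
    return displayed_fee(FIRST), displayed_fee(SECOND), []

if __name__ == "__main__":
    print(demo())
```

Both constructed requests display the same small fee, so the fee screen alone does not distinguish them; only the comparison against the remembered amounts does.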