LedgerHQ/ledgerjs

signP2SHTransaction large fee vulnerability

landabaso opened this issue · 0 comments

Could you guys take a look and confirm if signP2SHTransaction was updated to deal with the large fee transaction vulnerability[1]?

When signing a p2wsh transaction the Ledger device will show "Unverified Inputs Update Ledger Live or third party wallet software".
It will still sign the transaction (with correct signatures - I can confirm). But that message makes me suspicious that ledgerjs's signP2SHTransaction may still be affected by the vulnerability which could lead to a potential security problem. Also the UX is pretty bad.

I've seen this problem in my tests and confirmed it happens to other parties that use ledgerjs for p2wsh. See for example Unchained Capital:
unchained-capital/unchained-wallets#32

signP2SHTransaction was updated to deal with segwit in 2018 (#189), way before that vulnerability was disclosed.

I tried to find the pull request that fixed the fee vulnerability for createPaymentTransactionNew to see if signP2SHTransaction was easily fixable by comparison but could not find it.

[1] https://blog.trezor.io/details-of-firmware-updates-for-trezor-one-version-1-9-1-and-trezor-model-t-version-2-3-1-1eba8f60f2dd