Topic: Vulnerability on electrum 3.0.6? [Solved] (Read 168 times)

HCP
legendary
Activity: 2086
Merit: 4363
February 23, 2018, 01:01:54 PM
#9
0.002 BTC sounds like the 2 factor security fee. This is collected once for every 20 transactions, i.e. the following 19 transactions won't have a fee.
Those 0.002 are charged from trusted coin.
You do have 2FA activated in electrum, right?
I very much doubt that this has anything to do with 2FA, as you can't use 2FA and Hardware wallet together in Electrum. The wallet is either a hardware wallet, or it is a 2FA wallet...

As the OP has specifically mentioned he is using a Ledger, then it cannot possibly be a 2FA wallet. It is just a coincidence that his "change" amount was 0.002 BTC.

I have seen in my recent transactions using Ledger+Electrum that it does indeed make you confirm ALL outputs (including change)... There was previously an "issue" when Ledger did the initial SegWit update where "Output #2" was showing up and that was supposedly patched... I'm not sure if this is a regression issue from later releases, or if this was deliberately done and is now "by design".
legendary
Activity: 1624
Merit: 2481
February 23, 2018, 11:07:55 AM
#8
Electrum is trying to send a specific amount of bitcoins (0.002 btc) to a specific address that I didn't choose....

Those 0.002 are charged from trusted coin.
You do have 2FA activated in electrum, right?

There was a description of this service when creating a new wallet:



You can either pay the fee (for 20 co-signed tx's) or create a new wallet (same seed possible) without 2FA.
You can read more about the 2FA of electrum here: http://docs.electrum.org/en/latest/2fa.html
legendary
Activity: 3234
Merit: 5637
February 23, 2018, 06:04:33 AM
#7
This is something that confuses users of the Ledger Nano S, and Ledger calls this a minor bug which is linked with the use of a SegWit address in combination with an old version of the Chrome app. I've experienced it also a few times recently with Ledger & Electrum, so maybe the solution is to update the apps in the Ledger device, which I have not tried yet.

Regarding the recent news about a vulnerability in the Chrome Ledger Wallet app, caution should be at the highest level, and the device we use for cryptocurrency must be well protected & clean from malware.
member
Activity: 93
Merit: 39
February 23, 2018, 02:57:16 AM
#6
Electrum is trying to send a specific amount of bitcoins (0.002 btc) to a specific address that I didn't choose....

0.002 BTC sounds like the 2 factor security fee. This is collected once for every 20 transactions, i.e. the following 19 transactions won't have a fee.
HCP
legendary
Activity: 2086
Merit: 4363
February 23, 2018, 12:37:30 AM
#5
It's called a "change" address... Have a read here: https://en.bitcoin.it/wiki/Change

That will explain about change and why it occurs. Basically, you can't spend part of a bitcoin, just like you can't spend part of a $5 note when you buy a pack of gum with it. You have to hand over the whole $5... and you get change... same with Bitcoin... you have to hand over the "whole" bitcoin UTXO and whatever isn't being spent to the other party (and/or on miner's fees), comes back to you as "change". Modern wallets like to create "new" change addresses to reduce "Address re-use".

As for attempting to verify if it is your address or not, simply look on the "Addresses" tab (View -> Show Addresses). Note that you will need to change the dropdown filter from "Receiving" to "Change" to be able to view your "Change" Addresses.

Also, before you even attempt to send the transaction, you can simply click the "Preview" button and it will show you all the details of the transaction you are about to make. You can then double-check that these addresses are "yours", and you can also double-check that the addresses displayed there are the ones displayed on the ledger screen.
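
The check described in the post above (every output shown in Preview and on the device is either the payment you intended or one of your own change addresses), as an added example that is not part of the original thread and is not Electrum or Ledger code. `audit_outputs` is a hypothetical helper, and all addresses and amounts are constructed placeholders.

```python
# Added example: audit a previewed transaction's outputs before signing.
# All addresses and amounts below are constructed placeholders (amounts in satoshis).

def audit_outputs(input_sats, outputs, intended, change_addresses):
    """Classify every output as payment, own change, or unknown.

    input_sats       -- values of the UTXOs being spent
    outputs          -- [(address, sats)] as shown in Preview and on the device
    intended         -- {address: sats} the user actually meant to pay
    change_addresses -- the wallet's own change addresses (Addresses tab, "Change" filter)
    """
    report, unknown, paid = [], [], set()
    for addr, sats in outputs:
        if intended.get(addr) == sats:
            kind = "payment"
            paid.add(addr)
        elif addr in change_addresses:
            kind = "change"
        else:
            kind = "UNKNOWN"   # wrong address or wrong amount: do not sign
            unknown.append(addr)
        report.append((addr, sats, kind))
    missing = sorted(set(intended) - paid)
    fee = sum(input_sats) - sum(s for _, s in outputs)
    return {"report": report, "fee": fee, "unknown": unknown, "missing": missing,
            "safe_to_sign": not unknown and not missing and fee >= 0}

WALLET_CHANGE = {"CHANGE-ADDR-0-EXAMPLE", "CHANGE-ADDR-1-EXAMPLE"}
INTENDED = {"RECIPIENT-ADDR-EXAMPLE": 790_000}

# Case 1: the thread's situation. A second output of 0.002 BTC appears,
# and it is one of the wallet's own change addresses.
NORMAL = audit_outputs([1_000_000],
    [("RECIPIENT-ADDR-EXAMPLE", 790_000), ("CHANGE-ADDR-1-EXAMPLE", 200_000)],
    INTENDED, WALLET_CHANGE)

# Case 2: the pasted recipient was replaced (the clipboard malware from reply #2).
SWAPPED = audit_outputs([1_000_000],
    [("SUBSTITUTED-ADDR-EXAMPLE", 790_000), ("CHANGE-ADDR-1-EXAMPLE", 200_000)],
    INTENDED, WALLET_CHANGE)

if __name__ == "__main__":
    for name, result in (("normal", NORMAL), ("swapped", SWAPPED)):
        print(name, "safe_to_sign =", result["safe_to_sign"], "fee =", result["fee"])
        for row in result["report"]:
            print("   ", row)
```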
full member
Activity: 230
Merit: 100
19/11/2018 - Capitulation !!!!
February 22, 2018, 06:52:15 PM
#4
Problem solved: the 2nd address was mine and the Ledger was asking me to verify it. I had to manually write it down and then try to sign it, to see if it was my unused address.

I don't think that this is very practical.
full member
Activity: 230
Merit: 100
19/11/2018 - Capitulation !!!!
February 22, 2018, 06:19:16 PM
#3
Try to check your PC for any malware.
I know a specific type of malware that changes your copy and paste from one address to another one.
That specific address that you didn't choose might be the address from the one who creates that malware.
Did you download or install anything suspicious these past months?

I have already scanned my PC with Bitdefender and I didn't find anything. I'm very careful about what I install on my PC.
I have also verified the file that I downloaded from the Electrum site (https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/) and it was also OK.
hero member
Activity: 714
Merit: 528
February 22, 2018, 06:12:15 PM
#2
Try to check your PC for any malware.
I know a specific type of malware that changes your copy and paste from one address to another one.
That specific address that you didn't choose might be the address from the one who creates that malware.
Did you download or install anything suspicious these past months?
full member
Activity: 230
Merit: 100
19/11/2018 - Capitulation !!!!
February 22, 2018, 04:58:07 PM
#1
I'm trying to send some bitcoins from my Ledger Nano S and I have connected it with Electrum 3.0.6 (https://electrum.org/#download).
Every time I try to send to an address and I click "send", the address and the number of bitcoins are different on the Ledger's screen?
So I downloaded Electrum again from the site and tried again: the same problem. When I changed the input address I was able to see the correct address and number of bitcoins on my screen and I clicked accept; then the Ledger shows a 2nd output that I didn't choose in Electrum.
Electrum is trying to send a specific amount of bitcoins (0.002 btc) to a specific address that I didn't choose....

*the input that I chose has more bitcoins than the address I want to send to.


Any suggestion?