Ledger Bitcoin App's Implementation of Miniscript Had A Theft Enabling Bug

Liana's team uncovered a vulnerability in the Ledger Bitcoin application’s implementation of Miniscript, which could have potentially allowed for bypassing some spending conditions advertized to the user but not actually present in the generated Bitcoin Script.

Ledger Bitcoin App's Implementation of Miniscript Had A Theft Enabling Bug
  • "We discovered the bug on the 7th of April. Antoine put up reproduction instruction on the same day in a private Gist (available here). We then reported the vulnerability to Ledger through their bug bounty program and to Salvatore Ingala."
  • The Miniscript fragment a:X was incorrectly encoded by the Ledger Bitcoin application, which opened a possibility for the spender to always provide the return value of the expression preceding a a: in a Miniscript.
  • "This implies any type of check (preimage, signature, timelock) preceding a a: may be bypassed (just feed a 1 at the correct place in the witness)."
  • "The Ledger security team acknowledged reception on the 11th. A fix was deployed in the Bitcoin application. They later informed us (on the 14th) this finding was eligible to a bug bounty."
  • "On the 13th, and after receiving agreement from the Ledger security team, Antoine disclosed the vulnerability to maintainers of projects whose users could potentially be affected."
  • "On May 10th the version 2.1.2 of the Ledger Bitcoin app was released with a fix. Salvatore Ingala also took care to update the client libraries in various languages to error when trying to register an affected descriptor on a Ledger running an affected Bitcoin application."
  • "On May 11th the Ledger security team gave us the go ahead to announce the vulnerability."
"It’s rather a good things that we catch those bugs now that there is only very few (to none) users of such functionalities."
  • "Liana was probably the only wallet to provide a full integration of Ledger’s Miniscript capabilities, and no release of Liana allowed a user to create a Miniscript descriptor that was affected by this bug. So if anybody was affected by this vulnerability, they must have been using advanced hand-rolled tooling."

Full Blog Post