Ledger Bitcoin App's Implementation of Miniscript Had A Theft Enabling Bug

• "We discovered the bug on the 7th of April. Antoine put up reproduction instruction on the same day in a private Gist (available here). We then reported the vulnerability to Ledger through their bug bounty program and to Salvatore Ingala."
• The Miniscript fragment a:X was incorrectly encoded by the Ledger Bitcoin application, which opened a possibility for the spender to always provide the return value of the expression preceding a a: in a Miniscript.
• "This implies any type of check (preimage, signature, timelock) preceding a a: may be bypassed (just feed a 1 at the correct place in the witness)."
• "The Ledger security team acknowledged reception on the 11th. A fix was deployed in the Bitcoin application. They later informed us (on the 14th) this finding was eligible to a bug bounty."
• "On the 13th, and after receiving agreement from the Ledger security team, Antoine disclosed the vulnerability to maintainers of projects whose users could potentially be affected."
• "On May 10th the version 2.1.2 of the Ledger Bitcoin app was released with a fix. Salvatore Ingala also took care to update the client libraries in various languages to error when trying to register an affected descriptor on a Ledger running an affected Bitcoin application."
• "On May 11th the Ledger security team gave us the go ahead to announce the vulnerability."

"It’s rather a good things that we catch those bugs now that there is only very few (to none) users of such functionalities."

• "Liana was probably the only wallet to provide a full integration of Ledger’s Miniscript capabilities, and no release of Liana allowed a user to create a Miniscript descriptor that was affected by this bug. So if anybody was affected by this vulnerability, they must have been using advanced hand-rolled tooling."

Full Blog Post
Archive