A serious security hole has been identified in the Electrum SV crypto wallet, causing some users to lose their Bitcoin SV (BSV) funds. Bitcoin SV is a fork of Bitcoin Cash, designed to improve the speed at which transactions are processed. However, to optimize speed, BSV has softened some of the technical features implemented to ensure the safety of parts in transit. Namely, BSV has removed the Pay Per Script (P2SH) hash function, which is used to verify transactions that must be lit green by multiple parties (also known as multi-signature transactions). Instead, the developers of the ElectrumSV wallet (and possibly others) introduced a feature called accumulator multi-signature, which is now considered highly insecure.
Crypto wallet vulnerability
The threat posed by the accumulator's multi-signature system has been recognized by ElectrumSV, which is taking steps to prevent users from falling victim to transaction hijacking. "Please don't change the script type in your wallet, and especially don't change it to a multi-signature accumulator," ElectrumSV warned in a tweet. "As unfortunately discovered by one of our users, it is broken and using it will result in loss of parts." The user in question is said to have lost 600 BSV, worth almost €100,000 at current market rates, as a result of an attack targeting weaknesses related to multi-signature accumulators. According to some knowledgeable parties, the issue would never have arisen if proper testing procedures had been implemented prior to publication. Others argue that Bitcoin SV should not have adopted an alternative system in the first place. “This situation would have been avoided entirely if BSV hadn't ripped off the competent, time-tested, and highly peer-reviewed mechanisms for Bitcoin multisig in favor of a much less efficient home crypto,” wrote Gregory Maxwell. , developer at Bitcoin Core. “It kinda makes you wonder what amazing bugs are lurking in their node software or in their wallets. I can say for sure: I am not going to deal with anything and I will risk finding out. Via CoinDesk