Safeheron Alert: UTXO MultiSig Could be Used for Fake Depositing Towards Blockbook, Troubleshooting
Last updated: 04/08/2022
By Safeheron Security Team
Following the disclosure by the SlowMist security team yesterday that the UTXO multi-signature mechanism can be used to launch fake deposit attacks on exchanges, the Safeheron team tracked the relevant details further and found a new threat: the well-known open-source middleware Blockbook (a Trezor open-source product) is also affected by this feature.
Safeheron found that MultiSig-type transactions are not fully displayed in the transaction data returned by Blockbook. If the output is a MultiSig script, Blockbook selects the last address in the script for display, which makes the transaction indistinguishable from one sent to an ordinary address.
If exchanges, wallet clients, or other centralized services identify deposits based only on the results returned by Blockbook, they will misjudge fake deposits as genuine. Currently known tokens that may be affected by this multi-signature feature are BTC, LTC, DOGE, BCH, BSV, BHD, CPU, DFI, BTCV, BXC and ZCL.
Safeheron recommends that relevant operators investigate their exposure to this risk.
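One way a deposit service can avoid relying on the displayed address alone, shown as an added example that is not Safeheron's or Blockbook's code: classify each output's raw script and credit only single-destination script types, so a bare MultiSig output is flagged instead of credited. It assumes the raw output script hex is available to the service; the function names and sample scripts are constructed for illustration.

```python
# Added example with hypothetical names. Sample scripts are constructed, not real.
SAMPLE_MULTISIG = "51" + "2102" + "11" * 32 + "2103" + "22" * 32 + "52ae"  # 1-of-2
SAMPLE_P2PKH = "76a914" + "33" * 20 + "88ac"

def parse_script(script: bytes):
    """Split a script into (opcode, pushed_data) items; ValueError if truncated."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if not 0x01 <= op <= 0x4e:          # not a data push
            items.append((op, None))
            continue
        size = op
        if op >= 0x4c:                       # OP_PUSHDATA1/2/4: explicit length
            width = 1 << (op - 0x4c)
            if i + width > len(script):
                raise ValueError("truncated push length")
            size = int.from_bytes(script[i:i + width], "little")
            i += width
        if i + size > len(script):
            raise ValueError("truncated push data")
        items.append((op, script[i:i + size]))
        i += size
    return items

def classify(script_hex: str) -> str:
    """Return the script type of an output from its raw output script hex."""
    try:
        s = bytes.fromhex(script_hex)
        items = parse_script(s)
    except ValueError:
        return "nonstandard"
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    if len(s) == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh"
    if len(s) in (22, 34) and s[0] == 0x00 and s[1] == len(s) - 2:
        return "witness_v0"
    # Bare MultiSig: OP_m <pubkey>... OP_n OP_CHECKMULTISIG
    if len(items) >= 4 and items[-1][0] == 0xae:
        m_op, n_op, keys = items[0][0], items[-2][0], items[1:-2]
        if (0x51 <= m_op <= n_op <= 0x60 and n_op - 0x50 == len(keys)
                and all(d is not None and len(d) in (33, 65) for _, d in keys)):
            return "bare_multisig"
    return "nonstandard"

def creditable(script_hex: str) -> bool:  # credit single-destination scripts only
    return classify(script_hex) in {"p2pkh", "p2sh", "witness_v0"}
```

Outputs classified as `bare_multisig` or `nonstandard` are best routed to manual review rather than credited automatically.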