Replying to Avatar Dr. Bitcoin, MD

The ways to mess up are growing over time. For example, is it really self custody if you don’t also run your own node? I’d argue it’s not ideal because your hardware wallet has no idea about anything other than addresses and keys. The node you connect to in order to find out how much value is at each utxo is a potential attack vector.

Suppose you want to buy a coffee for $1. A maliciously node might report a value of 0.001BTC for the value of a utxo to use as an input and your transaction creation software will compute 0.00001 for the spend, 0.00099 for the change address (or less, allowing for tx fee). This would all be fine to sign with your hardware wallet if and only if the input value really is 0.001BTC…what if it really was 1 BTC? What happens then? Is the transaction still valid? Yes, it’s still valid, but your tx fee is now almost 1 entire BTC.

Remember, the tx fee is merely the difference between outputs and inputs. Anything not spent is by default a transaction fee. So, know your utxo! The only way to do that is for your transaction creation software to query your own node before constructing a transaction for your hardware wallet to sign.

Might even want to double check input utxo value on a few nodes if you don’t run your own!
2b
2bc1cc92... 1y ago

thats why you should only trust the values your hardware wallet shows you before signing.

Reply to this note

Please Login to reply.

Discussion

Avatar
Dr. Bitcoin, MD 1y ago

Except that’s incorrect. Your hardware wallet only knows with certainty the value of the assigned outputs. It believes the value of the input it is told by the software used to create the transaction.

Just because your hardware wallet says the fee is 500 sats doesn’t make it so. Hardware wallets require a node to tell it the balance of a utxo…hardware wallets can’t know this automatically.

Lying about utxo value isn’t a common attack vector because the only party standing to gain is a miner…and such an attack ruins the value of their primary product: block space.

A trusted but malicious attacker could easily screw an individual by lying about utxo value. This is why running your own node and connecting your wallet to it very much matters.

2b
2bc1cc92... 1y ago

Thanks for making me think twice. I see the problem now. You trust the node for the value of a utxo.

Not your node, not your utxo.

Avatar
Dr. Bitcoin, MD 1y ago

Bitcoin understanding is like an onion…

The split node, transaction creation software, and signing device paradigm is tricky to navigate well.

For my setup, I have a satellite connection 📡 🛰️ Blockstream Bitcoin data service to keep my otherwise airgapped nodes in sync. While it’s possible Blockstream could be lying to my node, it would be very expensive to do and it’s easy to check a few block explorers to make sure they all agree.