freezing coins conflicts with coin control when fullspend #6317
Comments
|
I created this public issue because even if this could be a security and potentially disastrous bug, this is nothing that needs to be addressed privately and it is not something exploitable by an external attacker... |
|
@limpbrains any thoughts? |
|
Exploring more cases I found that the problem seems to be that the function "freeze coins" doesnt work at all with coin control; freezed coins are always selectable in coin control in every case (is this intended? Its at least an ambiguous ui, considering also that when a coin is selected, the "use coin" button seems a "save the state" button where the only boolean available on screen is "freeze"). I cant replicate now the exact situation described in the issue, its possible that in this case the coin .4 was freezed AND also selected. In this case the issue is only that "coin control permit to select freezed coin" (intended?). Another thing to add is that this bug was foud with a view-only wallet where the txs elaborated are PSBTs. |
|
Hi! |
|
I tried to reproduce and could not. |
|
I did this: I had 4 utxo. I froze the 3rd one. |
Hi, I discovered this dangerous issue.
Last version (6.5.9.), android 14.
A guide to replicate:
I have a wallet with 5 utxo (coins).
I wanted to do a tx that fullspends the coins number .1 .2 and .3 but leaves untouched the coin number .4 and .5,.
Composing tx, I first freeze coin 4. to be sure it isnt selected, and then using coin control I select the coin .1 .2 and .3.
The coin control situation is like that:
coin .1 - selected to be spent
coin .2 - selected to be spent
coin .3 - selected to be spent
coin .4 - freezed
coin .5 - nothing (not selected and not freezed)
Now, if I do a fullspend I would expect the tx would fullspend the coin .1, .2 and .3.
BUT a dangerous bug happens:
doing a fullspend actually select the coins .1, .2, .3 and .4 to fullspend!!!
Its like freezing the coin is considered as a "selected" when I do the fullspend. But freezing a coin is the exact opposite of selecting a coin.
I also add that the fullspend makes clear the bug, but I think the freezed coins are selected even when I don't fullspend the coins.
For example, If I'm selecting coins to spend (.1, .2 and .3) I would freeze a coin that I want to be sure it will never be spent (.4) and leave not selected and not freezed some other coins that I dont care much about (.5).
This bug will spend the coin that the user have explicitely sayd to not spend. The dangerous also increase if the user has a lot of coins, making difficult to recognize the bug composing the tx.
This issue needs absulute urgency and is a security threat to users funds!
The text was updated successfully, but these errors were encountered: