Bitcoin Forum
September 22, 2018, 04:50:18 AM *
News: ♦♦ New info! Bitcoin Core users absolutely must upgrade to previously-announced 0.16.3 [Torrent]. All Bitcoin users should temporarily trust confirmations slightly less. More info.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: ledger nano s hack question  (Read 102 times)
simplyred
Newbie
*
Offline Offline

Activity: 25
Merit: 0


View Profile
March 13, 2018, 08:02:55 PM
 #1

I was going to send erc20 token from my ledger nano s, and on the ledger device itself i always get some other address when i was going to send.

Is this the contract address that i am seeing or am i infected from this ledger nano s malwere/Hack that happend in februar ?

Because i always thought i should be looking at the exact receiving address on the device itself.

thanks guys.

1537591818
Hero Member
*
Offline Offline

Posts: 1537591818

View Profile Personal Message (Offline)

Ignore
1537591818
Reply with quote  #2

1537591818
Report to moderator
1537591818
Hero Member
*
Offline Offline

Posts: 1537591818

View Profile Personal Message (Offline)

Ignore
1537591818
Reply with quote  #2

1537591818
Report to moderator
1537591818
Hero Member
*
Offline Offline

Posts: 1537591818

View Profile Personal Message (Offline)

Ignore
1537591818
Reply with quote  #2

1537591818
Report to moderator
Make a difference with your Ether.
Donate Ether for the greater good.
SPRING.WETRUST.IO
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1537591818
Hero Member
*
Offline Offline

Posts: 1537591818

View Profile Personal Message (Offline)

Ignore
1537591818
Reply with quote  #2

1537591818
Report to moderator
1537591818
Hero Member
*
Offline Offline

Posts: 1537591818

View Profile Personal Message (Offline)

Ignore
1537591818
Reply with quote  #2

1537591818
Report to moderator
1537591818
Hero Member
*
Offline Offline

Posts: 1537591818

View Profile Personal Message (Offline)

Ignore
1537591818
Reply with quote  #2

1537591818
Report to moderator
Xynerise
Sr. Member
****
Offline Offline

Activity: 280
Merit: 280

39twH4PSYgDSzU7sLnRoDfthR6gWYrrPoD


View Profile
March 13, 2018, 08:48:46 PM
 #2

When you're sending ERC20 tokens with the Ledger, the address that shows on the Ledger device is the smart contract address of the token, because that's how smart contract tokens work: addresses in ethereum don't "own" tokens; the smart contract does.
The smart contract is just an array of addresses with the token balance of the addresses.
So whenever you're sending tokens to another address, you're actually sending a call to the smart contract to update Its mapping of tokens and update the balances to reflect your transaction.
simplyred
Newbie
*
Offline Offline

Activity: 25
Merit: 0


View Profile
March 13, 2018, 09:10:58 PM
 #3

thanks Xynerise

But how can i then know if i am sending to the right address, not the hackers address  ( the februar hack address thing ) ?
RGBKey
Hero Member
*****
Offline Offline

Activity: 826
Merit: 616


rgbkey.github.io/pgp.txt


View Profile WWW
March 13, 2018, 09:40:57 PM
 #4

I'm not sure there is a way to, because I don't think the ledger displays the contract data being sent.

bob123
Hero Member
*****
Offline Offline

Activity: 686
Merit: 568



View Profile WWW
March 15, 2018, 05:05:51 PM
 #5

It's using a Hierarchical Deterministic architecture. The main idea is to avoid address reuse by deriving all keys from a master key and an index, so all previously generated key are valid.

This is normal for the Nano S to always have a different address.

Did you even read the thread/OP? Thats completely irrelevant.




Because i always thought i should be looking at the exact receiving address on the device itself.

This applys for the 'receiving' address of your nano s.
This is to ensure the private key which is necessary to spend funds from this address has been created by your nano s.
That step prevents malware from manipulating your screen (to mislead you into sending coins to that 'faked' address).



But how can i then know if i am sending to the right address, not the hackers address  ( the februar hack address thing ) ?

You have to verify your address (when receiving coins 'to your nano s') to make sure it has been properly created by your device.
When sending coins you will have to verify the transaction details on your nano s.
If you always carefully check whether the details on monitor / nano s screen match, you are good to go.

HCP
Hero Member
*****
Offline Offline

Activity: 728
Merit: 923

<insert witty quote here>


View Profile
March 16, 2018, 05:15:32 AM
Merited by achow101 (1)
 #6

... or am i infected from this ledger nano s malwere/Hack that happend in februar ?
But how can i then know if i am sending to the right address, not the hackers address  ( the februar hack address thing ) ?

It should be pointed out that there was no ACTUAL malware/hack... What happened was that:

1. Someone pointed out a potential vulnerability with the way the Ledger Chrome App displays addresses in the app... there was no "confirmation" option when displaying receive addresses, so malware COULD potentially alter it to a hackers address and trick people into giving out incorrect addresses. This was ONLY for "receive" addresses... it did not apply to addresses you were sending to, as they were always displayed on the device BEFORE you confirmed a send transaction.

2. There was also the announcement recently about a vulnerability that existed pre-firmware 1.4.1... again, there was NO actual malware/hack known to exist in the wild, simply a proof of concept (not fully disclosed, details due for release Mar 20th)... it was uncovered by a 3rd party, they advised Ledger who patched it in the latest firmware.

As far as I'm aware... there were no known cases of malware exploiting either of these vulnerabilities before they were patched.

crypto_sec_please
Copper Member
Newbie
*
Offline Offline

Activity: 6
Merit: 1


View Profile
March 16, 2018, 07:48:50 AM
Merited by HCP (1)
 #7

To verify the smart contract address you can check with the company or creator themselves, they should have some authoritative confirmation of the address. Most likely, if you have tokens already, you can check where you sent the original transaction to and if it matches. Various third parties like ethscan also provide community feedback on addresses, and often scammers addresses will have relevant feedback. Best to check in multiple ways that the contract you believe it to be is what it is rather than rely on just one confirmation from one source.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!