Bitcoin Forum
Author Topic: ledger nano s hack question  (Read 96 times)
simplyred
Newbie
March 13, 2018, 08:02:55 PM
 #1

I was going to send ERC20 tokens from my Ledger Nano S, and on the Ledger device itself I always get some other address when I was going to send.

Is this the contract address that I am seeing, or am I infected by this Ledger Nano S malware/hack that happened in February?

Because I always thought I should be looking at the exact receiving address on the device itself.

Thanks guys.

Xynerise
Full Member
March 13, 2018, 08:48:46 PM
 #2

When you're sending ERC20 tokens with the Ledger, the address that shows on the Ledger device is the smart contract address of the token, because that's how smart contract tokens work: addresses in Ethereum don't "own" tokens; the smart contract does.
The smart contract is just an array of addresses with the token balance of the addresses.
So whenever you're sending tokens to another address, you're actually sending a call to the smart contract to update its mapping of tokens and update the balances to reflect your transaction.

simplyred
Newbie
March 13, 2018, 09:10:58 PM
 #3

Thanks Xynerise.

But how can I then know if I am sending to the right address, not the hacker's address (the February hack address thing)?
RGBKey
Hero Member
March 13, 2018, 09:40:57 PM
 #4

I'm not sure there is a way to, because I don't think the Ledger displays the contract data being sent.

bob123
Sr. Member
March 15, 2018, 05:05:51 PM
 #5

> It's using a Hierarchical Deterministic architecture. The main idea is to avoid address reuse by deriving all keys from a master key and an index, so all previously generated keys are valid.
>
> This is normal for the Nano S to always have a different address.

Did you even read the thread/OP? That's completely irrelevant.

> Because I always thought I should be looking at the exact receiving address on the device itself.

This applies to the 'receiving' address of your Nano S.
This is to ensure the private key which is necessary to spend funds from this address has been created by your Nano S.
That step prevents malware from manipulating your screen (to mislead you into sending coins to that 'faked' address).

> But how can I then know if I am sending to the right address, not the hacker's address (the February hack address thing)?

You have to verify your address (when receiving coins 'to your Nano S') to make sure it has been properly created by your device.
When sending coins you will have to verify the transaction details on your Nano S.
If you always carefully check whether the details on monitor / Nano S screen match, you are good to go.

HCP
Hero Member
March 16, 2018, 05:15:32 AM
Merited by achow101 (1)
 #6

> ... or am I infected by this Ledger Nano S malware/hack that happened in February?

> But how can I then know if I am sending to the right address, not the hacker's address (the February hack address thing)?

It should be pointed out that there was no ACTUAL malware/hack... What happened was that:

1. Someone pointed out a potential vulnerability with the way the Ledger Chrome App displays addresses in the app... there was no "confirmation" option when displaying receive addresses, so malware COULD potentially alter it to a hacker's address and trick people into giving out incorrect addresses. This was ONLY for "receive" addresses... it did not apply to addresses you were sending to, as they were always displayed on the device BEFORE you confirmed a send transaction.

2. There was also the announcement recently about a vulnerability that existed pre-firmware 1.4.1... again, there was NO actual malware/hack known to exist in the wild, simply a proof of concept (not fully disclosed, details due for release Mar 20th)... it was uncovered by a 3rd party, they advised Ledger who patched it in the latest firmware.

As far as I'm aware... there were no known cases of malware exploiting either of these vulnerabilities before they were patched.

crypto_sec_please
Copper Member
Newbie
March 16, 2018, 07:48:50 AM
Merited by HCP (1)
 #7

To verify the smart contract address you can check with the company or creator themselves; they should have some authoritative confirmation of the address. Most likely, if you have tokens already, you can check where you sent the original transaction to and if it matches. Various third parties like ethscan also provide community feedback on addresses, and often scammers' addresses will have relevant feedback. Best to check in multiple ways that the contract you believe it to be is what it is rather than rely on just one confirmation from one source.
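
Added example, not part of any post in this thread: in an ERC-20 send, the transaction's `to` field is the token contract, and the real recipient and amount sit in the data field as a `transfer(address,uint256)` call (selector `0xa9059cbb`). The sketch below decodes that data and compares both the contract and the embedded recipient with what the sender intended; the `tx` dictionary shape, the helper names and all addresses are assumptions constructed for illustration.

```python
# Added example: compare an ERC-20 transfer transaction with the sender's intent.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # transfer(address,uint256)


def decode_erc20_transfer(data_hex):
    """Return (recipient, amount) from ERC-20 transfer calldata, or raise ValueError."""
    data = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(data) != 4 + 32 + 32:
        raise ValueError("unexpected calldata length for transfer(address,uint256)")
    if data[:4] != TRANSFER_SELECTOR:
        raise ValueError("not a transfer(address,uint256) call")
    addr_word, amount_word = data[4:36], data[36:68]
    if any(addr_word[:12]):  # a 20-byte address is left-padded with 12 zero bytes
        raise ValueError("address word has non-zero padding")
    return "0x" + addr_word[12:].hex(), int.from_bytes(amount_word, "big")


def check_token_send(tx, expected_contract, expected_recipient, expected_amount):
    """List mismatches between a transaction (hypothetical dict shape) and the intent."""
    problems = []
    if tx["to"].lower() != expected_contract.lower():
        problems.append("tx 'to' is not the expected token contract")
    try:
        recipient, amount = decode_erc20_transfer(tx["data"])
    except ValueError as exc:
        return problems + [str(exc)]
    if recipient != expected_recipient.lower():
        problems.append("recipient in data is " + recipient)
    if amount != expected_amount:
        problems.append("amount in data is %d" % amount)
    return problems


def build_data(recipient, amount):
    """Build transfer calldata for the constructed samples below."""
    return "0x" + (TRANSFER_SELECTOR + bytes(12) + bytes.fromhex(recipient[2:])
                   + amount.to_bytes(32, "big")).hex()


# Constructed sample values (placeholders, not real accounts or tokens).
TOKEN = "0x" + "11" * 20
FRIEND = "0x" + "22" * 20
OTHER = "0x" + "33" * 20
GOOD_TX = {"to": TOKEN, "data": build_data(FRIEND, 5 * 10**18)}
SWAPPED_TX = {"to": TOKEN, "data": build_data(OTHER, 5 * 10**18)}
```

`check_token_send(SWAPPED_TX, TOKEN, FRIEND, 5 * 10**18)` reports the substituted recipient even though the `to` field still shows the expected token contract, which is why checking the contract address alone does not confirm who receives the tokens.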