A personal safety announcement from privacy-focused Bitcoin wallet Wasabi today: don’t update your Wasabi wallet if you use a Trezor device. If you do, you could temporarily lose access to your Bitcoin.
While you’re at it, don’t update your Trezor devices if you’re using Wasabi. If you’re using a Trezor Model T, don’t update to version 2.3.1., and if you’re using a Trezor One, don’t update to 1.9.1.
Why? Last Wednesday, the inventors of the Trezor hardware wallet, SatoshiLabs, told its customers about a security vulnerability that could force its users to pay extortionate mining fees.
Thanks to a report by @saleemrash1d about vulnerability in Segwit transactions, a result of Bitcoin protocol design choices, we released firmware updates that change how these transactions are handled. https://t.co/QKcEoK57ap
— Trezor (@Trezor) June 3, 2020
SatoshiLabs fixed the issue with Trezor, but the update messed things up for services like Wasabi and the BTCPay server, wrote Jumar Macato, a software developer at Wasabi Wallet.
Wasabi wallet is a privacy-focused Bitcoin wallet that has CoinJoins baked into it.
CoinJoins obscure Bitcoin transactions by jumbling lots of transactions together in batches before sending them off elsewhere; because the Bitcoin was mixed together, it’s difficult to determine the identities of those executing transactions.
Wasabi interacts with Trezor, a cold wallet, to let it send Bitcoins using these CoinJoins. Wasabi sends a “Partially-Signed Bitcoin Transaction” to the Trezor and the Trezor confirms the transaction once its owner signs off on it.
But Trezor’s new update doesn’t work with Wasabi, since the Trezor thinks that the Partially-Signed Bitcoin Transaction is invalid. The Trezor device could also have to expend a lot of energy and space to access previous transaction data, potentially making the Partially-Signed Bitcoin Transaction file too large for the Trezor.
“In light of the aforementioned problems, we at Wasabi Wallet are urging our users with Trezor hardware wallets to hold off updating their devices,” wrote Macato.
In an addendum, he wrote: “We are advising users to not update Wasabi Wallet until the fixes are out due to the potential of bad actors distributing a malicious copy of Wasabi Wallet and exploiting the vulnerability.”
Until it’s fixed, stay safe out there!