Comments (3)
Makes sense, I forgot the Jade asks the user to confirm the fee 🤦‍♂️ Thank you :)
from jade.
Actually, based on this comment, it seems SingleSig/regular MultiSig change does not need to be confirmed by the user (I was checking MultiSig Shield change).
In that case, can a malicious computer omit the change address completely causing the user to burn the change they should have gotten?
from jade.
At the moment, no - it does not verify or mandate the presence of a change output. (It is possible [albeit unlikely] that there really is no change.)
So Jade will ask the user to confirm every output - other than those verified as change.
It then, as a final step before signing, asks the user to confirm the fee - this is calculated on the hardware as sum(inputs) - sum(outputs) - so while your suggested attack is possible the user would have to confirm a suspiciously large fee.
I suppose if there is no change output we could add a warning message on that final 'confirm fee' screen - but then that could be confounded by the malicious app adding a very small change output ...
from jade.
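The confirmation flow discussed in this thread, modelled as an added example (not Jade firmware code and not written by the commenters): it computes the fee as sum(inputs) - sum(outputs), lists the outputs the user must confirm, and runs three constructed transactions through it. The `review` function, the warning names and the 5% fee threshold are assumptions made for illustration.

```python
# Added illustration; not Jade firmware code. Names and the 5% threshold are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    label: str
    sats: int
    verified_change: bool = False  # device verified this output as wallet change


def review(input_sats, outputs, max_fee_pct=5):
    """Return (outputs the user must confirm, fee in sats, warnings)."""
    if any(v < 0 for v in input_sats) or any(o.sats < 0 for o in outputs):
        raise ValueError("negative amount")
    total_in = sum(input_sats)
    fee = total_in - sum(o.sats for o in outputs)  # computed on the device
    if fee < 0:
        raise ValueError("outputs exceed inputs")
    # Every output is shown for confirmation unless it was verified as change.
    shown = [o for o in outputs if not o.verified_change]
    warnings = []
    if not any(o.verified_change for o in outputs):
        warnings.append("no-change-output")
    if fee * 100 > max_fee_pct * total_in:  # integer math, no float rounding
        warnings.append("high-fee")
    return shown, fee, warnings


# Constructed sample transactions (amounts in satoshis).
INPUTS = [100_000_000]
PAY = Output("payment", 10_000_000)
HONEST = [PAY, Output("change", 89_990_000, verified_change=True)]
CHANGE_OMITTED = [PAY]  # host left the change output out
TINY_CHANGE = [PAY, Output("change", 1_000, verified_change=True)]

if __name__ == "__main__":
    for name, outs in [("honest", HONEST), ("change omitted", CHANGE_OMITTED),
                       ("tiny change", TINY_CHANGE)]:
        shown, fee, warnings = review(INPUTS, outs)
        print(f"{name}: confirm {[o.label for o in shown]}, fee={fee}, {warnings}")
```

In the third case the "no change" warning stays silent, as the last comment anticipates, while the fee shown on the final screen is still about 0.9 BTC on a 0.1 BTC payment.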