Board: Hardware wallets
Re: Ledger hacked or not? 100k lost
by bitmover on 24/08/2020, 19:47:00 UTC

At most, a fake or malicious software wallet can push a malicious transaction to the hardware wallet. That transaction will only be signed and broadcast if the user presses the physical buttons on the Ledger device required to accept it. If the user rejects the transaction, then it cannot be signed and cannot be broadcast.

I agree. This is, as far as I understand, exactly the case in this recent exploit:

Quote
This path restriction was not enforced for the Bitcoin app and most of its derivatives, allowing a Bitcoin derivative (eg. Litecoin) to derive public keys or sign Bitcoin transactions.
https://donjon.ledger.com/lsb/014/

As the user is already spending some altcoin, it is easy to be fooled and click the button for a Bitcoin transaction while using a fake MEW.

I will pay much more attention now when spending altcoins (I don't have much anyway).
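
The path restriction the quoted advisory refers to, as an added sketch that is not part of the original post and not Ledger's code: a request is accepted only if its derivation path stays under the open app's own SLIP-44 coin type. The app names, the accepted purpose set (BIP44/49/84) and the function names are assumptions for illustration; the sample paths are constructed.

```python
HARDENED = 0x80000000

# SLIP-44 registered coin types (used hardened in a path).
SLIP44 = {"bitcoin": 0, "testnet": 1, "litecoin": 2}

# Assumed policy: purposes defined by BIP44, BIP49 and BIP84.
PURPOSES = {44, 49, 84}


def parse_path(text):
    """Turn "m/44'/2'/0'/0/5" into a list of 32-bit child indices."""
    parts = text.split("/")
    if parts[0] != "m" or len(parts) < 2:
        raise ValueError("path must start with m/")
    out = []
    for p in parts[1:]:
        hardened = p.endswith("'") or p.endswith("h")
        digits = p[:-1] if hardened else p
        if not digits.isdigit():
            raise ValueError(f"bad path element {p!r}")
        n = int(digits)
        if n >= HARDENED:
            raise ValueError("index out of range")
        out.append(n | HARDENED if hardened else n)
    return out


def path_allowed(app, path_text):
    """True only if the path stays inside the subtree of the open app."""
    try:
        path = parse_path(path_text)
    except ValueError:
        return False  # malformed input is rejected, never guessed at
    if len(path) < 2:
        return False
    purpose, coin = path[0], path[1]
    # Both levels must be hardened; an unhardened 44/2 is a different subtree.
    if not (purpose & HARDENED and coin & HARDENED):
        return False
    if (purpose ^ HARDENED) not in PURPOSES:
        return False
    return (coin ^ HARDENED) == SLIP44[app]


if __name__ == "__main__":
    # Constructed requests as they might arrive while the Litecoin app is open.
    for p in ("m/44'/2'/0'/0/0", "m/44'/0'/0'/0/0", "m/44/2/0/0/0"):
        print(p, "->", "allow" if path_allowed("litecoin", p) else "reject")
```

The second sample path is the case from the advisory: a Bitcoin-subtree request made while an altcoin app is open, which this check rejects before any key derivation or signing prompt.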