Ledger · Bitcoin App · CVE-2023-7346
**Name of the Vulnerable Software and Affected Versions**
Ledger Bitcoin app versions 2.1.0 through 2.1.1
**Description**
An address derivation issue exists due to improper handling of miniscript policies containing the `a:` fragment. Attackers can craft malicious miniscript policies that cause the device to derive and display incorrect receiving addresses, which could lead to funds being sent to unintended addresses.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
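To find wallet policies that match the description above, the following added example (not Ledger's code) flags miniscript policy strings whose fragments carry the `a` wrapper when the app version falls in the affected range. The function names and sample policies are constructed for illustration, and treating combined prefixes such as `sa:` as matches is an assumption.

```python
import re

# Miniscript wrapper letters; a fragment's wrappers are a run of these before ':'.
WRAPPER_LETTERS = "asctdvjnlu"
# A wrapper prefix can only start at a fragment boundary: string start, '(', ',' or '{'.
PREFIX_RE = re.compile(r"(?:^|[(,{])\s*([" + WRAPPER_LETTERS + r"]+):")

# Affected range as stated in the advisory (inclusive).
AFFECTED_MIN, AFFECTED_MAX = (2, 1, 0), (2, 1, 1)


def version_affected(version: str) -> bool:
    """True if a dotted app version falls inside the advisory's range."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def a_wrapped_fragments(policy: str) -> list:
    """Return (offset, prefix) for every fragment whose wrappers include 'a'.

    Assumption: combined prefixes such as 'sa:' are flagged too, since they
    also apply the 'a' wrapper; the advisory itself only names 'a:'.
    """
    return [(m.start(1), m.group(1) + ":")
            for m in PREFIX_RE.finditer(policy) if "a" in m.group(1)]


def needs_review(policy: str, app_version: str) -> bool:
    """Flag a policy only when both conditions from the advisory hold."""
    return version_affected(app_version) and bool(a_wrapped_fragments(policy))


# Constructed sample policies (not taken from the advisory).
SAMPLES = {
    "with_a": "wsh(and_b(pk(@0/**),a:pk(@1/**)))",
    "without_a": "wsh(or_d(pk(@0/**),and_v(v:pk(@1/**),older(1000))))",
}

if __name__ == "__main__":
    for name, policy in SAMPLES.items():
        print(name, a_wrapped_fragments(policy), needs_review(policy, "2.1.1"))
```

A flagged policy is one whose displayed receiving address should be verified independently before funds are sent to it.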