Vulnerabilities identified in Monero multisignature wallet code
by binaryFate
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Monero users and participants of the Monero ecosystem,
Some vulnerabilities have been identified in the implementation of
Monero multisignature wallets.
These vulnerabilities do not affect the theory supporting multisigs,
but affect the current wallet code implementing them.
Initially disclosed and discussed via the vulnerability response
process*, the discussion has been enlarged to other key developers and
MRL contributors. We agreed together that a public announcement had to
be made.
These vulnerabilities affect (i) multisignature wallet creation and
(ii) multisignature transaction signing.
They can lead to funds being stolen by one of the signing parties.
Until a fix is released, we strongly recommend not to perform any
multisignature transaction unless all signing parties can be trusted.
If all signing parties cannot be trusted, no transaction should be
attempted. Funds are not at risk if they are not moved and if the
wallet-creation process was not abused.
A fix is currently being reviewed. At this stage we hope to have a
pull request ready within a week, together with a more detailed
description of the issues.
Regards,
binaryFate
* https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE...
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEgaxZH+nEtlxYBq/D8K9NRioL35IFAmGtGA0ACgkQ8K9NRioL
35JLBw//fZ4tcOCFRgoM+kiLVNVgziqio1PJl7w73BGjP7A3I0ieGPZtHfDk28ua
okSRzWVKqm94Ruy7qAaDHwASxwmJ4MELaBzufx5WqMjhKWhYi87P6ZLEP2n1eVee
TXmQ2lIy5JfKBXRI+wtmZsXLjWLajgztP0MCJGF1+QW9RawpsIuTkfyDPkrHsK32
0u3oC5XsdxETP8wu9LAsGVAsQ+xISZ//zkWlyqOWEkRxXhFUOLBmJ8OOPJ96WZ4x
RMqijDjE2ZcOXPT5pLKwX+A+p9wHEpe7tDLe6F179F+rkWda3Cy6wqBztR8+LtI0
yPBDqI5k1eu4kwTke7WcNKBjwzkd8qxvPo1kQ1btj4PukxrlDLPcJc2g4vCvuSkb
XkYzZB6fcT64bXqVnJJdeWYTBI3mDAQgOMGnU63zIA3pqYpPG44hXpFH9KXeFOwq
O60xuKd7uYVkCRA0FckkSWABy2008/qk9APwKCWwg9Md07advkCAOlNVqjF9CrTE
CZvyL3tywbbCpQsV1qeM29WM+yU5mjkz4Q3NvtHdL+c0jWElOmJDgs7RRz2bmsiX
ZCfbR78Y4fTnUMOdBVqU1yLDUg7nZYRnTyD6ORhpgEc12BJV4nDc+mkBqPiR2hTe
DLh4ZNqeIRFgX2M1Q1w9Kap2xXLV5dRMe0e/3amASKf2KJ8WBSY=
=HZgv
-----END PGP SIGNATURE-----
2 years, 11 months
Vulnerabilities identified in Monero multisignature wallet code
by binaryFate
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Monero users and participants of the Monero ecosystem,
Some vulnerabilities have been identified in the implementation of
Monero multisignature wallets.
These vulnerabilities do not affect the theory supporting multisigs,
but affect the current wallet code implementing them.
Initially disclosed and discussed via the vulnerability response
process*, the discussion has been enlarged to other key developers and
MRL contributors. We agreed together that a public announcement had to
be made.
These vulnerabilities affect (i) multisignature wallet creation and
(ii) multisignature transaction signing.
They can lead to funds being stolen by one of the signing parties.
Until a fix is released, we strongly recommend not to perform any
multisignature transaction unless all signing parties can be trusted.
If all signing parties cannot be trusted, no transaction should be
attempted. Funds are not at risk if they are not moved and if the
wallet-creation process was not abused.
A fix is currently being reviewed. At this stage we hope to have a
pull request ready within a week, together with a more detailed
description of the issues.
Regards,
binaryFate
* https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE...
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEgaxZH+nEtlxYBq/D8K9NRioL35IFAmGtGA0ACgkQ8K9NRioL
35JLBw//fZ4tcOCFRgoM+kiLVNVgziqio1PJl7w73BGjP7A3I0ieGPZtHfDk28ua
okSRzWVKqm94Ruy7qAaDHwASxwmJ4MELaBzufx5WqMjhKWhYi87P6ZLEP2n1eVee
TXmQ2lIy5JfKBXRI+wtmZsXLjWLajgztP0MCJGF1+QW9RawpsIuTkfyDPkrHsK32
0u3oC5XsdxETP8wu9LAsGVAsQ+xISZ//zkWlyqOWEkRxXhFUOLBmJ8OOPJ96WZ4x
RMqijDjE2ZcOXPT5pLKwX+A+p9wHEpe7tDLe6F179F+rkWda3Cy6wqBztR8+LtI0
yPBDqI5k1eu4kwTke7WcNKBjwzkd8qxvPo1kQ1btj4PukxrlDLPcJc2g4vCvuSkb
XkYzZB6fcT64bXqVnJJdeWYTBI3mDAQgOMGnU63zIA3pqYpPG44hXpFH9KXeFOwq
O60xuKd7uYVkCRA0FckkSWABy2008/qk9APwKCWwg9Md07advkCAOlNVqjF9CrTE
CZvyL3tywbbCpQsV1qeM29WM+yU5mjkz4Q3NvtHdL+c0jWElOmJDgs7RRz2bmsiX
ZCfbR78Y4fTnUMOdBVqU1yLDUg7nZYRnTyD6ORhpgEc12BJV4nDc+mkBqPiR2hTe
DLh4ZNqeIRFgX2M1Q1w9Kap2xXLV5dRMe0e/3amASKf2KJ8WBSY=
=HZgv
-----END PGP SIGNATURE-----
2 years, 11 months