blog: add post about multisig vulnerability

erciccione 2021-12-06 16:24:55 +00:00
parent acd041cbd8
commit 36e55b9a9b
No known key found for this signature in database
GPG Key ID: 762AF8C608E56CDF

@ -0,0 +1,63 @@
---
layout: post
title: Vulnerabilities identified in Monero multisignature wallet code
summary: Some vulnerabilities have been identified in the implementation of Monero multisignature wallets
tags: [urgent]
author: binaryFate (Core Team)
---
{% t global.lang_tag %}
```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Monero users and participants of the Monero ecosystem,
Some vulnerabilities have been identified in the implementation of
Monero multisignature wallets.
These vulnerabilities do not affect the theory supporting multisigs,
but affect the current wallet code implementing them.
Initially disclosed and discussed via the vulnerability response
process*, the discussion has been enlarged to other key developers and
MRL contributors. We agreed together that a public announcement had to
be made.
These vulnerabilities affect (i) multisignature wallet creation and
(ii) multisignature transaction signing.
They can lead to funds being stolen by one of the signing parties.
Until a fix is released, we strongly recommend not to perform any
multisignature transaction unless all signing parties can be trusted.
If all signing parties cannot be trusted, no transaction should be
attempted. Funds are not at risk if they are not moved and if the
wallet-creation process was not abused.
A fix is currently being reviewed. At this stage we hope to have a
pull request ready within a week, together with a more detailed
description of the issues.
Regards,
binaryFate
* https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE_PROCESS.md
-----BEGIN PGP SIGNATURE-----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=HZgv
-----END PGP SIGNATURE-----
```
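Review bot: The armored signature in this hunk looks incomplete and the clearsigned layout does not match what `gpg --verify` expects, so the post may ship with a message readers cannot verify. Between `-----BEGIN PGP SIGNATURE-----` and the `=HZgv` checksum line no signature body is visible, and as rendered there is no blank line between `Hash: SHA256` and the first line of the message (`Dear Monero users and participants of the Monero ecosystem,`), which the clearsign format requires. Before merging, paste the full `gpg --clearsign` output into the file unmodified and run `gpg --verify` on it against binaryFate's key; a post tagged `urgent` that warns of funds being stolen by a signing party is exactly the kind of message whose signature people will check, and a non-verifying signature invites the suspicion that the announcement itself is forged.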