From 36e55b9a9b0e97c4b66f0207a55aa8f09b9e36c0 Mon Sep 17 00:00:00 2001 From: erciccione Date: Mon, 6 Dec 2021 16:24:55 +0000 Subject: [PATCH] blog: add post about multisig vulnerability --- _posts/2021-12-06-vulnerability-multisig.md | 63 +++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 _posts/2021-12-06-vulnerability-multisig.md diff --git a/_posts/2021-12-06-vulnerability-multisig.md b/_posts/2021-12-06-vulnerability-multisig.md new file mode 100644 index 00000000..2457c2ac --- /dev/null +++ b/_posts/2021-12-06-vulnerability-multisig.md @@ -0,0 +1,63 @@ +--- +layout: post +title: Vulnerabilities identified in Monero multisignature wallet code +summary: Some vulnerabilities have been identified in the implementation of Monero multisignature wallets +tags: [urgent] +author: binaryFate (Core Team) +--- + +{% t global.lang_tag %} + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +Dear Monero users and participants of the Monero ecosystem, + +Some vulnerabilities have been identified in the implementation of +Monero multisignature wallets. +These vulnerabilities do not affect the theory supporting multisigs, +but affect the current wallet code implementing them. + +Initially disclosed and discussed via the vulnerability response +process*, the discussion has been enlarged to other key developers and +MRL contributors. We agreed together that a public announcement had to +be made. + +These vulnerabilities affect (i) multisignature wallet creation and +(ii) multisignature transaction signing. +They can lead to funds being stolen by one of the signing parties. + +Until a fix is released, we strongly recommend not to perform any +multisignature transaction unless all signing parties can be trusted. +If all signing parties cannot be trusted, no transaction should be +attempted. Funds are not at risk if they are not moved and if the +wallet-creation process was not abused. + +A fix is currently being reviewed. At this stage we hope to have a +pull request ready within a week, together with a more detailed +description of the issues. + +Regards, + +binaryFate + + +* https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE_PROCESS.md +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCAAdFiEEgaxZH+nEtlxYBq/D8K9NRioL35IFAmGtGA0ACgkQ8K9NRioL +35JLBw//fZ4tcOCFRgoM+kiLVNVgziqio1PJl7w73BGjP7A3I0ieGPZtHfDk28ua +okSRzWVKqm94Ruy7qAaDHwASxwmJ4MELaBzufx5WqMjhKWhYi87P6ZLEP2n1eVee +TXmQ2lIy5JfKBXRI+wtmZsXLjWLajgztP0MCJGF1+QW9RawpsIuTkfyDPkrHsK32 +0u3oC5XsdxETP8wu9LAsGVAsQ+xISZ//zkWlyqOWEkRxXhFUOLBmJ8OOPJ96WZ4x +RMqijDjE2ZcOXPT5pLKwX+A+p9wHEpe7tDLe6F179F+rkWda3Cy6wqBztR8+LtI0 +yPBDqI5k1eu4kwTke7WcNKBjwzkd8qxvPo1kQ1btj4PukxrlDLPcJc2g4vCvuSkb +XkYzZB6fcT64bXqVnJJdeWYTBI3mDAQgOMGnU63zIA3pqYpPG44hXpFH9KXeFOwq +O60xuKd7uYVkCRA0FckkSWABy2008/qk9APwKCWwg9Md07advkCAOlNVqjF9CrTE +CZvyL3tywbbCpQsV1qeM29WM+yU5mjkz4Q3NvtHdL+c0jWElOmJDgs7RRz2bmsiX +ZCfbR78Y4fTnUMOdBVqU1yLDUg7nZYRnTyD6ORhpgEc12BJV4nDc+mkBqPiR2hTe +DLh4ZNqeIRFgX2M1Q1w9Kap2xXLV5dRMe0e/3amASKf2KJ8WBSY= +=HZgv +-----END PGP SIGNATURE----- +``` \ No newline at end of file