mirror of
https://github.com/monero-project/monero-site.git
synced 2024-12-23 03:59:26 +00:00
Merge pull request #1897 from erciccione/vuln-multisig
blog: add post about multisig vulnerability
commit
d38ce6fe59
1 changed files with 63 additions and 0 deletions
63
_posts/2021-12-06-vulnerability-multisig.md
Normal file
|
@ -0,0 +1,63 @@
|
||||||
|
---
|
||||||
|
layout: post
|
||||||
|
title: Vulnerabilities identified in Monero multisignature wallet code
|
||||||
|
summary: Some vulnerabilities have been identified in the implementation of Monero multisignature wallets
|
||||||
|
tags: [urgent]
|
||||||
|
author: binaryFate (Core Team)
|
||||||
|
---
|
||||||
|
|
||||||
|
{% t global.lang_tag %}
|
||||||
|
|
||||||
|
```
|
||||||
|
-----BEGIN PGP SIGNED MESSAGE-----
|
||||||
|
Hash: SHA256
|
||||||
|
|
||||||
|
Dear Monero users and participants of the Monero ecosystem,
|
||||||
|
|
||||||
|
Some vulnerabilities have been identified in the implementation of
|
||||||
|
Monero multisignature wallets.
|
||||||
|
These vulnerabilities do not affect the theory supporting multisigs,
|
||||||
|
but affect the current wallet code implementing them.
|
||||||
|
|
||||||
|
Initially disclosed and discussed via the vulnerability response
|
||||||
|
process*, the discussion has been enlarged to other key developers and
|
||||||
|
MRL contributors. We agreed together that a public announcement had to
|
||||||
|
be made.
|
||||||
|
|
||||||
|
These vulnerabilities affect (i) multisignature wallet creation and
|
||||||
|
(ii) multisignature transaction signing.
|
||||||
|
They can lead to funds being stolen by one of the signing parties.
|
||||||
|
|
||||||
|
Until a fix is released, we strongly recommend not to perform any
|
||||||
|
multisignature transaction unless all signing parties can be trusted.
|
||||||
|
If all signing parties cannot be trusted, no transaction should be
|
||||||
|
attempted. Funds are not at risk if they are not moved and if the
|
||||||
|
wallet-creation process was not abused.
|
||||||
|
|
||||||
|
A fix is currently being reviewed. At this stage we hope to have a
|
||||||
|
pull request ready within a week, together with a more detailed
|
||||||
|
description of the issues.
|
||||||
|
|
||||||
|
Regards,
|
||||||
|
|
||||||
|
binaryFate
|
||||||
|
|
||||||
|
|
||||||
|
* https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE_PROCESS.md
|
||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAEBCAAdFiEEgaxZH+nEtlxYBq/D8K9NRioL35IFAmGtGA0ACgkQ8K9NRioL
|
||||||
|
35JLBw//fZ4tcOCFRgoM+kiLVNVgziqio1PJl7w73BGjP7A3I0ieGPZtHfDk28ua
|
||||||
|
okSRzWVKqm94Ruy7qAaDHwASxwmJ4MELaBzufx5WqMjhKWhYi87P6ZLEP2n1eVee
|
||||||
|
TXmQ2lIy5JfKBXRI+wtmZsXLjWLajgztP0MCJGF1+QW9RawpsIuTkfyDPkrHsK32
|
||||||
|
0u3oC5XsdxETP8wu9LAsGVAsQ+xISZ//zkWlyqOWEkRxXhFUOLBmJ8OOPJ96WZ4x
|
||||||
|
RMqijDjE2ZcOXPT5pLKwX+A+p9wHEpe7tDLe6F179F+rkWda3Cy6wqBztR8+LtI0
|
||||||
|
yPBDqI5k1eu4kwTke7WcNKBjwzkd8qxvPo1kQ1btj4PukxrlDLPcJc2g4vCvuSkb
|
||||||
|
XkYzZB6fcT64bXqVnJJdeWYTBI3mDAQgOMGnU63zIA3pqYpPG44hXpFH9KXeFOwq
|
||||||
|
O60xuKd7uYVkCRA0FckkSWABy2008/qk9APwKCWwg9Md07advkCAOlNVqjF9CrTE
|
||||||
|
CZvyL3tywbbCpQsV1qeM29WM+yU5mjkz4Q3NvtHdL+c0jWElOmJDgs7RRz2bmsiX
|
||||||
|
ZCfbR78Y4fTnUMOdBVqU1yLDUg7nZYRnTyD6ORhpgEc12BJV4nDc+mkBqPiR2hTe
|
||||||
|
DLh4ZNqeIRFgX2M1Q1w9Kap2xXLV5dRMe0e/3amASKf2KJ8WBSY=
|
||||||
|
=HZgv
|
||||||
|
-----END PGP SIGNATURE-----
|
||||||
|
```
|
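Review bot: The post body is only the clearsigned block inside the code fence, and nothing in the added file tells a reader which key the signature should verify against or where binaryFate's public key is published. Since the signed text cannot change without re-signing, add a short line after the closing fence, outside the signed block, that gives the signing key's fingerprint and points to where the key can be obtained, so readers can check the announcement before acting on it. Separately, the signed body says "within a week" but carries no date of its own; the only date is in the file name `2021-12-06-vulnerability-multisig.md`, which is lost when the signed text is copied elsewhere, so future signed announcements would be clearer with an absolute date inside the signed text.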