mirror of
https://github.com/monero-project/monero-site.git
synced 2024-12-23 03:59:26 +00:00
Merge pull request #1897 from erciccione/vuln-multisig
blog: add post about multisig vulnerability
commit
d38ce6fe59
1 changed files with 63 additions and 0 deletions
63
_posts/2021-12-06-vulnerability-multisig.md
Normal file
|
@ -0,0 +1,63 @@
|
|||
---
|
||||
layout: post
|
||||
title: Vulnerabilities identified in Monero multisignature wallet code
|
||||
summary: Some vulnerabilities have been identified in the implementation of Monero multisignature wallets
|
||||
tags: [urgent]
|
||||
author: binaryFate (Core Team)
|
||||
---
|
||||
|
||||
{% t global.lang_tag %}
|
||||
|
||||
```
|
||||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA256
|
||||
|
||||
Dear Monero users and participants of the Monero ecosystem,
|
||||
|
||||
Some vulnerabilities have been identified in the implementation of
|
||||
Monero multisignature wallets.
|
||||
These vulnerabilities do not affect the theory supporting multisigs,
|
||||
but affect the current wallet code implementing them.
|
||||
|
||||
Initially disclosed and discussed via the vulnerability response
|
||||
process*, the discussion has been enlarged to other key developers and
|
||||
MRL contributors. We agreed together that a public announcement had to
|
||||
be made.
|
||||
|
||||
These vulnerabilities affect (i) multisignature wallet creation and
|
||||
(ii) multisignature transaction signing.
|
||||
They can lead to funds being stolen by one of the signing parties.
|
||||
|
||||
Until a fix is released, we strongly recommend not to perform any
|
||||
multisignature transaction unless all signing parties can be trusted.
|
||||
If all signing parties cannot be trusted, no transaction should be
|
||||
attempted. Funds are not at risk if they are not moved and if the
|
||||
wallet-creation process was not abused.
|
||||
|
||||
A fix is currently being reviewed. At this stage we hope to have a
|
||||
pull request ready within a week, together with a more detailed
|
||||
description of the issues.
|
||||
|
||||
Regards,
|
||||
|
||||
binaryFate
|
||||
|
||||
|
||||
* https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE_PROCESS.md
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAEBCAAdFiEEgaxZH+nEtlxYBq/D8K9NRioL35IFAmGtGA0ACgkQ8K9NRioL
|
||||
35JLBw//fZ4tcOCFRgoM+kiLVNVgziqio1PJl7w73BGjP7A3I0ieGPZtHfDk28ua
|
||||
okSRzWVKqm94Ruy7qAaDHwASxwmJ4MELaBzufx5WqMjhKWhYi87P6ZLEP2n1eVee
|
||||
TXmQ2lIy5JfKBXRI+wtmZsXLjWLajgztP0MCJGF1+QW9RawpsIuTkfyDPkrHsK32
|
||||
0u3oC5XsdxETP8wu9LAsGVAsQ+xISZ//zkWlyqOWEkRxXhFUOLBmJ8OOPJ96WZ4x
|
||||
RMqijDjE2ZcOXPT5pLKwX+A+p9wHEpe7tDLe6F179F+rkWda3Cy6wqBztR8+LtI0
|
||||
yPBDqI5k1eu4kwTke7WcNKBjwzkd8qxvPo1kQ1btj4PukxrlDLPcJc2g4vCvuSkb
|
||||
XkYzZB6fcT64bXqVnJJdeWYTBI3mDAQgOMGnU63zIA3pqYpPG44hXpFH9KXeFOwq
|
||||
O60xuKd7uYVkCRA0FckkSWABy2008/qk9APwKCWwg9Md07advkCAOlNVqjF9CrTE
|
||||
CZvyL3tywbbCpQsV1qeM29WM+yU5mjkz4Q3NvtHdL+c0jWElOmJDgs7RRz2bmsiX
|
||||
ZCfbR78Y4fTnUMOdBVqU1yLDUg7nZYRnTyD6ORhpgEc12BJV4nDc+mkBqPiR2hTe
|
||||
DLh4ZNqeIRFgX2M1Q1w9Kap2xXLV5dRMe0e/3amASKf2KJ8WBSY=
|
||||
=HZgv
|
||||
-----END PGP SIGNATURE-----
|
||||
```
|
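Review bot: the clearsigned block that closes the post (from `-----BEGIN PGP SIGNED MESSAGE-----` to `-----END PGP SIGNATURE-----`) is published with no indication of which key signed it or where readers can obtain that key, so the signature cannot be checked from the post alone. Consider adding a line outside the code fence that gives the signer's key fingerprint and links to where the key is published. Keeping the signed text inside the fence is the right call, since any reflow of those lines by the site build would break verification. Separately, the front-matter `summary:` only says that vulnerabilities exist; if that field is what post listings display, it could carry the interim recommendation from the body (no multisignature transactions unless all signing parties can be trusted).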