--- layout: post title: Vulnerabilities identified in Monero multisignature wallet code summary: Some vulnerabilities have been identified in the implementation of Monero multisignature wallets tags: [urgent] author: binaryFate (Core Team) --- {% t global.lang_tag %} ``` -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Dear Monero users and participants of the Monero ecosystem, Some vulnerabilities have been identified in the implementation of Monero multisignature wallets. These vulnerabilities do not affect the theory supporting multisigs, but affect the current wallet code implementing them. Initially disclosed and discussed via the vulnerability response process*, the discussion has been enlarged to other key developers and MRL contributors. We agreed together that a public announcement had to be made. These vulnerabilities affect (i) multisignature wallet creation and (ii) multisignature transaction signing. They can lead to funds being stolen by one of the signing parties. Until a fix is released, we strongly recommend not to perform any multisignature transaction unless all signing parties can be trusted. If all signing parties cannot be trusted, no transaction should be attempted. Funds are not at risk if they are not moved and if the wallet-creation process was not abused. A fix is currently being reviewed. At this stage we hope to have a pull request ready within a week, together with a more detailed description of the issues. Regards, binaryFate * https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE_PROCESS.md -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEgaxZH+nEtlxYBq/D8K9NRioL35IFAmGtGA0ACgkQ8K9NRioL 35JLBw//fZ4tcOCFRgoM+kiLVNVgziqio1PJl7w73BGjP7A3I0ieGPZtHfDk28ua okSRzWVKqm94Ruy7qAaDHwASxwmJ4MELaBzufx5WqMjhKWhYi87P6ZLEP2n1eVee TXmQ2lIy5JfKBXRI+wtmZsXLjWLajgztP0MCJGF1+QW9RawpsIuTkfyDPkrHsK32 0u3oC5XsdxETP8wu9LAsGVAsQ+xISZ//zkWlyqOWEkRxXhFUOLBmJ8OOPJ96WZ4x RMqijDjE2ZcOXPT5pLKwX+A+p9wHEpe7tDLe6F179F+rkWda3Cy6wqBztR8+LtI0 yPBDqI5k1eu4kwTke7WcNKBjwzkd8qxvPo1kQ1btj4PukxrlDLPcJc2g4vCvuSkb XkYzZB6fcT64bXqVnJJdeWYTBI3mDAQgOMGnU63zIA3pqYpPG44hXpFH9KXeFOwq O60xuKd7uYVkCRA0FckkSWABy2008/qk9APwKCWwg9Md07advkCAOlNVqjF9CrTE CZvyL3tywbbCpQsV1qeM29WM+yU5mjkz4Q3NvtHdL+c0jWElOmJDgs7RRz2bmsiX ZCfbR78Y4fTnUMOdBVqU1yLDUg7nZYRnTyD6ORhpgEc12BJV4nDc+mkBqPiR2hTe DLh4ZNqeIRFgX2M1Q1w9Kap2xXLV5dRMe0e/3amASKf2KJ8WBSY= =HZgv -----END PGP SIGNATURE----- ```