mirror of
https://github.com/monero-project/monero-site.git
synced 2024-12-24 12:39:46 +00:00
63 lines
No EOL
2.4 KiB
Markdown
63 lines
No EOL
2.4 KiB
Markdown
---
|
|
layout: post
|
|
title: Vulnerabilities identified in Monero multisignature wallet code
|
|
summary: Some vulnerabilities have been identified in the implementation of Monero multisignature wallets
|
|
tags: [urgent]
|
|
author: binaryFate (Core Team)
|
|
---
|
|
|
|
{% t global.lang_tag %}
|
|
|
|
```
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA256
|
|
|
|
Dear Monero users and participants of the Monero ecosystem,
|
|
|
|
Some vulnerabilities have been identified in the implementation of
|
|
Monero multisignature wallets.
|
|
These vulnerabilities do not affect the theory supporting multisigs,
|
|
but affect the current wallet code implementing them.
|
|
|
|
Initially disclosed and discussed via the vulnerability response
|
|
process*, the discussion has been enlarged to other key developers and
|
|
MRL contributors. We agreed together that a public announcement had to
|
|
be made.
|
|
|
|
These vulnerabilities affect (i) multisignature wallet creation and
|
|
(ii) multisignature transaction signing.
|
|
They can lead to funds being stolen by one of the signing parties.
|
|
|
|
Until a fix is released, we strongly recommend not to perform any
|
|
multisignature transaction unless all signing parties can be trusted.
|
|
If all signing parties cannot be trusted, no transaction should be
|
|
attempted. Funds are not at risk if they are not moved and if the
|
|
wallet-creation process was not abused.
|
|
|
|
A fix is currently being reviewed. At this stage we hope to have a
|
|
pull request ready within a week, together with a more detailed
|
|
description of the issues.
|
|
|
|
Regards,
|
|
|
|
binaryFate
|
|
|
|
|
|
* https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE_PROCESS.md
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQIzBAEBCAAdFiEEgaxZH+nEtlxYBq/D8K9NRioL35IFAmGtGA0ACgkQ8K9NRioL
|
|
35JLBw//fZ4tcOCFRgoM+kiLVNVgziqio1PJl7w73BGjP7A3I0ieGPZtHfDk28ua
|
|
okSRzWVKqm94Ruy7qAaDHwASxwmJ4MELaBzufx5WqMjhKWhYi87P6ZLEP2n1eVee
|
|
TXmQ2lIy5JfKBXRI+wtmZsXLjWLajgztP0MCJGF1+QW9RawpsIuTkfyDPkrHsK32
|
|
0u3oC5XsdxETP8wu9LAsGVAsQ+xISZ//zkWlyqOWEkRxXhFUOLBmJ8OOPJ96WZ4x
|
|
RMqijDjE2ZcOXPT5pLKwX+A+p9wHEpe7tDLe6F179F+rkWda3Cy6wqBztR8+LtI0
|
|
yPBDqI5k1eu4kwTke7WcNKBjwzkd8qxvPo1kQ1btj4PukxrlDLPcJc2g4vCvuSkb
|
|
XkYzZB6fcT64bXqVnJJdeWYTBI3mDAQgOMGnU63zIA3pqYpPG44hXpFH9KXeFOwq
|
|
O60xuKd7uYVkCRA0FckkSWABy2008/qk9APwKCWwg9Md07advkCAOlNVqjF9CrTE
|
|
CZvyL3tywbbCpQsV1qeM29WM+yU5mjkz4Q3NvtHdL+c0jWElOmJDgs7RRz2bmsiX
|
|
ZCfbR78Y4fTnUMOdBVqU1yLDUg7nZYRnTyD6ORhpgEc12BJV4nDc+mkBqPiR2hTe
|
|
DLh4ZNqeIRFgX2M1Q1w9Kap2xXLV5dRMe0e/3amASKf2KJ8WBSY=
|
|
=HZgv
|
|
-----END PGP SIGNATURE-----
|
|
``` |