Monero (XMR) Team Identifies Vulnerabilities in the Multisignature Wallet Code
The Monero tech team has identified some vulnerabilities in the implementation of Monero multi-signature wallets. These vulnerabilities affect the wallet code that is currently implementing them. They do not affect the theory supporting the multisigs.
Previous Monero Wallet Bugs That Led to Theft
The issue was first disclosed and discussed by the vulnerability response process. They included the key developers and the MRL contributors in the discussion and they agreed to make a public announcement. The vulnerabilities in the code affect the multi-signature transaction signing and the multi-signature wallet creation. These can lead to loss of funds to one of the signing parties.
The Monero tech team strongly recommends its users avoid performing any multi-signature transactions until a fix is released. One can proceed with transactions if one of the signing parties can be trusted. No transactions should be attempted if there is no trust between all the signing parties. Funds are not at risk if the wallet creation process was not abused and if they are not moved.
Monero was before riddled with security vulnerabilities. They allowed hackers to steal coins from wallets of exchange desks. The hackers forged transaction data and used it to trick supporting staff to manually credit their account with extra XMR. They simply copied the code from Monero’s wallet. With this code, these attackers could manipulate the amounts shown by the wallet when taking part in transactions between addresses.
The bugs appeared to extend to other Monero-based-coins. The attackers were able to also steal ARQ coins from the wallet of the Altex exchange desk. Other bugs include the Python script exploit that made it possible to destroy active nodes on the network. Another is the Denial of Service attack vector that could be used to clog the Monero blockchain. They patched the flaws. They introduced bug bounties to prevent damage to their blockchain.
About Monero Multisig
Multisig means that a transaction requires multiple signatures before it can be submitted to the Monero blockchain network and executed. One will need a group of wallets and collaboration between them to transact. Instead of one Monero wallet signing, creating, and submitting transactions all on its own.
The people controlling these wallets are authorized signers. Not all authorized signers need to sign before the validation of a transaction. This depends on the type of multisig used. You need a subset of them. The corresponding number is called the required signers. It could be equal to or smaller than the number of authorized signers.
