[vulnerability] Multisig view secret key disclosure #3389
Comments
There's a warning when running prepare_multisig telling you about it fwiw.
Hit BP next please. :)
ok, I'll close this issue since it's an assumed use case
@naughtyfox don't be a tool, use responsible disclosure. If you don't, you won't be eligible for a bounty.
@anonimal thank you for the advice. Since it's a pre-release concern I decided to post it here for some reason. Hope to fit in the community soon
Problem
I've been discovering the monero multisignature implementation and figured out that the initial key exchange round is insecure.
Since the multisig view secret key is calculated as follows:
the eavesdropper (insecure connection, malicious multisig wallet service, etc.) can restore the view secret key just by summing hashes.
Proof-of-Concept
Here is quick PoC code (a modified monero-gen-trusted-multisig utility): https://github.com/naughtyfox/monero/blob/view-key-disclosure/src/gen_multisig/gen_multisig.cpp#L133-L144 (you may build and run it yourself).
Example output:
Here you can see that the restored view secret key is af9558f8c3e036a088f4d5c66050e5117d3ce35aff2faa8c32cf4ea7d1f49304, the same as each of the wallets owns.
Consequences
Knowing the view secret and spend public keys (a, B), an attacker may see incoming money transfers to a particular wallet, which leads to a lower privacy level.
Proposed Solution
To make the key exchange round secure, monero needs to implement a key exchange protocol such as ECDH for N participants (it may require additional key exchange rounds).
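The contrast the issue draws, as an added example that is not code from the issue or from the Monero code base: a key formed by summing values sent in the clear is visible to a passive observer, while a Diffie-Hellman round puts only public values on the wire. SHA-256, the toy two-party DH group (standing in for ECDH for N participants) and all function names are assumptions; the sample secrets are constructed.

```python
import hashlib

# Order of the Ed25519 scalar group (secret keys are integers mod ORDER).
ORDER = 2**252 + 27742317777372353535851937790883648493
# Toy finite-field DH group standing in for ECDH (assumption, demo only).
P, G = 2**255 - 19, 2


def h2s(data: bytes) -> int:
    """Hash to scalar; SHA-256 is a stand-in for the wallet's own hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "little") % ORDER


def sum_of_hashes(values):
    """Shared view key as the issue describes it: a sum of per-signer hashes."""
    return sum(values) % ORDER


def insecure_round(secrets):
    """Each signer sends its hash in the clear; returns (key, transcript)."""
    transcript = [h2s(s) for s in secrets]   # everything that crosses the wire
    return sum_of_hashes(transcript), transcript


def dh_round(x_a: int, x_b: int):
    """Two signers exchange public values only; returns (key, transcript)."""
    pub_a, pub_b = pow(G, x_a, P), pow(G, x_b, P)
    shared_a = pow(pub_b, x_a, P)            # computed locally by signer A
    shared_b = pow(pub_a, x_b, P)            # computed locally by signer B
    assert shared_a == shared_b
    return h2s(shared_a.to_bytes(32, "little")), [pub_a, pub_b]


def eavesdropper(transcript):
    """Passive observer: sums whatever it saw on the wire."""
    return sum_of_hashes(transcript)


# Constructed sample secrets, not real wallet keys.
SECRETS = [b"constructed-signer-1", b"constructed-signer-2"]

if __name__ == "__main__":
    key, seen = insecure_round(SECRETS)
    print("sum-of-hashes round, observer has key:", eavesdropper(seen) == key)
    x_a, x_b = (h2s(s) for s in SECRETS)
    key, seen = dh_round(x_a, x_b)
    print("DH round, observer has key:", eavesdropper(seen) == key)
```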