Alert: Monero Multi-Sig Wallet Code May Be Compromised

Participants in the Monero have been exposed to “vulnerabilities” in the implementation of its multi-signature wallet. The vulnerabilities do not affect the temporary supporting multisigs, but rather the current wallet code implementing them, according to Monero developer binaryFate.

Following the Reddit thread, the vulnerabilities were first released through the vulnerability response process. Developers concluded that it would be best to inform the public for security purposes, which has been well received by the community.

Compromised Code Interferes with Multi-signature Creation and Signing

The Monero multi-sig wallet has the ability to form, sign and submit transactions as a group, with the number of signatures needed to sign a transaction varying depending on the type of wallet. The threat means that interference may be experienced with multisig wallet formation, and it may also affect transaction signing.

The compromise could result in funds stolen by one of the parties to the signing. While attending to a solution, Monero has urged its customers to remain calm, and to avoid multisig transactions where possible.

The team at Monero expects a solution within the next week and will provide customer feedback regarding the situation. Monero has however noted that if multisig parties trust each other, transactions can be performed successfully – funds are not at risk when they remain intact, and if the wallet creation is not abused, all is well with the transaction.

Monero Again in a Compromised Position

Monero regularly finds itself associated with scandal and fraud, with many making a negative connotation with the ecosystem. Earlier this year, Monero was implicated when German authorities arrested an Australian man who ran an illegal marketplace dubbed “The Ebay for criminals”. The man had received payments via cryptos with transactions worth 4650 Bitcoin and 12,000 Monero taking place.

In August, Monero was again implicated in a massive fraud case when its former lead maintainer, Riccardo Spagni, aka “Fluffy Pony”, was arrested in the US and extradited to South Africa to face charges of alleged fraud-linked offences between 2009 and 2011. “Fluffy Pony” has been accused of stealing approximately US$100,00 from his former employer by creating false invoices and redirecting payments to his personal bank accounts. If convicted, he faces 20 years in prison.