Author: jan matejek 2019-05-08 07:54:53
Published on: 2019-05-08T07:54:53+00:00
In a bitcoin-dev thread, Dmitry Petukhov suggests that a hardware wallet can sign a message consisting of xpubs of participants and auxiliary text during the setup phase. However, this seems overly complicated, and the purpose of this method is not clear. The thread discusses the threat model and suggests that each individual multisig signature signs the set of signers. Therefore, if an attacker provides bad xpubs, the signature won't be valid for the given multisig output. The input==output check is sufficient to ensure that the change goes to the same multisig wallet. The weak spot in the process is generating the receiving address, which creates the particular multisig wallet. However, this issue has nothing to do with PSBT. The suggestion of distinguishing trusted outputs even when inputs are not all derived from the same xpubs is deemed an attempt at a much broader problem and won't help if the attacker can replay a different trusted-xpub package containing a revoked previously compromised key.
Updated on: 2023-06-13T18:25:30.975846+00:00