Copay Multisig Vulnerability Reported

Coinspect has reported the existence of a bug in the Copay multi-signature Bitcoin wallet produced by BitPay. In affected versions of Copay the vulnerability allowed the compromise of one party to empty the shared wallet by submitting a transaction type which would exploit the protocol used by Copay wallets to automatically sign transactions. Coinspect alleges that after reporting the flaw to BitPay on July 20th the flaw was fixed in Copay version 0.4.1 for this particular exploit scenario. Given the nature of this exploit Qntra advises users considering Copay or any multisignature scheme which involves any protocol for automatically engaging additional signers to use extreme caution recommending potential users default to avoiding the shitware involved entirely on first principles. If you trust keys to software that could automatically sign a transaction it could be tricked just as readily into signing a confession.

9 thoughts on “Copay Multisig Vulnerability Reported

  1. >shitware

    Loving this site's articles.

  2. The Coinspect article is one year old.
    One year ago Copay was on early beta release.

    • The advice to avoid trusting keys to automatic signing mechanisms isn't likely to ever escape relevance.

      • In your report you didn't mentioned that the coinspect report is one year old and you are talking about a preliminary release of software. If you don't mention it, your article can be interpreted as FUD aganist copay instead as an advice to avoid trusting keys to automatic signing mechanisms.

    • >The Coinspect article is one year old.
      >One year ago Copay was on early beta release.

      I'm curious why this is being reported a year later too. Maybe the author confused the Aug 2014 news with Aug 2015? (no sarcasm to be clear)

  3. News so slow you can only find stuff one year old?

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>