fixup! fix(core): disallow per-node paths in getaddress

core/src/apps/bitcoin/common.py

@@ -267,8 +267,11 @@ def descriptor_checksum(desc: str) -> str:
 
 
 def multisig_uses_single_path(multisig: MultisigRedeemScriptType) -> bool:
-    if multisig.pubkeys is not None:
+    if not multisig.pubkeys:
+        # Pubkeys are specified by multisig.nodes and multisig.address_n, in this case all the pubkeys use the same path
+        return True
+    else:
+        # Pubkeys are specified by multisig.pubkeys, in this case we check that all the pubkeys use the same path
         return all(
             [hd.address_n == multisig.pubkeys[0].address_n for hd in multisig.pubkeys]
         )
-    return True

core/src/apps/bitcoin/get_address.py

@@ -114,7 +114,15 @@ async def get_address(msg: GetAddress, keychain: Keychain, coin: CoinInfo) -> Ad
 
             await confirm_multisig_warning()
 
-            # An addresss that uses different derivation paths for different xpubs could be difficult to discover
+            # An address that uses different derivation paths for different xpubs
+            # could be difficult to discover if the user did not note all the paths.
+            # The reason is that each path ends with an address index, which can have
+            # 1,000,000 possible values. If the address is a t-out-of-n multisig, the
+            # total number of possible paths is 1,000,000^n. This can be exploited by
+            # an attacker who has compromised the user's computer. The attacker could
+            # randomize the address indices and then demand a ransom from the user to
+            # reveal the paths. To prevent this, we require that all xpubs use the
+            # same derivation path.
             if not multisig_uses_single_path(multisig):
                 if safety_checks.is_strict():
                     raise ValueError(