diff --git a/core/src/apps/bitcoin/common.py b/core/src/apps/bitcoin/common.py
index bc107a8061..d8426375dc 100644
--- a/core/src/apps/bitcoin/common.py
+++ b/core/src/apps/bitcoin/common.py
@@ -267,8 +267,11 @@ def descriptor_checksum(desc: str) -> str:
 def multisig_uses_single_path(multisig: MultisigRedeemScriptType) -> bool:
- if multisig.pubkeys is not None:
+ if not multisig.pubkeys:
+ # Pubkeys are specified by multisig.nodes and multisig.address_n, in this case all the pubkeys use the same path
+ return True
+ else:
+ # Pubkeys are specified by multisig.pubkeys, in this case we check that all the pubkeys use the same path
 return all(
 [hd.address_n == multisig.pubkeys[0].address_n for hd in multisig.pubkeys]
 )
- return True
diff --git a/core/src/apps/bitcoin/get_address.py b/core/src/apps/bitcoin/get_address.py
index eb0736353d..ede6686471 100644
--- a/core/src/apps/bitcoin/get_address.py
+++ b/core/src/apps/bitcoin/get_address.py
@@ -114,7 +114,15 @@ async def get_address(msg: GetAddress, keychain: Keychain, coin: CoinInfo) -> Ad
 await confirm_multisig_warning()
- # An addresss that uses different derivation paths for different xpubs could be difficult to discover
+ # An address that uses different derivation paths for different xpubs
+ # could be difficult to discover if the user did not note all the paths.
+ # The reason is that each path ends with an address index, which can have
+ # 1,000,000 possible values. If the address is a t-out-of-n multisig, the
+ # total number of possible paths is 1,000,000^n. This can be exploited by
+ # an attacker who has compromised the user's computer. The attacker could
+ # randomize the address indices and then demand a ransom from the user to
+ # reveal the paths. To prevent this, we require that all xpubs use the
+ # same derivation path.
 if not multisig_uses_single_path(multisig):
 if safety_checks.is_strict():
 raise ValueError(
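Review bot: The early `return True` in multisig_uses_single_path assumes that an empty `multisig.pubkeys` means the keys come from `multisig.nodes` and the shared `multisig.address_n`, but nothing in this hunk checks that only one of the two modes is populated. Because get_address uses the result as a safety gate, the function should state that precondition, for example with a docstring such as `"""Return True if every cosigner key is derived along the same path; assumes the message was already validated so that exactly one of pubkeys/nodes is set."""`. Whether that validation runs before this call is not visible in the diff and is worth confirming, since otherwise the check could inspect a different field than the one the address is derived from. As a smaller style point, `all(...)` can take a generator expression instead of building a list first.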
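Review bot: The new comment ends with "we require that all xpubs use the same derivation path", but the code directly below raises only inside `if safety_checks.is_strict():`, so the requirement as worded is stronger than what the visible lines enforce. The last sentence would be more accurate as `# To prevent this, under strict safety checks we refuse addresses whose xpubs use different derivation paths.`, with the non-strict behaviour described next to the branch that implements it. That branch and the rest of get_address lie outside the hunk, so the non-strict handling is inferred rather than seen. The comment should also name where the 1,000,000 bound on the address index is enforced, so that the figure does not drift from the path validation it relies on.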