Fiat-Shamir Transcript Forking in monero-oxide CLSAG Multisig
Description
Security analysis of Fiat-Shamir transcript binding in the monero-oxide CLSAG threshold multi-signature implementation. The analysis identifies that omitting individual nonce binding from the signing challenge derivation reduces the protocol to the ROS problem, enabling forged ring signatures. The vulnerability class is correctly described and the attack geometry is valid. Post-disclosure review confirmed that individual nonce binding is provided by the upstream modular-frost dependency via serai-dex/serai (crypto/frost/src/sign.rs), a dependency that was not traced during the initial analysis, which examined monero-clsag directly. The proof of concept demonstrates the ROS attack in isolation. The report includes a formal description of the transcript fork, a severity classification, and a proposed remediation patch.
Files
| Name | Size | Checksum |
|---|---|---|
| blakframe-monero-oxide-clsag-disclosure-2026-03.pdf | 204.1 kB | md5:e7031fa74c11d2007707ce46cdc1ecaf |
Additional details
Related works
- Software: https://github.com/serai-dex/serai/blob/737dbcbaa78ab817cc1c435cb2b6c5d24d1c4391/crypto/frost/src/sign.rs
Dates
- Created: 2026-03-07 (initial analysis and proof of concept completed)
- Submitted: 2026-03-08 (disclosed to monero-oxide maintainers via Immunefi)
- Accepted: 2026-03-08 (disclosure reviewed by monero-oxide team)
- Copyrighted: 2026-03-08 (Copyright BLAKFRAME LTD)