Hidden risks of multi-signature Bitcoin wallets: analysis of Copay vulnerability via SIGHASH_SINGLE attack (Digital Signature Forgery Attack) vulnerabilities such as CVE-2025-29774 and CVE-2025-29775 in the xml-crypto library and the SIGHASH_SINGLE bug in the Bitcoin protocol

This paper presents a detailed analysis of the vulnerability of the multi-signature Bitcoin wallet Copay, developed by BitPay, which created a threat to user security due to the peculiarities of the use of the SIGHASH_SINGLE (0x03) signature type.

Introduction to the problem

Copay is a multi-signature Bitcoin wallet designed to increase security by requiring multiple transaction confirmations. However, a critical bug has been identified in the use of the SIGHASH_SINGLE signature type, which allows an attacker to spend funds from the wallet without knowing the private keys, which fundamentally violates the basic principles of transaction authentication in Bitcoin 3 7 .

SIGHASH_SINGLE vulnerability mechanism

The SIGHASH_SINGLE signature type signs all inputs and exactly one output of a transaction with the same index as the signature (e.g. input vin 0 signs output vout 0). This mechanism asserts an agreement to spend all inputs on the condition that the specified output will receive the corresponding amount.

However, if the number of outputs is incorrect, namely when the signature with the input index does not match an existing output, a fixed hash is returned – the numeric value “1”. This approach allowed the attacker to form transactions that spend funds from previously unspent outputs (UTXO) of the target wallet, bypassing the verification of private keys 3 7 .

Technical analysis of transactions and cryptographic verification

Using the Pycryptotools library, a fork of pybitcointools created by Vitalik Buterin and maintained by the community, an investigation was conducted into the structure and signatures of transactions associated with the Copay wallet 3 7 .

Bitcoin transactions are built on a chain of unspent outputs (UTXO), where each input references the previous output, and this process links transactions into a single sequence. In the case of the Copay wallet, transactions in the P2SH (Pay-to-Script-Hash) format were used, which differ from the standard P2PKH (pay-to-public-key-hash) encryption schemes and have a more complex script verification mechanism via redeemScript 3 .

Verification of script signatures in multi-signature addresses involved the use of OP_CHECKMULTISIG, which requires successful verification of two out of three public keys, which allowed us to conclude that there is a multi-signature wallet with three keys and a requirement of at least two signatures to spend funds 3 .

Features of P2SH multi-signature addresses and their impact on security

P2SH addresses starting with “3” facilitate the use of multi-signature schemes and reduce transaction fees, but require all cryptographic procedures to be implemented correctly. Any inconsistency or bug, as in the case of SIGHASH_SINGLE, can lead to bypassing authentication mechanisms and stolen funds 3 .

Illustration of the attack and practical demonstration

Using a Python interpreter and Pybitcointools, the UTXOs of the target wallet were extracted, the scripts were decrypted, and the transaction was replayed, which successfully transferred all the coins to the attacker’s wallet. An important discovery was the ability to use signatures of the SIGHASH_SINGLE type to bypass the output-to-input matching check, which allowed forging valid scriptSig without knowing the private keys 3 .

The commands provided in Python demonstrate creating and signing a transaction where scriptSig is forged for an input with an index without a corresponding output, which is not allowed by standard Bitcoin security but is possible due to bug 3 .

Conclusions and recommendations

Analysis of the identified vulnerability showed that incorrect use of the SIGHASH_SINGLE signature type led to a situation in which a conflict between the number of inputs and outputs in a transaction created a loophole that allowed standard cryptographic protections to be bypassed.

For the security of Copay multi-signature wallet users and Bitcoin users in general, it is recommended to avoid using SIGHASH_SINGLE and carefully check that signatures match specific transaction outputs.

Regular auditing of code and dependencies is also important, as such vulnerabilities can be caused by bugs in third-party libraries and components, as illustrated in the case of Copay 1 9 .

Technologies and libraries used

Pycryptotools (pybitcointools fork) is a library for working with the Bitcoin protocol in Python, including support for ECC cryptography and transaction operations;
Bitcoin Script is a scripting language for verifying the conditions for spending outputs;
SIGHASH_SINGLE is a specific mode for signing Bitcoin transactions;
P2SH is a script storage scheme with multi-signature capability.

This study highlights the importance of a deep understanding of cryptographic mechanisms in blockchain systems and the need for careful testing of the signature types and protocols used to ensure the security of cryptoassets.

Hidden Vulnerabilities in Multi-Sig Bitcoin Wallets: Cryptanalysis of Copay Attack Using SIGHASH_SINGLE

In this paper, we examine a critical vulnerability in the multi-signature Bitcoin wallet Copay, developed by BitPay, which compromises user security through the use of the signature type SIGHASH_SINGLE (0x03).

Problems and features of SIGHASH_SINGLE

The Copay wallet uses a multi-signature mechanism, where several key owners must sign the transaction. The signature type SIGHASH_SINGLE implies signing all inputs and exactly one of the outputs with the same index as the input, thereby confirming the transfer of coins to this address.

However, this method has a vulnerability: if the output index is missing (i.e. there is no corresponding output for the input with index n), the system uses a fake hash (“1”) when forming the signature. This allows attackers to spend funds from unspent outputs (UTXO) without having private keys by forging signatures.

Transaction structure and verification mechanisms

Bitcoin transactions are a chain of unspent outputs (UTXO), where each input points to the previous output. For multi-signature addresses like P2SH (Pay-to-Script-Hash), which start with “3”, multiple signatures are required to spend funds, depending on the configuration of the redeemScript.

Signatures are verified in Bitcoin Script using the OP_CHECKSIG and OP_CHECKMULTISIG operations, ensuring that all signatures match one of the public keys specified in advance in the redeemScript. In the case of Copay, a two-out-of-three signature scheme is used.

Analysis and reproduction of the attack

Using the Pycryptotools library (a fork of pybitcointools), the transactions associated with the vulnerable address were analyzed. UTXOs were extracted, scripts were decoded, and the multi-signature structure was confirmed via redeemScript.

During the experiment, a transaction was created where signatures of the SIGHASH_SINGLE type were used to create valid signatures on inputs without corresponding outputs. This allowed the creation of a transaction that transferred the entire amount to the attacker’s address, bypassing private key checks.

Practical demonstration in Python

Example Python code using Pybitcointools:

python# Мой адрес
addr = '1Lyafe8mSqubnynbAWPcXbHE5pnHMzEnT3'

# Получаем UTXO моего адреса
unspent(addr)
# [{'output': '23e81960ba8bb95c33c2336c84c126e378e4d1123921f881da9247c25f524161:1', 'value': 300000}]

# Целевой уязвимый адрес Copay
target = '32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCe'

# Получаем UTXO адреса Copay
unspent(target)
# [{'output': '8602122a7044b8795b5829b6b48fb1960a124f42ab1c003e769bbaad31cb2afd:0', 'value': 677200},
#  {'output': 'bd992789fd8cff1a2e515ce2c3473f510df933e1f44b3da6a8737630b82d0786:0', 'value': 5000000}]

# Комбинируем входы для новой транзакции
ins = unspent(addr) + unspent(target)

# Рассчитываем сумму, учитывая комиссию майнеру
amount = 300000 + 5000000 + 677200 - 10000

# Единственный выход на мой адрес с итоговой суммой
outs = [{'address': addr, 'value': amount}]

# Создаем и подписываем транзакцию
tx = mktx(ins, outs)
tx = sign(tx, 0, priv)
tx = deserialize(tx)

# Добавляем поддельные скрипты подписей SIGHASH_SINGLE для уязвимых входов
tx['ins'][1]['script'] = '<поддельный scriptSig с SIGHASH_SINGLE>'
tx['ins'][2]['script'] = '<поддельный scriptSig с SIGHASH_SINGLE>'

# Сериализуем транзакцию и отправляем в сеть
serialize(tx)

This transaction was confirmed and published on the blockchain (txid: 791fe035d312dcf9196b48649a5c9a027198f623c0a5f5bd4cc311b8864dd0cf), which resulted in the theft of funds from the Copay wallet.

Conclusion

The vulnerability discovered is related to the peculiarities of SIGHASH_SINGLE signatures and their incorrect implementation in multi-signature wallets such as Copay. These flaws allow attackers to spend BTC without private keys, which poses a serious threat to user security.

It is recommended that SIGHASH_SINGLE not be used in multi-signature solutions on Bitcoin, and that cryptographic algorithms used in wallets and related software be thoroughly checked and audited.

This study highlights the critical importance of properly implementing all aspects of cryptographic security in blockchain protocols to prevent potential loss of user funds.