Scenario: (2-of-3 multisig) one of the hardware wallets is running malware and uses an attacker's xpub instead of the one derived from the recovery phrase. This swapped xpub is reported to all of the other cosigners and the software wallet. All signing devices corroborate that they are all using the same set of xpubs, and that their respective sets of receive addresses match the ones displayed in the software wallet. But the funds sent to these addresses don't belong to the owner, as their redeem scripts were created using an xpub the owner does not have knowledge of.
If the owner were to wipe the devices and recover their multisig setup on a new set of devices free of malware, they would be shown a completely different wallet with empty addresses. In order to recover their funds they would need the missing xpub from the previously malware-infected hardware wallet.
Question: If this scenario is possible, isn't multisig actually less secure than single sig, since a single malware-infected hardware wallet still compromises the entire setup, but now instead of an attack surface of one hardware wallet, you now have three (from different brands with different vulnerabilities) that can be compromised?
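The scenario above, as an added example that is not part of the original post: cosigners agreeing with each other does not detect the swap, while comparing each registered xpub against one derived independently from the recovery phrase does. The descriptor, fingerprints and `XPUB_*` strings are constructed placeholders, and the independent derivation on a clean device is assumed to have been done separately.

```python
import re

# One key expression inside an output descriptor: [fingerprint/origin path]xpub
KEY_RE = re.compile(r"\[([0-9a-f]{8})((?:/\d+[h']?)*)\]([A-Za-z0-9_]+)")

def cosigner_keys(descriptor):
    """Return {master fingerprint: xpub} for every key in a descriptor string."""
    return {fp: xpub for fp, _path, xpub in KEY_RE.findall(descriptor)}

def audit(cosigner_views, independent):
    """cosigner_views: the descriptor as shown by each device and the software wallet.
    independent: {fingerprint: xpub} derived from each recovery phrase on a clean,
    separate device (assumed input, not computed here).
    Returns (views_agree, fingerprints whose xpub is missing or does not match)."""
    parsed = [cosigner_keys(d) for d in cosigner_views]
    views_agree = all(p == parsed[0] for p in parsed)
    registered = parsed[0]
    bad = {fp for fp, xpub in registered.items() if independent.get(fp) != xpub}
    bad |= set(independent) - set(registered)  # expected cosigner not registered
    return views_agree, sorted(bad)

# Constructed sample: the third device reports its real fingerprint but an
# attacker-controlled xpub, and every participant stores that same descriptor.
DESCRIPTOR_SEEN = (
    "wsh(sortedmulti(2,"
    "[aaaaaaaa/48h/0h/0h/2h]XPUB_A/0/*,"
    "[bbbbbbbb/48h/0h/0h/2h]XPUB_B/0/*,"
    "[cccccccc/48h/0h/0h/2h]XPUB_ATTACKER/0/*))"
)
INDEPENDENT = {"aaaaaaaa": "XPUB_A", "bbbbbbbb": "XPUB_B", "cccccccc": "XPUB_C"}

if __name__ == "__main__":
    # Three signing devices plus the software wallet all show the same descriptor.
    agree, mismatched = audit([DESCRIPTOR_SEEN] * 4, INDEPENDENT)
    print("cosigners agree with each other:", agree)
    print("xpubs not matching independent derivation:", mismatched)
```

The fingerprint is only metadata supplied by the reporting device, so the comparison is on the xpub itself, keyed by the fingerprint the owner expects.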