Not co-signed multi-signatures transactions get confirmed

[4miners]

Affected version:

0.5.0f

Steps to replicate:

• init multi-signature creation on owner
  curl -k -H "Content-Type: application/json" -X PUT -d '{"secret":"owner_secret","lifetime":72,"min":2,"keysgroup":["+co-owner1_pubkey","+co_owner2_pubkey"] }' https://testnet.lisk.io/api/multisignatures

• sign tx from co-owner1
  curl -k -H "Content-Type: application/json" -X POST -d '{"secret":"co-owner1_secret","transactionId":"tx_init_id"}' https://testnet.lisk.io/api/multisignatures/sign

• sign tx from co-owner2
  curl -k -H "Content-Type: application/json" -X POST -d '{"secret":"co-owner1_secret","transactionId":"tx_init_id"}' https://testnet.lisk.io/api/multisignatures/sign

Now we have valid multi-signature account. Every transaction sent from that account (owner) should require sign from co-owner1 and co-owner2 to get confirmed. But instead all transactions get confirmed immediately, same as normal transactions.

That can affects previously created multi-signatures accounts and compromise their funds, so suspension of push this version to mainnet until that issue is resolved is strongly recommended.

[karmacoma]

@4miners: Thanks for bring this to our attention.

We have a reasonable test suite which passing all ok. I've also repeated the above steps and the multisignature tx remains in /api/transactions/multisignatures pool until both co-signers have signed the tx. Once signed the tx is moved into /api/transactions/queued and then finally /api/transactions/unconfirmed.

Unless I'm missing something, all is good here.

[4miners]

After more tests with @Isabello I can also confirm that it working as intended. Cause was different, so closing it now.