Board: Development & Technical Discussion
Re: Does a multi-sig wallet protect from random private key attacks?
by nc50lc on 08/05/2022, 11:43:09 UTC
-snip-
Is the above true? If an attacker were to randomly come across my private key, he can move the funds without requiring the origin keys that resulted in the multi sig?
It's true, but not in that scenario (are those the actual words from the source?).
The attacker could come across a different private key that can produce a "scriptHash" that's exactly the same as your MultiSig's scriptHash.
In that case, he can use his own "redeem Script" to spend your funds.
It's about the "collision" explained by BlackHatCoiner.

I used to think that multisig is enforced on chain and the chain would require the signatures of both keys to move the funds.
If we disregard the scriptHash collision and just go by your question above:
if the attacker came across your private key and wants to spend the funds of the MultiSig setup, then he needs to come across the cosigners' private keys too.
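As an added illustration (example code, not from nc50lc's post or from any wallet's code base) of what a P2SH output actually commits to and what a node checks on spend: the scriptPubKey holds only HASH160(redeemScript), so the revealed script is accepted on the hash match alone, and only after that does its own m-of-n rule run. It assumes Python's hashlib (OpenSSL build) exposes ripemd160, uses constructed stand-in keys, and abstracts signature verification to a list of keys assumed to have signed.

```python
import hashlib

# Constructed sample keys (not real keys): 33-byte compressed-key stand-ins, one per cosigner.
COSIGNER_KEYS = [b"\x02" + bytes([i]) * 32 for i in (1, 2, 3)]
OUTSIDER_KEY = b"\x03" + bytes([9]) * 32

def hash160(data: bytes) -> bytes:
    """HASH160 = RIPEMD160(SHA256(data)): the 20-byte value a P2SH output commits to."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()

def push(data: bytes) -> bytes:
    """Direct push opcode for 1..75 bytes of data (covers 33-byte keys and 20-byte hashes)."""
    return bytes([len(data)]) + data

def multisig_redeem_script(m: int, pubkeys: list) -> bytes:
    """OP_m <pubkey>... OP_n OP_CHECKMULTISIG (OP_1..OP_16 = 0x51..0x60, OP_CHECKMULTISIG = 0xAE)."""
    n = len(pubkeys)
    return bytes([0x50 + m]) + b"".join(push(pk) for pk in pubkeys) + bytes([0x50 + n, 0xAE])

def parse_multisig(script: bytes):
    """Recover (m, [pubkeys]) from a script produced by multisig_redeem_script."""
    m, keys, i = script[0] - 0x50, [], 1
    while not 0x51 <= script[i] <= 0x60:  # key pushes continue until the OP_n byte
        length = script[i]
        keys.append(script[i + 1:i + 1 + length])
        i += 1 + length
    assert script[i] - 0x50 == len(keys) and script[i + 1] == 0xAE
    return m, keys

def p2sh_script_pubkey(redeem_script: bytes) -> bytes:
    """OP_HASH160 <20-byte hash> OP_EQUAL: the chain stores the hash only, never the script."""
    return b"\xa9" + push(hash160(redeem_script)) + b"\x87"

def p2sh_spend_allowed(script_pubkey: bytes, revealed_script: bytes, signer_keys: list) -> bool:
    """The two checks a node makes on a P2SH spend; signer_keys = keys whose signatures are assumed valid."""
    committed_hash = script_pubkey[2:22]
    # 1. The revealed script is accepted solely because HASH160(script) equals the committed hash.
    #    Nothing ties it to the keys that built the address: a different script with the same
    #    HASH160 would pass this step, which is the collision the post refers to.
    if hash160(revealed_script) != committed_hash:
        return False
    # 2. Only then does the revealed script's own rule run: m of its listed keys must sign.
    m, keys = parse_multisig(revealed_script)
    return sum(1 for k in signer_keys if k in keys) >= m

if __name__ == "__main__":
    redeem = multisig_redeem_script(2, COSIGNER_KEYS)
    spk = p2sh_script_pubkey(redeem)
    print(spk.hex(), p2sh_spend_allowed(spk, redeem, COSIGNER_KEYS[:1]),  # False: one stolen key
          p2sh_spend_allowed(spk, redeem, COSIGNER_KEYS[:2]))  # True: two of three cosigners sign
```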