Version 3.1.0 and below have an integer overflow when used on 16-bit platforms that makes elliptic curves unusable. (The fix has been back ported to versions 2.0.7 and 1.1.2.)
Version 2.0.3 and below have a critical vulnerability that cause
crypto_check()to accept bogus signatures as genuine. (The fix has been back ported to version 1.1.1.) Full disclosure.
Version 2.0.2 and below read uninitialised memory when computing BLAKE2b hashes, which is undefined behaviour under the C and C++ standards. Current compilers generate correct code.
Versions between 1.1.0 and 2.0.1 fail to compile when we turn on Ed25519 compatibility.
Versions 1.0.1 and below use
crypto_memcmp(), which could not be guaranteed to run in constant time in practice, despite the absence of secret-dependent branch in the original source code. The fear of subsequent timing attacks led to its deprecation. Version 1.1.0 and above use the fixed size
Versions 2.0.1 and below fail to wipe some of their internal buffers.
Versions 1.0.0 and below do not wipe their internal buffers. This can facilitate the exfiltration of data if the computer Monocypher runs on is compromised.