A Critical Flaw Was Exposed, And Resolved, At Tron: How $500M Was Almost Wiped Out

by Murtuza Merchant, Benzinga Staff Writer
May 31, 2023 11:59 AM | 2 min read | Make a Comment
Zinger Key Points
  • The recently discovered vulnerability exploited an assumption in TRON's multisig transaction verification process.
  • 0d listed possible attack scenarios leveraging the vulnerability.

There was a serious security flaw in the TRON TRON/USD blockchain network, according to dWallet Labs' cybersecurity research team, 0d.

The issue, reported on Feb. 19, has since been resolved.

What Happened: The vulnerability could have bypassed the multisig security protocols of TRON. As a result, more than $500 million in digital assets held in TRON multisig accounts were threatened.

Also Read: XRP Breaks Chains: Epic Surge Amid Tense Ripple-SEC Showdown

Why It Matters: TRON is a significant player in the global blockchain arena. It boasts over 144 million users and ranks second to Ethereum ETH/USD in terms of Total Value Locked (TVL) and stablecoin circulation.

The blockchain network utilizes multisig or Multi-Party Computation (MPC) for creating joint accounts.

In this setup, a threshold of signers is required to approve a transaction, effectively providing enhanced security.

The recently discovered vulnerability exploited an assumption in TRON's multisig transaction verification process: that there cannot be two different valid signatures for the same message by the same individual. This was proven false in light of TRON's ECDSA signature scheme.

This flaw could allow the generation of multiple valid signatures for the same message using the same private key.

0d Suggests Two Attack Scenarios

  1. An attacker with at least one weight permission could execute transactions in every multisig wallet, regardless of the threshold.
  2. An attacker could exploit a transaction partially signed by someone with permissions, but without reaching the threshold.

The vulnerability has been addressed by TRON after the report from 0d.

The solution was simple: Checking the signed address against the list of addresses instead of matching the signature against the list of signatures.

This fix effectively secures the TRON blockchain network, protecting the assets of its vast user base.

Meanwhile, a TRON representative told The Block that they indeed received a bug report from HackerOne. The team sprung into action to rectify the issue and implemented the needed fixes to prevent any possible exploitation of the vulnerability.

The detected problem has been successfully dealt with, thus reinstating the security of the system.

Now Read: India To Leverage G-20 Presidency To Spark Global Crypto Conversation

Market News and Data brought to you by Benzinga APIs

© 2024 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.

Posted In: CryptocurrencyNewsMarketsBlockchainCrypto Bugcryptocurrency securityDigital AssetsdWalletHackerOne Bug BountyMultisig AccountsStablecointotal value locked
Benzinga simplifies the market for smarter investing

Trade confidently with insights and alerts from analyst ratings, free reports and breaking news that affects the stocks you care about.

Join Now: Free!