TRON avoided $500M multisig vulnerability

Security researchers revealed on May 30th a TRON blockchain vulnerability that previously put $500 million in cryptocurrency at risk.

One signer may have accessed multiple accounts

The 0d research team at dWallet labs said the TRON blockchain has a critical zero-day vulnerability that puts multisig accounts at risk of theft.

Multisig accounts, as the name suggests, require multiple signatures before any transaction can be executed. However, a vulnerability found in TRON allowed a single signer associated with a particular multisig account to gain sole access to the funds within that account.

We found that due to an oversight in TRON’s approach to multisig, the verification process did not verify all the necessary information. According to the 0d researchers, this attack would have “completely overcome” TRON’s multisig security.

Team member Omer Sadhika wrote:

“… the multisig verification process [could have been] circumvented by signing the same message with a nondeterministic nonce… Simply put, one signer can create multiple valid signatures for the same message.”

According to the researchers, the solution to this problem was simple. Signatures are now matched against a list of addresses, not just a list of signatures.
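
The flawed check and its fix, as an added example (not TRON's code or the researchers'): a toy Schnorr scheme with random nonces stands in for TRON's real signatures, and every name and parameter below is an assumption made for illustration. It shows that de-duplicating on signature values lets one signer satisfy a 2-of-2 threshold, while counting distinct signer addresses does not.

```python
import hashlib
import secrets

# Toy Schnorr parameters, constructed for illustration (not TRON's signature scheme).
P = 2**127 - 1  # Mersenne prime; exponents are reduced mod P - 1
G = 3

def _challenge(r: int, msg: bytes) -> int:
    digest = hashlib.sha256(r.to_bytes(16, "big") + msg).digest()
    return int.from_bytes(digest, "big") % (P - 1)

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)  # (private key, public key used here as the "address")

def sign(x: int, msg: bytes):
    k = secrets.randbelow(P - 2) + 1  # random nonce: each call gives a new signature
    r = pow(G, k, P)
    s = (k + _challenge(r, msg) * x) % (P - 1)
    return pow(G, x, P), r, s  # (signer address, commitment, response)

def verify(sig, msg: bytes) -> bool:
    y, r, s = sig
    return pow(G, s, P) == (r * pow(y, _challenge(r, msg), P)) % P

def approved_by_signature(sigs, msg, owners, threshold) -> bool:
    """Flawed check: duplicates are detected by signature value only."""
    valid = [s for s in set(sigs) if s[0] in owners and verify(s, msg)]
    return len(valid) >= threshold

def approved_by_signer(sigs, msg, owners, threshold) -> bool:
    """Fixed check: each authorised address counts at most once."""
    signers = {s[0] for s in sigs if s[0] in owners and verify(s, msg)}
    return len(signers) >= threshold

if __name__ == "__main__":
    (a_key, a_addr), (b_key, b_addr) = keygen(), keygen()
    owners, msg = {a_addr, b_addr}, b"constructed 2-of-2 transaction"
    same_signer = [sign(a_key, msg), sign(a_key, msg)]
    both_signers = [sign(a_key, msg), sign(b_key, msg)]
    print("flawed, one signer twice:", approved_by_signature(same_signer, msg, owners, 2))
    print("fixed,  one signer twice:", approved_by_signer(same_signer, msg, owners, 2))
    print("fixed,  both signers:    ", approved_by_signer(both_signers, msg, owners, 2))
```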

The vulnerability was reported in February

The 0d research team said they reported the issue through TRON’s bug bounty program on February 19th. The team added that TRON patched the vulnerability in a matter of days, and said that now most TRON validators have been patched.

In a separate Twitter statement, the researchers stressed that the vulnerability was fixed so “user assets are not at risk.”

TRON has yet to release its own official statement.

The post “TRON avoided $500M multisig vulnerability” first appeared on CryptoSlate.