
Security firm exposes $500m vulnerability in TRON’s multisig accounts

crypto.news 31 May 2023 06:48, UTC

Security researchers have recently disclosed a critical zero-day vulnerability in the TRON blockchain that could potentially expose $500 million worth of cryptocurrency to theft.

The vulnerability, discovered by the 0d research team at dWallet Labs, specifically affected multisig accounts on the TRON blockchain.

0d, our superstar cybersecurity research team, discovered a vulnerability in TRON multisig accounts putting over $500M of digital assets at risk – it was disclosed and fixed so there are no user assets at risk now.

A technical breakdown: https://t.co/nMj6kV6Oc3

— dWallet Labs (@dWalletLabs) May 30, 2023

Multisig accounts require multiple signatures to authorize a transaction. However, the flaw in TRON’s approach to multisig allowed any signer associated with a particular multisig account to gain access to the funds within that account independently, without requiring the approval of other signers.

This oversight in TRON’s verification process enabled an attacker to bypass the blockchain’s multisig security entirely.

Omer Sadika, a member of the 0d research team, explained:

“The multisig verification process could have been bypassed by signing the same message with non-deterministic nonces… Simply put, one signer can create multiple valid signatures for the same message.”

The fix for this critical vulnerability was relatively straightforward: signatures are now checked against a list of signer addresses, rather than the threshold being counted from the list of signatures alone.
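To make the difference between the two checks concrete, here is an added model of the threshold logic (example code, not TRON’s own implementation). The cryptography is mocked: a signature is a tuple whose address is what public-key recovery would return and whose nonce stands in for the random per-signature value, so each call to sign() yields a distinct but equally valid signature over the same message.

```python
"""Model of a multisig threshold check: signature-counting vs. signer-counting.

ECDSA is not implemented here; only the counting logic that the
disclosure describes is modelled, with mocked sign/recover functions.
"""
from collections import namedtuple
import secrets

# Mocked signature: 'address' is what public-key recovery would yield,
# 'nonce' stands in for the random value that makes two signatures over
# one message differ byte-for-byte (constructed, not real ECDSA output).
Signature = namedtuple("Signature", ["address", "nonce"])


def sign(address: str, message: bytes) -> Signature:
    """Mock signing: every call returns a fresh, distinct, valid signature."""
    return Signature(address, secrets.token_hex(8))


def recover_address(sig: Signature, message: bytes) -> str:
    """Mock public-key recovery: maps a signature back to its signer."""
    return sig.address


def verify_by_signatures(message, sigs, owners, threshold) -> bool:
    """Flawed design: counts distinct *signatures* from valid owners.

    Because signatures are non-deterministic, one owner can contribute
    several distinct signatures and reach the threshold alone.
    """
    seen, weight = set(), 0
    for sig in sigs:
        if sig in seen:            # only exact duplicates are rejected
            continue
        addr = recover_address(sig, message)
        if addr in owners:
            seen.add(sig)
            weight += owners[addr]
    return weight >= threshold


def verify_by_addresses(message, sigs, owners, threshold) -> bool:
    """Patched design: counts distinct *signer addresses*, one vote each."""
    signed = set()
    for sig in sigs:
        addr = recover_address(sig, message)
        if addr in owners:
            signed.add(addr)       # extra signatures from one owner add nothing
    return sum(owners[a] for a in signed) >= threshold
```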


TRON’s swift response to multisig security flaw

The 0d research team promptly reported the vulnerability through TRON’s bug bounty program on Feb. 19. TRON swiftly patched the vulnerability within days, and the researchers confirmed that most TRON validators had implemented the necessary patches.

In a separate statement on Twitter, the researchers emphasized that no user assets are currently at risk since the vulnerability has been successfully resolved.

As of now, TRON has not issued a public statement regarding the incident.

More recent vulnerabilities

The latest development coincides with the discovery of a significant privacy vulnerability within the Monero blockchain. Notably, the Monero bug remained undetected on the network for over three years before it was identified and promptly resolved.


In yet another blow to the DeFi sector, the Jimbos Protocol, built on the Arbitrum network, fell victim to a severe exploit resulting in the loss of 4,000 Ether, equivalent to approximately $7.5 million.

The recent developments highlight the importance of rigorous security measures and thorough auditing processes in blockchain technologies. Identifying and addressing vulnerabilities swiftly is crucial to maintaining the security and integrity of cryptocurrency networks.
