Tron Blockchain MultiSig Accounts Risked $500 Million

On May 30, security experts revealed a flaw in the TRON blockchain that had previously exposed $500 million in cryptocurrency.

In a significant discovery, the 0d research team at dWallet Labs uncovered a critical zero-day vulnerability in the TRON blockchain that could have potentially led to the theft of funds from multisig accounts.

The theft could easily have happened, as the zero-day vulnerability allowed any signatory to “completely overcome the multisig security provided by TRON.”

Multisig accounts require multiple signatures to authorize transactions, ensuring added security. However, the vulnerability found in TRON allowed any signatory associated with a multisig account to gain unauthorized access to the funds within it.

The failure was attributed to oversights in TRON’s approach to multisig, where the verification process failed to validate all the necessary information. TRON’s multisig check ensured that the submitted signatures were unique rather than verifying that the signers behind them were unique.

This loophole, as the 0d researchers highlighted, would have completely bypassed TRON’s multisig security by allowing a signatory to “double vote,” that is, sign twice. Simply put, one signer can create multiple valid signatures for the same message, and each distinct signature was counted toward the threshold.

Fortunately, the solution to this vulnerability was relatively straightforward. The researchers proposed checking signatures against a list of signer addresses instead of relying only on a list of signatures. This simple change prevents the unauthorized access and improves the overall security of multisig accounts.
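To make the distinction between "unique signatures" and "unique signers" concrete, here is an added, constructed example; it is not code from TRON, java-tron or dWallet Labs. It uses a toy secp256k1 ECDSA implementation with public-key recovery (educational only), a 2-of-3 threshold with equal weights, constructed private scalars and nonces, and `hashlib.sha3_256` as an offline stand-in for the Keccak-256 address derivation TRON actually uses, so the addresses are not real TRON addresses. ECDSA lets a key holder produce a different valid signature for the same message simply by choosing a different nonce, which is all a single signer needs to "double vote" against a check that deduplicates signatures; the fixed check deduplicates the recovered signer addresses instead.

```python
import hashlib

# Minimal secp256k1 ECDSA with public-key recovery (educational toy, not production code).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def sign(priv, e, k):
    """ECDSA over message hash e with nonce k -> (r, s, recovery_id).
    Every nonzero nonce gives a different valid signature from the same key."""
    x, y = _mul(k, G)
    r = x % N
    s = pow(k, -1, N) * (e + r * priv) % N
    assert r and s, "degenerate nonce; pick another"
    return (r, s, (y & 1) | (2 if x >= N else 0))

def recover(e, sig):
    """Recover the signer's public key: Q = r^-1 * (s*R - e*G)."""
    r, s, rec_id = sig
    x = r + (N if rec_id & 2 else 0)
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)  # square root works because P % 4 == 3
    if (y & 1) != (rec_id & 1):
        y = P - y
    if (y * y - x ** 3 - 7) % P:
        raise ValueError("r is not the x-coordinate of a curve point")
    e_g = _mul(e % N, G)
    q = _mul(pow(r, -1, N), _add(_mul(s, (x, y)), (e_g[0], -e_g[1] % P)))
    if q is None:
        raise ValueError("invalid signature")
    return q

def address(pub):
    """Stand-in address: last 20 bytes of sha3_256(pubkey). Assumption: TRON uses Keccak-256,
    which hashlib lacks; the identity still derives from the key, which is what matters here."""
    raw = pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")
    return hashlib.sha3_256(raw).digest()[-20:]

def _weight_check(e, sigs, permitted, threshold, dedupe_by_signer):
    """permitted maps signer address -> weight. Rejects unknown signers and duplicates."""
    weight, seen = 0, set()
    for sig in sigs:
        signer = address(recover(e, sig))
        if signer not in permitted:
            raise ValueError("signature from an address outside the permission list")
        key = signer if dedupe_by_signer else sig
        if key in seen:
            raise ValueError("duplicate " + ("signer" if dedupe_by_signer else "signature"))
        seen.add(key)
        weight += permitted[signer]
    return weight >= threshold

def threshold_met_vulnerable(e, sigs, permitted, threshold):
    """Deduplicates signatures only: two distinct signatures from one key both count."""
    return _weight_check(e, sigs, permitted, threshold, dedupe_by_signer=False)

def threshold_met_fixed(e, sigs, permitted, threshold):
    """Deduplicates signers: each permitted address contributes its weight at most once."""
    return _weight_check(e, sigs, permitted, threshold, dedupe_by_signer=True)

def demo():
    """Constructed 2-of-3 multisig; the first signer submits two signatures on one transaction."""
    e = int.from_bytes(hashlib.sha256(b"constructed transaction: transfer 1000 TRX").digest(), "big")
    privs = [0x1111, 0x2222, 0x3333]  # constructed toy private scalars
    permitted = {address(_mul(d, G)): 1 for d in privs}
    alone = [sign(privs[0], e, 0xABC), sign(privs[0], e, 0xDEF)]  # same key, two nonces
    vulnerable = threshold_met_vulnerable(e, alone, permitted, threshold=2)
    try:
        fixed = threshold_met_fixed(e, alone, permitted, threshold=2)
    except ValueError:
        fixed = False
    return vulnerable, fixed

if __name__ == "__main__":
    print("single signer reaches 2-of-3? vulnerable=%s fixed=%s" % demo())
```

`demo()` returns `(True, False)`: the signature-deduplicating check accepts one signer's two signatures as a quorum, while the signer-deduplicating check rejects the second signature from the same address. The fixed check still accepts two different permitted signers, which is the behaviour a multisig is meant to have.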

The 0d research team promptly reported the vulnerability to TRON through its bug bounty program on February 19. Within days, TRON patched the security issue, and most TRON validators have since applied the fix.

In a reassuring statement on Twitter, the researchers emphasized that no user resources are currently at risk since the vulnerability has been resolved.

Although TRON has yet to issue a public statement on the matter, the swift action taken to address the vulnerability demonstrates the importance of proactive security measures and the significant role that responsible researchers play in identifying and reporting such vulnerabilities.
