Security firm exposes $500m vulnerability in TRON’s multisig accounts
Security researchers have recently disclosed a critical zero-day vulnerability in the TRON blockchain that could potentially expose $500 million worth of cryptocurrency to theft.
The vulnerability, discovered by the 0d research team at dWallet Labs, specifically affected multisig accounts on the TRON blockchain.
Multisig accounts require multiple signatures to authorize a transaction. However, the flaw in TRON’s approach to multisig allowed any signer associated with a particular multisig account to gain access to the funds within that account independently, without requiring the approval of other signers.
This oversight in TRON’s verification process allowed an attacker to bypass the blockchain’s multisig security entirely.
Omer Sadika, a member of the 0d research team, explained:
“The multisig verification process could have been bypassed by signing the same message with non-deterministic nonces…Simply put, one signer can create multiple valid signatures for the same message.”
The fix for this critical vulnerability was relatively straightforward: signatures are now checked against a list of addresses rather than relying solely on a list of signatures.
TRON’s swift response to multisig security flaw
The 0d research team promptly reported the vulnerability through TRON’s bug bounty program on Feb. 19. TRON swiftly patched the vulnerability within days, and the researchers confirmed that most TRON validators had implemented the necessary patches.
In a separate statement on Twitter, the researchers emphasized that no user assets are currently at risk since the vulnerability has been successfully resolved.
As of now, TRON has not issued a public statement regarding the incident.
More recent vulnerabilities
The latest development coincides with the discovery of a significant privacy vulnerability within the Monero blockchain. Notably, the Monero bug remained undetected on the network for over three years before it was identified and promptly resolved.
In yet another blow to the DeFi sector, the Jimbos Protocol, built on the Arbitrum network, fell victim to a severe exploit resulting in the loss of 4,000 Ether, equivalent to approximately $7.5 million.
The recent developments highlight the importance of rigorous security measures and thorough auditing processes in blockchain technologies. Identifying and addressing vulnerabilities swiftly is crucial to maintaining the security and integrity of cryptocurrency networks.