Tron vulnerability put $500 million at risk; now 'resolved'

Quick Take

  • Tron had a critical vulnerability in its multisig accounts that put $500 million at risk, but it is now “resolved.”
  • The bug was found in February, fixed “within days,” and made public now.

The Tron blockchain network had a critical vulnerability that put $500 million at risk but is now fixed — according to 0d — the cybersecurity research team at dWallet Labs that found the bug.

The critical zero-day vulnerability pertained to Tron's multisig accounts, which could have allowed any single signer to gain unrestricted access, potentially jeopardizing the digital assets held within, 0d said Tuesday. The vulnerability was reported on Feb. 19 by 0d to Tron via the latter's bug bounty program on HackerOne and fixed "within days."

A Tron spokesperson confirmed to The Block that the network's team received a bug report from HackerOne, and the team then "swiftly addressed the issue and applied necessary patches to ensure that the vulnerability could not be exploited."

"We can confidently affirm that the identified problem has been effectively resolved, thereby securing the system," the spokesperson added.

Root cause 

The root cause of the vulnerability lied in an "assumption behind the verification process," said Omer Sadika, cofounder of Odsy Network, which manages 0d and dWallet Labs.

"The verification process on Tron checked whether a specific signature was already tallied before it was tallied towards the threshold," Sadika said. "So the assumption is that two different valid signatures for the same message can't be created by the same person."

While the vulnerability was critical, its solution was easy, according to 0d. "Instead of checking the signature against the list of signatures, check the signed address against the list of addresses," it said.

Tron paid 0d $1,000 in bounty, the Tron spokesperson said, adding that "both parties reached a consensus that it was a high-priority bug instead of a critical vulnerability."

Tron is the second-largest blockchain network behind Ethereum, in terms of total value locked and stablecoin circulation, according to DefiLlama. The Tron TVL currently stands at around $6 billion and its circulation of stablecoins stands at over $45 billion.

(Updates with a bounty amount)

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.