Security researchers disclosed a vulnerability in the TRON blockchain on May 30 that previously put $500 million of crypto at risk.
One signer could have accessed mulitisig accounts
The 0d research team at dWallet labs said that a critical zero-day vulnerability in the TRON blockchain left multisig accounts open to theft.
Multi-sig accounts must be signed by multiple signatures before they execute a transaction, as the name suggests. However, the vulnerability found in TRON would have allowed any signer associated with any given multisig account to single-handedly access the funds within that account.
Oversights in TRON’s approach to multisig meant that its verification process did not verify all necessary information. This line of attack would have “completely overcome” TRON’s multisig security, according to 0d researchers.
Team member Omer Sadika wrote:
” … The multisig verification process [could have been] bypassed by signing the same message with non-deterministic nonces…Simply put, one signer can create multiple valid signatures for the same message.”
The solution to this problem was simple, according to researchers. Signatures are now checked against a list of addresses, not just a list of signatures.
Vulnerability was reported in February
The 0d research team said that they reported the issue via TRON’s bug bounty program on Feb. 19. The team added that TRON patched the vulnerability in days, and they said that most TRON validators are now patched.
Researchers emphasized in a separate Twitter statement that “there are no user assets at risk” now that the vulnerability has been fixed.
TRON has not yet issued its own public statement.