TRON Avoids $500 Million Multi-Signature Vulnerability

The bug has been patched and no user assets are at risk.

Security researchers disclosed a vulnerability in the TRON blockchain on May 30 that previously put $500 million in the cryptocurrency at risk.

A signer may have accessed a multi-signature account

A critical zero-day vulnerability in the TRON blockchain makes multi-signature accounts vulnerable to theft, according to the 0d research team at dWallet Labs.

As the name suggests, multi-signature accounts must go through multiple signatures before a transaction can be executed. However, a vulnerability discovered in TRON would allow any signer associated with any given multisig account to individually access the funds in that account.

TRON's negligence with its multi-signature approach means its verification process does not verify all necessary information. According to the 0d researchers, this type of attack would "completely overcome" TRON's multi-signature security.

Team member Omer Sadika wrote:

"...the multi-signature verification process could have been circumvented by signing the same message using a non-deterministic random number...In short, a single signer could create multiple valid signatures for the same message."

According to the researchers, the solution to this problem is simple. Signatures are now checked against a list of addresses, not just a list of signatures.

Vulnerability reported in February

The 0d research team said they reported the issue via TRON's bug bounty program on February 19. The team added that TRON had patched the vulnerability within a few days, and they stated that most TRON validators are now patched.

In a separate Twitter statement, the researchers emphasized that "no user assets are at risk" now that the vulnerability has been fixed.

TRON has yet to issue a public statement of its own.