Tron vulnerability put $500 million at risk; now ‘resolved’

The Tron blockchain network had a critical vulnerability that put $500 million at risk but has now been fixed, according to 0d, the cybersecurity research team at dWallet Labs that found the bug.

The critical zero-day vulnerability pertained to Tron’s multisig accounts and could have allowed any single signer to gain unrestricted access, potentially jeopardizing the digital assets held within, 0d said Tuesday. 0d reported the vulnerability to Tron on Feb. 19 via the latter’s bug bounty program on HackerOne, and it was fixed “within days.”

A Tron spokesperson confirmed to The Block that the network’s team received a bug report from HackerOne, and the team then “swiftly addressed the issue and applied necessary patches to ensure that the vulnerability could not be exploited.”

“We can confidently affirm that the identified problem has been effectively resolved, thereby securing the system,” the spokesperson added.

Root cause 

The root cause of the vulnerability lay in an “assumption behind the verification process,” said Omer Sadika, cofounder of Odsy Network, which manages 0d and dWallet Labs.

“The verification process on Tron checked whether a specific signature was already tallied before it was tallied towards the threshold,” Sadika said. “So the assumption is that two different valid signatures for the same message can’t be created by the same person.”

That assumption does not hold for ECDSA, the signature scheme Tron accounts use: signing is randomized, so one key can produce any number of distinct valid signatures for the same message, and each distinct signature would have been counted separately toward the threshold. While the vulnerability was critical, the fix was simple, according to 0d. “Instead of checking the signature against the list of signatures, check the signed address against the list of addresses,” it said.
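To make the root cause concrete, here is an added Python example; it is not code from java-tron (Tron's node implementation) or from 0d. It runs a toy two-of-two multisig tally over real secp256k1 ECDSA with public-key recovery, with the pre-fix check (deduplicate by signature) beside the post-fix check (deduplicate by recovered signer address). The keys, nonces and message are constructed for the demo, and address_of uses SHA-256 as a stand-in for Tron's Keccak-based address derivation; that substitution is an assumption of this example, not a description of Tron's code.

```python
import hashlib
from typing import Dict, List, Optional, Set, Tuple

# secp256k1 domain parameters, the curve Tron (like Ethereum) uses for account signatures.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity
Sig = Tuple[int, int, int]          # (recovery id v, r, s)


def ec_add(p1: Point, p2: Point) -> Point:
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc: Point = None
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def address_of(pub: Tuple[int, int]) -> bytes:
    """Stand-in address derivation (assumption: SHA-256 instead of Tron's
    Keccak-256 with 0x41 prefix, since the stdlib has no Keccak)."""
    raw = pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")
    return hashlib.sha256(raw).digest()[-20:]


def sign(priv: int, z: int, k: int) -> Sig:
    """ECDSA-sign message hash z. The nonce k is passed in so the demo is
    deterministic; real signers derive it per RFC 6979 or draw it at random."""
    x, y = ec_mul(k, G)
    r = x % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return (y & 1, r, s)


def recover(z: int, sig: Sig) -> Point:
    """Recover the signer's public key Q = r^-1 * (s*R - z*G) from (v, r, s)."""
    v, r, s = sig
    if not (0 < r < N and 0 < s < N):
        return None
    y = pow((pow(r, 3, P) + 7) % P, (P + 1) // 4, P)   # sqrt, valid because P % 4 == 3
    if y & 1 != v:
        y = P - y
    return ec_mul(pow(r, -1, N), ec_add(ec_mul(s, (r, y)), ec_mul(N - z % N, G)))


def signer_address(z: int, sig: Sig) -> Optional[bytes]:
    pub = recover(z, sig)
    return None if pub is None else address_of(pub)


def tally_vulnerable(z: int, sigs: List[Sig], weights: Dict[bytes, int]) -> int:
    """Pre-fix logic as 0d describes it: a signature is skipped only if this exact
    signature was already counted, so two different signatures from one key both count."""
    seen: Set[Sig] = set()
    total = 0
    for sig in sigs:
        if sig in seen:
            continue
        seen.add(sig)
        addr = signer_address(z, sig)
        total += weights.get(addr, 0) if addr is not None else 0
    return total


def tally_fixed(z: int, sigs: List[Sig], weights: Dict[bytes, int]) -> int:
    """Post-fix logic: deduplicate on the recovered signer address, so any number
    of signatures from one key count exactly once."""
    seen: Set[bytes] = set()
    total = 0
    for sig in sigs:
        addr = signer_address(z, sig)
        if addr is None or addr in seen:
            continue
        seen.add(addr)
        total += weights.get(addr, 0)
    return total


# Constructed demo inputs: two owners with weight 1 each, threshold 2.
ALICE_PRIV = 0xA11CE
BOB_PRIV = 0xB0B
THRESHOLD = 2
WEIGHTS = {address_of(ec_mul(ALICE_PRIV, G)): 1, address_of(ec_mul(BOB_PRIV, G)): 1}
Z = int.from_bytes(hashlib.sha256(b"constructed tx: move all funds").digest(), "big") % N


def alice_alone() -> Tuple[int, int]:
    """Alice submits three distinct valid signatures without Bob: two with different
    nonces, plus the (r, N - s) malleation of the second (recovery id flipped).
    Returns the weight tallied by the vulnerable check and by the fixed check."""
    s1 = sign(ALICE_PRIV, Z, 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF)
    s2 = sign(ALICE_PRIV, Z, 0x0FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA987654321)
    v, r, s = s2
    s3 = (v ^ 1, r, N - s)   # same key, same message, different bytes
    sigs = [s1, s2, s3]
    return tally_vulnerable(Z, sigs, WEIGHTS), tally_fixed(Z, sigs, WEIGHTS)


if __name__ == "__main__":
    vuln, fixed = alice_alone()
    print(f"vulnerable tally: {vuln} (threshold {THRESHOLD}, passes={vuln >= THRESHOLD})")
    print(f"fixed tally:      {fixed} (threshold {THRESHOLD}, passes={fixed >= THRESHOLD})")
```

With one key and three signatures the vulnerable tally reaches 3 and clears the threshold of 2, while the fixed tally stays at 1. The malleated third signature shows that the issue is not limited to random nonces: even a signer that reuses a deterministic nonce can cheaply mint a second distinct signature for the same message.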

The size of the bounty 0d received from Tron is not clear. Neither 0d nor Tron immediately responded to The Block’s requests for comment.

Tron is the second-largest blockchain network behind Ethereum, in terms of total value locked and stablecoin circulation, according to DefiLlama. The Tron TVL currently stands at around $6 billion and its circulation of stablecoins stands at over $45 billion.

© 2023 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Source: https://www.theblock.co/post/232671/tron-vulnerability-500-million-resolved?utm_source=rss&utm_medium=rss