News

Security firm discovers $500M vulnerability in Tron multisig accounts

Security firm discovers $500M vulnerability in Tron multisig accounts


A research team at dWallet Labs has discovered a zero-day vulnerability in Tron multisig accounts, allowing an attacker to bypass the multi-signature mechanism and sign transactions with a single signature. 

In a technical breakdown post, the research team said the vulnerability could have impacted $500 million in assets held within Tron multisig accounts. This is because it allows any signer to “completely overcome the multisig security offered by TRON.”

0d, our superstar cybersecurity research team, discovered a vulnerability in TRON multisig accounts putting over $500M of digital assets at risk – it was disclosed and fixed so there are no user assets at risk now.

A technical breakdown:https://t.co/nMj6kV6Oc3

— dWallet Labs (@dWalletLabs) May 30, 2023

As its name suggests, multisignature wallets require multiple signers defined in an account to approve transactions and move funds, allowing the creation of joint accounts in crypto. Each signer of the account holds their own keys and the account requires a certain threshold for approving transactions. 

According to the research team, the vulnerability with Tron’s multisig allows generating many valid signatures. They wrote:

“We can bypass the multisig verification process by signing the same message with non-deterministic nonces of our choice. By doing so, we will be able to generate many valid different signatures for the same message by the same private key.”

According to the cybersecurity team, Tron makes sure that the signatures are unique instead of checking if the signers are unique. Because of this, signers can potentially “double vote” or sign twice. Omer Sadika, who works with dWallets, said that the fix was simple — verify the address instead of the number of signatures.

Omer Sadika discussed the vulnerability in a thread. Source: Twitter

The researchers noted that the vulnerability was reported to Tron back in February and was already fixed days after being reported. 

Related: Justin Sun issues apology after Sui LaunchPool clashes with Binance CEO

Cointelegraph reached out to Tron for comments but did not receive a response.

In other news, another decentralized finance (DeFi) protocol recently suffered a $7.5 million exploit. On May 28, blockchain security firm PeckShield reported that Arbitrum-based Jimbos Protocol was hacked, resulting in the loss of 4,000 Ether (ETH).

Magazine: US and China try to crush Binance, SBF’s $40M bribe claim





Source: https://cointelegraph.com/news/tron-multisig-accounts-vulnerability-discovered-by-security-team

Leave a Reply

Your email address will not be published. Required fields are marked *