Researchers Discover Zero-Day Vulnerability in Tron Multisig Accounts, Promptly Resolved
A team of researchers from dWallet Labs recently discovered a zero-day vulnerability within Tron’s multisig accounts, which enabled attackers to bypass the multisignature mechanism and sign transactions with just a single signature.
In a detailed technical breakdown, the research team emphasized the potential impact of this vulnerability on Tron multisig accounts, which hold approximately $500 million worth of assets. The vulnerability effectively allowed any signer to completely circumvent the security measures provided by Tron’s multisig feature.
Multisignature wallets, as the name suggests, require multiple authorized signers to approve transactions and facilitate fund transfers, enabling the establishment of joint accounts in the crypto space. Each account signer possesses their own unique keys, and a specific threshold of signatures is necessary for transaction approval.
According to the research team, the vulnerability in Tron’s multisig system enables the generation of multiple valid signatures. They explained that Tron’s security mechanism verifies the uniqueness of signatures rather than ensuring the uniqueness of signers. As a result, signers have the potential to “double vote” or sign twice. Omer Sadika, CEO of dWallet Labs, stated that the solution was straightforward: verifying the address instead of relying solely on the number of signatures.
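The distinction the researchers describe, checking that signature bytes are distinct rather than that signers are, is easiest to see in the threshold accounting itself. The following is an added example written for this article, not code from Tron or dWallet Labs. It assumes a weighted-permission model (each permitted address carries a weight and the account sets a threshold), and it assumes that cryptographic verification and signer-address recovery have already happened, so each input is the (recovered address, raw signature bytes) pair that step would produce. Because ECDSA uses a random nonce, one key signing the same transaction twice yields two different byte strings, which is exactly what the vulnerable check fails to account for.

```python
"""Toy multisig threshold accounting: vulnerable check beside the hardened one.

Added example, not Tron's or dWallet Labs' code. The weighted-permission
model and the sample addresses and signature bytes below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    address: str  # account address of a permitted signer
    weight: int   # weight this signer contributes toward the threshold


@dataclass(frozen=True)
class Permission:
    threshold: int
    keys: tuple

    def weight_of(self, address: str) -> int:
        """Weight of a permitted address, 0 if the address is not in the permission."""
        return next((k.weight for k in self.keys if k.address == address), 0)


def approve_by_signature(perm: Permission, sigs):
    """Vulnerable accounting: only repeated signature *bytes* are rejected.

    A signer who signs twice produces two distinct signatures, so both pass the
    duplicate check and the same key is counted twice. Returns (approved, reason).
    """
    seen_sigs = set()
    total = 0
    for address, sig in sigs:
        if sig in seen_sigs:
            return False, "duplicate signature"
        seen_sigs.add(sig)
        total += perm.weight_of(address)
    return total >= perm.threshold, f"weight {total} of {perm.threshold}"


def approve_by_signer(perm: Permission, sigs):
    """Hardened accounting: deduplicate on the recovered signer address.

    Also rejects addresses that are not part of the permission at all, rather
    than silently contributing weight 0. Returns (approved, reason).
    """
    seen_addrs = set()
    total = 0
    for address, sig in sigs:
        weight = perm.weight_of(address)
        if weight == 0:
            return False, f"{address} is not a permitted signer"
        if address in seen_addrs:
            return False, f"{address} signed more than once"
        seen_addrs.add(address)
        total += weight
    return total >= perm.threshold, f"weight {total} of {perm.threshold}"


# Constructed sample: a 2-of-3 account with equal weights.
PERM = Permission(
    threshold=2,
    keys=(Key("T-alice", 1), Key("T-bob", 1), Key("T-carol", 1)),
)

# Constructed stand-ins for two randomized ECDSA signatures from the same key
# over the same transaction (real signatures are 65 bytes; the bytes here are
# placeholders chosen only to differ).
DOUBLE_VOTE = [("T-alice", bytes.fromhex("a1")), ("T-alice", bytes.fromhex("a2"))]

# Constructed legitimate case: two different permitted signers.
LEGIT = [("T-alice", bytes.fromhex("a1")), ("T-bob", bytes.fromhex("b1"))]


if __name__ == "__main__":
    for label, sigs in (("double vote", DOUBLE_VOTE), ("legit", LEGIT)):
        print(label, "by signature:", approve_by_signature(PERM, sigs))
        print(label, "by signer:   ", approve_by_signer(PERM, sigs))
```

Running the block shows the double-vote transaction approved by the signature-keyed check and rejected by the signer-keyed one, while the legitimate two-signer transaction passes both. The hardened version also treats an unknown address as a hard failure instead of a zero-weight contribution, so a malformed signature list cannot pass by accident.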
The researchers promptly reported the vulnerability to Tron in February, and the issue was swiftly addressed and resolved within a matter of days.
Cointelegraph reached out to Tron for comments but did not receive a response.
In unrelated news, another decentralized finance (DeFi) protocol recently fell victim to an exploit, resulting in a loss of $7.5 million. Blockchain security firm PeckShield reported on May 28 that Jimbos Protocol, which operates on the Arbitrum network, experienced a hack that led to the theft of 4,000 Ether.