Security researchers recently uncovered a critical zero-day vulnerability in the TRON blockchain, potentially jeopardizing $500 million worth of cryptocurrencies. The flaw allowed unauthorized access to multi-sig accounts, enabling a single signer to exploit the vulnerability and gain control over the funds. This article delves into the nature of the vulnerability, the impact it had on TRON’s security, and the steps taken to address the issue.
The Vulnerability:
TRON’s multi-sig accounts, which require multiple signatures for transaction execution, suffered from a verification oversight. The flaw allowed any signer associated with a mult-isig account to unilaterally access the funds without requiring the remaining signatures. Researchers from the 0d research team at dWallet labs discovered that by signing the same message with non-deterministic nonces, a single signer could generate multiple valid signatures, bypassing the multi-sig verification process entirely.
The Solution:
The researchers proposed a simple yet effective solution to rectify the vulnerability. Instead of solely relying on a list of signatures, TRON’s verification process now cross-references signatures against a list of addresses. This additional check ensures that all necessary information is properly verified, enhancing the security of multi-sig accounts within the TRON blockchain.
Reporting and Patching:
The 0d research team responsibly disclosed the vulnerability to TRON through the platform’s bug bounty program on February 19. TRON promptly patched the vulnerability within a matter of days, demonstrating its commitment to maintaining a robust and secure blockchain infrastructure. The researchers also clarified that the majority of TRON validators have implemented the necessary patches to address the vulnerability, minimizing the risk to user assets.
While the recent disclosure of a zero-day vulnerability in the TRON blockchain raised concerns about the security of multi-sig accounts, the issue has been effectively resolved. Thanks to the timely efforts of the 0d research team and TRON’s swift response, the vulnerability has been patched, and there are no longer any user assets at risk. TRON’s commitment to maintaining a secure ecosystem is commendable, and its proactive approach to addressing vulnerabilities demonstrates its dedication to protecting the investments and assets of its users.
