Critical Vulnerability in Tron’s Multisig Mechanism Exposed $500M in Digital Assets: Report
Publikováno: 30.5.2023
According to a report published by the cybersecurity research team known as 0d, a division of Dwallet Labs, researchers discovered a critical vulnerability in the Tron network’s native multi-sig mechanism. The cybersecurity experts explained that the vulnerability could have impacted more than $500 million worth of digital assets held in Tron multi-sig accounts. 0d specified […]
According to a report published by the cybersecurity research team known as 0d, a division of Dwallet Labs, researchers discovered a critical vulnerability in the Tron network’s native multi-sig mechanism. The cybersecurity experts explained that the vulnerability could have impacted more than $500 million worth of digital assets held in Tron multi-sig accounts. 0d specified that Tron’s development team addressed the problem by creating a patch for the bug.
Cybersecurity Researchers Summarize Bug Found Tied to Tron’s Multisig Mechanism, Tron Devs Patch the Vulnerability
On May 30, 2023, the research team 0d from Dwallet Labs published a report that uncovers a vulnerability in Tron’s native multisig scheme. The vulnerability enables any signer of a multi-sig account to bypass the network’s security measures, irrespective of the designated threshold and number of signers. “This vulnerability impacts over $500M in digital assets that are held in Tron multi-sig accounts,” 0d reported on Tuesday.
The researchers further stated that Tron’s developers were notified about the bug on February 19, 2023, and the programmers created a patch to address the problem. 0d said that the majority of Tron’s validators have already implemented the patch to prevent any potential exploitation of the vulnerability. “We have received a bounty reward for a high severity vulnerability via the Tron bounty program,” the cybersecurity research team disclosed.
0d explained that the vulnerability originated from the verification process of multisig transactions within the Tron network. The network depends on the uniqueness of signatures for identical messages from an individual. However, because of the deterministic nature of the signature generation process outlined in RFC 6979, an untrustworthy signer can utilize various nonces (random numbers) to generate multiple valid signatures for the same message while employing the same private key.
The revelation of the Tron multi-sig mechanism bug coincides with the discovery of a privacy vulnerability in the Monero blockchain. The bug is said to have existed on the Monero network for three years and has since been addressed. While discussing the Tron multi-sig problem, 0d researcher Omer Sadika explained that with the deployment of the fix, $500 million is now “secured.”
What are your thoughts on the recent vulnerability discovered in Tron’s multi-sig mechanism? Share your insights and opinions in the comments section below.