$500M vulnerability found in Tron multisig accounts by security firm

A research team at dWallet Labs has found a vulnerability in Tron multisig accounts, which allows an attacker to bypass the multisignature mechanism and sign transactions with a single signature. In a post detailing the technical breakdown of the vulnerability, the research team stated that this could have affected $500 million in assets held in Tron multisig accounts. This is because it allows any signer to “completely overcome the multisig security offered by TRON.”

0d, our superstar cybersecurity research team, discovered a vulnerability in TRON multisig accounts putting over $500M of digital assets at risk – it was disclosed and fixed so there are no user assets at risk now. A technical breakdown: https://t.co/nMj6kV6Oc3

— dWallet Labs (@dWalletLabs) May 30, 2023

As the name suggests, multisignature wallets require multiple signers defined in an account to approve transactions and move funds, allowing for the creation of joint accounts in crypto. Each account signer holds their own keys, and the account requires a certain threshold for approving transactions.

According to the research team, Tron’s multisig vulnerability allows for generating many valid signatures. They wrote:

“We can bypass the multisig verification process by signing the same message with non-deterministic nonces of our choice. By doing so, we will be able to generate many valid different signatures for the same message by the same private key.”

The cybersecurity team stated that Tron ensures the signatures are unique instead of checking if the signers are unique. Because of this, signers can potentially “double vote” or sign twice. Omer Sadika, the CEO of dWallet Labs, said that the fix was simple: verify the address instead of the number of signatures.

The researchers noted that the vulnerability was reported to Tron in February and fixed days after.

In other news, another decentralized finance protocol recently suffered a $7.5 million exploit. On May 28, blockchain security firm PeckShield reported that Arbitrum-based Jimbos Protocol was hacked, resulting in the loss of 4,000 Ether (ETH).

We will continue to update Phone&Auto; if you have any questions or suggestions, please contact us!

Share:

Was this article helpful?

93 out of 132 found this helpful

Discover more

BlockChain

Swell Introduces Layer-2 Restaking Rollup in Partnership with AltLayer and EigenLayer

Swell teamed up with Ethereum scaler AltLayer and a16z-backed crypto-staking project EigenLayer to create the rollup,...

Market

Ether.Fi will launch the ETHFI token on Binance Launchpool next week.

Liquid restaking protocols, such as Ether.Fi, utilize Ethereum's proof-of-stake blockchain to enhance the security of...

Bitcoin

HTX Crypto Exchange Bounces Back in Style

HTX crypto exchange resumes Bitcoin transactions after recovering from $30 million hot wallet hack.

DeFi

Decentralized Finance and the Rise of Liquid Restaking Tokens (LRTs) on Ethereum

The emergence of popular liquid restaking platforms such as Puffer and Ether.Fi has generated billions of dollars in ...

BlockChain

DeFi Dilemma: Staking Ether Goes Liquid!

Fashion company Ether.fi secures $5.3 million in seed funding from North Island VC in March.

Opinion

EigenLayer's Sreeram Kannan on Ethereum's risky 'restaking' trend

In an exciting interview, Sreeram Kannan, the visionary founder of EigenLayer and a trailblazer in the field of resta...