Skip to main content

Security firm discovers $500M vulnerability in Tron multisig accounts

After reporting the vulnerability to Tron in February, the researchers highlighted that the issue was promptly addressed and resolved within a few days.

A research team at dWallet Labs has discovered a zero-day vulnerability in Tron multisig accounts, allowing an attacker to bypass the multisignature mechanism and sign transactions with a single signature.

In a technical breakdown post, the research team said the vulnerability could have impacted $500 million in assets held in Tron multisig accounts. This is because it allows any signer to “completely overcome the multisig security offered by TRON.”

As its name suggests, multisignature wallets require multiple signers defined in an account to approve transactions and move funds, allowing the creation of joint accounts in crypto. Each account signer holds their own keys and the account requires a certain threshold for approving transactions. 

According to the research team, the vulnerability with Tron’s multisig allows for generating many valid signatures. They wrote:

“We can bypass the multisig verification process by signing the same message with non-deterministic nonces of our choice. By doing so, we will be able to generate many valid different signatures for the same message by the same private key.”

According to the cybersecurity team, Tron ensures the signatures are unique instead of checking if the signers are unique. Because of this, signers can potentially “double vote” or sign twice. Omer Sadika, the CEO of dWallet Labs, said the fix was simple: verify the address instead of the number of signatures.

Sadika discussed the vulnerability in a thread. Source: Twitter

The researchers noted that the vulnerability was reported to Tron in February and fixed days after.

Related: Justin Sun issues apology after Sui LaunchPool clashes with Binance CEO

Cointelegraph reached out to Tron for comments but did not receive a response.

In other news, another decentralized finance protocol recently suffered a $7.5 million exploit. On May 28, blockchain security firm PeckShield reported that Arbitrum-based Jimbos Protocol was hacked, resulting in the loss of 4,000 Ether (ETH).

Magazine: US and China try to crush Binance, SBF’s $40M bribe claim



from https://ift.tt/gVIDPWB
https://ift.tt/8PINn5Y
Labels:

Comments

Post a Comment

Any questions, Please.

Popular posts from this blog

ENS DAO delegates offer perspective on DAO governance and decentralized identity

AlphaWallet CEO and Spruce co-founder talk about their roles as contributors to the Ethereum Name Service following the project's recent airdrop. Earlier this month, the Ethereum Name Service, or ENS, formed a decentralized autonomous organization, or DAO, for the ENS community.  Cointelegraph spoke to two ENS DAO delegates who applied for the opportunity to represent the community and stay involved in the decision making process: Victor Zhang, CEO of AlphaWallet, an open source Ethereum wallet, and Gregory Rocco, co-founder of Spruce, a decentralized ID and data toolkit for developers. Zhang spoke about his experience as an external contributor to ENS and an early supporter since 2018. Zhang initially sought to help ENS by offering Alpha Wallet as a user-friendly tool for  resolving .eth names and cryptocurrency wallet addresses. Essentially, if a user inputs an .eth name in the AlphaWallet, it will show the wallet address, and vice versa using reverse resolution. Alpha...
Post a Comment
Read more

How Social Platform Chingari is Using Web 3.0 to Transform the Traditional Way We Use Social Media

The world is changing. This isn’t news to anyone, but sometimes it is nice to realize that—contrary to news headlines—not all the change is bad.  In fact, the last decade has seen so much innovation and so many improvements to technology that even 2015 seems like a different world.  Internet speeds, connecting with anyone globally (for free), and our ability to reach large groups of people without a middleman is nothing short of revolutionary. When it comes to technology evolution, this often happens with different iterations.  Once a system is mature, there’s a better idea of what we would like to change and improve.  We go back to the drawing board, target our creative minds at the issues, and create a new version that has evolved to better meet our needs.  The Internet has followed this model since its inception, evolving through three distinct stages.  We are only at the cusp of the third stage, called Web 3.0, with technologies such as blockchain and ...
Post a Comment
Read more

Osprey sues Grayscale for misrepresenting likelihood of GBTC ETF approval

Osprey alleges its only competitor on the BTC OTC trust asset market gained its 99.5% market share by misrepresenting the likelihood of its trust becoming an ETF. Digital asset manager Osprey Funds filed suit against Grayscale Investments in Connecticut Superior Court on Jan. 30, alleging violation of the state’s Unfair Trade Practices Act. The suit concerns Grayscale advertising and promotion of the Bitcoin ( BTC ) exchange-traded fund (ETF) it is seeking to create.  Osprey stated in the suit that it is the only competitor to Grayscale on the over-the-counter traded Bitcoin trust asset management market, and Grayscale maintained its leading position through deceit: “Only because of its false and misleading advertising and promotion has Grayscale been able to maintain to date approximately 99.5% market share in a two-participant market despite charging more than four times the asset management fee that Osprey charges for its services.” Specifically, Osprey alleged that Graysc...
Post a Comment
Read more