Security firm discovers $500M vulnerability in Tron multisig accounts

After reporting the vulnerability to Tron in February, the researchers highlighted that the issue was promptly addressed and resolved within a few days.

A research team at dWallet Labs has discovered a zero-day vulnerability in Tron multisig accounts, allowing an attacker to bypass the multisignature mechanism and sign transactions with a single signature.

In a technical breakdown post, the research team said the vulnerability could have impacted $500 million in assets held in Tron multisig accounts. This is because it allows any signer to “completely overcome the multisig security offered by TRON.”

0d, our superstar cybersecurity research team, discovered a vulnerability in TRON multisig accounts putting over $500M of digital assets at risk - it was disclosed and fixed so there are no user assets at risk now.

A technical breakdown:https://t.co/nMj6kV6Oc3
— dWallet Labs (@dWalletLabs) May 30, 2023

As its name suggests, multisignature wallets require multiple signers defined in an account to approve transactions and move funds, allowing the creation of joint accounts in crypto. Each account signer holds their own keys and the account requires a certain threshold for approving transactions.

According to the research team, the vulnerability with Tron’s multisig allows for generating many valid signatures. They wrote:

“We can bypass the multisig verification process by signing the same message with non-deterministic nonces of our choice. By doing so, we will be able to generate many valid different signatures for the same message by the same private key.”

According to the cybersecurity team, Tron ensures the signatures are unique instead of checking if the signers are unique. Because of this, signers can potentially “double vote” or sign twice. Omer Sadika, the CEO of dWallet Labs, said the fix was simple: verify the address instead of the number of signatures.

*Sadika discussed the vulnerability in a thread. Source: Twitter*

The researchers noted that the vulnerability was reported to Tron in February and fixed days after.

Cointelegraph reached out to Tron for comments but did not receive a response.

In other news, another decentralized finance protocol recently suffered a $7.5 million exploit. On May 28, blockchain security firm PeckShield reported that Arbitrum-based Jimbos Protocol was hacked, resulting in the loss of 4,000 Ether (ETH).

Magazine: US and China try to crush Binance, SBF’s $40M bribe claim

from https://ift.tt/gVIDPWB
https://ift.tt/8PINn5Y

Comments

DeFi isn’t dead, it just needs to fix these 3 critical problems

It’s been a rough year for DeFi, and it may not get any better until projects focus more on security, regulation and usability. The persistent challenges decentralized finance face have been well documented by a handful of analysts and the recent collapse of the Terra ecosystem re-enforced the fact that something is critically wrong with DeFi. I think DeFi today is completely broken for 99% of the population. The promise of a more transparent financial system has been overtaken by greed. UST/LUNA is just the latest in a string of bad developments: — Peter Yang (@petergyang) May 11, 2022 Let's take a look at what experts say DeFi needs to do in order to have another revival. Improved usability To date, the promise of open and uncensored access to a global decentralized financial system has been largely hampered by the complicated interface, confusing multi-step staking processes and lack of clarity surrounding the yields on various tokens. What do you thi...

ENS DAO delegates offer perspective on DAO governance and decentralized identity

AlphaWallet CEO and Spruce co-founder talk about their roles as contributors to the Ethereum Name Service following the project's recent airdrop. Earlier this month, the Ethereum Name Service, or ENS, formed a decentralized autonomous organization, or DAO, for the ENS community. Cointelegraph spoke to two ENS DAO delegates who applied for the opportunity to represent the community and stay involved in the decision making process: Victor Zhang, CEO of AlphaWallet, an open source Ethereum wallet, and Gregory Rocco, co-founder of Spruce, a decentralized ID and data toolkit for developers. Zhang spoke about his experience as an external contributor to ENS and an early supporter since 2018. Zhang initially sought to help ENS by offering Alpha Wallet as a user-friendly tool for resolving .eth names and cryptocurrency wallet addresses. Essentially, if a user inputs an .eth name in the AlphaWallet, it will show the wallet address, and vice versa using reverse resolution. Alpha...

Institutional demand for crypto isn’t subsiding, but impact will be gradual

As another $2-trillion stimulus package looms in the U.S., institutions will continue to look at BTC as a hedge against inflation. For example, just last week, when the currency was hovering around the $30,000 threshold, a whole host of pundits was warning investors to brace for impact, suggesting that the premier crypto asset was on the verge of a correction and could once again dip to around the $20,000 region. However, in just one day, Bitcoin was once again playing with the bulls, retesting the $38,500 limit, only to witness a selloff and eventually settle around the $33,500 region. While for most crypto veterans that might have been another day at the office, others branded the upsurge as “Elon’s Candle,” which relates to Elon Musk, the CEO of Tesla, who included “Bitcoin” in his Twitter bio as well as sent out the following cryptic message “in retrospect, it was inevitable” to his 40 million-odd followers online. Regardless of the cause, has the recent price volatility sca...

Crypto Coin Search

Search This Blog