Warning Issued: This Altcoin Contains Vulnerability! - Coinleaks

Security firm dWallet Labs has discovered a vulnerability in the Tron (TRX) network that put $500 million worth of altcoins/tokens at risk.

“Detected and fixed, no risk at this time”

The dWallet Labs team first reported the vulnerability to the Tron team in February. The team emphasized that the problem was then dealt with immediately and resolved within a few days.

According to the report, a vulnerability existed in Tron multisig accounts that could allow an attacker to bypass the multi-signature mechanism and sign transactions with a single signature. The research team said in the whitepaper that the vulnerability could affect $500 million worth of altcoins held in Tron multisig accounts. This is because it allows any signer to “completely overcome the multi-signature security offered by TRON.”

As the name suggests, multi-signature wallets require multiple signers defined on an account to confirm transactions and move funds. This allows the creation of joint accounts in crypto. Each signer has its own key, and a transaction must collect a certain number of confirmations before it is approved.

According to the research team, the vulnerability in Tron’s multisig allowed many valid signatures to be created. The report states: “You could bypass the multi-signature verification process by signing the same message with our preferred non-deterministic nonce. By doing this, you could generate many different valid signatures for the same message with the same private key.”

What was Tron’s mistake?

According to the dWallet team, Tron checked that the signatures were unique rather than checking that the signers were unique. Therefore, signers could potentially “double-vote”, or sign twice. Ömer Sadika, CEO of dWallet Labs, said the fix is simple. He stated that “verifying the address rather than the number of signatures” is sufficient.

The researchers noted that the vulnerability was reported to Tron in February and was fixed days later. Meanwhile, the Arbitrum network has come to the fore in recent days over security vulnerabilities. In particular, in May, two major DeFi protocols lost nearly $10 million to attackers.

Arbitrum network witnessed two major hacking attempts

The first, which targeted Jimbos, was due to a lack of liquidity operations and resulted in a loss of $7.5 million. Arbitrum-based DeFi project Jimbos lost 4,000 Ether (ETH) as a result of the attack.

In the latest hack attempt, Ede Finance has come under fire for intentionally leaving a vulnerability. The DeFi project was the victim of a hack attempt that resulted in the seizure of nearly half a million dollars today. As we have mentioned on cryptocoin.com, the project team accepts that they have a share in what happened.