Security Firm Discovers Multisig Vulnerability in Tron
A skilled team of researchers at dWallet Labs recently identified a zero-day vulnerability in Tron multisig accounts. The flaw would have allowed an attacker to sidestep the multisignature mechanism, facilitating the signing of transactions with a single signature. In an in-depth technical analysis, the team revealed that this vulnerability could have affected $500 million in assets held within Tron’s multisig accounts.
The Tron Multisig Mechanism
Multisignature wallets, as implied by their name, necessitate multiple predefined signers within an account to approve transactions and move funds. This functionality promotes the establishment of shared accounts in cryptocurrency. Every signer in the account maintains their individual keys, and the account mandates a set threshold for the endorsement of transactions.
The vulnerability discovered in Tron’s multisig system could produce many valid signatures, as the dWallet Labs team explains: “We can bypass the multisig verification process by signing the same message with non-deterministic nonces of our choice. By doing so, we will be able to generate many valid different signatures for the same message by the same private key.”
A Simple Fix for a Complex Problem
Tron, according to the cybersecurity specialists, ensures the uniqueness of the signatures rather than checking if the signers are unique. This misstep could potentially allow signers to “double vote” or sign twice. However, Omer Sadika, the CEO of dWallet Labs, pointed out that the solution was straightforward: verify the address rather than the quantity of signatures.
Prompt Response to the Vulnerability
The research team at dWallet Labs disclosed the vulnerability to Tron in February. Tron acted swiftly, rectifying the flaw within a few days of its identification.
Blockchain Security Remains Paramount
In related news, a decentralized finance protocol recently fell victim to a $7.5 million exploit. On May 28, blockchain security firm PeckShield reported a hack on Arbitrum-based Jimbos Protocol, resulting in the loss of 4,000 Ether. These occurrences underscore the critical importance of security within the rapidly evolving cryptocurrency and blockchain landscape.