Cybersecurity team 0d from dWallet Labs has recently identified a critical multi-signature vulnerability in the Tron network that has affected approximately $500 million in assets.
According to the researchers:
“The bug allowed any signer (without regard to weight) of a multisig account to completely overcome Tron security settings, regardless of the threshold and the number of signers.”
On February 19 they reported the issue to the blockchain project's team through its bug bounty program. The network's developers “quickly acknowledged the vulnerability” and shipped a fix within a few days.
The 0d experts were rewarded for identifying a high-severity issue. They did not disclose the amount.
The researchers explained that Tron's multisig transaction verification checked each signature against a list of already-seen signatures to prevent the same signature from being counted twice.
However, an attacker could produce additional randomized signatures alongside the deterministic one, bypassing that check and accumulating enough weight to approve the operation.
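The following is an added illustration, not code from 0d, dWallet Labs or the Tron project. It models the weakness described above with a toy signature (a hash with a random nonce standing in for a non-deterministic ECDSA signature) and contrasts a weight check that deduplicates on signature bytes with one that deduplicates on the recovered signer; the names and structure are assumptions for the demonstration.

```python
import hashlib
import os
from dataclasses import dataclass

# Constructed model of a multisig permission check. A real ECDSA signature is
# non-deterministic (fresh nonce per signing), so one key can produce many
# distinct signature byte strings over the same message. The toy signature
# below imitates that property without doing real cryptography.

@dataclass(frozen=True)
class Sig:
    signer: str   # address a real verifier would recover from the signature
    blob: bytes   # signature bytes; differ on every signing of the same message

def sign(signer: str, msg: bytes, deterministic: bool = False) -> Sig:
    """Toy signing: the nonce makes repeated signatures differ unless forced."""
    nonce = b"" if deterministic else os.urandom(16)
    return Sig(signer, hashlib.sha256(signer.encode() + msg + nonce).digest())

def weight_dedup_by_signature(sigs, weights):
    """Weak pattern: double use is detected on the signature bytes only."""
    seen, total = set(), 0
    for s in sigs:
        if s.blob in seen:
            raise ValueError("duplicate signature")
        seen.add(s.blob)
        total += weights.get(s.signer, 0)   # same signer counted repeatedly
    return total

def weight_dedup_by_signer(sigs, weights):
    """Robust pattern: double use is detected on the recovered signer."""
    seen, total = set(), 0
    for s in sigs:
        if s.signer in seen:
            raise ValueError("duplicate signer")
        seen.add(s.signer)
        total += weights.get(s.signer, 0)
    return total

def meets_threshold(check, sigs, weights, threshold):
    """True if the summed weight reaches the threshold under the given check."""
    try:
        return check(sigs, weights) >= threshold
    except ValueError:
        return False
```

With three signers of weight 1 and a threshold of 2, three fresh signatures from a single signer pass the signature-based check but fail the signer-based one, which is the property a multisig threshold is meant to enforce.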