0d, a subsidiary of Dwallet Labs, conducted investigations that unveiled a significant security vulnerability in Tron's proprietary multi-signature mechanism. This discovery is crucial as it could have put over $500 million worth of cryptocurrency stored in Tron's multi-signature accounts at risk.
However, Tron's development team swiftly addressed the issue by creating a patch to rectify the flaw. This vulnerability allowed any co-signer of a multi-signature account to bypass network safeguards, disregarding predefined limits and total co-signers. On Tuesday, the team acknowledged that this vulnerability had the potential to impact more than half a billion dollars in cryptocurrencies held in Tron's multi-signature accounts.
The diligent researchers reported the flaw to Tron's developer team on February 19, 2023. In response, the technical experts devised a solution to mitigate the issue. 0d confirmed that the majority of Tron's network validators have already implemented this solution to reduce the risk of potential abuse stemming from the security gap. The cybersecurity researchers received a significant bounty from Tron's bounty program as recognition for their efforts in identifying this high-priority vulnerability.
0d clarified that the root of the issue lies in the unique procedure for verifying multi-signature transactions within the Tron network. The network's security heavily relies on the distinctiveness of signatures for repetitive messages from a user. However, the deterministic nature of the signature generation protocol, as defined in RFC 6979, allows dishonest co-signers to generate multiple valid signatures for the same message using different nonces (random numbers) while using the same private key.
In parallel with this revelation, a privacy flaw in the Monero blockchain was also discovered, which had remained in the network for three years. Fortunately, this issue has also been resolved. Regarding the Tron multi-signature mechanism, Omer Sadika, a researcher at 0d, expressed relief, stating that the implementation of the patch has effectively safeguarded the substantial sum of $500 million.