A Critical Flaw Was Exposed, And Resolved, At Tron: How $500M Was Almost Wiped Out
There was a serious security flaw in the TRON (CRYPTO: TRON) blockchain network, according to dWallet Labs' cybersecurity research team, 0d.
The issue, reported on Feb. 19, has since been resolved.
What Happened: The vulnerability could have bypassed the multisig security protocols of TRON. As a result, more than $500 million in digital assets held in TRON multisig accounts were threatened.
Why It Matters: TRON is a significant player in the global blockchain arena. It boasts over 144 million users and ranks second to Ethereum (CRYPTO: ETH) in terms of Total Value Locked (TVL) and stablecoin circulation.
The blockchain network utilizes multisig or Multi-Party Computation (MPC) for creating joint accounts.
In this setup, a threshold of signers is required to approve a transaction, effectively providing enhanced security.
The recently discovered vulnerability exploited an assumption in TRON's multisig transaction verification process: that the same individual cannot produce two different valid signatures for the same message. That assumption does not hold for the ECDSA signature scheme TRON uses.
This flaw could allow the generation of multiple valid signatures for the same message using the same private key.
0d Suggests Two Attack Scenarios
- An attacker with at least one weight permission could execute transactions in every multisig wallet, regardless of the threshold.
- An attacker could exploit a transaction that a permitted signer had already partially signed, but which had not yet reached the threshold.
The vulnerability has been addressed by TRON after the report from 0d.
The solution was simple: checking the signer's address against the list of authorized addresses, instead of matching the signature against the list of signatures already collected.
This fix effectively secures the TRON blockchain network, protecting the assets of its vast user base.
Meanwhile, a TRON representative told The Block that they indeed received a bug report through HackerOne. The team sprang into action to rectify the issue and implemented the needed fixes to prevent any possible exploitation of the vulnerability.
The detected problem has been successfully dealt with, thus reinstating the security of the system.