A zero-day vulnerability in Tron multisig accounts was discovered by a research team at dWallet Labs, which could have put at risk $500 million worth of assets.
Tron Multisig Bug Put $500 Million Worth of Crypto Assets at Risk
A zero-day vulnerability in Tron multisig accounts was discovered by a research team at dWallet Labs, which could have put at risk $500 million worth of assets. The vulnerability allowed any signer to bypass the multisig security and approve transactions with a single signature, instead of requiring multiple signers as intended. dWallet Labs reported the issue to Tron in February and it was fixed within days.
Multisig accounts are designed to create joint accounts in crypto, where each signer holds their own keys and a certain threshold of signatures is needed to move funds. However, the dWallet Labs research team found that Tron's multisig verification process was flawed, as it checked the uniqueness of signatures instead of signers. This enabled signers to generate multiple valid signatures for the same message with the same private key, effectively "double voting" or signing twice.
dWallet Labs CEO Omer Sadika said that the solution was to verify the address instead of the number of signatures. According to the research team, no user assets were harmed by the vulnerability, as it was disclosed and fixed promptly. The vulnerability highlights the importance of security audits and testing for crypto projects, especially those involving large amounts of funds.
