The dWallet Labs research team discovered a vulnerability in Tron multisig accounts that could allow an attacker to bypass the multi-signature mechanism.
In a post on the subject, the research team said that the vulnerability could affect $500 million in assets held in Tron multisig accounts. As the name suggests, multi-signature wallets (multisig) require multiple signatures defined in an account to confirm transactions and move funds. Each person who signs the account has their own key and the account requires a certain limit to confirm transactions.
Tron Was Late in Fixing the Issue
According to the research team, the vulnerability in Tron multisig wallets allows the creation of numerous valid signatures.
In the post shared by the research team on the subject: “We can bypass the multisig verification process by signing the same message with non-deterministic nonces of our choosing. “By doing this, we will be able to generate many different valid signatures for the same message with the same private key.”
According to the cybersecurity team, Tron ensures that the signatures are unique rather than checking if the signers are different people. Therefore, signers could potentially double-vote and sign signatures twice.
The researchers noted that the vulnerability was reported to Tron in February and was fixed days later.