Last Updated on May 30, 2023 by Bitfinsider

Tron multisig accounts have a zero-day vulnerability that allows an attacker to sidestep the multisignature system and sign transactions with a single signature, according to a report done by dWallet Labs.

The research team estimated that the flaw might have affected $500 million in funds housed in Tron multisig accounts in a technical breakdown report. This is due to the fact that it enables anyone to “completely overcome the multisig security offered by TRON.”

Multisignature wallets enable the formation of joint cryptocurrency accounts by requiring several signers, as the name implies, to authorize transactions and transfer funds. Each signer on the account has their own set of keys, and the account has transaction approval requirements.

The research team claims that Tron’s multisig vulnerability enables the creation of several valid signatures. They said: “We can bypass the multisig verification process by signing the same message with non-deterministic nonces of our choice. By doing so, we will be able to generate many valid different signatures for the same message by the same private key.”

The cybersecurity team claims that rather than verifying the uniqueness of the signers, Tron makes sure that each signature is distinct. As a result, signatories may “double vote” or sign twice. The solution, according to dWallet Labs CEO Omer Sadika, is straightforward: validate the address rather than the quantity of signatures.

The issue was reported to Tron in February and resolved a few days later, according to the researchers.