Tron vulnerability put $500 million at risk; now 'resolved'

Quick Take

  • Tron had a critical vulnerability in its multisig accounts that put $500 million at risk, but it is now “resolved.”
  • The bug was found in February, fixed “within days,” and made public now.

The Tron blockchain network had a critical vulnerability that put $500 million at risk but is now fixed, according to 0d, the cybersecurity research team at dWallet Labs that found the bug.

The critical zero-day vulnerability pertained to Tron's multisig accounts, which could have allowed any single signer to gain unrestricted access, potentially jeopardizing the digital assets held within, 0d said Tuesday. The vulnerability was reported on Feb. 19 by 0d to Tron via the latter's bug bounty program on HackerOne and fixed "within days."

A Tron spokesperson confirmed to The Block that the network's team received a bug report from HackerOne, and the team then "swiftly addressed the issue and applied necessary patches to ensure that the vulnerability could not be exploited."

"We can confidently affirm that the identified problem has been effectively resolved, thereby securing the system," the spokesperson added.

Root cause 

The root cause of the vulnerability lay in an "assumption behind the verification process," said Omer Sadika, cofounder of Odsy Network, which manages 0d and dWallet Labs.

"The verification process on Tron checked whether a specific signature was already tallied before it was tallied towards the threshold," Sadika said. "So the assumption is that two different valid signatures for the same message can't be created by the same person."

While the vulnerability was critical, its solution was easy, according to 0d. "Instead of checking the signature against the list of signatures, check the signed address against the list of addresses," it said.
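The following is an added example, not code from Tron, 0d or the original article. It models the two checks described above: duplicates detected by signature bytes versus by signer address. The randomized HMAC-based `sign`/`recover_signer` pair is a constructed stand-in for a real signature scheme in which one key can produce many valid signatures for the same message, and the addresses, keys and weights are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a randomized signature scheme (such as ECDSA with a
# fresh nonce): one key can yield many distinct valid signatures of a message.
KEYS = {"addr_A": b"key-A", "addr_B": b"key-B", "addr_C": b"key-C"}  # constructed

def sign(addr, msg):
    nonce = os.urandom(8)
    return nonce + hmac.new(KEYS[addr], nonce + msg, hashlib.sha256).digest()

def recover_signer(sig, msg):
    """Return the address whose key produced sig, or None if sig is invalid."""
    nonce, tag = sig[:8], sig[8:]
    for addr, key in KEYS.items():
        expected = hmac.new(key, nonce + msg, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            return addr
    return None

def tally_by_signature(sigs, msg, weights, threshold):
    """Flawed check as described: duplicates are detected by signature bytes."""
    seen, total = set(), 0
    for sig in sigs:
        signer = recover_signer(sig, msg)
        if signer not in weights or sig in seen:
            continue
        seen.add(sig)  # a second, different signature by the same signer passes
        total += weights[signer]
    return total >= threshold

def tally_by_address(sigs, msg, weights, threshold):
    """Fix as described: duplicates are detected by the recovered signer address."""
    seen, total = set(), 0
    for sig in sigs:
        signer = recover_signer(sig, msg)
        if signer not in weights or signer in seen:
            continue
        seen.add(signer)  # each signer counts toward the threshold at most once
        total += weights[signer]
    return total >= threshold

WEIGHTS = {"addr_A": 1, "addr_B": 1, "addr_C": 1}  # constructed 2-of-3 account
MSG = b"constructed transaction bytes"
```

With two distinct signatures from `addr_A` alone, `tally_by_signature` reaches the threshold of 2 while `tally_by_address` does not.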

Tron paid 0d $1,000 in bounty, the Tron spokesperson said, adding that "both parties reached a consensus that it was a high-priority bug instead of a critical vulnerability."

Tron is the second-largest blockchain network behind Ethereum, in terms of total value locked and stablecoin circulation, according to DefiLlama. The Tron TVL currently stands at around $6 billion and its circulation of stablecoins stands at over $45 billion.

(Updates with a bounty amount)


© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

AUTHOR

Yogita Khatri is a senior reporter at The Block and the author of The Funding newsletter. As our longest-serving editorial member, Yogita has been instrumental in breaking numerous stories, exclusives and scoops. With over 3,000 articles to her name, Yogita is The Block's most-published and most-read author of all time. Before joining The Block, Yogita wrote for CoinDesk and The Economic Times. You can reach her at [email protected] or follow her latest updates on X at @Yogita_Khatri5.


Editor

To contact the editor of this story: Tim Copeland at [email protected]
