TRON critical security flaw could break the entire blockchain

A severe bug has been found that could have rendered the TRON blockchain unusable.
Written by Charlie Osborne, Contributing Writer

A critical security flaw has been discovered in the TRON network which had the potential to render the ecosystem's blockchain useless.

Developed by the Tron Foundation, TRON's native cryptocurrency TRX was released in 2017 and has a market cap of $1.61 billion.

According to a HackerOne bug bounty advisory that was recently made public, and first spotted by The Next Web, a barrage of requests sent from a single PC could be used to exhaust the CPU of the blockchain's nodes, overload their memory, and mount a distributed denial-of-service (DDoS) attack.

The advisory says that "using a single machine an attacker could send DDOS attack to all or 51 percent of the Super Representative (SR) node and render Tron network unusable or make it unavailable."

The vulnerability is rated "high" severity, with a severity score between 7 and 8.9.

To exploit the issue, an attacker would submit a POST request to /wallet/deploycontract, the API endpoint used to request deployment of a smart contract on the blockchain. Each request had to carry several megabytes of contract bytecode.

With enough requests -- between 1,000 and 10,000, depending on the node's available memory -- a single system could occupy every request slot and cause the DDoS, preventing legitimate users from accessing the network.
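The two passages above describe the mechanism: oversized contract-deploy bodies, repeated until every request slot on a node is taken. The following is an added illustration of the admission controls a node operator would want in front of such an endpoint, written as a small Go HTTP middleware. It is not TRON's code (java-tron is written in Java) and does not reflect how the Tron Foundation fixed the issue; the `DeployGuard` type, its limits (256 KB body, 4 in-flight requests per source) and the `/wallet/deploycontract` route registration are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"sync"
)

// DeployGuard is a hypothetical admission control for a contract-deploy endpoint.
// It enforces two limits: a cap on the declared request body size and a cap on
// concurrent (in-flight) requests per source, so that a single client cannot
// occupy every request slot with multi-megabyte payloads.
type DeployGuard struct {
	MaxBodyBytes int64
	MaxInFlight  int

	mu       sync.Mutex
	inFlight map[string]int // source -> number of requests currently being served
}

// NewDeployGuard builds a guard with the given limits.
func NewDeployGuard(maxBodyBytes int64, maxInFlight int) *DeployGuard {
	return &DeployGuard{
		MaxBodyBytes: maxBodyBytes,
		MaxInFlight:  maxInFlight,
		inFlight:     make(map[string]int),
	}
}

// Admit decides whether a request from source with the declared content length
// may proceed. On success the caller must call Release when the request ends.
// A negative contentLength (chunked or unknown) is refused so that the size
// check cannot be bypassed by omitting the header.
func (g *DeployGuard) Admit(source string, contentLength int64) (bool, string) {
	if contentLength < 0 {
		return false, "content length required"
	}
	if contentLength > g.MaxBodyBytes {
		return false, "body too large"
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.inFlight[source] >= g.MaxInFlight {
		return false, "too many in-flight requests from source"
	}
	g.inFlight[source]++
	return true, ""
}

// Release frees the slot taken by a previously admitted request.
func (g *DeployGuard) Release(source string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.inFlight[source] > 0 {
		g.inFlight[source]--
	}
}

// InFlight reports how many admitted requests from source are still running.
func (g *DeployGuard) InFlight(source string) int {
	g.mu.Lock()
	defer g.mu.Unlock()
	return g.inFlight[source]
}

// Wrap applies the guard to an http.Handler.
func (g *DeployGuard) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// Behind a reverse proxy the source should come from a trusted header instead.
		source := r.RemoteAddr
		ok, reason := g.Admit(source, r.ContentLength)
		if !ok {
			status := http.StatusTooManyRequests
			if reason == "body too large" {
				status = http.StatusRequestEntityTooLarge
			}
			http.Error(w, reason, status)
			return
		}
		defer g.Release(source)
		// The declared length is not trusted for the read itself: cap the bytes
		// actually consumed so a lying client cannot stream more than the limit.
		r.Body = http.MaxBytesReader(w, r.Body, g.MaxBodyBytes)
		next.ServeHTTP(w, r)
	})
}

func main() {
	guard := NewDeployGuard(256*1024, 4) // assumed limits for the example
	deploy := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "deploy request accepted for validation")
	})
	http.Handle("/wallet/deploycontract", guard.Wrap(deploy))
	fmt.Println("listening on :8090")
	http.ListenAndServe(":8090", nil)
}
```

A per-source cap on its own only blunts the single-machine case the advisory describes; a node exposed to the public internet also needs a global in-flight limit and a request timeout, otherwise many sources can still fill the same slots. The body-size cap is the more important of the two here, since the attack depends on each request carrying several megabytes.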

The security flaw was disclosed by bug bounty hunter Danish Shrestha in January to the Tron Foundation, leading to a bug bounty award of $1,500.


Separately, another security flaw impacting the TRON network was also disclosed this month, earning researcher Jacob Wood $3,100. However, details of the vulnerability have not been made public.

Bug bounty programs are a means to outsource cybersecurity expertise. HackerOne and Bugcrowd are two of the most well-known platforms for bug bounty hunting and both are used by enterprise firms worldwide to improve the security of their products.


Cryptocurrency and blockchain-based startups are also present on such platforms. Last year, a single security researcher was able to earn at least $80,000 in only 24 hours by finding and reporting vulnerabilities impacting the EOSIO blockchain and Eos.js libraries.

As the TRON blockchain vulnerability has highlighted, a single bug can render an entire cryptocurrency ecosystem unavailable. However, it is not only security flaws which can put the cryptocurrency of investors at risk.


In February, $136 million in cryptocurrency was frozen after the death of the QuadrigaCX exchange's CEO. The executive was the only person with access to the company's cold wallet, and without his access credentials the funds are believed to be permanently lost; the trading platform has since been forced to file for bankruptcy.
