Researcher Finds Critical TRON Bug That Could've Crashed Its Blockchain

A researcher has recently found a critical bug that could’ve crashed TRON’s $1.6 billion blockchain with just one computer, if bad actors consumed its CPU power with Distributed Denial of Service (DDoS) attacks.

According to a HackerOne disclosure report, a potential DDoS attack on the TRON blockchain could’ve consumed all of its resources. Potential attacks could, for example, see bad actors call for smart contracts to be deployed, loaded with malicious code.

The report reads:

Using a single machine, an attacker could send DDOS attack to all or 51 percent of the [Super Representative] nodes and render TRON network unusable, or make it unavailable.

As first reported by The Next Web, a flaw in TRON’s wallet allowed all of the network’s memory to be consumed by one single computer. The bug was first discovered on January 14, and the researcher who found it was rewarded with $1,500 on February 1.

A second bounty worth $3,100 was paid out, although the TRON Foundation hasn’t disclosed any further details on the flaw, according to TNW. HackerOne bounties have, over time, become an industry norm, with the TRON Foundation itself already having paid out $78,800 in bounties to researchers for 15 separate reports.

The highest single bounty TRON paid out was of $10,000. As CryptoGlobe covered, however, Coinbase has paid a hacker $30,000 for a critical vulnerability earlier this year, although details on the vulnerability weren’t disclosed.

Cryptocurrency-related bug bounties are a lucrative business. Data has shown that blockchain companies have received “at least” 3,000 vulnerability reports last year, and paid out nearly $900,000 to security researchers for these.

As of March of this year, 43 different vulnerability reports had been filed to blockchain-related firms. Some of these found vulnerabilities were in some of the largest cryptocurrency networks in the world, including Brave, EOS, and Monero.

P2P Token Trading Platform AirSwap Discloses ‘Critical Vulnerability’

  • Peer-to-peer trading platform AirSwap claims to have identified a "critical vulnerability" in one of its smart contracts. 
  • Ten addresses have been identified so far as being at risk of exploitation. 

Peer-to-peer token trading network AirSwap has disclosed a “critical vulnerability” in a newly released smart contract. 

AirSwap's Critical Vulnerability

According to the disclosure, which was published on Sept. 13, AirSwap’s internal security team identified a potential exploit in a newly released mainnet smart contract. The vulnerability would allow an attacker to “perform a swap without requiring a signature from a counterparty.” 

AirSwap claims that the offending code was only present for twenty-four hours on the network before being identified and removed. However, users of AirSwap Instant between Sept. 11 and Sept. 12 may have been affected by the vulnerability, with the report claiming that 10 accounts have been recognized so far as being at risk. 

AirSwap has published the addresses to the vulnerable accounts, telling all other users that no further action is required. The report also outlines the step-by-step actions taken by the exchange in the aftermath of discovering the vulnerability, including an apology to its client base, 

We would like to deeply apologize to our affected users for any inconvenience these vulnerabilities may have caused, and hope that the important lessons we continue to learn throughout these processes form the basis for a more open, secure, and efficient trading environment.

Featured Image Credit: Photo via Pixabay.com