- TRON made the report public after it fixed the flaw
- The flaw could have crippled the entire blockchain
- TRON ranks third among blockchain projects in total vulnerability bounty payouts
The TRON Foundation has disclosed that it recently identified a critical vulnerability. The bug would have let a bad actor with a single computer crash its entire $1.6 billion blockchain by consuming the network's CPU power in a Distributed Denial of Service (DDoS) attack.
Loaded With Malicious Code
The foundation disclosed the vulnerability via a HackerOne report published on May 2, 2019.
According to the report, an attacker would have repeatedly requested the deployment of smart contracts loaded with malicious code. Tron paid the researcher who discovered and disclosed the bug $1,500 for the issue, which was reported on January 14, 2019 but only made public after the Tron Foundation had fixed it. The report further explains the impact of such an attack:
“Using a single machine, an attacker could send a DDoS attack to all or 51 percent of the [Super Representative] nodes and render TRON network unusable, or make it unavailable.”
The DDoS attack involved repeatedly requesting the deployment of smart contracts loaded with malicious “bytecode”. The flaw in TRON’s wallet would have allowed a single party using one computer to consume all of the network’s available memory, bringing down the entire Tron blockchain at the time.
3,000 Vulnerability Reports
Crypto-related bug bounties have become a lucrative business with data showing that blockchain companies received about 3,000 vulnerability reports in 2018 and paid out at least $900,000 to security researchers.
In the first 10 months since its launch, the TRON Foundation has paid out $78,800 in bounties to security researchers for 15 different vulnerability reports. Of the 15 reports, 12 have been marked as resolved, and TRON’s highest single bounty payout has been about $10,000.
The problem is not unique to Tron since most of the other popular blockchains have had vulnerabilities discovered in them. Last September the Bitcoin Core development team disclosed a potentially crippling vulnerability in their network during which nodes were similarly exposed to being flooded with traffic. Several other cryptocurrency projects that have crowdsourced security fixes with HackerOne include Augur, Monero, and even major exchange Coinbase.
Of the $900,000 paid out in crypto bug bounties, over 50 percent came from Block.one, the firm behind the controversial “blockchain” EOS. The second largest spender was the Coinbase cryptocurrency exchange, which paid out $290,381, with Tron in third place. It is hoped that the rewards paid for fixing flaws will continue to outweigh the returns from exploiting them.