This article was published on May 6, 2019

TRON suffered from a critical bug that could’ve crashed its entire blockchain

Malicious bytecode would have caused havoc


TRON suffered from a critical bug that could’ve crashed its entire blockchain

Just one computer could have brought TRON’s entire blockchain to a screeching halt, a new HackerOne disclosure has revealed.

Until quite recently, bad actors were reportedly able to maliciously consume the CPU power of the network with Distributed Denial-of-Service (DDoS) attacks.

“Using a single machine, an attacker could send a DDoS attack to all or 51 percent of the [Super Representative] nodes and render TRON network unusable, or make it unavailable,” reads the report, labeled high severity.

Potential DDoS attacks involved repeatedly calling for smart contracts to be deployed, loaded with malicious “bytecode” (the code format accepted by the TRON Virtual Machine.)

This flaw in TRON’s wallet allowed all of the network’s available memory to be taken up by a single party with just one computer, which would have effectively broken the blockchain during that time.

The researcher who discovered the bug first flagged the issue on January 14, and was subsequently rewarded with $1,500 for their efforts on February 1.

A second bounty (worth $3,100) was also paid, but the TRON Foundation chose not to disclose further details.

Hard Fork reached out to the TRON Foundation for more information, and will update this piece should we learn more about either bug bounty.

These HackerOne bounties are an industry norm

In the 10 months since first launching its bug disclosure program, the TRON Foundation has handed out $78,800 worth of bounties to security researchers for 15 separate vulnerability reports.

Twelve of those reports are marked as “resolved,” and the highest single TRON bounty collected so far is $10,000.

Similar vulnerabilities in other popular blockchains have been discovered. Indeed, Bitcoin Core devs disclosed a potentially crippling security flaw in Bitcoin last September, in which nodes were similarly exposed to being flooded with traffic.

There are also plenty more cryptocurrency projects crowdsourcing security fixes with HackerOne, like Augur, Monero, and even major exchange Coinbase.

In total, independent security researchers earned $878,000 from cryptocurrency bug bounties in 2018, and over half of that came from Block.one, the software firm behind controversial “blockchain” EOS.

Hopefully, the rewards for fixing these flaws continue to outweigh returns made by exploiting them. For TRON, it seems $1,500 was enough to cut it  this time, at least.

Did you know? Hard Fork has its own stage at TNW2019, our tech conference in Amsterdam. Check it out.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with