Fatal Flaw in Wallet Could Have Frozen Entire TRON (TRX) Network
Due to a bug, the TRON wallet could send a request to consume the resources of the entire TRON network.
A flaw in the TRON (TRX) wallet could have led to a network-wide freeze, according to a recent disclosure on HackerOne, the bug bounty service widely used by cryptocurrency projects. A wallet feature allowed any user with a single machine to consume the resources of multiple Super Representatives, essentially breaking network consensus and freezing transactions.
“A single request to submit a post to /wallet/deploycontract with several megabytes of bytecode along with CPU intensive long parsing will consume CPU for about 10 minutes while still holding several megabytes of bytecode in heap. With enough requests (let's say 1K-10K depending upon available memory), it's enough to use all the available threads to service incoming HTTP request, fill up the memory and render DDOS,” the HackerOne disclosure revealed.
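The disclosure above describes a resource-exhaustion pattern: an unbounded request body is held in heap while a CPU-heavy parse runs for minutes, so a few thousand such requests exhaust the HTTP thread pool. The admission gate below is an added example of the defence a node operator would want in front of such an endpoint (it is illustrative code, not java-tron's or the reporter's): it refuses oversized bytecode by declared and by actual size before the body is kept in memory, bounds the number of parses in flight, and gives each parse a time budget. The size and concurrency caps and the stand-in parser are constructed assumptions.

```python
import threading
import time
from dataclasses import dataclass

# Constructed caps for demonstration; real values depend on node hardware.
MAX_BYTECODE_BYTES = 256 * 1024
MAX_CONCURRENT_DEPLOYS = 4
PARSE_BUDGET_SECONDS = 2.0


@dataclass
class DeployResult:
    accepted: bool
    reason: str


def parse_bytecode(body: bytes, deadline: float) -> int:
    """Constructed stand-in for contract parsing: counts bytes, stops at the deadline."""
    count = 0
    for i, _ in enumerate(body):
        if i % 4096 == 0 and time.monotonic() > deadline:
            raise TimeoutError("parse budget exhausted")
        count += 1
    return count


class DeployGate:
    """Admission control in front of a deploycontract-style HTTP handler."""
    def __init__(self, max_bytes=MAX_BYTECODE_BYTES, max_inflight=MAX_CONCURRENT_DEPLOYS):
        self.max_bytes = max_bytes
        self._slots = threading.BoundedSemaphore(max_inflight)

    def handle(self, content_length: int, read_body, parse=parse_bytecode) -> DeployResult:
        # 1. Refuse on the declared size before any of the body is read into memory.
        if content_length > self.max_bytes:
            return DeployResult(False, "bytecode exceeds size limit")
        # 2. Bound concurrent parses; fail fast rather than queueing on the thread pool.
        if not self._slots.acquire(blocking=False):
            return DeployResult(False, "too many deploys in flight")
        try:
            # 3. Read at most max_bytes+1 so a lying Content-Length is still caught.
            body = read_body(self.max_bytes + 1)
            if len(body) > self.max_bytes:
                return DeployResult(False, "bytecode exceeds size limit")
            # 4. Give the CPU-heavy parse a fixed time budget.
            parse(body, time.monotonic() + PARSE_BUDGET_SECONDS)
            return DeployResult(True, "ok")
        except TimeoutError:
            return DeployResult(False, "parse exceeded time budget")
        finally:
            self._slots.release()
```

A rejected request costs the node only a header read and a semaphore check, which is what turns a thousand oversized submissions from an outage into a stream of fast 4xx responses.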
The TRON network depends on 26 elected Super Representatives, which run dedicated hardware and achieve consensus. The attack could have affected all Representatives, but even a DDoS on half of the validators would have been disastrous.
The TRON network already includes more than 2.79 million accounts, with 1.9 million daily transactions. The network supports a growing number of distributed apps, as well as tokens and smart contracts.
TRON has paid around $78,000 in bug bounties so far; HackerOne is one of the most popular ways for digital asset projects to outsource vulnerability discovery and security audits. The DDoS flaw earned the hacker a bounty of just $1,500. In the past, TRON has paid average bounties of between $1,000 and $3,000.
TRON is also one of the high-stakes networks, as it will support the BitTorrent Token (BTT), a digital asset potentially tied to 150 million users of the BitTorrent client. The network is also starting to carry the Tether (USDT) token, promising faster and cheaper transactions.
EOS, the competing network with 21 delegates, has accumulated more than 90 HackerOne bug reports, many with a price tag of $10,000. Vulnerabilities range from website technicalities to critical consensus or smart contract bugs.