Wallet Bug Could’ve Incapacitated the TRON (TRX) Blockchain
A hazardous bug was found on the TRON blockchain that could’ve disrupted the entire network by causing it to overload and crash. The bug could’ve brought the entire TRON blockchain to a standstill, as reported by The Next Web on May 6, 2019.
Malicious Bug in TRON Smart Contracts
The bug on TRON’s blockchain was disclosed by HackerOne, a cybersecurity company that helps projects list bug bounties, with limited information regarding the intricate details of the bug. The potential loophole in the network was reported by a user by the name of “danish1970” on January 14, 2019.
The report was sent to the TRON foundation which awarded the user their bug bounty of $1,500 on February 1, 2019.
Until the bug was resolved, a single computer could have consumed the entire CPU capacity of the network through DDoS attacks, rendering the network unusable. The attacks repeatedly requested the deployment of smart contracts from the node’s wallet, each filled with malicious “bytecode,” the code format of the TRON Virtual Machine.
The flaw lay in the wallet function of the Virtual Machine code. That meant an attacker could have taken down the blockchain as a prelude to attacking wallets and potentially stealing funds. Another bounty of $3,100 was paid, but TRON has yet to disclose the issue for which it was awarded.
Getting More for Less
Since July 2018, there have been 15 vulnerability reports filed with TRON on HackerOne. Twelve of these have been resolved for a cumulative bounty of $78,800.
Bug bounties are an efficient and cost-effective way to outsource network stress tests in a decentralized environment. Most cryptocurrency projects have active bug bounty programs with the latest being Gnosis’ testing of the DutchX decentralized protocol.
In September 2018, developers for Bitcoin Core, the leading software to run a node on the Bitcoin blockchain, reported a similar flaw that would’ve subjected users to a flood of incoming traffic. Monero (XMR) and Augur (REP) are also known for crowdsourcing cybersecurity through bug bounties.
Bug bounty initiatives are slowly becoming a standard feature of crypto projects, since they give them access to a large talent pool at relatively low cost.