Posted on May 7, 2019 at 3:56 PM
An independent cybersecurity researcher has found a critical flaw in Tron's blockchain code. The flaw could have let a malicious actor crash the entire Tron blockchain with a denial-of-service attack mounted from a single computer's worth of CPU power.
HackerOne helps another company
The disclosure report on HackerOne gives further details on the flaw. A denial-of-service attack could have consumed all the resources of the blockchain, whose market value is rated at $1.6 billion. Attackers would have triggered it by requesting the deployment of smart contracts carrying malicious code.
In the report, the researcher states: "Using a single machine, an attacker could send a DDOS attack to all or 51 percent of the [Super Representative] nodes and render TRON network unusable, or make it unavailable."
The flaw in Tron's wallet allowed a single computer to consume the entire memory of the network's nodes. The bug was reported on January 14 and received a $1,500 bounty on February 1. A second bounty of $3,100 has since been paid out, although the Tron Foundation has said nothing about that flaw.
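The report gives no implementation detail beyond "deploy contracts until the nodes run out of memory", so the following is a constructed model of that bug class, added here as an illustration; it is not java-tron's code. It contrasts a node that buffers every contract deployment it receives with one that applies admission control before storing anything. All names and limits (MAX_CONTRACT_BYTES, MAX_PENDING_PER_SENDER, MEMPOOL_BUDGET, the flood() helper) are assumptions chosen for the demonstration.

```python
# Constructed model of the resource-exhaustion bug class described above.
# Illustrative code, not java-tron's; every limit below is an assumed value.
from collections import defaultdict
from dataclasses import dataclass, field

MAX_CONTRACT_BYTES = 64 * 1024        # assumed per-deployment size cap
MAX_PENDING_PER_SENDER = 4            # assumed quota per sending address
MEMPOOL_BUDGET = 8 * 1024 * 1024      # assumed memory a node devotes to pending code


class NodeDown(Exception):
    """Raised when a node exceeds its heap limit; stands in for an OOM crash."""


@dataclass(frozen=True)
class Deployment:
    sender: str
    bytecode: bytes


@dataclass
class NaiveNode:
    """Vulnerable: buffers every deployment, regardless of source or size."""
    heap_limit: int = MEMPOOL_BUDGET
    used: int = 0
    pending: list = field(default_factory=list)

    def submit(self, d: Deployment) -> bool:
        self.pending.append(d)              # bytecode is held until a block includes it
        self.used += len(d.bytecode)
        if self.used > self.heap_limit:     # the check comes too late: memory is already gone
            raise NodeDown(f"heap exhausted after {len(self.pending)} deployments")
        return True


@dataclass
class HardenedNode:
    """Same node with three admission checks: size cap, per-sender quota, global budget."""
    heap_limit: int = MEMPOOL_BUDGET
    used: int = 0
    pending: list = field(default_factory=list)
    per_sender: dict = field(default_factory=lambda: defaultdict(int))

    def submit(self, d: Deployment) -> bool:
        size = len(d.bytecode)
        if size > MAX_CONTRACT_BYTES:                            # oversized payload
            return False
        if self.per_sender[d.sender] >= MAX_PENDING_PER_SENDER:  # one sender hogging the pool
            return False
        if self.used + size > self.heap_limit:                   # budget checked BEFORE storing
            return False
        self.pending.append(d)
        self.used += size
        self.per_sender[d.sender] += 1
        return True


def flood(node, sender: str, count: int, size: int):
    """Submit `count` deployments of `size` bytes from one sender (constructed traffic).
    Returns ("up" | "down", number of deployments the node accepted)."""
    accepted = 0
    for _ in range(count):
        try:
            if node.submit(Deployment(sender, b"\x60" * size)):
                accepted += 1
        except NodeDown:
            return "down", accepted
    return "up", accepted


if __name__ == "__main__":
    one_mib = 1 << 20
    print("naive node, 1 MiB payloads:    ", flood(NaiveNode(), "attacker", 20, one_mib))
    print("hardened node, 1 MiB payloads: ", flood(HardenedNode(), "attacker", 20, one_mib))
    print("hardened node, 32 KiB payloads:", flood(HardenedNode(), "attacker", 20, 32 * 1024))
```

The naive node goes down on the ninth 1 MiB submission from a single sender; the hardened node rejects the oversized payloads outright, caps any one sender at four pending deployments, and refuses new code once its budget is full instead of crashing. A real node would also have to release each sender's quota and the buffered bytes when a deployment is included in a block or expires, which this model omits.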
Bounties paid through HackerOne have become the industry standard over time, and the platform has helped many hackers turn their skills to legitimate use. The Tron Foundation itself has already paid out more than $78,800 in bug bounties across 15 unique reports; its highest single bounty was $10,000. That pales in comparison to the $30,000 bounty Coinbase paid to a hacker for a truly critical vulnerability found earlier this year, which has still not been disclosed.
Tron is not alone in suffering such bugs
Similar vulnerabilities have been found in other blockchains. Bitcoin Core, the reference client of the original cryptocurrency, disclosed something comparable last September. That flaw would have had crippling consequences, since nodes could be crashed remotely by a crafted block, a failure mode much like the Tron bug's.
The cryptocurrency ecosystem is a big customer of HackerOne, with Monero, Augur and Coinbase among the clients offering bug bounties through it. Independent researchers earned a total of $878,000 from cryptocurrency companies in 2018 alone.
The biggest portion of that money came from Block.one's EOS platform, which paid out $534,500. That is close to 60% of all the bounties paid in 2018, and it holds the dubious honor of being the all-time highest total in the cryptocurrency ecosystem. Coinbase took second place with $290,000, even though it has been running a disclosure program since 2014. Block.one opened its program in May 2018, and within a single week one hacker had claimed more than $100,000 in bounties.
HackerOne says that 64 blockchain companies currently use its platform. That may not seem like many when roughly 2,000 companies are involved in blockchain today. The critical bugs found in both Bitcoin and Bitcoin Cash show that cryptocurrency is perhaps not as safe as it seems, particularly given the absolutely critical flaw Bitcoin disclosed just last year.
The severity of these bugs is compounded by the immutability of blockchains: unlike in a centralized system, there is no way to reverse transactions. That has many people reconsidering whether blockchain is everything it has been made out to be. Systems such as EOS have a built-in administrative override, but purists have never really considered them part of the "real" cryptocurrency ecosystem.
The fact of the matter is that, with all the news coming out of the hacker community, keeping too much of your funds locked up in blockchain may not be such a smart idea. A calamity is looming, and it could hit sooner rather than later.