Tron has been growing its Dapp ecosystem quickly and has been boasting about its agility, uncongested network, and security. That claim is starting to look shaky now that the Tron Dapp TronBank has been targeted with fake coins. The question is whether this attack has opened the door to vulnerabilities across Tron’s Dapp ecosystem.
TRON DApps May Become a New Target for Hackers, Beosin Security Team Feels
On April 10, 2019, TRON DApp TronBank was targeted with fake coins and nearly 170 million BTT tokens were stolen. The attacker created fake coins called BTTx and used them to call the contract’s “Invest” function, and the contract did not check whether the token ID sent by the caller matched the real BTT ID, 1002000.
While the attack came as a shock to many, security firm SlowMist posted a tweet explaining how vulnerabilities of the TRC10 token standard were exploited.
SlowMist concluded that the TronBank contract did not check msg.tokenid, the tag value carried in the message call, in its invest function, so any token (even a fake one) could be transferred in and the contract treated it as real BTT. With the fake BTT accepted, the attacker had a balance in the contract and could call for a withdrawal, extracting real BTT from the contract.
SlowMist Security Team: TronBank "Fake Token Attack" Analysis
— SlowMist (@SlowMist_Team) April 11, 2019
While SlowMist took some time to come up with this explanation, on April 11, while checking other open-source code on GitHub, China-based security firm Beosin’s risk-control platform, Beosin-Eagle Eye, found other projects with the same security issue. The following are the contract addresses with this kind of security issue:
According to the analysis of the Beosin security team, there are two reasons for the above problems:
- The developers did not research the TRON token mechanism sufficiently, and may simply have carried over the token mechanism from Ethereum;
- The attacker followed other existing attack methods, such as the fake EOS method.
As a solution, the Beosin security team suggested that project teams check that both “msg.tokenvalue” and “msg.tokenid” meet expectations when receiving cryptocurrency. The Beosin security team also provided a fix for the vulnerable code, which adds the following lines to the Invest function: require (msg.tokenid == 1002000); require (msg.tokenvalue >= minimum); where minimum is the minimum investment amount.
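To show why the token ID check matters, here is an added example (not TronBank's or Beosin's code) that models the contract's bookkeeping in Python, with and without the two require checks. The fake token ID, account names, balances and minimum are constructed for illustration; only the BTT ID 1002000 comes from the article.

```python
from collections import defaultdict

BTT_ID = 1002000    # real BTT token ID, as stated in the article
FAKE_ID = 1999999   # constructed placeholder ID for a look-alike token
MINIMUM = 10        # constructed minimum investment amount

class Ledger:
    def __init__(self):
        self.balances = defaultdict(int)  # (account, token_id) -> amount

    def move(self, src, dst, token_id, value):
        if self.balances[(src, token_id)] < value:
            raise ValueError("insufficient token balance")
        self.balances[(src, token_id)] -= value
        self.balances[(dst, token_id)] += value

class InvestContract:
    def __init__(self, ledger, check_token):
        self.ledger, self.check_token = ledger, check_token
        self.invested = defaultdict(int)  # per-user credit, assumed to be BTT

    def invest(self, sender, token_id, token_value):
        # token_id / token_value stand in for msg.tokenid / msg.tokenvalue
        if self.check_token:
            if token_id != BTT_ID:      # require(msg.tokenid == 1002000)
                raise ValueError("unexpected token id")
            if token_value < MINIMUM:   # require(msg.tokenvalue >= minimum)
                raise ValueError("below minimum investment")
        self.ledger.move(sender, "contract", token_id, token_value)
        self.invested[sender] += token_value  # credited as if it were BTT

    def withdraw(self, sender, amount):
        if self.invested[sender] < amount:
            raise ValueError("insufficient credit")
        self.invested[sender] -= amount
        self.ledger.move("contract", sender, BTT_ID, amount)  # pays real BTT

def run(check_token):
    """Deposit a look-alike token, then withdraw.
    Returns (real BTT held by depositor, real BTT left in contract)."""
    ledger = Ledger()
    ledger.balances[("contract", BTT_ID)] = 1000  # other users' real deposits
    ledger.balances[("mallory", FAKE_ID)] = 500   # self-issued look-alike token
    bank = InvestContract(ledger, check_token)
    try:
        bank.invest("mallory", FAKE_ID, 500)
        bank.withdraw("mallory", 500)
    except ValueError:
        pass  # checks fail before any state changes, like a reverted call
    return ledger.balances[("mallory", BTT_ID)], ledger.balances[("contract", BTT_ID)]
```

Without the checks, the credit recorded for a worthless token is paid out from other users' real BTT; with them, the call is rejected and the reserve is untouched.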
While there was no direct official communication on this, Justin Sun did tweet about working closely with security firms.
While a detailed statement may still be awaited, Beosin has clearly pointed out how Tron Dapps are vulnerable and could be exploited if not repaired soon. Hopefully this vulnerability doesn’t open the floodgates for Tron and ultimately hamper the entire Dapp ecosystem.
Will Tron step up to save its Dapp ecosystem from these vulnerabilities? Do let us know your views on the same.