Tron has been growing its DApp ecosystem at a remarkable pace and has boasted about its agility, non-congested network, and security. That claim is now under strain: Tron's DApp TronBank was recently targeted with fake coins. The question now is whether this attack has exposed a wider class of vulnerabilities in Tron's DApp ecosystem.
TRON DApps May Become a New Target for Hackers, Feels Beosin Security Team
On April 10, 2019, the TRON DApp TronBank was targeted with fake coins and nearly 170 million BTT tokens were stolen. The attacker created a fake token called BTTx and used it to call the contract's "Invest" function; the contract never checked whether the sender's token ID matched the real BTT ID, 1002000.
While the attack came as a shock to many, security firm SlowMist released a tweet explaining how the vulnerabilities of the TRC 10 token standard were exploited.
SlowMist concluded that the TronBank contract's invest function did not check msg.tokenid, the token ID carried in the message call, so any token (even a fake one) could be transferred in and the contract treated it as real BTT. With the fake BTT accepted, the attacker held a balance and could call withdrawal, extracting real BTT from the contract.
SlowMist Security Team: TronBank "Fake Token Attack" Analysis pic.twitter.com/xdKC9Dttv8
— SlowMist (@SlowMist_Team) April 11, 2019
While SlowMist took some time to come up with this explanation, on April 11, when checking other open-source code on GitHub, China-based security firm Beosin's risk-control platform, Beosin-Eagle Eye, found other projects with the same security issue. The following are the contract addresses with this kind of security issue:
According to the analysis of the Beosin security team, there are two reasons for the above problems:
- The developers' understanding of the TRON token mechanism is insufficient; the token handling may simply have been copied from Ethereum's model, where no token ID accompanies a call;
- The attacker followed an existing attack method, namely the fake EOS token attack.
As a solution, the Beosin security team suggested that project teams should check both "msg.tokenvalue" and "msg.tokenid" against expectations whenever a contract receives tokens. Beosin also published a repaired version of the vulnerable code. The fixed Invest function adds two checks: require(msg.tokenid == 1002000); require(msg.tokenvalue >= minimum); where minimum is the minimum investment amount.
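To make the defect and the repair concrete, the following is a constructed Solidity sketch added here, not TronBank's actual code (which the article does not reproduce): a shared base contract holding the withdrawal logic, a vulnerable invest() that ignores the token ID, and the hardened version with Beosin's two checks. It assumes TRON's Solidity fork (msg.tokenid, msg.tokenvalue, the trcToken type and address.transferToken); the contract names and the minimum value are invented.

```solidity
pragma solidity ^0.4.24;  // TRON's Solidity fork, which exposes msg.tokenid and msg.tokenvalue

// Shared bookkeeping: balances are denominated in real BTT (token ID 1002000, as in the article)
// and withdraw() always pays out real BTT from the contract's own holdings.
contract BankBase {
    trcToken constant BTT_ID = 1002000;
    mapping(address => uint256) public balances;

    function withdraw(uint256 amount) public {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;            // update state before the external transfer
        msg.sender.transferToken(amount, BTT_ID);  // TRON-specific TRC-10 transfer of real BTT
    }
}

// The defect described by SlowMist: invest() trusts msg.tokenvalue but never looks at msg.tokenid,
// so a deposit of any TRC-10 token (such as a self-issued "BTTx") is credited as if it were BTT,
// and that credited balance can then be withdrawn as genuine BTT.
contract VulnerableBank is BankBase {
    function invest() public payable {
        balances[msg.sender] += msg.tokenvalue;
    }
}

// Beosin's recommended repair: accept the deposit only if both the token ID and the amount
// meet expectations. `minimum` is an assumed value; the article does not state TronBank's figure.
contract HardenedBank is BankBase {
    uint256 public constant minimum = 1000;

    function invest() public payable {
        require(msg.tokenid == BTT_ID, "not BTT");
        require(msg.tokenvalue >= minimum, "below minimum investment");
        balances[msg.sender] += msg.tokenvalue;
    }
}
```

The same pattern applies to any TRON contract that accepts TRC-10 deposits: a payable function must verify msg.tokenid before crediting msg.tokenvalue, because the network delivers whichever token the caller chose to send.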
While there was no direct official statement on this, Justin Sun did tweet that he was working closely with security firms.
While a detailed statement is still awaited, Beosin has clearly pointed out how Tron DApps are vulnerable and could be exploited if not repaired soon. Hopefully this vulnerability does not open the floodgates for Tron and ultimately hamper the entire DApp ecosystem.
Will Tron step up to save its DApp ecosystem from these vulnerabilities? Do let us know your views.
Disclaimer The views, opinions, positions or strategies expressed by the authors and those providing comments are theirs alone, and do not necessarily reflect the views, opinions, positions or strategies of CoinGape. Do your market research before investing in cryptocurrencies. The author or publication does not hold any responsibility for your personal financial loss.
Nilesh Maurya has been associated for the past 8 years as an Investment Banker with Omega Capital, a bespoke Investment Banking outfit having offices in Mumbai, New York, Singapore, and Dubai. He has been a regular contributor to business publications such as Business India and Market Express and has been a mentor to many start-up companies. Follow him on Twitter at @KoinKing1 or connect with him on LinkedIn.