Researchers from Digital Asset Research (DAR) have discovered multiple instances of code copied from other projects in the Tron codebase.
It seems that Tron developers plagiarised code from Ethereum among other projects and changed filenames to make it difficult to identify the source of the code. DAR published an article on Medium about the plagiarism and the legal and technical problems that may now affect the Tron mainnet going forward.
“On December 31, 2017, the project was initially accused of violating the GNU Lesser General Public License v3.0 (LGPL) because the project does not mention that its client, Java-Tron, was derived from EthereumJ, which is one of the first Ethereum libraries,” DAR wrote, adding:
“Although the project later added the relevant LGPL license language to 14 of the files, we found several instances of code that was copied verbatim or slightly modified from EthereumJ, still without appropriate reference.”
CCN spoke to Lucas Nuzzi of DAR, who provided the following image in support of the plagiarism allegations, which follow a previous instance of Tron apparently lifting extensive portions of its whitepaper from other projects.
Nuzzi told CCN:
“In the commit above, developers went through the hassle of changing the title of some functions to hide the plagiarism, as evidenced by commit d4ad9c9. There is no valid reason to change the EthereumJ’s public class “name,” for example, to “dataBaseName,” other than to make it difficult to track the similarities between both repositories.”
Nuzzi went on to explain that, apart from the potential legal and ethical concerns surrounding plagiarised code, the codebase now also faces technical problems that could prove to be very significant.
“The problem is when you repurpose code originally developed for a completely different system architecture, and don’t have enough time to fully test it. Vulnerabilities that were not applicable to the original system are now applicable to the new one. Plagiarism is bad, but the concern here relates to the unknown vulnerabilities that may arise when you combine all of these modules together, on steroids. Nothing wrong with experimenting, but the community should definitely adjust expectations.”
DAR researchers were not funded specifically to research the Tron codebase. DAR is a sell-side research firm that focuses on the analysis of digital assets for institutional investors, and generates revenue from subscribers who pay to gain access to exclusive material that will help inform them when investing in cryptocurrency projects like Tron.
“My job is to perform deep technical due diligence for our clients, which involves reviewing the entire codebase of the projects we cover, which is what I did with TRON,” Nuzzi said. “Most of our research is exclusive to our clients, but whenever we find something that the entire community can benefit from, we share it.”
With the mainnet migration due to take place on June 25, it’s possible that Tron may face multiple technical and legal problems that will negatively impact the performance and success of the project. Tron staff did not immediately respond to a request for comment on the matter.
In the meantime, Nuzzi has another suggestion for Tron — one they are free to copy, attribution or not.
Last modified: May 20, 2020 8:40 PM UTC