By CCN: According to The Next Web and explosive data from HackerOne, a security bounty website, a single computer could have shut down the Tron network by draining the cryptocurrency network’s resources.
Bytecode Attack Threatened to Bring Tron to Its Knees
We could dub the vulnerability a “bytecode” attack. The method involves using a massive piece of bytecode to consume the resources on Tron’s network, effectively shutting it down for things like processing smart contract requests and even transactions.
The report’s summary reads:
“A single request to submit a post to /wallet/deploycontract with several megabytes of bytecode along with CPU intensive long parsing will consume CPU for about 10 minutes while still holding several megabytes of bytecode in heap. With enough requests (let's say 1K-10K depending upon available memory), it's enough to use all the available threads to service incoming HTTP request, fill up the memory and render DDOS.”
The Tron Foundation paid the security researcher $1,500 for discovering the bug, and has marked the issue as “resolved.”
The bug was first reported on January 13th, but Tron didn’t disclose it until May 2nd. Presumably, they implemented a patch in the meantime. The last version of Tron was released on April 9th.
According to the bug reporter, the “impact” of the bug was:
“Using a single machine an attacker could send DDOS attack to all or 51% of the SR node and render Tron network unusable or make it unavailable.”
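The report does not say how Tron fixed the issue. As an added illustration (not code from Tron or from the report), this Python guard shows a common defence against the failure described above: refuse oversized request bodies before they reach the heap, and cap how many expensive parses run at once so slow requests cannot occupy every worker thread. The limits and the names `DeployGuard`, `Rejected` and `status_of` are assumptions.

```python
import io
import threading

MAX_BODY = 64 * 1024   # assumed cap on bytecode upload size, not Tron's value
MAX_IN_FLIGHT = 4      # assumed cap on concurrent expensive parses

class Rejected(Exception):
    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status

class DeployGuard:
    """Admission control placed in front of an expensive deploy handler."""

    def __init__(self, max_body=MAX_BODY, max_in_flight=MAX_IN_FLIGHT):
        self.max_body = max_body
        self._slots = threading.BoundedSemaphore(max_in_flight)

    def handle(self, headers, stream, parse):
        # 1. Refuse on the declared size before reading anything into heap.
        declared = headers.get("Content-Length", "")
        if not (declared.isascii() and declared.isdigit()):
            raise Rejected(411, "length required")
        if int(declared) > self.max_body:
            raise Rejected(413, "payload too large")
        # 2. Cap concurrent parses and shed load instead of queueing, so slow
        #    requests cannot occupy every worker thread.
        if not self._slots.acquire(blocking=False):
            raise Rejected(503, "deploy workers busy")
        try:
            # 3. The header can lie: read at most one byte past the cap.
            body = stream.read(self.max_body + 1)
            if len(body) > self.max_body:
                raise Rejected(413, "payload too large")
            return parse(body)
        finally:
            self._slots.release()

def status_of(guard, headers, body, parse=len):
    """Run one constructed request through the guard; return HTTP status."""
    try:
        guard.handle(headers, io.BytesIO(body), parse)
        return 200
    except Rejected as exc:
        return exc.status
```

A production handler would also put a CPU or wall-clock budget on the parse step itself, since the report describes a single request consuming CPU for about 10 minutes.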
The Tron Foundation has neglected to blog on the subject, which would seem a serious matter to anyone who believes in the Tron network. According to The Next Web, cryptocurrency projects have paid out a total of $878,000. Numerous crypto companies use the HackerOne platform to encourage white hat hackers to disclose flaws discovered in the various platforms. Even Monero has bounties on HackerOne.
That $1,500 check will pay the rent in many parts of the country, but it seems a rather small bounty, given the severity of the bug discussed. The Tron Network is currently worth about $1.6 billion. Nearly half that amount was traded over the past 24 hours.
If the exploit had ever been used, Tron prices would surely have seen a severe dip. Other consequences might include a delisting from exchanges that demand that a network be usable. An exploit of that sort, however, would not garner a hacker any financial gain unless they were able to take a short position on Tron somewhere.
Poloniex no longer has margin trading. Few exchanges offer margins for altcoins. Therefore, probably the only profitable way to exploit the bug was to report it.
Last modified: January 10, 2020 3:10 PM UTC