The TRON Foundation has disclosed a critical vulnerability that could have crashed its entire $1.6 billion blockchain from a single computer: an attacker could have exhausted the CPU and memory of the network's nodes with what the disclosure describes as a Distributed Denial of Service (DDoS) attack (strictly a plain denial of service, since it needs only one source).
The organization revealed the vulnerability through a HackerOne disclosure report on May 2, 2019. According to the report, an attacker could have flooded a node with requests to deploy smart contracts, each carrying oversized bytecode.
The security researcher Danish Shrestha, who discovered the bug, was rewarded a $1,500 bounty for the issue, which he reported on January 14, 2019. It was made public only after the TRON Foundation had fixed it.
The report states: "By using a single machine, it is possible for an attacker to send a DDoS attack to all or 51 percent of the [Super Representative] nodes and render the TRON network unusable, or make it unavailable."
To exploit the issue, an attacker would send a POST request to /wallet/deploycontract, the HTTP API endpoint used to request deployment of a contract on the blockchain, with each request carrying several megabytes of bytecode.
With enough such requests in flight, somewhere between 1,000 and 10,000 depending on the node's available memory, a single machine could occupy every request slot and exhaust the node's memory, denying legitimate users access to the network.
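The failure mode described above, as an added example that is not TRON's own code (java-tron is written in Java; this is an illustrative Go net/http handler): the unguarded handler buffers whatever body it is sent, so memory grows with the attacker's payload, while the hardened wrapper caps the body size before the handler reads it and refuses requests outright once every slot is busy. The 1 MiB cap, the four slots and the filler payload are assumptions chosen for the demonstration; only the endpoint path comes from the report.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxContractBody caps the body accepted by the deployment endpoint.
// ASSUMPTION: 1 MiB is an illustrative figure, not a limit taken from TRON.
const maxContractBody int64 = 1 << 20

// deployHandler stands in for a /wallet/deploycontract handler. It buffers the
// entire body before doing anything else, which is exactly what makes an
// unbounded body size dangerous: memory grows with what the client sends.
func deployHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		// http.MaxBytesReader (installed by withLimits) fails the read once
		// the body exceeds the cap, so the handler never buffers the excess.
		http.Error(w, "bytecode too large", http.StatusRequestEntityTooLarge)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes of bytecode\n", len(body))
}

// gate bounds the number of requests being served at once. A buffered channel
// doubles as a non-blocking counting semaphore.
type gate struct{ slots chan struct{} }

func newGate(maxInflight int) *gate {
	return &gate{slots: make(chan struct{}, maxInflight)}
}

// tryAcquire takes a slot if one is free; it never waits, so a flood cannot
// pile up a queue of pending requests behind the limit.
func (g *gate) tryAcquire() bool {
	select {
	case g.slots <- struct{}{}:
		return true
	default:
		return false
	}
}

func (g *gate) release() { <-g.slots }

// withLimits is the hardened wrapper: reject when every slot is busy, and cap
// the body size before the wrapped handler gets to read it.
func withLimits(next http.Handler, maxBody int64, g *gate) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !g.tryAcquire() {
			http.Error(w, "too many in-flight requests", http.StatusTooManyRequests)
			return
		}
		defer g.release()
		r.Body = http.MaxBytesReader(w, r.Body, maxBody)
		next.ServeHTTP(w, r)
	})
}

// unguardedHandler is the "before": no body cap, no concurrency bound.
func unguardedHandler() http.Handler { return http.HandlerFunc(deployHandler) }

// hardenedHandler is the "after": the same handler behind withLimits.
func hardenedHandler(maxBody int64, g *gate) http.Handler {
	return withLimits(http.HandlerFunc(deployHandler), maxBody, g)
}

// postBytecode sends one in-memory POST of n filler bytes (constructed input,
// not real contract bytecode) and returns the HTTP status code.
func postBytecode(h http.Handler, n int) int {
	req := httptest.NewRequest(http.MethodPost, "/wallet/deploycontract",
		strings.NewReader(strings.Repeat("0", n)))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// exhaustSlots grabs every free slot, as the attacker's parallel requests
// would, and returns how many it took.
func exhaustSlots(g *gate) int {
	n := 0
	for g.tryAcquire() {
		n++
	}
	return n
}

func main() {
	fmt.Println("unguarded, 3 MiB body:", postBytecode(unguardedHandler(), 3<<20))
	g := newGate(4) // ASSUMPTION: 4 slots is illustrative, not a TRON setting
	h := hardenedHandler(maxContractBody, g)
	fmt.Println("hardened, 1 KiB body: ", postBytecode(h, 1024))
	fmt.Println("hardened, 3 MiB body: ", postBytecode(h, 3<<20))
	fmt.Println("slots taken by flood: ", exhaustSlots(g))
	fmt.Println("hardened, slots full: ", postBytecode(h, 1024))
}
```

Two design points matter here. The gate rejects rather than queues: a blocking semaphore would still let a flood build an unbounded backlog of half-read requests, which is the memory problem in another form. And the byte cap is applied to the request body before the handler runs, so an oversized payload fails at the read and is never held in memory; a check on the Content-Length header alone would not stop a client that lies about its length or streams a chunked body.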
Another vulnerability affecting the TRON network was also disclosed this month, for which researcher Jacob Wood was rewarded $3,100; its details were not made public.
Bug bounty programs let organizations draw on outside security expertise. HackerOne and Bugcrowd, the two best-known platforms, are used by enterprises worldwide to improve the security of their products.
As the TRON case shows, a single bug can make an entire cryptocurrency ecosystem unavailable. Security flaws are not the only thing that puts investors' cryptocurrency at risk, either. In February, $136 million in cryptocurrency was frozen after the death of the QuadrigaCX exchange's CEO, who was the only person with access to the company's cold wallet. Without his access credentials the funds are permanently inaccessible, and the trading platform has been forced to file for bankruptcy.