Critical Vulnerability in Tron Network’s Multi-Signature System Promptly Fixed

Cybersecurity experts on the 0d team reported that a critical vulnerability was found in the Tron network’s multi-signature system.
Assets worth half a billion dollars were at risk, but the vulnerability was promptly closed.

The 0d team works as part of dWallet Labs. 0d specialists claim that the vulnerability in Tron allowed the holder of one of the wallet's signing keys to gain unlimited access to a multisignature-protected wallet and all the assets stored in it.

The 0d team reported the vulnerability to Tron developers back in February via Project HackerOne, and the issue was fixed a few days later.

A Tron spokesperson confirmed that the developers received Project HackerOne’s report and “fixed the issue as quickly as possible by applying the necessary patches, so the vulnerability could not be exploited.”

The amount of compensation paid to the cybersecurity specialists was not disclosed. According to Omer Sadika, co-founder of Odsy Network, the mistake was trivial to fix:

“Tron’s multi-signature verification verified whether the signature in question had already been counted, and assumed that two different signatures for the same transaction could not have been created by the same person.

“In order to fix the vulnerability, it was necessary to check the address of the signatory against the list of addresses, not the signature.”
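The counting flaw and its fix, as an added sketch that is not Tron's code or the 0d team's: a simplified 2-of-3 model in which signatures are deduplicated first by signature bytes and then by signer address. The signer names, keys and the HMAC-based stand-in for a randomized signature scheme are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a randomized signature scheme (not real ECDSA):
# one key can produce many distinct valid signatures over the same transaction.
KEYS = {"addr_A": b"key-A", "addr_B": b"key-B", "addr_C": b"key-C"}  # hypothetical
THRESHOLD = 2  # simplified 2-of-3 wallet


def sign(address, tx):
    nonce = os.urandom(8)
    return nonce + hmac.new(KEYS[address], nonce + tx, hashlib.sha256).digest()


def recover_signer(sig, tx):
    """Return the address whose key produced sig over tx, or None if invalid."""
    nonce, tag = sig[:8], sig[8:]
    for address, key in KEYS.items():
        expected = hmac.new(key, nonce + tx, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            return address
    return None


def approved_by_signature(sigs, tx):
    """Flawed check: a signature counts unless the same bytes were seen before."""
    seen = set()
    for sig in sigs:
        if sig not in seen and recover_signer(sig, tx) is not None:
            seen.add(sig)
    return len(seen) >= THRESHOLD


def approved_by_address(sigs, tx):
    """Fixed check: each signer address counts once, however many signatures."""
    signers = set()
    for sig in sigs:
        address = recover_signer(sig, tx)
        if address is not None:
            signers.add(address)
    return len(signers) >= THRESHOLD


if __name__ == "__main__":
    tx = b"constructed sample transaction"
    sigs = [sign("addr_A", tx), sign("addr_A", tx)]  # one signer, two signatures
    print(approved_by_signature(sigs, tx), approved_by_address(sigs, tx))
```
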

In 2019, Tron developers patched a vulnerability that allowed the entire network to be crashed from a single computer.