A newly discovered security flaw in Tron’s blockchain has compromised over 14,500 wallets, putting millions of dollars in digital assets at risk. The vulnerability, linked to the UpdateAccountPermission feature, has already led to the hacking of 2,130 wallets, with nearly $31.5 million stolen in the final quarter of 2024.
Rather than stealing funds outright, hackers exploit the flaw by taking control of affected wallets and blocking the legitimate owners from making transactions. As a result, victims are locked out of their accounts, but they may unknowingly continue adding more funds to the compromised wallets, which only benefits the attackers.
The Exploit Behind the Flaw
The UpdateAccountPermission feature is designed to enhance account security by incorporating multisig-like functionality. It allows users to assign specific roles to keys and establish transaction approval thresholds. For example, a threshold might require two keys with equal weight to approve a transaction, improving security by preventing unauthorized access.
However, this system becomes a potential weakness if an attacker gains access to the owner’s private key. Once compromised, the attacker can add their key to the account and manipulate the system to meet the required approval threshold, effectively locking the rightful owner out of their own funds while still allowing new deposits.
Mykhailo Tiutin from AMLBot explained, “Wallets do not have any kind of notifications or information to say that somebody has added another key to your wallet. There is absolutely no indication that your wallet is gone until you send an outgoing transaction yourself.”
The Consequences and Lack of Recovery
Once a wallet is hijacked, victims are unable to access their funds without the attacker’s private key. As security expert Sattvik Kansal, co-founder of Rome Protocol, pointed out, this breach is particularly concerning because the affected user cannot recover their funds on their own.
UpdateAccountPermission: A Double-Edged Sword
While the UpdateAccountPermission feature is designed to enhance security by enabling shared control over wallets—ideal for businesses, decentralized organizations, and individual users—it also comes with inherent risks. Multiple signatures for transactions provide added protection against unauthorized access, but the feature can be exploited if an attacker gains access to a private key.
A Broader Issue Across Blockchains
The exploitation of blockchain functions is not limited to Tron. Ethereum has also seen its fair share of attacks, with attackers exploiting features like “approve” and “permit” on decentralized finance platforms. A recent Scam Sniffer report revealed that phishing scams across multiple blockchains, excluding Tron, led to $9.38 million in losses in November 2024, with Ethereum accounting for nearly $7 million of that total.
How to Protect Your Wallet from Exploits
To safeguard against silent wallet hijackers, security experts recommend regularly reviewing account permissions and understanding Tron’s permission system. The most critical measure, however, is securing private keys and never sharing them with untrusted parties. In some cases, victims’ private keys were exposed during smart contract testing, which is how the attackers gained the access needed to alter account permissions.
Additionally, experts suggest limiting the amount of Tron (TRX) in wallets, particularly for USDT transactions, as this can make wallets harder for attackers to exploit. Using wallets that do not require burning TRX for USDT transactions is also recommended.
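The article describes the permission model (keys with weights and an approval threshold) and recommends reviewing account permissions regularly. The following added example, which is not code from the article or from Tron, shows what such a review can check: it takes an account's permission fields in the shape described above (a permission with a `threshold` and a list of `keys`, each an `address` with a `weight`), compares them against the keys the owner knows they added, and flags both unknown keys and the lockout condition in which the owner's own keys no longer reach the threshold. The sample account and its addresses are constructed placeholders.

```python
"""Audit a Tron-style permission set for the silent-hijack pattern.

Added example, not code from the article or from Tron. It assumes the
permission layout the article describes: each permission has a threshold
and a list of keys, each key an address with a weight. The sample account
below is constructed and uses placeholder addresses.
"""
from typing import Dict, List, Set

# Constructed sample. T_OWNER is the legitimate owner's key; T_UNKNOWN is a
# key the owner never added, which alone is enough to raise the threshold to 2.
SAMPLE_ACCOUNT: Dict = {
    "owner_permission": {
        "permission_name": "owner",
        "threshold": 2,
        "keys": [
            {"address": "T_OWNER_PLACEHOLDER", "weight": 1},
            {"address": "T_UNKNOWN_PLACEHOLDER", "weight": 1},
        ],
    },
    "active_permission": [
        {
            "permission_name": "active",
            "threshold": 1,
            "keys": [{"address": "T_OWNER_PLACEHOLDER", "weight": 1}],
        }
    ],
}


def audit_permission(perm: Dict, trusted: Set[str]) -> List[str]:
    """Return findings for one permission (owner or active)."""
    findings = []
    name = perm.get("permission_name", "?")
    keys = perm.get("keys", [])
    threshold = perm.get("threshold", 0)
    for k in keys:  # any key the owner did not add is suspicious on its own
        if k["address"] not in trusted:
            findings.append(f"{name}: key {k['address']} (weight {k['weight']}) is not trusted")
    # Lockout check: can the owner's own keys still satisfy the threshold?
    trusted_weight = sum(k["weight"] for k in keys if k["address"] in trusted)
    if trusted_weight < threshold:
        findings.append(f"{name}: trusted weight {trusted_weight} < threshold {threshold} (owner locked out)")
    return findings


def audit_account(account: Dict, trusted: Set[str]) -> List[str]:
    """Audit the owner permission and every active permission of an account."""
    findings = audit_permission(account["owner_permission"], trusted)
    for perm in account.get("active_permission", []):
        findings.extend(audit_permission(perm, trusted))
    return findings


if __name__ == "__main__":
    for line in audit_account(SAMPLE_ACCOUNT, {"T_OWNER_PLACEHOLDER"}):
        print(line)
```

On the constructed sample the owner permission yields two findings (an untrusted key and a lockout), while the untouched active permission yields none; feeding the same check real account data on a schedule is one way to get the notification the article says wallets currently lack.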
As the crypto community grapples with these vulnerabilities, proactive security practices are crucial to protecting digital assets from increasingly sophisticated attacks.