Smart contract and dapp blockchain platform Tron (TRX) could have been history by now, according to a report published on HackerOne. The bug bounty platform disclosed that a flaw in Tron’s wallet was a potential weak point for a DDoS attack that could have crashed the system.
The report, which was published on the HackerOne website, said:
“A single request to submit a post to /wallet/deploy contract with several megabytes of bytecode along with CPU intensive long parsing will consume CPU for about 10 minutes while still holding several megabytes of bytecode in heap.”
“With enough requests (let’s say 1K-10K depending upon available memory), it’s enough to use all the available threads to service incoming HTTP request, fill up the memory and render DDOS,” it added.
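The quoted report describes a classic resource-exhaustion pattern: an endpoint that accepts an unbounded body, hands it to a CPU-intensive parser, and keeps the bytes in heap for the whole parse, so a flood of such requests ties up every request-serving thread and fills memory. The following Go HTTP handler is an added illustration of the defensive side of that pattern; it is not code from Tron, java-tron or the HackerOne report. The endpoint path, the limits (`maxBodyBytes`, `maxConcurrent`, `parseTimeBudget`) and the stand-in `parseBytecode` routine are all constructed assumptions; the real parser and Tron's real configuration are out of scope here.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"log"
	"net/http"
	"time"
)

// Constructed limits for a "deploy contract" style endpoint (assumptions, not Tron's real settings).
const (
	maxBodyBytes    = 512 * 1024      // reject multi-megabyte bytecode uploads before parsing
	maxConcurrent   = 4               // how many expensive parses may run at once
	parseTimeBudget = 2 * time.Second // hard cap on wall-clock time per parse
)

// parseSem bounds the number of in-flight expensive parses so a flood of requests
// cannot occupy every request-serving goroutine and pile bytecode up in memory.
var parseSem = make(chan struct{}, maxConcurrent)

// acquireParseSlot takes a slot without blocking; it returns false when the
// server is already saturated so the caller can fail fast instead of queueing.
func acquireParseSlot() bool {
	select {
	case parseSem <- struct{}{}:
		return true
	default:
		return false
	}
}

func releaseParseSlot() { <-parseSem }

// parseBytecode is a constructed stand-in for the CPU-intensive parsing step.
// It checks the context every 1 KiB so a request that exceeds its time budget
// is abandoned early rather than running for minutes. It returns the number of
// non-zero bytes seen as a trivial "op count".
func parseBytecode(ctx context.Context, code []byte) (int, error) {
	ops := 0
	for i := range code {
		if i%1024 == 0 {
			if err := ctx.Err(); err != nil {
				return ops, err
			}
		}
		if code[i] != 0 {
			ops++
		}
	}
	return ops, nil
}

// deployHandler applies three defenses in order: body size limit, concurrency
// limit, then a time budget on the parse itself.
func deployHandler(w http.ResponseWriter, r *http.Request) {
	// Read at most maxBodyBytes+1 so an oversized upload is detected without
	// buffering the whole thing.
	code, err := io.ReadAll(io.LimitReader(r.Body, maxBodyBytes+1))
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	if len(code) > maxBodyBytes {
		http.Error(w, "bytecode too large", http.StatusRequestEntityTooLarge)
		return
	}
	if !acquireParseSlot() {
		w.Header().Set("Retry-After", "1")
		http.Error(w, "too many concurrent deployments", http.StatusServiceUnavailable)
		return
	}
	defer releaseParseSlot()

	ctx, cancel := context.WithTimeout(r.Context(), parseTimeBudget)
	defer cancel()
	ops, err := parseBytecode(ctx, code)
	if err != nil {
		http.Error(w, "parse aborted: "+err.Error(), http.StatusRequestTimeout)
		return
	}
	fmt.Fprintf(w, "accepted %d ops\n", ops)
}

func main() {
	http.HandleFunc("/wallet/deploycontract", deployHandler) // assumed path, for illustration only
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The three limits address the three halves of the report's complaint separately: the size cap stops "several megabytes of bytecode" from ever reaching the parser, the semaphore keeps a burst of requests from consuming "all the available threads", and the context deadline bounds the "about 10 minutes" of CPU per request. A production service would also set `http.Server` read timeouts and meter per-client request rates, which this example leaves out.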
The bug could have exposed Tron to exactly this kind of attack, but it was discovered in time: it was disclosed in January, acted upon, and is currently labelled as resolved in the report.
Tron officially handed over its bug bounty program to HackerOne in July 2018 and has since entrusted the security of its network to the company. The bounty program encourages security researchers to find potentially damaging flaws in the blockchain network in exchange for a (mostly financial) reward. This has been largely effective, as bugs get discovered before they do any real harm.
So far, the company has spent a total of almost $80,000 on bug bounties, and most of the reported security concerns have been resolved and the threats eliminated. Its bounty reward program has four categories of threats, with rewards scaled to severity. The first category, critical bugs that attack passwords, attracts a $10,000 reward. High-severity bugs attract $6,000, while medium and minor threats attract rewards of $3,000 and $100 respectively.
Tron isn’t the only network that runs a bug hunting program. Even Bitcoin Core, the main Bitcoin network that contains the entire Bitcoin blockchain, was found in 2018 to contain a bug that could have shut down a significant part of the network.
As reported by CoinDesk, the bug was so serious, and somewhat embarrassing, that the Bitcoin developers decided to keep some of the information about it secret. No network is therefore safe, and regular checks through bounty programs could save several from a complete crash.