A hidden security flaw has affected around 14,545 Tron cryptocurrency wallets and put millions of dollars in digital assets at risk.
2,130 wallets, holding nearly $31.5 million, were hacked with a weakness related to the UpdateAttackPermissions transaction in Q4 2024 alone.
Instead of stealing funds right away, the hackers take control of the wallet and block the owner from making any transactions. This locks the person out of their funds without them knowing, and they may continue adding more money to the compromised wallet, unknowingly helping the hackers.
Tron UpdateAccountPermission Exploit Puts Wallets at Risk
The UpdateAccountPermission feature on Tron is meant to improve account security by including multisig-like functions. This enables account owners to assign specific roles to keys, set their weight values, and establish thresholds for transaction approval.
For example, if the threshold is set to 10, and two keys each have a weight of 5, both must sign to approve a transaction. While this system is designed to enhance security, it becomes a weakness if an attacker gains access to the owner’s private key.
An attacker can use the compromised key to add their key to the account and set it up so that it meets the transaction threshold when paired with the original key. Since they cannot complete transactions on their own, the legitimate owners are essentially locked out, but they are still free to deposit money into the compromised wallet.
Mykhailo Tiutin from AMLBot explained, “Wallets do not have any kind of notifications or information to say that somebody has added another key to your wallet. There is absolutely no indication that your wallet is gone until you send an outgoing transaction yourself.”
After discovering the breach, victims can only stop depositing funds into the hacked wallet. As per Sattvik Kansal, co-founder of Rome Protocol, this attack is alarming because users can’t get their funds back without the attacker’s private key.
UpdateAccountPermission: Useful but Not Without Risks
The UpdateAccountPermission feature is designed to help businesses and users share control over their funds. This means multiple people need to approve any transactions, which reduces the chances of unauthorized transactions.
It’s also useful for decentralized organizations, where community members manage funds together. Requiring multiple approvals prevents one person from taking control of the funds. Even regular users can use UpdateAccountPermission by adding more keys to their accounts. This makes it less likely they’ll lose access to their funds if one of their devices or keys gets hacked.
Exploitation Happens Beyond Tron
The misuse of blockchain functions does not only happen to Tron. On Ethereum, attackers often take advantage of commonly used features like “approve” and “permit,” which are key for using decentralized finance platforms.
A Scam Sniffer report says that phishing scams across blockchains, excluding Tron, led to $9.38 million in losses in November 2024. Ethereum alone contributed close to $7 million. This is a decrease from the $20 million in losses reported in October 2024, potentially due to Ethereum wallets now asking users to confirm suspicious transactions before approval.
How to Protect Your Wallet from Silent Hijackers
To exploit the UpdateAccountPermission feature, attackers need access to the private key. Once leaked, the account is compromised, and hackers can steal more funds.
Axel Leloup, a security expert, advises understanding Tron’s permission system and regularly reviewing account permissions. He also stressed the importance of securely storing private keys and never sharing them with untrusted sources.
The victim’s wallet was vulnerable due to poor security practices, with the private key exposed in code across multiple devices during smart contract testing.
To prevent this, limit the amount of Tron (TRX) in wallets, especially for USDT transactions. Since 100 TRX is needed for the UpdateAccountPermission function, wallets with little TRX are harder for attackers to exploit. Tiutin recommends using wallets that allow USDT transactions without burning TRX.
Also Read: Apple & Google Ban Crypto Apps Tied to Huione Group Cyberscam
