Background

In the previous instalment of our Web3 Security Beginner’s Guide, we covered the risks associated with downloading or purchasing wallets, identifying official websites, verifying wallet authenticity, and the dangers of private key/seed phrase leaks. While the adage “Not your keys, not your coins” underscores the importance of control over your private keys, there are scenarios where having the private key/seed phrase alone doesn’t guarantee control over your assets. For instance, your wallet could be maliciously multi-signed. Based on data collected from MistTrack’s stolen forms, some users were perplexed about why their wallet had a balance but couldn’t transfer any funds after a malicious multi-signature attack. In this issue, we will use the TRON wallet to illustrate the concept of multi-signature phishing, including the multi-signature mechanism, typical hacker tactics, and strategies to prevent malicious multi-signature attacks.

Multi-signature mechanism

Multi-Signature Mechanism

Let’s begin with a brief overview of what multi-signature entails. The multi-signature mechanism is designed to enhance wallet security by enabling multiple users to jointly manage and control access to a single digital asset wallet. This means that even if some administrators lose or expose their private keys/seed phrases, the wallet’s assets may remain secure.

TRON’s multi-signature permission system is structured around three types of permissions: Owner, Witness, and Active, each serving a distinct purpose:

Owner Permission:

• Grants the highest level of authority to execute all contracts and operations.
• Only the holder of this permission can modify other permissions, including adding or removing other signatories.
• By default, a newly created account has Owner permission.

Witness Permission:

This permission is mainly related to Super Representatives, allowing the account to participate in the election and voting process for Super Representatives and manage related operations.

Active Permission:

Used for routine operations such as transferring funds and calling smart contracts. This permission can be set and adjusted by the Owner permission and is typically allocated to accounts for performing specific tasks. It encompasses a collection of authorized actions (e.g., TRX transfers, staking assets).

When a new account is created, it automatically receives Owner permission (the highest authority). The account holder can then adjust its permission structure, determine which addresses to authorize, set the weight of these addresses, and configure thresholds. A threshold represents the number of signatures needed to execute a specific action. In the diagram below, a threshold of 2 means that for an action to be carried out, 2 out of 3 authorized addresses must sign off.

(https://support.tronscan.org/hc/article_attachments/29939335264665)

Process of Malicious Multi-Signature

If a hacker obtains a user’s private key/seed phrase and the user hasn’t employed the multi-signature mechanism (i.e., the wallet is controlled solely by the user), the hacker can either grant Owner/Active permissions to their address or transfer the user’s Owner/Active permissions to themselves. These actions are often referred to as malicious multi-signature attacks, but they can be differentiated based on whether the user still holds Owner/Active permissions:

Exploiting the Multi-Signature Mechanism: If the hacker grants themselves Owner/Active permissions while the user’s permissions remain intact, the account is co-managed by both the user and the hacker (with a threshold of 2). Both the user’s and the hacker’s addresses have a weight of 1. Even though the user possesses the private key/seed phrase and holds Owner/Active permissions, they cannot transfer their assets because the transaction requires signatures from both the user’s and the hacker’s addresses.

While multi-signed accounts need multiple signatures to authorize asset transfers, depositing funds into a wallet does not. If a user does not routinely check their account permissions or hasn’t recently conducted a transfer, they may not notice changes to their wallet’s authorizations, leading to continuous risk. Hackers might exploit this by waiting until the account accumulates a significant amount of assets before making a large-scale theft.

Using TRON’s Permission Management Design: Another scenario involves hackers leveraging TRON’s permission management design to directly transfer the user’s Owner/Active permissions to their address (with the threshold still at 1), causing the user to lose these permissions and their “voting rights.” In this case, the hacker isn’t using the multi-signature mechanism to prevent asset transfers but is still called malicious multi-signature in common terminology.

Both scenarios lead to the same result: whether or not the user retains Owner/Active permissions, they lose effective control over the account, and the hacker gains full control, including the ability to modify permissions and transfer assets.

Common Causes of Malicious Multi-Signature Attacks

Based on stolen data collected by MistTrack, we’ve identified several common causes of malicious multi-signature attacks. Be vigilant if you encounter any of the following situations:

1.Downloading from Incorrect Sources: Clicking on fake official links sent via Telegram, Twitter, or from acquaintances c can lead to counterfeit wallets and subsequent private key/seed phrase leaks and malicious multi-signature attacks.

2.Entering Private Keys/Seed Phrases on Phishing Sites: Inputting private keys/seed phrases on phishing websites offering fuel cards, gift cards, or VPN services, which results in loss of control over the wallet account.

3.OTC Transactions: During over-the-counter transactions, if someone captures private keys/seed phrases or gains account authorization through other means, the wallet may be maliciously multi-signed, leading to asset loss.

4.Scam Offers: Scammers may provide private keys/seed phrases and claim they cannot withdraw assets from the wallet, offering a reward if you help. Despite the presence of funds in the wallet, you won’t be able to withdraw them if the withdrawal rights have been transferred to another address by the scammer.

5.Phishing Links on TRON: A less common situation where users click on phishing links on TRON and sign malicious data, leading to a malicious multi-signature attack.

Summary

In this guide, we’ve used the TRON wallet to explain the multi-signature mechanism, the process and tactics of malicious multi-signature attacks, and strategies for avoiding them. We hope this provides a clearer understanding of the multi-signature mechanism and enhances your ability to prevent malicious multi-signature attacks. Additionally, there are special cases where novice users might inadvertently set up their wallets for multi-signature due to operational mistakes or misunderstandings, requiring multiple signatures for transfers. In such cases, users should either meet the multi-signature requirements or adjust permissions to grant Owner/Active permissions to a single address to restore single-signature functionality.

Finally, the SlowMist Security team recommends that users regularly check their account permissions for any abnormalities, download wallets from official sources (as outlined in our guide on fake wallets and private key/seed phrase leaks), avoid clicking on unknown links, and refrain from entering private keys/seed phrases without caution. Additionally, install antivirus software (such as Kaspersky, AVG) and phishing risk blockers (such as Scam Sniffer) to improve device security.

Disclaimer：

1. This article is reprinted from [SlowMist], All copyrights belong to the original author [SlomMist Security Team]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.