The ElephantsLab team would have found a vulnerability in some smart contracts of DeFi projects on the TRON blockchain.
Nowadays it is impossible not to talk about decentralized finance (DeFi), both in a positive way, mentioning the birth of several projects on different blockchains, and in a negative way considering that every day there are new vulnerabilities, like the one that involved the exchange Gate.io and SushiSwap.
We are obviously talking about new projects and a new sector, hence it is also very risky to invest in them because, if the necessary smart contract audits have not been carried out, backdoors can be hidden in the protocols that can cause users to lose money, as was the case with Chick Finance.
Tron vulnerability: A bug in the smart contracts of DeFi
The ElephantsLab team analyzed a series of DeFi smart contracts and identified a loophole, or rather a design flaw, that allows stealing all the funds of those who interact with it.
The team explained that in this type of protocols, where the user is required to deposit and stake an amount of tokens in order to receive new ones, there are two fundamental parameters:
- Address_spender, which is the address where the tokens created by the project are located;
- Uint256_value, which is the contract that can hold the tokens.
An in-depth research carried out on the TRON blockchain has shown that some smart contracts have been poorly written.
This bug allows to actually withdraw the entire amount of tokens from the user’s address, so even if a certain value is put at the end, they can all be taken.
To check the fault, it is first necessary to check the value it returns, which must be 0. If it returns the value -1 then the tokens would be in danger and the wallets could be emptied.
As if that were not enough, the smart contracts involved in this vulnerability, which can also be checked on the Ethereum blockchain, are the most used in the DeFi sector.
These vulnerabilities are found in the smart contracts of Tether (USDT), the TRON USDJ stablecoin and the Just (JST) governance token.
As far as Tether is concerned, however, the CTO Paolo Ardoino has denied that it is a real bug:
“It’s not a bug. When Tether on Tron was released it was just not 100% compatible with the full ERC20 specification. It’s not a bug, but we are working to create a wrapper to align the specification to ERC20.”