
DeFi: a vulnerability on TRON?

The ElephantsLab team has reportedly found a vulnerability in some smart contracts of DeFi projects on the TRON blockchain.

Nowadays it is impossible not to talk about decentralized finance (DeFi), both in a positive sense, with the birth of several projects on different blockchains, and in a negative one, since new vulnerabilities surface every day, like the one that involved the exchange Gate.io and SushiSwap.

These are obviously new projects in a new sector, so investing in them is also very risky: if the necessary smart contract audits have not been carried out, backdoors can be hidden in the protocols and cause users to lose money, as was the case with Chick Finance.

Tron vulnerability: A bug in the smart contracts of DeFi

The ElephantsLab team analyzed a series of DeFi smart contracts and identified a loophole, or rather a design flaw, that allows all the funds of those who interact with the contract to be stolen.

The team explained that in this type of protocol, where the user is required to deposit and stake an amount of tokens in order to receive new ones, there are two fundamental parameters:

  • `address _spender`, which is the address where the tokens created by the project are located;
  • `uint256 _value`, which is the contract that can hold the tokens.

In-depth research carried out on the TRON blockchain has shown that some smart contracts have been poorly written.

This bug actually allows the entire token balance to be withdrawn from the user’s address: even if a specific value is set, all of the tokens can be taken.

To check for the fault, it is first necessary to look at the value the contract returns, which must be 0. If it returns -1, the tokens are in danger and the wallets could be emptied.

As if that were not enough, the smart contracts involved in this vulnerability, which can also be found on the Ethereum blockchain, are the most used in the DeFi sector.

These vulnerabilities are found in the smart contracts of Tether (USDT), the TRON USDJ stablecoin and the Just (JST) governance token.

As far as Tether is concerned, however, its CTO Paolo Ardoino has denied that it is a real bug:

“It’s not a bug. When Tether on Tron was released it was just not 100% compatible with the full ERC20 specification. It’s not a bug, but we are working to create a wrapper to align the specification to ERC20.”
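The two points above (the `_spender`/`_value` approval parameters and the return value of a token call) can be checked before a user signs anything. The following is an added example written for this article, not code from ElephantsLab or Tether: it decodes the raw calldata of an `approve(address,uint256)` transaction, flags allowances that would hand a spender the whole balance, and interprets a call's return data the way wrappers for non-fully-compliant tokens (the SafeERC20 pattern) do. The spender address and amounts are constructed sample values.

```python
from dataclasses import dataclass

# Standard ERC20 selector: first 4 bytes of keccak256("approve(address,uint256)").
APPROVE_SELECTOR = "095ea7b3"   # approve(address _spender, uint256 _value)
MAX_UINT256 = 2**256 - 1

# Constructed samples (not real transactions): an unlimited allowance and a
# 1000-token allowance for a 6-decimal token such as USDT, to a dummy spender.
SAMPLE_SPENDER = "0x" + "11" * 20
SAMPLE_UNLIMITED = "0x" + APPROVE_SELECTOR + "0" * 24 + "11" * 20 + "f" * 64
SAMPLE_LIMITED = "0x" + APPROVE_SELECTOR + "0" * 24 + "11" * 20 + format(1_000_000_000, "064x")


@dataclass
class Approval:
    spender: str   # address that will be allowed to move the tokens
    value: int     # allowance in the token's smallest unit


def parse_approve_calldata(calldata: str) -> Approval:
    """Decode selector + two ABI words (address, uint256) of an approve() call."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        raise ValueError("not a well-formed approve(address,uint256) call")
    spender_word, value_word = data[8:72], data[72:136]
    if spender_word[:24] != "0" * 24:          # address is right-aligned in a 32-byte word
        raise ValueError("address word has non-zero padding")
    return Approval("0x" + spender_word[24:], int(value_word, 16))


def classify_approval(approval: Approval, intended: int, balance: int) -> str:
    """Compare the allowance being granted with what the user actually meant to grant."""
    if approval.value == MAX_UINT256:
        return "unlimited"          # spender can drain the whole balance, now and in future
    if approval.value > balance:
        return "exceeds-balance"    # effectively the whole balance
    if approval.value > intended:
        return "exceeds-intended"
    return "ok"


def interpret_return_data(returndata: bytes) -> str:
    """Classify the data an ERC20 call returned: a full ERC20 token returns one bool word."""
    if len(returndata) == 0:
        return "no-return-value"    # token does not implement the full ERC20 spec
    if len(returndata) != 32:
        return "malformed"
    word = int.from_bytes(returndata, "big")
    return "success" if word == 1 else "failure" if word == 0 else "malformed"
```

A wallet or front end that sees "unlimited" or "exceeds-balance" should ask the user to confirm, and a call that yields "no-return-value" cannot be treated as a confirmed success without a compatibility wrapper.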


Alfredo de Candia
Android developer for over 8 years with a dozen developed apps, Alfredo at age 21 climbed Mount Fuji following the saying: "He who climbs Mount Fuji once in his life is a wise man; he who climbs it twice is crazy". Among his apps we find a Japanese database, a spam and virus database, the most complete database on Anime and Manga series birthdays and a shitcoin database. A Sunday miner, Alfredo has a passion for crypto and is a fan of EOS.