Beginner’s Guide to Web3 Security: Risk of Wallet Being Maliciously Multi-Signed

Beginner · Sep 12, 2024
In this guide, we use the TRON wallet as an example to explain the concept of multisignature phishing, the mechanics of multisignature systems, common tactics used by hackers, and strategies to prevent your wallet from being maliciously configured with multisignature settings.

Background

In the previous installment of the Web3 Security Guide, we discussed the risks associated with downloading or purchasing wallets, how to find official websites, methods to verify the authenticity of wallets, and the dangers of private key/seed phrase leaks. The phrase “Not your keys, not your coins” emphasizes the importance of controlling your private keys. However, there are situations where even possessing the private keys or seed phrases does not guarantee control over your assets, such as when a wallet is compromised by a malicious multisignature setup.

Based on data collected from MistTrack’s stolen funds report, some users find that their wallets contain funds, but they cannot transfer them due to malicious multisignature configurations. In this guide, we use the TRON wallet as an example to explain the concept of multisignature phishing, the mechanics of multisignature systems, common tactics used by hackers, and strategies to prevent your wallet from being maliciously configured with multisignature settings.

Multisignature Mechanism

A multisignature (multisig) mechanism is designed to enhance wallet security by allowing multiple users to collectively manage and control access to a digital asset wallet. This setup means that even if some managers lose or leak their private keys/seed phrases, the assets within the wallet may remain secure.

TRON’s multisignature system includes three distinct permission levels: Owner, Witness, and Active, each serving specific functions and purposes.

Owner Permissions:

  • Hold the highest level of authority, capable of executing all contracts and operations.

  • Only an owner can modify other permissions, including adding or removing signers.

  • When a new account is created, the account itself is assigned the owner permission by default.

Witness Permissions:

  • Primarily associated with Super Representatives, this permission allows an account to participate in the election and voting processes for Super Representatives, as well as manage operations related to them.

Active Permissions:

  • Used for daily operations such as transfers and smart contract execution. The owner can set and modify these permissions, typically assigning them to accounts that need to perform specific tasks. Active permissions encompass a range of authorized actions, such as TRX transfers and asset staking.

As mentioned earlier, a new account’s address automatically receives owner permissions (the highest level) by default. This owner can then adjust the account’s permission structure, deciding which addresses receive permissions, the weight of these permissions, and setting thresholds. The threshold determines the required weight of signatures to execute specific actions. For example, if the threshold is set to 2, and each of the three authorized addresses has a weight of 1, then at least two signatories must approve for the operation to proceed.

The Process of Malicious Multisignature

When a hacker obtains a user’s private key or seed phrase, and the user has not implemented a multisignature mechanism (meaning the wallet is solely controlled by the user), the hacker can either grant themselves Owner/Active permissions or transfer the user’s Owner/Active permissions to their own address. These actions are commonly referred to as malicious multisignature, but this term can be broadly defined. In reality, the situation can be categorized based on whether the user still retains any Owner/Active permissions:

Exploiting the Multisignature Mechanism

In the scenario depicted below, the user’s Owner/Active permissions have not been removed; instead, the hacker has added their own address as an authorized Owner/Active party. The account is now jointly controlled by the user and the hacker, with the threshold set at 2. Both the user’s and the hacker’s addresses have a weight of 1. Despite the user possessing the private key/seed phrase and retaining Owner/Active permissions, they cannot transfer their assets. This is because any request to transfer assets requires the approval of both the user and the hacker, as both signatures are necessary for the operation to proceed.

While the process of transferring assets from a multisignature wallet requires multiple signatures, depositing funds into the wallet does not. If users do not regularly check their account permissions or have not made any recent transfers, they may not notice changes to their wallet’s permissions, leading to prolonged losses. If the wallet contains only a small amount of assets, hackers might wait until the account accumulates more assets before stealing everything at once.

Exploiting TRON’s Permission Management System

In another scenario, hackers exploit TRON’s permission management system by directly transferring the user’s Owner/Active permissions to the hacker’s address, with the threshold still set at 1. This action strips the user of their Owner/Active permissions, effectively removing their control over the account, even the “voting rights.” Although this is not technically a case of malicious multisignature, it is commonly referred to as such.

In both cases, whether the user retains any Owner/Active permissions or not, they lose actual control over the account. The hacker, now possessing the highest permissions, can alter account settings and transfer assets, leaving the legitimate owner unable to manage their wallet.
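
As an added example (not part of the original article or of any TRON tooling), the following Python code applies the weight/threshold rule from the Multisignature Mechanism section to both scenarios above and reports whether an address can still act alone. The field names are assumed to follow the shape of TRON's account permission JSON, and the addresses and sample accounts are constructed placeholders.

```python
# Added example: audit a TRON-style permission structure from the holder's side.
# Field names (owner_permission, active_permissions, threshold, keys, weight)
# are assumed to follow TRON's account JSON; addresses are constructed placeholders.
USER = "T_USER_PLACEHOLDER"
OTHER = "T_UNKNOWN_PLACEHOLDER"

def audit_permission(perm, my_address):
    """Classify one Owner or Active permission from my_address's point of view."""
    keys = perm.get("keys", [])
    threshold = perm.get("threshold", 1)
    my_weight = sum(k["weight"] for k in keys if k["address"] == my_address)
    foreign = [k["address"] for k in keys if k["address"] != my_address]
    if my_weight == 0:
        status = "transferred"       # holder has no weight left on this permission
    elif my_weight < threshold:
        status = "co-sign-required"  # holder's signature alone is below threshold
    elif foreign:
        status = "shared"            # holder can act alone, but other keys are listed
    else:
        status = "sole-control"
    return {"status": status, "threshold": threshold, "foreign_keys": foreign}

def audit_account(account, my_address):
    """Audit the Owner permission and every Active permission of one account."""
    report = {"owner": audit_permission(account["owner_permission"], my_address)}
    for i, perm in enumerate(account.get("active_permissions", [])):
        report[f"active[{i}]"] = audit_permission(perm, my_address)
    return report

def make_perm(threshold, weights):
    """Build a constructed permission record from an {address: weight} mapping."""
    return {"threshold": threshold,
            "keys": [{"address": a, "weight": w} for a, w in weights.items()]}

def make_account(threshold, weights):
    p = make_perm(threshold, weights)
    return {"owner_permission": p, "active_permissions": [p]}

# Constructed sample accounts matching the cases described in the text.
SAMPLES = {
    "default": make_account(1, {USER: 1}),
    "signer_added": make_account(2, {USER: 1, OTHER: 1}),
    "transferred": make_account(1, {OTHER: 1}),
}

if __name__ == "__main__":
    for name, account in SAMPLES.items():
        print(name, audit_account(account, USER))
```

Any status other than "sole-control" on an account the holder believes to be single-signature is a reason to review the listed keys before depositing further funds.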

Methods of Malicious Multisignature Attacks

Based on data collected from MistTrack’s stolen funds report, we have identified several common causes of malicious multisignature attacks. Users should be vigilant in the following situations:

  1. Downloading Fake Wallets: Users may download fake wallets by clicking on links to fraudulent websites sent via Telegram, Twitter, or other sources. This can lead to the leak of private keys or seed phrases, resulting in malicious multisignature attacks.

  2. Entering Private Keys on Phishing Sites: Users who enter their private keys or seed phrases on phishing sites offering services like fuel cards, gift cards, or VPNs can lose control of their wallets.

  3. OTC Trading: During OTC (over-the-counter) transactions, someone may capture or otherwise acquire the user’s private keys or permissions, leading to a malicious multisignature attack.

  4. Scams Involving Private Keys: Scammers may provide a private key, claiming they cannot withdraw assets and offering a reward for assistance. Although the associated wallet appears to have funds, the withdrawal permissions are configured to another address, preventing any transfer.

  5. Phishing Links on TRON: Users might click on phishing links on TRON and sign malicious data, resulting in a malicious multisignature setup.

Conclusion

In this guide, we used the TRON wallet as an example to explain the multisignature mechanism, how hackers conduct malicious multisignature attacks, and common tactics used. This information aims to enhance understanding and improve prevention against malicious multisignature attacks. Additionally, some users, especially beginners, may accidentally configure their wallets for multisignature, requiring multiple signatures for transfers. In such cases, users need to meet the multisignature requirements or revert to a single signature by assigning Owner/Active permissions to only one address.

Disclaimer:

  1. This article is reprinted from []. All copyrights belong to the original author [**]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
  2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
  3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.
