
Tron wallet vulnerability allows attackers to take control, experts warn
- Attackers are using the UpdateAccountPermission function to target Tron wallets.
- The vulnerability allows bad actors to stealthily take over control.
- Experts warn that thousands of users may be at risk.
Researchers at security firm AMLBot have warned of a vulnerability within Tron crypto wallets that could allow bad actors to drain the crypto assets of millions of users.
In a recent report, the security firm alerted Tron crypto wallet users that attackers were exploiting a vulnerability stemming from the UpdateAccountPermission function, which allows them to transfer control of a crypto wallet without the owner’s knowledge.
Attackers are then able to add their key to the wallet, configure it to meet transaction thresholds and block legitimate outgoing transactions.
Victims are also locked out of their wallets and can unknowingly continue to deposit funds, enriching the attackers.
According to AMLBot, these vulnerabilities have led to attacks on roughly 2,130 wallets in just the fourth quarter of 2024.
What is the UpdateAccountPermission function?
For Tron wallets, the UpdateAccountPermission function is a security feature designed to enhance account control by enabling users to assign specific roles to keys, define weight values for each key, and set transaction thresholds.
This serves use cases such as shared wallet management, where multiple parties can oversee and approve transactions, and decentralized governance, allowing community-controlled accounts to require multi-signature approvals when accessing funds.
It also benefits users by allowing them to assign multiple keys to their wallets, thereby reducing the risks of losing access due to a single compromised key.
However, when exploited, this feature can be misused by attackers to gain control over wallets.
This typically happens when an attacker gains access to a compromised private key via, according to AMLBot.
With this, the attacker can add their key and lock out the original user.
This is especially risky because users are not notified when a key is added, and researchers claim that the only way a user realizes their wallet has been compromised is when they try transferring funds.
There’s also limited recourse after the compromise, as the attacker’s private key is required to authorize any future transactions.
Without access to this key, victims cannot regain control of their wallets or recover the locked funds.
As a result, the only immediate action users can take is to stop depositing funds into the compromised wallet to prevent further losses.
AMLBot estimated that roughly 14,545 users were at risk due to this vulnerability.
Scammers continue stealing billions
Hacks and scams led to over $2.3 billion in losses across the crypto sector in 2024, according to a report from blockchain security firm CertiK.
Compromised private keys were one of the leading causes behind the year’s losses, and such attacks surged 75% compared to 2023.
Scammers are known to use malware and complicated phishing tactics to gain access to users’ keys.
Experts advise securely storing private keys and avoiding sharing sensitive information online to mitigate losses.
They also recommend regularly checking account permissions as an added safety measure.
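One way to carry out the recommended permission check, as an added example that is not from AMLBot or the original article: it compares each permission block's keys, weights and threshold against the keys the owner actually controls. The field names follow the account JSON a Tron full node returns from wallet/getaccount; the addresses and both sample records are constructed.

```python
# Added example: flag signs of a permission takeover in a Tron account record.
# Field names follow the account JSON a Tron full node returns from
# wallet/getaccount; the addresses and both sample records are constructed.

OWNER = "TOwnerPlaceholderAddress"     # constructed placeholder: a key you control
OTHER = "TUnknownPlaceholderAddress"   # constructed placeholder: a key you do not

def audit_permission(perm, trusted):
    """Return findings for one permission block (owner or active)."""
    name = perm.get("permission_name", "unnamed")
    threshold = perm.get("threshold", 1)
    keys = perm.get("keys", [])
    findings = [f"{name}: unrecognized key {k['address']}"
                for k in keys if k["address"] not in trusted]
    trusted_w = sum(k["weight"] for k in keys if k["address"] in trusted)
    other_w = sum(k["weight"] for k in keys if k["address"] not in trusted)
    if trusted_w < threshold:
        # The owner's keys can no longer authorize a transaction on their own.
        findings.append(f"{name}: your keys weigh {trusted_w}, threshold is {threshold}")
    if other_w >= threshold:
        # Someone else can authorize transactions without the owner.
        findings.append(f"{name}: unrecognized keys alone meet threshold {threshold}")
    return findings

def audit_account(account, trusted):
    """Audit the owner permission and every active permission."""
    perms = list(account.get("active_permission", []))
    if "owner_permission" in account:
        perms.insert(0, account["owner_permission"])
    return [f for p in perms for f in audit_permission(p, trusted)]

HEALTHY = {  # constructed: single owner key, default thresholds
    "owner_permission": {"permission_name": "owner", "threshold": 1,
                         "keys": [{"address": OWNER, "weight": 1}]},
    "active_permission": [{"permission_name": "active", "threshold": 1,
                           "keys": [{"address": OWNER, "weight": 1}]}],
}
TAKEN_OVER = {  # constructed: extra key added, threshold raised past the owner
    "owner_permission": {"permission_name": "owner", "threshold": 2,
                         "keys": [{"address": OTHER, "weight": 2},
                                  {"address": OWNER, "weight": 1}]},
    "active_permission": [{"permission_name": "active", "threshold": 1,
                           "keys": [{"address": OTHER, "weight": 1}]}],
}

if __name__ == "__main__":
    for label, acct in (("healthy", HEALTHY), ("taken over", TAKEN_OVER)):
        print(label, audit_account(acct, {OWNER}) or "no findings")
```

Run on a schedule against a freshly fetched account record, any finding is a reason to stop depositing into that wallet.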





