Recently, some community users have reported that their TRON wallets were inexplicably set to multi-signature, leaving their tokens inoperable. In response, we have compiled this explainer on TRON multi-signature, hoping to help users understand how TRON multi-signature works, recognize the danger of maliciously changed permissions, and better protect their assets.

TRON multi-signature scenarios

Based on communication with users and verification of the relevant data, we identified the following scenarios that can lead to an address being multi-signed.

1. You set up multi-signature yourself, in which case you need to manage the signing addresses yourself to execute signatures;

2. You used a fake wallet, which leaked the private key or mnemonic phrase, and the party who obtained it set up multi-signature;

3. You imported a private key or mnemonic phrase obtained from the Internet into the wallet, and the address had already been multi-signed;

4. You opened a malicious third-party link and signed, which completed the permission change operation.

One sentence summary:

After a TRON wallet address is created, it has a default single-weight setting and can perform any on-chain operation. If the address has been multi-signed, the cause must be either a leaked private key or mnemonic phrase, or a permission change made by signing through a malicious link.

Introduction to TRON Multi-Signature

TRON's multi-signature mechanism is a security measure that restricts specific operations by means of thresholds and weights, so that they can be executed only with the joint confirmation of multiple signers.

In the TRON multi-signature mechanism, the threshold specifies how much confirmation a specific operation requires. For example, if the threshold is 2, the operation executes only when the combined weight of the confirming signers is greater than or equal to 2. Thresholds can be set in multi-signature contracts and adjusted according to specific needs.

Weight is the value assigned to each signer and determines that signer's share in a multi-signature operation. For example, if the threshold is set to 2 and two signers each have a weight of 1, a specific operation takes effect only when both signers with a weight of 1 confirm it. Weights are set in the contract and must meet the requirement that the sum of the weights of all signatories is greater than or equal to the total weight.

One sentence summary:

By setting thresholds and weights, the TRON multi-signature mechanism can improve the security of the contract and prevent it from being tampered with through unauthorized operations or used by attackers to perform malicious operations.
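The threshold and weight rule described above, as an added example that is not part of the original article. It generalizes the two-signer case in the text to arbitrary weights and lists the smallest signer sets that can authorize an operation. The field names (threshold, keys, address, weight) follow TRON's account permission JSON and are assumed here; the addresses A, B and C are constructed labels.

```python
from itertools import combinations

def signed_weight(permission, signers):
    """Sum the weights of the permission's keys whose address has signed."""
    signers = set(signers)
    return sum(k["weight"] for k in permission["keys"] if k["address"] in signers)

def can_execute(permission, signers):
    """True when the combined weight of the signers reaches the threshold."""
    return signed_weight(permission, signers) >= permission["threshold"]

def minimal_quorums(permission):
    """Signer sets that pass the threshold and contain no smaller passing set."""
    addresses = [k["address"] for k in permission["keys"]]
    found = []
    for size in range(1, len(addresses) + 1):      # smallest sets first
        for combo in combinations(addresses, size):
            candidate = set(combo)
            if can_execute(permission, candidate) and not any(q < candidate for q in found):
                found.append(candidate)
    return found

# Constructed samples. Field names are assumed, addresses are labels only.
DEFAULT = {"threshold": 1, "keys": [{"address": "A", "weight": 1}]}
TWO_OF_TWO = {"threshold": 2, "keys": [{"address": "A", "weight": 1},
                                       {"address": "B", "weight": 1}]}
WEIGHTED = {"threshold": 3, "keys": [{"address": "A", "weight": 2},
                                     {"address": "B", "weight": 1},
                                     {"address": "C", "weight": 1}]}

if __name__ == "__main__":
    for name, perm in (("default", DEFAULT), ("2-of-2", TWO_OF_TWO), ("weighted", WEIGHTED)):
        print(name, [sorted(q) for q in minimal_quorums(perm)])
```

In the weighted sample, B and C together hold a weight of only 2, so no operation passes without A.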

TRON multi-signature scams

On TRON, changing permissions is different from Approve (authorization). An authorization affects only the authorized token, whereas a permission change alters the permissions of the TRON address itself, so the user loses management permission over the address.

Malicious permission changes on TRON mostly occur during TRC20 recharges (top-ups), such as buying gas cards and gift cards at very low prices or recharging through some verification-code platforms. Essentially, the scheme is built on people's greed. When users recharge through the link provided, code that maliciously changes permissions is called. Once the user confirms and enters the password to sign, the permissions of the address are changed.

The following is a typical case of maliciously changing permissions.

The user obtained a third-party link through some channel and, via the recharge entry on the malicious page, was redirected to the wallet, which opened the interface (as shown below). The payment address field is filled in with the token's contract address. On clicking Pay Immediately, the user is prompted not to copy the address and transfer manually. This is a “friendly reminder” from the scammers, meant to stop users from copying the address themselves and making the transfer in a way that bypasses the malicious code.

After clicking Confirm, the details interface pops up. In the figure below, the three arrows mark the operation in progress and the risks it may entail. Click the position of the second arrow to view the effects and risks of changing permissions. If you ignore the risk prompt and proceed, the permissions will be maliciously changed. If you then try to make a transfer, you will see an error message. In fact, you have lost control of the address.

One sentence summary:

The original intention of the multi-signature setting is to better protect user assets, but when deliberately exploited by scammers it becomes a tool for stealing assets. So please be sure to carefully check every prompt that appears in the wallet. These prompts were added after extensive research and are suitable for the vast majority of users.
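The kind of check behind such a wallet prompt, as an added example that is not TokenPocket's code: before signing, it inspects the operation type in the unsigned transaction and, for a permission change, reports whether the signer would still control the address alone. The JSON field names and contract type names follow TRON's transaction format and are assumed here; both sample transactions and both addresses are constructed.

```python
PERMISSION_UPDATE = "AccountPermissionUpdateContract"
USER = "T_USER_ADDRESS_PLACEHOLDER"      # constructed placeholder, not a real address
OTHER = "T_OTHER_ADDRESS_PLACEHOLDER"    # constructed placeholder, not a real address

def controls_alone(permission, address):
    """True if `address` by itself carries enough weight to meet the threshold."""
    own = sum(k["weight"] for k in permission["keys"] if k["address"] == address)
    return own >= permission["threshold"]

def review_before_signing(tx, signer, expected=("TransferContract", "TriggerSmartContract")):
    """Return findings for an unsigned transaction; an empty list means nothing flagged."""
    findings = []
    for contract in tx["raw_data"]["contract"]:
        ctype = contract["type"]
        if ctype not in expected:
            findings.append(f"unexpected operation for a payment: {ctype}")
        if ctype != PERMISSION_UPDATE:
            continue
        value = contract["parameter"]["value"]
        perms = [("owner", value["owner"])]
        perms += [(f"active[{i}]", p) for i, p in enumerate(value.get("actives", []))]
        for name, perm in perms:
            foreign = [k["address"] for k in perm["keys"] if k["address"] != signer]
            if foreign:
                findings.append(f"{name}: grants signing weight to {foreign}")
            if not controls_alone(perm, signer):
                findings.append(f"{name}: signer alone cannot meet threshold {perm['threshold']}")
    return findings

# Constructed sample: what the user expects to sign (a TRC20 token payment).
EXPECTED_TX = {"raw_data": {"contract": [{"type": "TriggerSmartContract",
    "parameter": {"value": {"owner_address": USER}}}]}}

# Constructed sample: a permission change presented in place of the payment.
PERMISSION_TX = {"raw_data": {"contract": [{"type": PERMISSION_UPDATE,
    "parameter": {"value": {
        "owner_address": USER,
        "owner": {"permission_name": "owner", "threshold": 2,
                  "keys": [{"address": USER, "weight": 1}, {"address": OTHER, "weight": 1}]},
        "actives": [{"permission_name": "active", "threshold": 1,
                     "keys": [{"address": OTHER, "weight": 1}]}]}}}]}}

if __name__ == "__main__":
    for finding in review_before_signing(PERMISSION_TX, USER):
        print("WARNING:", finding)
```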

Prevention of multi-signature scams

TokenPocket has long supported early warning prompts for TRON permission change operations. You only need to carefully check the prompt information that appears in the wallet to avoid most scams. Also, do not trust the various websites that falsely promote gift cards, gas cards, verification codes and the like, and do not use their recharge services, especially links that offer a recharge redirect. For a normal recharge, you only need to transfer funds to the other party's payment address to complete the operation.

One sentence summary:

If you encounter a similar fraudulent link, please send it to our email: service@tokenpocket.pro to report it. After verification, we will localize the link to prevent more TokenPocket users from being deceived.
