The official Tron wallet was criticized for poor encryption

Jean-Philippe Aumasson, security director of Taurus, a company specializing in infrastructure for digital assets, argues that the TronLink wallet for the Tron blockchain has vulnerabilities.

"These are basic-level flaws that any competent auditor would have noticed," he said in a conversation with Decrypt.

According to him, TronLink uses weak encryption methods for mnemonic phrases used to restore wallet access. "It looks like the official Tron Wallet is using AES-ECB to encrypt a 12-word mnemonic phrase," Aumasson added.

He explained that ECB mode does not allow effective data encryption. "ECB mode perceives each data block individually, while there must be some correlation between the blocks to guarantee high security," the expert said.

This encryption method is criticized by many cybersecurity researchers. "ECB is the simplest and most popular encryption method, but at the same time it is quite weak," says the firm NotSoSecure.
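
The block-by-block behaviour Aumasson describes can be observed directly. This is an added example, not TronLink's code and not part of the original article: it uses Node.js's built-in `crypto` module to encrypt the public all-zero-entropy BIP-39 test phrase under AES-128-ECB and, for contrast, AES-128-GCM. The 128-bit key size, the random key and the GCM comparison are assumptions, since the article does not say how TronLink sizes or derives its key.

```javascript
// Added example: ECB vs. GCM on a 12-word mnemonic (Node.js built-in crypto).
const crypto = require('crypto');

const BLOCK = 16; // AES block size in bytes

// Public BIP-39 test phrase (all-zero entropy), used here as sample input only.
const SAMPLE_MNEMONIC = Buffer.from(
  'abandon abandon abandon abandon abandon abandon ' +
  'abandon abandon abandon abandon abandon about', 'utf8');

// AES-128-ECB: every 16-byte block is encrypted independently, with no IV.
function encryptEcb(key, plaintext) {
  const c = crypto.createCipheriv('aes-128-ecb', key, null);
  return Buffer.concat([c.update(plaintext), c.final()]);
}

// AES-128-GCM with a fresh random nonce; output is nonce || ciphertext || tag.
function encryptGcm(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-128-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, body, c.getAuthTag()]);
}

// Count ciphertext blocks that duplicate an earlier block (an ECB tell-tale).
function repeatedBlocks(ct) {
  const seen = new Set();
  let repeats = 0;
  for (let i = 0; i + BLOCK <= ct.length; i += BLOCK) {
    const hex = ct.subarray(i, i + BLOCK).toString('hex');
    if (seen.has(hex)) repeats++; else seen.add(hex);
  }
  return repeats;
}

// Compare both modes under one key (random here; key derivation is assumed).
function compareModes(plaintext) {
  const key = crypto.randomBytes(16);
  return {
    ecbRepeats: repeatedBlocks(encryptEcb(key, plaintext)),
    gcmRepeats: repeatedBlocks(encryptGcm(key, plaintext)),
    ecbDeterministic: encryptEcb(key, plaintext).equals(encryptEcb(key, plaintext)),
    gcmDeterministic: encryptGcm(key, plaintext).equals(encryptGcm(key, plaintext)),
  };
}

console.log(compareModes(SAMPLE_MNEMONIC));
```

In the test phrase, "abandon abandon " is exactly 16 bytes, so the first five plaintext blocks are identical and ECB emits the same ciphertext block five times; a reviewer can run `repeatedBlocks` over stored wallet ciphertext as a quick check for this pattern.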

The vulnerability can only be exploited on the user's device, because the problem does not show up at the block level, which can be accessed from anywhere. A successful attack would allow a hacker to transfer the victim's crypto assets to his own wallet.

"This is not a niche application, which would be used by 15 people," said Aumasson. "I recommend that Tron holders: a) make sure that the problem will be fixed in the next release; b) make sure that you have a strong password; c) consider an alternative wallet application."
