$632 000 USD

MAY 2019




"TronBank - A financial game that runs entirely on Tron smart contract, with daily ROI 3.6%~6.6%. It's an open transparent contract that automatically generates revenue every second." "TronBank is a 3.6 - 6.6% daily ROI game of Tron. You can withdraw every second."


"Dapps like Tronbank's funding disk attributes often open the code to make the contract and logic transparent and trustworthy to attract investors. In the most obvious position of the website, it is also marked by the third-party verification tool tronsmartcontract.space (hereinafter referred to as TSC). ) Code information after the contract code verification."


"3. We deployed the first release version contract of TBpro complied by tronbox at 4/28/2019 10:01 PM. Then we tried many times to verify the code on TSC (TronSmartContract.space), with the contract code, but it doesn’t work. TSC always returns “Can not be verified”. (We think TSC changed verify function that can not be verified at this time)"


"4. Then we can only try to use TSC to deploy again and verify (after searching on google we found some answers in discord that you can use TSC to compile and deploy). This time compiling and deploying takes a long time but finally the code verification passed on TSC. That’s how Khanh(TSC) can inject the backdoor code to our contract. He can do anything during compiling and deploying."


"At 4:12 AM on May 3, Beijing time, a contract call transferred 26.73 million TRX (valued at RMB 4.27 million) from the TronBank contract, and the contract balance returned to zero."


"About two hours after the theft, wojak, who transferred the 26.73 million TRX address, appeared. According to wojak, he wrote a script to analyze the bytecode of the TRON virtual machine, scan the contracts in batches and initiate transactions to see if there is any way to make money, but accidentally hit a bug in the Tronbank contract. At first he didn't even know that the money came from Tronbank."


"According to wojak, he wrote a script to analyze the wavecode of the wavefield virtual machine, scan the contract in batches and initiate a transaction to see if there is any way to make money. As a result, he accidentally hit the Tronbank contract. At first he didn't even know that the money was from Tronbank."


Wojak was inspired by a paper in August 2018, "TEETHER: Gnawing at Ethereum to Automatically Exploit Smart Contracts" "The TEETHER tool is proposed, which can automatically identify the vulnerability of the smart contract bytecode and generate the corresponding exploit code. A large-scale vulnerability analysis was conducted on 38,757 smart contracts deployed in the Ethereum blockchain. The TEETHER tool discovered vulnerabilities in 815 contracts and the entire process was fully automated."


"1. Adapt the TEETHER tool to the wave field virtual machine. 2. Collect all smart contracts on the wave field. 3. Perform TEETHER tools on all contracts for analysis. 4. Find possible arbitrage opportunities, such as buying a Token from Contract A at the price of X and then selling it at Contract Y at Y (Y is greater than X). The entire process is automated and legal. 5. The tool will generate a list of transactions that may generate revenue. 6. The script automatically executes and starts these transactions."


"The reality has become that the actual execution logic of TRX Pro's contracts is not consistent with the so-called "open source" code logic." "The amount sent is 0.011911 TRX. Note that under Tronbank's normal business logic, the withdraw function should not send any TRX. The amount should be 0. This is It can be verified in the source code." "This line of code means that the TRX amount sent by the transaction must be zero, otherwise the execution will not be continued and the transaction will be REVERT."


"1. The contract deployed on the main network, through decompilation, finds that when the withdraw function is called, if the sending amount is equal to 0.011911 TRX, the entire contract balance will be transferred; 2. In the open source code certified on the TSC, if the sending amount is not zero and the withdraw function is called, the transaction will be withdrawn."


"In the withdraw function, one more judgment else if ((0x2E87 == msg.value)), if the condition is met, then the balance of the contract will be transferred to the transaction initiator! We convert the hexadecimal number 0x2E87 into decimal, which is 11911. To know that the precision of TRX is 6 bits, the TRX amount corresponding to 11911 is 0.011911TRX ... and this part is judged in the open source code of TSC. Non-existent, it looks like it is a back door that has been hidden and not published."


"It is a very sad day on the tron blockchain, it looks like Tronbank scammed us"


"TSC developer Khanh deployed a contract with the same backdoor on the day of the Tronbank beta release and knew how the backdoor was invoked and tested it on April 30th. In other words, the back door is not related to the TSC." "The Tronbank team is currently communicating with Khanh several times and posting some of the dialogue screenshots. The Tronbank team insisted that no backdoors were placed [by them]. It is the culprit that points to the TSC to really place the back door. Although there is no definitive evidence that the back door was placed by Khanh, TSC and Khanh themselves and the back door have been unable to get rid of it."


"Some people in the community suggested that wojak return the money to the Tronbank developers, but wojak believes that this is not his problem. Developers should write test examples, do audits, and at least run some formal verifications (obviously they didn’t do anything). He is willing to return the money intact to every investor in Tronbank, not the developer of the project."


"Then everything is very clear, the actual occurrence is completely consistent with the first point, the code of the main network runs without problems, that is, TronBank has a backdoor code in the contract deployed on the main network that can directly withdraw the contract balance, and interestingly, The second point is how the different code logic is copied and passed the TSC certification process."


"TronLink team has decided to delist TronBank because of the recurrence of smart contract vulnerabilities. TronBank will no longer be available in TronLink until the team improves its security measures and provides a suitable solution to its users."


"TronLink team wants to emphasize that all listed DApps were developed by third party community developers. TronLink will review the application usability, account security, etc., but still can’t ensure its fully security. If you have noticed any unusual situation, please report to TronLink customer service."


"After Tron Bank operated for some months, it disappeared with all the funds of its investors. There have been accusations and counter-accusations on how this happened but a popular explanation posits that a backdoor was placed in the code of the contract which allowed all the funds to be moved.


The above incident highlights the added risk of investing in such schemes as very few investors have the technical knowledge to review the code of a blockchain smart contract to verify if they contain any backdoors.'


"After the promised refund and the loss of the investor to send the transaction information, wojak lost more than 12 hours, during which most of the money in the wojak account was transferred to the currency exchange. Some people began to suspect that wojak did not intend to refund money to prepare for donation."


"Wojak reappeared and said that he spent more than four hours writing scripts to get tronbank investment data from the chain to compare with the collected loss information. Many of them falsified losses, even those who did not participate in the investment. It also came to falsely report losses, and only a few people reported the figures honestly."


"In this incident, although Tronbank promised to pay the injured investor's interests, the injury is undoubtedly the entire Dapp ecology of the wave field. The trust and endorsement generated by the TSC-certified open source code is worthless. Before coming out of the verification tool, DappReview suggested that Dapp players should not be convinced of the project's so-called code open source speech."


"Since the wojak appeared at 9 pm on May 3 and posted a refund comparison list, it disappeared from Discord again. During this period, many people began to label the wojak with Scammer and thought that he would not refund."


Wojak appeared again, claiming that "I invested 8 hours to write tools to give everyone a refund. When I finished writing the code, I found that everyone was thinking of me as a liar, but I didn't realize that Tronbank was putting the back door pit. Your people. You would have lost all your investment. But after seeing you treat me as a liar instead of a developer, I don’t think I have any reason to return TRX to you."

TronBank was a smart contract deployed on the Tron network, which was verified through the Tron Smart Contract (TSC) service. However, the TSC service was in actuality run by a malicious developer who would install backdoors into smart contracts. In this case, the backdoor installed was one which withdrew the entire balance when a particular balance amount was requested. Another developer was running code to scan for profitable exploits, and succeeded in accidentally invoking the backdoor to his own wallet.


Originally Wojak was willing to return funds to investors and even invested considerable time to analyze the blockchain to determine who were real investors. However, there's no evidence any funds were returned and he issued a public statement to affected users that "I don’t think I have any reason to return TRX to you."


The safest storage for funds is offline multi-signature storage held by at least 3 of 4 known and trained individuals. The remaining hot wallet balance can be insured using a industry-based insurance fund, and would only be approved after review by two separate validation firms, which in the case of a smart contract would include an audit. Any one of these measures would have avoided the loss.


Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.