As blockchain technology becomes more widespread, the security of digital assets is increasingly critical. Towards this end, the multisignature (multisig) mechanism is a security measure that's gaining attention and adoption among users. Through this system, a wallet can be controlled by multiple users, requiring several signatures to complete a transaction. This can be compared to a safe that needs multiple keys to open — only when all keyholders cooperate can the safe be accessed.
TRON wallets adopt multisig transactions to help safeguard user assets. However, the product is inevitably the target of scams as bad actors seek out vulnerabilities in order to steal funds. In this article, we'll delve into the application of multisig in TRON wallets and how you can guard against potential scams.
TL;DR
Although TRON ecosystem wallets use multisignatures for robust security, bad actors have found ways to manipulate the technology to commit fraud.
Multisignature wallets can be programmed to require more than one private key to be used to complete transactions, adding an additional layer of security.
Multisignature wallets are an alternative to single-signature wallets, which allows transactions to be made using a single private key.
Common TRON multisignature scams include bad actors claiming to need TRX for transaction fees to convince victims to share TRX tokens. Another scam involves tricking victims into sharing their private keys or seed phrases before changing the signing mechanism to maliciously gain control of assets.
You can prevent TRON wallet multisignature scams by protecting private keys, avoiding clicking suspicious links, frequently checking account permissions for unauthorized addresses, and only downloading wallet software from official sources.
Difference between single-signature and multisignature wallets
On cryptocurrency networks, standard transactions are called single-signature transactions because they require only one wallet signature to be completed. Single-signature wallets also need only one private key to authorize transactions, making them user-friendly for individual users or scenarios without complex permission management.
In contrast, blockchains like TRON support multisig mechanisms. A multisig wallet allows an account to be managed by multiple private keys, and transactions need several private key signatures to be executed. Each signer in a multisig setup is given a weight, indicating their importance in the transaction process. The total weight of signatures must reach a predefined threshold to authorize the transaction. For instance, if the threshold is two, it means either one signer with a weight of two or multiple signers with combined weights equal to or exceeding two are required. The number of signatures needed is based on the threshold and can be configured according to specific requirements.
TRON multisig scenarios
Based on user interactions, the following scenarios may lead to multisig setups:
1. User self-initiated multisig setup
Some users might accidentally enable multisig while exploring wallet functions. When transferring assets, they find that at least two wallet addresses are required to sign and confirm the transaction, causing a transaction failure.
Solution: This issue stems from user error. The assets remain secure, and users only need to meet the multisig requirements or disable the multisig setting to execute transactions with a single signature.
2. Importing private keys or seed phrases from the web
Users might import private keys or seed phrases from online sources, unaware that these wallets are already set as multisig. When attempting to transfer assets, they find the wallet requires multiple signatures.
Solution: Avoid importing private keys or seed phrases from untrusted sources. Make sure that the source of private keys and seed phrases is reliable.
3. Leaking private keys or seed phrases to scammers
Users unknowingly disclose their private keys or seed phrases to scammers, who then set up the wallet as multisig, preventing the user from independently transferring assets.
Solution: Never share your private keys or seed phrases with anyone, even if they claim to be technical support or a friend. Keep these details in a secure place that only you can access.
4. Clicking on third-party malicious links
Users click on phishing links that lead to wallet permission changes. Scammers create websites offering discounted gift cards or top-ups, enticing users to click the links and make purchases. These sites execute code to elevate permissions maliciously. Once users confirm and input their password for the transaction, their wallet permissions are altered, granting scammers multisig control.
Solution: Avoid clicking on links from unknown sources. Regularly check wallet account permissions to ensure no unauthorized accounts have been added as multisig accounts.
Common multisig scams
Criminals use various tactics to perform multisig scams that you need to be aware of.
1. Shared private key or seed phrase scam
Scammers share private keys or seed phrases of wallets with assets, claiming they lack the TRX (the TRON network's token) for transaction fees, and therefore need assistance. Users send TRX to cover transaction fees into the wallet, but discover they can't transfer the wallet assets.
Example: Recently, some users on X and Telegram received such requests from scammers: "I have 100-1000 USDT in my wallet, but the wallet doesn't have enough TRX, which is needed for transaction fees. Here are my wallet address, private key, and seed phrase. If you can help me transfer, I'll reward you with a few hundred USDT from the wallet." A user responds, thinking the wallet holder is a new user, and offers help. After importing the private key or seed phrase, they see the balance but can't transfer it. The scammer then asks for TRX for transaction fees, but even after sending it, the transfer still fails, as the wallet was initially set up as a multisig wallet and users won’t have the full authorization to transfer the asset out of the wallet.
2. Private key or seed phrase leak scam
Scammers obtain users' private keys or seed phrases and change the signing mechanism without consent. When users attempt to transfer assets, they find the wallet requires multiple signatures, and the scammer can transfer the assets.
Example: When scammers get hold of a user's seed phrase or private key, they can modify the account permissions, making the wallet jointly controlled by the user and scammer address. The scammer sets a threshold of three, giving their own address a weight of two and the user address a weight of one. The user can’t perform any transaction alone, as their address weightage is insufficient. However, the scammer, with their higher weightage, can transfer assets out of the wallets. Users might not notice until they try to use the wallet, but by then their assets could already be compromised.
How to Identify a TRON multisig wallet
Using TRON block explorer: Enter the wallet address in the search bar and check if "Owner Permission" or "Active Permission" is authorized to two or more accounts.
2. Checking account permissions: In the TRON wallet app, review the account permission settings.
How to prevent multisig scams
Protect private keys and seed phrases: Never share these sensitive details with anyone.
Avoid clicking suspicious links: Don't click on links from unknown sources, especially those disguised as transaction or authorization links.
Regularly check account permissions: Make sure no unauthorized addresses are added to your multisig account. Deactivate any wallets compromised by third-party multisig.
Use official channels only: Download wallet software from official sources and avoid using software from unknown origins.
The final word
The multisig mechanism is an effective security measure, but it's essential you remain alert to security risks and protect your private keys and seed phrases. Understanding the multisig mechanism and common scams can help you to protect your digital assets and avoid falling into traps. Let’s work together to safeguard our digital assets, stay vigilant, and enhance the security of the crypto world.
FAQs
The TRON network supports multiple different wallets built for a variety of user needs. This includes hardware wallets, software wallets, and web-based wallets. These wallets support users in storing and transacting with their TRX tokens, and allow users to also interact with decentralized applications built on the TRON blockchain.
In the context of wallets, multisignature refers to a security measure built into the wallet. Multisignature wallets can be controlled by multiple users and can be programmed to require numerous different keys to complete a transaction. As a result, it's possible that no single user can access the wallet and its assets alone.
Where a multisignature wallet can be accessed and used with multiple private keys, single-signature wallets only require one private key for transactions to be completed. In multisignature wallets, a minimum weighting threshold must be met to authorize a transaction. Each signer is given a weight which demonstrates their importance in the transaction process. For example, if the minimum weightage is three, a transaction can be made using one signer with a weighting of two and one signer with a weighting of one. Alternatively, the same transaction can be made by one signer with a weighting of three.
A multisignature wallet is theoretically more secure than a single-signature wallet because it requires multiple parties to sign off on a transaction. However, that's not to say multisignature wallets aren't without their risk. The technology is still a target for scammers who attempt to manipulate the multisignature process to gain control of a wallet and its assets.
© 2024 OKX. This article may be reproduced or distributed in its entirety, or excerpts of 100 words or less of this article may be used, provided such use is non-commercial. Any reproduction or distribution of the entire article must also prominently state: “This article is © 2024 OKX and is used with permission.” Permitted excerpts must cite to the name of the article and include attribution, for example “Article Name, [author name if applicable], © 2024 OKX.” No derivative works or other uses of this article are permitted.