Java-Tron Limited Review

This is a LIMITED REVIEW: a time-bound effort to provide security insights on a codebase without reviewing it fully.

Summary

Due to the complexity of Java-Tron and the limited allocated time, this review cannot uncover all the bugs inside of it. Instead, the goal of this review was to uncover as many bugs as possible while focusing on the following parts of the code:

• Tron Virtual Machine (TVM)
• Consensus
• Peer-to-Peer (P2P)

Some of the most significant findings are:

• PBFT Messages Create State Expansion
• Unpermissioned Censoring of Fork Blocks
• Resource Consumption by Blocks Not Signed by Witnesses

These three findings have all been addressed through code corrections. For some other issues, the risks have been accepted based on the assumption of economically acting super representatives. Lastly, some issues with non-critical severity have been redacted to prevent malicious actors from creating disturbances.

It is important to note that such reviews are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.

About Java-Tron

Tron uses Java-Tron as the node software to run the Tron network. Hence, Java-Tron is (among other things) responsible for executing transactions, generating blocks, achieving consensus and operating the peer-to-peer network.

"TRON is dedicated to accelerating the decentralization of the Internet via blockchain technology and decentralized applications (DApps)."