Same-Permission-Key Detection: How Permission Rotation Reveals Control Changes on TRON

TRON’s permission system creates two on-chain signals that no other major blockchain produces in the same form. The first is that the same signing address can appear in multiple accounts’ permission key lists — making operator clustering visible without any cryptographic correlation. The second is that every change to an account’s permission structure is an explicit on-chain transaction with all-or-nothing semantics — making ownership transitions readable as precise events with verifiable timestamps.

This article is the methodology layer that builds on those two signals. For the protocol mechanics — what Owner and Active permissions are, how threshold signatures work, what AccountPermissionUpdateContract actually does, and how to read wallet/getaccount responses — see /learn/account-model/. The focus here is what the signals mean for attribution, what attack patterns they expose, what false positives degrade the signal, and how TRONORIGIN scores them.

Why permission state is the cleanest control signal

Every TRON account encodes the answer to “who can authorize transactions on this account” directly in its protocol state. The Owner permission lists the keys that can do anything — including reconfiguring the account itself — and the threshold those keys must collectively meet. Active permissions list the keys scoped to specific operation sets. All of it is queryable through one API call: POST /wallet/getaccount returns the complete current permission state of any account.

No other major chain exposes this as a first-class protocol feature. Ethereum’s equivalent — Safe (formerly Gnosis Safe) — is a smart contract layered on top of the account model. The keys that control a Safe live inside the contract’s storage and are reachable only by reading and decoding contract state. TRON’s permissions live in the account itself, named in the same response that returns the account’s balance.

The investigative consequence is direct. Permission state is the most authoritative on-chain answer to who controls a wallet right now. Transaction history reveals who has interacted with the account over time. Permission state reveals who has the present right to move funds. When the two diverge — when the most recent senders are different addresses than the current Owner-permission keys — the divergence itself is the signal.

TRONORIGIN’s three-phase scoring model weights this accordingly. Phase 3 (current control) carries 50% of the confidence score, and a candidate identified as a controlling Owner-permission key holder earns +90 — among the highest single-signal scores in that phase. See /how-it-works/ for the full scoring methodology.

Cross-wallet key reuse as a clustering signal

A TRON permission key is a TRON address — not a raw public key. The protocol records each authorized signer as an address-and-weight pair, identical in form to addresses that appear in transaction histories. When an investigator queries wallet/getaccount for two unrelated wallets and sees the same address listed in both accounts’ key arrays, those two accounts share an operator. The shared address is the operator.

This is a more direct attribution mechanism than anything available through transaction-graph analysis. A funding-flow connection between two wallets could mean shared control, or it could mean a payment. A shared permission key is unambiguous: someone deliberately granted that specific address the right to sign on both accounts. The grant is itself an on-chain transaction (AccountPermissionUpdateContract) attributable to whoever held Owner permission at the moment of grant.

The strength hierarchy

Not all permission-key reuse carries the same evidentiary weight. From strongest to weakest:

1. Owner permission key reuse across accounts. The strongest signal. Owner permission can execute any contract type, including reconfiguring the account itself. An address appearing in the Owner key list of two accounts holds the master keys to both — no scope restriction.

2. Active permission key reuse across accounts. Weaker than Owner reuse because Active permissions are bounded by an operations bitmask — the protocol’s encoded list of which contract types the permission can authorize. Active permissions typically exclude AccountPermissionUpdateContract (the default operations bitmask 7fff1fc0033efb07... is explicitly all contracts except permission updates), so an Active-only signer cannot rotate the keys. The signal points to operational sharing, not root-level control.

3. Same address appearing as the transaction payer on permission-update transactions for multiple accounts. Weakest of the three. The transaction payer broadcast and paid for the update, but is not necessarily a key holder of the account being modified. Someone with Owner permission could have signed an update transaction broadcast from any address with TRX to spare.

What it looks like across a wallet network

A coordinated set of wallets controlled by the same operator typically shows one of two patterns. In the personal-operator pattern, every wallet’s Owner permission lists the same key — the operator’s address — at weight ≥ threshold, single-key. Active permissions may add session keys or hot-wallet delegates that vary across the set. In the institutional pattern, every wallet’s Owner permission lists the same multi-sig committee — often 2-of-3 or 3-of-5 — with the same key addresses recurring across all the institution’s custody accounts.

One architectural gap to note. TRONORIGIN’s current scoring engine examines permission state for the analyzed wallet but does not yet enumerate the same permission key across other wallets as a first-class clustering signal. A controller who holds Owner permission on a wallet via a permission update but who has never sent a transaction to or from that wallet is invisible to the scoring engine — it never creates a candidate for them. Cross-wallet permission-key clustering is identified in TRONORIGIN’s internal research as an architectural gap requiring synthetic candidate creation from permission data. For the present, the cross-wallet view is built manually by the investigator via repeated wallet/getaccount queries against the suspected key.

Reading permission-rotation events as ownership history

AccountPermissionUpdateContract (contract type 46) is the only transaction that modifies an account’s permission structure. It carries a 100 TRX protocol fee plus an additional 1 TRX multi-signature fee when the current Owner permission requires a quorum to sign — together, an intentionally high cost that makes permission updates infrequent by design. Most TRON wallets never execute one.

The all-or-nothing forensic feature

Each permission-update transaction specifies the complete desired state of all permissions on the account. The TRON developer documentation is direct on this:

“This interface will override the original account permissions, so even if you only want to modify the owner permission, you still need to configure the witness (if it is a witness account) and active permissions.”

The forensic consequence: each AccountPermissionUpdateContract transaction in a wallet’s history contains the full permission snapshot at that moment. Diffing two consecutive updates reconstructs precisely which keys were added, which were removed, which weights changed, and which thresholds moved. There is no “partial update” mode that obscures the picture.

The block-level guarantee tightens the timestamp further. A block containing a permission-update transaction excludes any further transactions from the same account in that block — the change takes effect from the next block. The transaction’s block timestamp is therefore the exact moment of the new permission state’s activation, not an approximate window.

Routine rotation vs ownership transfer vs hostile takeover

A permission update can mean any of three different things. Three diagnostics resolve which:

Persistence of original keys. A rotation that adds a new key while keeping the original keys at meaningful weight is consistent with routine security hygiene — a hardware wallet upgrade, a multi-sig expansion, the addition of a co-signer. A rotation that removes all original keys and replaces them with previously-unseen addresses is consistent with either a sale or a takeover.

Threshold direction. A threshold increase (e.g., 1-of-1 → 2-of-3) is consistent with security hardening or governance multi-sig adoption. A threshold decrease accompanied by key changes — particularly threshold-reduced-to-1 with all original keys replaced — is the attack pattern.

Activity after the rotation. A rotation followed by months of normal usage of the new keys is consistent with legitimate transfer. A rotation followed within hours or days by complete drain of the wallet’s TRX, TRC-20, and other assets is the takeover signature.

The chronological ordering reads cleanly. The AccountPermissionUpdateContract’s block timestamp is the earliest moment of new-key control. Every outbound transfer after that point is attributable to whoever held the new keys.

The hostile-takeover playbook

Security firms working on TRON have documented permission-rotation attacks in three variants. SlowMist’s casework distinguishes the first two; OKX’s wallet-security guidance documents the third.

Variant 1 — Add attacker as co-signer with raised threshold. The user’s original key is preserved in the Owner permission key list, but the attacker’s address is added as a second key and the threshold is raised to 2. The user can still sign, but cannot meet threshold alone. The account is “jointly controlled” in form. In practice the attacker can refuse to co-sign and the user cannot transact. From SlowMist’s writeup:

“the hacker has added their own address as an authorized Owner/Active party. The account is now jointly controlled by the user and the hacker, with the threshold set at 2.”

Variant 2 — Transfer all permissions to the attacker. The user’s key is removed from the Owner permission entirely; the attacker’s address becomes the sole Owner key at threshold 1. The user is locked out. SlowMist’s description:

“hackers exploit TRON’s permission management system by directly transferring the user’s Owner/Active permissions to the hacker’s address, with the threshold still set at 1.”

Variant 3 — Weight-asymmetric multi-sig. OKX documents a configuration where the attacker assigns themselves weight 2, the user weight 1, and threshold 3. Neither party can sign alone. In appearance, the wallet is “multi-sig secured”; in practice, the user can never reach threshold without the attacker’s cooperation.

A concrete on-chain example

Token Trace’s November 2023 case writeup documented a specific instance of the permission-trap pattern. The victim wallet TPpAzAmpY5PAJ72XtSKVayfCcHfRHevMPu had its Owner permission pre-assigned to scammer-controlled TYgYr17S9Zi1DocuuBCNiPLw6vq8VnEjAU before the victim ever imported the seed phrase the scammer had handed them. Despite possessing the seed phrase, the victim could not move the wallet’s funds — the Owner permission was no longer his.

Both addresses are verifiable directly on Tronscan, and the configuration persists on-chain as of May 2026: the victim’s Owner permission still lists the scammer address as sole key at weight 1, threshold 1. The scammer address itself is uninitialized — no balance, no permission state of its own, no outbound transaction history. The scammer holds the private key but never funds the address; it operates purely as a permission-holder. This is what an investigator should look for in a permission-trap case: an Owner permission whose key is an address that has no observable on-chain footprint of its own.

The silent-hijack scale claim

AMLBot, a blockchain-security firm, reported figures in January 2025 — shared with and published by Cointelegraph — characterizing the scale of the pattern: an estimated 14,545 TRON wallets at risk via the UpdateAccountPermission attack pattern, with 2,130 compromised in Q4 2024 alone, holding approximately $31.5M in assets. AMLBot’s CTO Mykhailo Tiutin emphasized the silent quality of the attack: wallet UI does not notify users when a new key is added, so the only way a victim discovers the takeover is by attempting an outbound transaction.

These figures originate in AMLBot’s report shared with Cointelegraph rather than in a standalone AMLBot publication. The underlying victim list and methodology are not in the public reporting. Investigators citing the numbers should attribute them as “AMLBot, via Cointelegraph” rather than treating them as independently verifiable on-chain figures.

Permission rotation is not the only takeover pattern

A hot-wallet drain on TRON does not necessarily involve AccountPermissionUpdateContract. The November 2023 Poloniex incident — a multi-chain hot-wallet drain that included substantial TRX and TRC-20 outflows from Poloniex’s TRON hot wallets — was a straightforward private-key compromise. The attackers used the stolen keys to broadcast outbound transactions directly. No permission update appears in the affected wallets’ histories. Halborn called it “a classic example of a compromised hot wallet”; CertiK independently characterized it as a private-key compromise — specifically, the second-largest such compromise CertiK had detected in 2023.

The diagnostic point: the absence of a permission-update transaction on a drained wallet is itself information. It distinguishes a private-key compromise (attacker uses the keys directly) from a permission takeover (attacker rotates keys first, then drains). Different attack patterns, different incident-response postures, different forensic artifacts.

False positives and edge cases

Most TRON wallets carry no AccountPermissionUpdateContract events in their history and use default single-key permissions. The protocol initializes each new account with a single key — the account’s own address — at weight 1 and threshold 1 on both Owner and the first Active permission. A permission rotation is informationally significant precisely because it deviates from this baseline. Several configurations would generate false positives if interpreted naively.

MPC custody (Fireblocks-style). Fireblocks and other MPC providers compute signatures off-chain through multi-party computation. The resulting on-chain transaction carries a single signature from the address representing the combined key shares. There is no on-chain permission key reuse to detect — even though the same operational team signs across many client wallets, the on-chain footprint is single-signer for each. MPC-custodied wallets cluster invisibly to permission-key analysis.

Witness permission on SR accounts. The witness_permission field appears only on Super Representative, SR Partner, and SR Candidate accounts. It controls block-producing nodes and is documented at TIP-105. A witness permission key separate from the Owner key is the documented best practice for SRs — the block-production key lives on the SR’s validator node and the funds key lives separately. The presence of witness_permission is therefore an SR-status signal, not a takeover signal.

Pseudo multi-sig. Multiple Owner keys can exist while one key alone holds enough weight to meet threshold — visually a multi-sig configuration, functionally single-key. TRONORIGIN tags this pattern as PSEUDO_MULTISIG and reduces the security rating accordingly: HIGH requires no single key controlling (key-weight to threshold ratio ≥ 0.67), MEDIUM allows one key with >50% weight (ratio ≥ 0.5), LOW is single-key, NONE is default-state or not-analyzed. Pseudo multi-sig often appears in exchange hot wallets — backup keys exist but one operational key needs to sign quickly without quorum coordination.

Deliberate freeze. A threshold higher than the sum of all key weights renders the account unsignable by any combination of current keys. This is detectable from wallet/getaccount as threshold > sum(keys[].weight). It can be intentional (a self-imposed lock) or accidental (a configuration error). Either way, an account in this state cannot be the source of new outbound transactions until the threshold is reduced via another AccountPermissionUpdateContract — which requires Owner permission, which by definition no current key holder can authorize.

Institutional custody key reuse. Custody platforms that use native TRON multi-sig (rather than MPC) may legitimately appear as a permission key across many unrelated client accounts. A custody-provided co-signer key is shared infrastructure, not an ownership signal. Without an external catalog of known custody-platform signing keys, this false positive is hard to filter automatically — the workaround is a manual annotation of repeatedly-appearing institutional addresses.

Exchange hot-wallet rotation cadence. High-frequency AccountPermissionUpdateContract events on an exchange-attributed hot wallet may be routine operational key rotation. Without external attribution, distinguishing routine rotation from compromise requires looking at post-rotation transaction patterns: rotation followed by normal customer-withdrawal volume is operational; rotation followed by a single large outbound to an unfamiliar address is the takeover pattern.

How TRONORIGIN scores permission signals

TRONORIGIN’s scoring model surfaces permission state in two phases.

Phase 2 — Funding history

A candidate detected as the executor of an AccountPermissionUpdateContract against the analyzed wallet earns +90 (funding_permission_update), described in the source as “definitive ownership proof.” This is among the highest single-signal scores in Phase 2 — the act of broadcasting and paying for a permission update is treated as direct evidence of operational control at that moment.

Phase 3 — Current control

Phase 3 evaluates current permission-key holders and assigns scores by their role on the account:

Permission role	Score
Controlling Owner key (weight ≥ threshold, can authorize alone)	+90
Owner co-signer (cannot authorize alone)	+30
Active-only permission key holder	+40
Original creator removed from all permission keys	-80 (escalated penalty)

The -80 penalty for a creator removed from all keys is the strongest negative signal in Phase 3. The inline rationale in the source attributes the value to “empirical analysis of TRON account takeover patterns” — the project’s read on how often genesis-creator removal correlates with hostile rotation rather than legitimate handoff.

Time decay on permission updates

Phase 3 applies a decay function to permission-update events: full score within 180 days of the update, 0.50× from 181 days to 1 year, 0.25× from 1 year to 2 years, 0.10× beyond 2 years. A permission update from five years ago is much weaker evidence of current operational involvement than one from last month. Phase 2 does not apply this decay — the funding-history phase treats the historical act as the relevant evidence regardless of age.

Tags and the architectural gap

PSEUDO_MULTISIG is the formal behavioral tag TRONORIGIN applies to the weighted-key-meets-threshold-alone pattern. OWNERSHIP_TRANSFER is a separately applied orchestrator tag noting that key composition has changed in a way consistent with control transfer. The existing /learn/account-model/ article refers to a PERMISSION_UPDATER tag in descriptive shorthand for an address detected as causing permission rotation; in the formal heuristic specification, the score funding_permission_update (+90) plays this role rather than a named tag.

The architectural gap, identified in the project’s internal research: TRONORIGIN does not currently create synthetic candidates for permission-key holders who have never transacted with the analyzed wallet. If someone holds Owner permission via a single AccountPermissionUpdateContract and has never sent any other transaction to or from the wallet, the scoring engine does not see them as a candidate. The cross-wallet permission-key clustering described earlier in this article is consequently still a manual workflow on top of TRONORIGIN output — built by the investigator querying suspect keys directly against wallet/getaccount for other wallets.

Investigative workflow

Two API surfaces matter for permission-state forensics.

Current state — wallet/getaccount

POST https://api.trongrid.io/wallet/getaccount with body { "address": "T...", "visible": true } returns the full account object including owner_permission, active_permission (array, up to 8), and witness_permission (only on SR accounts). Each permission object exposes:

• type — 0 for Owner, 1 for Witness, 2 for Active
• id — Owner is always 0, Witness 1, Active starts at 2
• permission_name — human-readable label
• threshold — minimum combined weight required to authorize
• keys — array of { address, weight } pairs, up to 5 entries per permission
• operations (Active permissions only) — 256-bit hex bitmask, little-endian bytes, big-endian bits within each byte (TIP-105 encoding)

This is the canonical query for “who controls this wallet right now.” It is unauthenticated, free, and returns the current state in one round trip.

Historical changes — AccountPermissionUpdateContract enumeration

TronGrid does not support filtering an address’s transactions by contract type — v1/accounts/:address/transactions returns all transactions undifferentiated. To enumerate just the permission updates, two practical approaches:

1. TronScan API filter. GET https://apilist.tronscanapi.com/api/transaction?sort=-timestamp&limit=50&address=T...&contract_type=46 returns only permission-update transactions for the address. The contract_type=46 parameter is observably supported by the TronScan API and used by their frontend, though it is not formally documented in the public API reference.

2. Client-side filtering. Fetch the full transaction history via TronGrid’s v1 endpoint and filter locally on tx.raw_data.contract[0].type === 'AccountPermissionUpdateContract'. More API calls, but only relies on documented endpoints.

Each transaction’s raw_data.contract[0].parameter.value carries the complete new permission state (owner, actives[], optional witness) plus the owner_address of the modified account. Pairing the value with a wallet/getaccount snapshot for the moment before the update reconstructs the diff — exactly which keys changed and how.

Workflow for cross-wallet key reuse

The current manual workflow, until synthetic-candidate creation lands in TRONORIGIN:

1. Identify a candidate key from the analyzed wallet’s wallet/getaccount Owner permission.
2. Search for other accounts where the same address appears as a permission key. There is no native TRON API for “find all accounts where address X is a permission key” — practical paths are (a) catalog the address in TRONORIGIN’s allowlist and let cross-references accumulate during normal analysis, (b) query commercial chain-analytics platforms that index permission state across all TRON accounts, or (c) maintain an investigator-side index built by crawling wallet/getaccount for accounts of interest.
3. For each shared-key account, repeat the full attribution analysis. The shared key is the operator; the question is what other operational signals (delegation, fueling — see /learn/fueling/, transaction patterns) confirm or qualify the attribution.

What this means for investigators

Permission state and permission-rotation history together expose the structure of control on TRON in a way no transaction graph can match. A wallet’s keys and the moments those keys changed are first-class protocol records — visible, queryable, dated to the block. The methodology in this article — strength-ranking shared-key signals, distinguishing rotation types by their pattern of accompanying activity, recognizing the false positives that institutional custody and MPC introduce — is what turns those records into attribution.

The signal is asymmetric in the investigator’s favor. Most wallets carry default permissions and rotate them never. The wallets that do rotate are signaling something meaningful — security hardening, custodial transfer, or hostile takeover — and the same on-chain mechanics that record the rotation also record exactly when, by whom, and to what new configuration. The remaining work is interpretation.

Sources

Primary and authoritative sources used for the facts in this article:

• TRON Developer Hub. “Account Permission Management” — Permission types, AccountPermissionUpdateContract semantics, 100 TRX update fee plus 1 TRX multi-sig fee, default account permissions, all-or-nothing update semantics.
• TRON Protocol documentation (java-tron). “Account Permission Management — Multi-Signatures” — Threshold and weight mechanics, block-level isolation guarantee for permission updates, witness permission scoping to SR accounts, default Active permission operations bitmask.
• GitHub: tronprotocol/tips. “TIP-16: Account Permission Management” — Foundational multi-signature TIP; up to 5 keys per permission; 32-byte operations bitmask encoding.
• GitHub: tronprotocol/tips. “TIP-105: Multi-signature Permission Operation” — Contract type 46 ID for AccountPermissionUpdateContract; operations bitmask byte/bit ordering (little-endian bytes, big-endian bits within each byte); witness permission definition.
• TRON Developer Hub. “AccountPermissionUpdate API reference” — Request and response field structure for the wallet/updateaccountpermission endpoint and the AccountPermissionUpdateContract parameter object.
• TRON Developer Hub. “GetAccount API reference” — wallet/getaccount endpoint; permission fields in the response (owner_permission, active_permission, witness_permission); key and weight field names.
• SlowMist. “Beginner’s Guide to Web3 Security: Risk of Wallet Being Maliciously Multi-Signed” — Two hostile-rotation variants (add-as-cosigner with raised threshold; transfer-permissions-entirely with threshold-1). Security-firm writeup, published July 25, 2024.
• OKX Wallet. “TRON Wallet Multisignature Scams: How They Work and How to Protect Yourself” — Documents the third weight-asymmetric variant (attacker weight 2, user weight 1, threshold 3); recommends manual permission inspection via block explorer. Exchange security guidance, published July 31, 2024.
• Token Trace LLC. “TRX Wallet Account Permission Change Scam” — Concrete on-chain example: victim wallet TPpAzAmpY5PAJ72XtSKVayfCcHfRHevMPu with Owner permission pre-assigned to scammer-controlled TYgYr17S9Zi1DocuuBCNiPLw6vq8VnEjAU. Forensics-firm case writeup, published November 27, 2023.
• Cointelegraph (via TradingView). “Over 14,500 Tron addresses at risk of ‘silent hijacking’ — AMLBot” — AMLBot’s research figures (14,545 wallets at risk; 2,130 compromised Q4 2024; ~$31.5M) attributed to AMLBot CTO Mykhailo Tiutin. The underlying AMLBot publication is not publicly available; citation chain stops at this Cointelegraph article.
• Halborn. “Explained: The Poloniex Hack (November 2023)” — Security-firm characterization of the Poloniex incident as a private-key compromise with no permission rotation; useful counter-example.
• CertiK. “Poloniex Incident Analysis” — Independent confirmation of the Poloniex incident as a private-key compromise; the second-largest such compromise CertiK detected in 2023.
• TRONORIGIN Heuristic Specification (HEURISTIC_SPEC.md, v5.1.0) — Internal project document: Phase 3 permission scoring (+90 controlling owner, +30 co-signer, +40 active-only, -80 genesis-creator-removed); security-level classification (HIGH / MEDIUM / LOW / NONE); PSEUDO_MULTISIG behavioral tag; Phase 2 funding_permission_update (+90) with “definitive ownership proof” rationale.
• TRONORIGIN internal research (tronorigin-core/docs/permissions-research.md) — Permission API endpoints in implementation; OWNERSHIP_TRANSFER tag location in orchestrator.ts; TronScan accountv2 endpoint structure exposing multiSignOwnerPermissionAddress / multiSignActivePermissionAddress arrays; identified architectural gap for cross-wallet permission-key clustering via synthetic candidates.