Trust Wallet revealed a security vulnerability that resulted in almost $170,000 in losses for its users between November 14 and 23.
This weakness affected some users’ wallet addresses created through the browser extension. According to the company, the vulnerability has been fixed.
With the help of the bug bounty program, Trust Wallet was able to find the issue. In November 2022, a security researcher identified a WebAssembly (WASM) flaw in the open-source library Wallet Core. The company stated that the new addresses generated “between November 14 and 23, 2022 by Browser Extension contain this vulnerability.” In addition, Trust Wallet assured users that addresses created before and after that period are safe.
1/10 Trust Wallet is built on security & trust. So we're sharing a vulnerability affecting new addresses created Nov 14-23,22 using the Browser Extension.
The issue is fixed. Most at-risk funds are secured. Affected users should take actions outlined:
— Trust Wallet (@TrustWallet) April 22, 2023
Two exploits caused by the breach resulted in losses of around $170,000 in total. A postmortem report states that 500 addresses are still vulnerable, holding a balance of $88,000. Trust Wallet offered a refund, including the gas fee and the cost of the fund transfer. According to the company:
“We want to assure users that we will reimburse eligible losses from hacks due to the vulnerability and have created a reimbursement process for the affected users. And we urged affected users to move the remaining $88,000 USD balance on all the vulnerable addresses as soon as possible.”
The two exploits may have affected users who noticed unusual fund movements in late December 2022 and late March 2023.
The company is calling on affected users to open new wallet accounts and transfer their funds. According to Trust Wallet, users whose accounts were affected will be notified through the company’s browser extension. At the same time, the latest version will be implemented for developers who used the Wallet Core library in 2022. Owners of affected Binance wallet addresses were previously notified through the crypto exchange.
Another recent exploit has targeted veterans in the crypto community since December of last year. This attack drained almost $11 million in nonfungible tokens and cryptocurrencies from different addresses across 11 blockchains. The attack was initially linked to an exploit at the MetaMask wallet, but the company later denied it.