- Trust Wallet announced the resolution of a critical vulnerability in its main wallet software code.
- The bug affected wallet addresses generated by the browser extension between November 14 and November 23, 2022.
- The vulnerability has been abused twice, resulting in a $170,000 loss.
Trust Wallet disclosed a WebAssembly (WASM) vulnerability that resulted in a $170,000 loss. The crypto wallet service said in a statement on April 22 that the issue affects wallets created by its browser extension between November 14 and November 23, 2022.
The vulnerability was disclosed in November 2022 via the Trust Wallet bug bounty scheme by an unidentified security researcher. New wallet addresses created between November 14 and November 23, 2022 by the Trust Wallet Browser Extension are affected by this vulnerability. Wallet Core uses WASM.
WebAssembly is a computer code standard that allows developers to create Web apps in a range of programming languages. This includes the language used to generate cryptocurrency wallets.
The company explained in the community post that it had improved the security of its wallet product by carrying out security audits more frequently and hiring outside auditors to assess its security precautions. The initiative confirmed its commitment to giving its consumers a safe wallet application.
In order to assist harmed users, Trust Wallet announced plans to offer refunds and set up a reimbursement scheme. Users will receive notices via the browser extension.
Additionally, Trust Wallet emphasised that users who only used the Trust Wallet mobile app, imported wallets into the browser extension using seed phrases from other wallet applications, or created new wallet addresses via the extension prior to November 14 or subsequent to November 23, 2022 were not affected by the vulnerability.
Trust Wallet said it had developed a compensation system that would send messages to affected users via their browser extensions.
Trust Wallet further cautioned that roughly $88,000 still remained in certain insecure addresses. The team instructed users with these addresses to withdraw the funds right away.
In February alone, well-known names in the industry such as Algorand and Edge wallet had to deal with security flaws as they worked their way out of exploits and wallet breaches.