Trust Wallet resolves vulnerability that led to $170,000 in user losses

Key takeaways:

• Trust Wallet announced the resolution of a critical vulnerability in its main wallet software code.

• The bug affected wallet addresses generated by the browser extension between November 14 and November 23, 2022.

• The vulnerability has been abused twice, resulting in a $170,000 loss.

Trust Wallet disclosed a WebAssembly (WASM) vulnerability that resulted in a $170,000 loss. The crypto wallet service said in a statement on April 22 that the issue affects wallets created by its browser extension between November 14 and September 23, 2022.

 The vulnerability was disclosed in November 2022 via the Trust Wallet bug bounty scheme by an unidentified security researcher. New wallet addresses created between November 14 and November 23, 2022 by the Trust Wallet Browser Extension include this vulnerability. WASM is used in Wallet Core. 

WebAssembly is a computer code standard that allows developers to create Web apps in a range of programming languages. This includes the language used to generate cryptocurrency wallets.

1/10 Trust Wallet is built on security & trust. So we're sharing a vulnerability affecting new addresses created Nov 14-23,22 using the Browser Extension.

The issue is fixed. Most at-risk funds are secured. Affected users should take actions outlined:
➡️https://t.co/X9AEfqWW87

— Trust Wallet (@TrustWallet) April 22, 2023

The company explained in the community post that it had improved the security of its wallet product by carrying out security audits more frequently and hiring outside auditors to assess its security precautions. The initiative confirmed its commitment to giving its consumers a safe wallet application.

In order to assist harmed users, Trust Wallet announced plans to offer refunds and set up a reimbursement scheme. Users will receive notices via the browser extension.

Additionally, Trust Wallet emphasised that users who only used the Trust Wallet mobile app, imported wallets into the browser extension using seed phrases from other wallet applications, or created new wallet addresses via the extension prior to November 14 or subsequent to November 23, 2022 were not affected by the vulnerability. 

Trust claimed to have developed a compensation system that would send messages to these users via their browser extensions.

There was still roughly $88,000 in certain insecure addresses, Trust Wallet further cautioned. Users with these addresses were instructed by the team to withdraw the funds right away.

The crypto space has been witnessing heightened numbers of wallet breaches lately.  Just last month, it was reported that 2,400 Wallets were Compromised in Arbitrum Airdrop. 

In February alone, renowned names in the industry like Algorand and Edge wallet had to navigate security flaws in order to manage their way out of exploits and wallet breaches.