Crypto wallet Trust Wallet disclosed a security vulnerability that resulted in nearly $170,000 in losses for some users. The vulnerability has been patched, according to the company.
Trust Wallet found out about the issue through its bug bounty program. A security researcher reported a WebAssembly (WASM) vulnerability in the open-source library Wallet Core in November 2022. New wallet addresses generated “between November 14 and 23, 2022 by Browser Extension contain this vulnerability,” said the company in a statement, adding that all addresses created before and after those dates are safe.
1/10 Trust Wallet is built on security & trust. So we’re sharing a vulnerability affecting new addresses created Nov 14-23, 22 using the Browser Extension.
The issue is fixed. Most at-risk funds are secured. Affected users should take actions outlined:
— Trust Wallet (@TrustWallet) April 22, 2023
The breach resulted in two exploits that led to a total loss of nearly $170,000. Approximately 500 vulnerable addresses remain with an $88,000 balance, according to a postmortem report. Affected users will be offered a refund and gas fee assistance to cover the costs of fund transfers. According to Trust Wallet:
“We want to assure users that we will reimburse eligible losses from hacks due to the vulnerability and have created a reimbursement process for the affected users. And we urged affected users to move the remaining ~$88,000 USD balance on all the vulnerable addresses as soon as possible.”
Users who experienced abnormal fund movement in late December 2022 and late March 2023 may be among the victims affected by the two exploits.
The company urged affected customers to create a new wallet and transfer their funds. Users with vulnerable addresses will be notified through the Trust Wallet browser extension, said the company. Developers who used the Wallet Core library in 2022 should update to the latest version. Binance users with affected wallet addresses were previously notified through the crypto exchange.
Another recently unveiled exploit has drained almost $11 million in nonfungible tokens (NFTs) and cryptocurrencies from various addresses across 11 blockchains since December last year, targeting veterans in the crypto community. The attack was initially attributed to an exploit in the MetaMask wallet, an attribution the company later denied.