Trust Wallet Discloses WASM Vulnerability In Open-Source Library

Trust Wallet, a popular cryptocurrency wallet owned by Binance, has disclosed a WebAssembly (WASM) vulnerability in its open-source library, Wallet Core, which affected some of its users. The vulnerability was reported through Trust Wallet’s bug bounty program by a security researcher in November 2022.

Vulnerability in Browser Extension Wallets

According to an incident update shared by the company, the vulnerability affected new wallet addresses generated by its browser extension between Nov. 14 and 23, 2022. The vulnerability allowed attackers to execute malicious code on users’ devices and steal their funds.

Trust Wallet stated that it fixed the vulnerability within one day of verifying the bounty report and released a security update for its browser extension. However, two potential exploits were detected, resulting in a total loss of approximately $170,000 at the time of the attack.

Trust Wallet has assured its users that it will reimburse eligible losses from hacks caused by the vulnerability and has created a reimbursement process for affected users. The platform has urged affected users to move the approximately $88,000 remaining on all vulnerable addresses as soon as possible.

Recommended Security Measures

Users can check whether their wallet addresses are vulnerable by opening their Trust Wallet browser extension and looking for a warning notification. The company urged users who see the warning notification to create a new wallet address, move their assets, and stop using vulnerable addresses. It also advised users not to use wallet addresses they did not create, so that scammers cannot take advantage of them.

Trust Wallet also stated that users who only used its mobile app, imported wallet addresses into its browser extension, or used its browser extension to create a new wallet before Nov. 14, 2022, or after Nov. 23, 2022, are not affected by this vulnerability.

The platform advised its users to update to the latest app version, avoid clicking on suspicious links or messages related to their Trust Wallet account, create strong passwords and enable 2-factor authentication (2FA), avoid disclosing sensitive information such as recovery phrases or private keys to anyone, and download the Trust Wallet app from trusted sources such as its official website or app store.