Crypto wallet firm TrustWallet revealed that a vulnerability impacted some of its users in November and claims to have patched the issue.
In an April 22 blog post, the TrustWallet team disclosed a vulnerability that affected wallet addresses created between Nov. 14 and 23 through a browser extension.
1/10 Trust Wallet is built on security & trust. So we're sharing a vulnerability affecting new addresses created Nov 14-23,22 using the Browser Extension.
The issue is fixed. Most at-risk funds are secured. Affected users should take actions outlined:
➡️ https://t.co/X9AEfqWW87
— Trust Wallet (@TrustWallet) April 22, 2023
“Despite our best efforts, we proactively detected two potential exploits, resulting in a total loss of approximately $170,000 USD at the time of the attack,” said the team.
The team was notified of the vulnerability by a security researcher, who identified the bug tied to the firm’s back-end WebAssembly (WASM) module. The pseudo-random number generator used to create private keys did not provide an adequate level of randomness, which meant bad actors could monitor and predict future iterations.
The vulnerability was discovered fairly early, on Nov. 17, but the firm decided the best course of action was not to disclose it until it was patched. Two exploits nevertheless followed in December and March, and according to the team, efforts to reimburse those impacted are already in motion.
“We prepared a public disclosure statement. However, we considered that once the disclosure was made, a bad actor could exploit the remaining wallets and take ownership of the funds left,” said the TrustWallet team in a post-mortem statement.
Most of the affected users’ funds have been secured, but some are still at risk. Additionally, users who created wallets between version 0.0.172 and version 0.0.182 need to migrate their assets to a non-affected wallet themselves.
“Currently, these wallets hold approximately $88,300 USD across ~500 affected wallets with a balance higher than $10 USD worth of tokens,” the team said.