Crypto wallet Trust Wallet has disclosed a security vulnerability that resulted in nearly $170,000 in losses for some users. The vulnerability has been patched, according to the company.
Trust Wallet found out about the issue through its bug bounty program. A security researcher reported a WebAssembly vulnerability in the open-source library Wallet Core in November 2022. New wallet addresses generated “between November 14 and 23, 2022 by Browser Extension contain this vulnerability,” the company said in a statement, adding that all addresses created before and after those dates are safe.
1/10 Trust Wallet is built on security & trust. So we’re sharing a vulnerability affecting new addresses created Nov 14-23,22 using the Browser Extension.
The issue is fixed. Most at-risk funds are secured. Affected users should take actions outlined:
— Trust Wallet (@TrustWallet) April 22, 2023
The vulnerability led to two exploits, with total losses of nearly $170,000. Approximately 500 vulnerable addresses remain, with an $88,000 balance, according to a postmortem report. Affected users will be offered a refund and gas fee assistance to cover the costs of fund transfers. According to Trust Wallet:
“We want to assure users that we will reimburse eligible losses from hacks due to the vulnerability and have created a reimbursement process for the affected users. And we urged affected users [to] move the remaining ~$88,000 USD balance on all the vulnerable addresses as soon as possible.”
Users who experienced abnormal fund movement in late December 2022 and late March 2023 may be among those affected by the two exploits.
The company urged affected customers to create a new wallet and transfer their funds to it. Users with vulnerable addresses will be notified through the Trust Wallet browser extension, said the company. Developers who used the Wallet Core library in 2022 should upgrade to the latest version of Wallet Core. Holders of affected wallet addresses from Binance were previously notified through the crypto exchange.
Another recently unveiled exploit has drained almost $11 million in nonfungible tokens and cryptocurrencies from various addresses across 11 blockchains since December 2022, targeting veterans in the crypto community. The attack was initially attributed to an exploit in the MetaMask wallet, but that was later denied by the company.