Trust Wallet, a popular crypto wallet owned by Binance, has disclosed a WebAssembly (WASM) vulnerability in its open-source library, Wallet Core, that affected some users. A security researcher reported the vulnerability through Trust Wallet’s bug bounty program in November 2022.
According to an incident update shared by the company, the vulnerability only affected new wallet addresses generated by its browser extension between Nov. 14 and 23, 2022. The vulnerability could allow attackers to execute malicious code on the users’ devices and steal their funds.
Vulnerability fixed, but $170,000 lost
Trust Wallet said it fixed the vulnerability within one day of verifying the bounty report and released a security update for its browser extension.
Despite Trust Wallet’s efforts, two potential exploits were detected, resulting in a total loss of approximately $170,000 at the time of the attack.
Trust Wallet has assured its users that it will pay back eligible losses from hacks due to the vulnerability and has created a reimbursement process for the affected users.
The platform has also urged affected users to move the approximately $88,000 remaining on all the vulnerable addresses as soon as possible.
Users can check if their wallet addresses are vulnerable by opening their Trust Wallet browser extension and looking for a warning notification.
The company urged users who see the warning notification to create a new wallet address, move their assets, and stop using vulnerable addresses. It also advised users to steer clear of wallet addresses they did not create so that scammers cannot take advantage of them.
What actions to take
Trust Wallet also said the vulnerability does not affect users who only used its mobile app, who imported wallet addresses into its browser extension, or who used its browser extension to create a new wallet before Nov. 14, 2022, or after Nov. 23, 2022.
The platform advised its users to update to the latest app version, avoid clicking on suspicious links or messages related to their Trust Wallet account, create strong passwords, and enable two-factor authentication (2FA). It also told them not to disclose sensitive information such as recovery phrases or private keys to anyone, and to download the Trust Wallet app only from trusted sources such as its official website or app store.
Trust Wallet also advised wallet developers who used the Wallet Core library to develop browser extension wallets in 2022 to ensure they have implemented the most recent version of Wallet Core, so that their browser extensions are not affected by this vulnerability, which could cause losses for their users.