Trust Wallet fixed vulnerability, but warns $88,000 of user funds are still at risk
It took only a few days for the team at Trust Wallet to patch a vulnerability that put users’ funds at risk and ship the fix. But the popular crypto wallet did not publicly acknowledge the problem for months, and even now says affected users must move their funds to a new wallet address to protect them.
On Saturday, Trust Wallet announced that it had fixed a vulnerability affecting users who created a wallet with the project’s browser extension between November 13 and November 23 of last year. The fix only protects browser wallets created after November 23; wallets generated during the affected window remain exposed.
“To be free from the vulnerability, users must migrate their assets from the affected wallet addresses to new, unaffected wallet addresses,” Trust Wallet said in a blog post. “Under these circumstances, we took all possible measures to inform users and help them reduce the risk of potential attacks.”
The Binance-backed wallet project said it was first alerted to the problem last fall by a security researcher, who flagged an issue in the open-source library that put users’ private keys at risk.
Although most of the users’ vulnerable funds have been secured, Trust Wallet says $88,300 is still exposed. Trust Wallet acknowledged that a few users had fallen victim to the vulnerability, and promised on Twitter to offer them a refund.
“Despite our best efforts to minimize losses, we proactively identified 2 likely exploits with a total loss of $170K,” the project said on Twitter. “To do justice to users, we created a refund process for affected users to make them whole.”
Once the vulnerability was fixed – preventing newly created wallets from being affected – the project team says it debated whether to publicly disclose the vulnerability.
“Our primary goal was to help users preserve as much of their assets as possible and prevent potential losses,” it said. “We believed that confidential, one-to-one communication with users would enable users to take the necessary actions without sacrificing sole ownership of their assets.”
The project said it reached out to affected users through several rounds of mobile push notifications and in-app alerts that appeared every minute. The messages were accompanied by clear instructions on how users could transfer their assets, it said.
Not only did Trust Wallet offer users customer support, but the project also offered to refund gas fees for users who transferred their funds to uncompromised wallets. In total, Trust Wallet refunded about 23.6 BNB in gas fees, or about $7,700.
In addition, Trust Wallet contacted Binance and secured the exchange’s help in reaching out to users whose affected funds could be traced back to the exchange. The project emphasized that it did not share “personally identifiable information” with the exchange.
The project thanked Binance’s security team for “investigating the issue, conducting risk assessments, escalating the case, conducting impact assessments, and communicating with the security researcher.”
Trust Wallet said it had drafted a public statement regarding the vulnerability last November but decided to wait, weighing the value of informing the public against the possibility of highlighting a security hole that could still be exploited.
The date of the public warning was eventually pushed back from February to April.
“We considered that once the disclosure was made, a bad actor could exploit the remaining wallets and take ownership of the remaining funds,” it said. “Therefore, we gave affected users more time to secure their fund[s] instead of making one[…] for early disclosure.”