Trust Wallet, the Binance-backed wallet project, revealed a security flaw that resulted in nearly $170,000 in losses for some users.
The flaw is a major WebAssembly (WASM) vulnerability in Trust Wallet's core wallet software library, according to the postmortem the company issued last weekend:
"A vulnerability was discovered in the back-end module WebAssembly (WASM) located in the open source repository wallet core, which affected new wallets generated by versions 0.0.172 and 0.0.182 of the Browser Extension. Only the private keys of the limited new wallets created in these versions are affected. Since the vulnerability was fixed on November 22, 2022, all other Browser Extension versions, including the existing version, are safe to use".
The issue is now fixed, according to the company, and the "majority" of at-risk funds are secured.
Trust Wallet learned of the vulnerability through its bug bounty program and fixed it in November 2022. However, the company postponed disclosure to avoid any immediate attacks and minimize the risk of further breaches.
Even so, two exploits were detected, resulting in an estimated loss of around $170,000. The details of the exploits were shared in an official post on the project's community forum.
The Trust Wallet team highlighted that the security flaw did not affect users who exclusively used the Trust Wallet mobile app, imported wallets into the browser extension using seed phrases, or created new wallet addresses via the extension before November 14 or after November 23.
They also established a reimbursement system to assist affected users and will issue refunds. Users who have been affected will be notified via the browser extension, according to the company.
Developers who utilized the Wallet Core library in 2022 are urged to update to the latest version of Wallet Core. Binance has already notified users with affected wallet addresses through the exchange.
And, as if all of the above weren't enough, the Trust Wallet team also clarified that the WebAssembly vulnerability they have now disclosed is not related to the security incident reported earlier in April by MyCrypto founder Taylor Monahan, in which she claimed that multiple user wallets had been mysteriously robbed of over 5,000 ETH ($10 million).
So it's completely different this time, they say. Ok. Sounds good (not really). But back to the currently reported vulnerability: what was the deal with address generation via the browser extension?
And you know what? It sounds and feels like a rather trivial security mistake. Just using a Mersenne Twister to create passwords is a terribly bad idea. Simply put, the problem with this generator is that it's just not "random enough," which makes it susceptible to a brute-force attack.
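The weakness described above, as an added C++ example (not Trust Wallet's or Wallet Core's code): it shows that 128 bits of "entropy" drawn from `std::mt19937` are fully determined by the seed, next to a variant that draws every word from the operating system. The single 32-bit seed is an assumption made for illustration, and the function names are hypothetical.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <random>
#include <set>

using Entropy = std::array<std::uint32_t, 4>;  // 128 bits of wallet entropy

// Weak pattern: every output word is a pure function of the 32-bit seed,
// so the 128-bit result can take at most 2^32 different values.
Entropy mt_entropy(std::uint32_t seed) {
    std::mt19937 gen(seed);
    Entropy e{};
    for (auto &w : e) w = static_cast<std::uint32_t>(gen());
    return e;
}

// Audit helper: count the distinct 128-bit values the weak pattern yields
// over the first seed_count seeds. It can never exceed seed_count.
std::size_t distinct_entropy_values(std::uint32_t seed_count) {
    std::set<Entropy> seen;
    for (std::uint32_t s = 0; s < seed_count; ++s) seen.insert(mt_entropy(s));
    return seen.size();
}

// Corrected pattern: take every word from std::random_device, which on
// mainstream platforms is backed by the operating system's entropy source
// (an assumption to verify for the target toolchain, WASM included).
Entropy os_entropy() {
    std::random_device rd;
    Entropy e{};
    for (auto &w : e) w = static_cast<std::uint32_t>(rd());
    return e;
}

int main() {
    Entropy a = mt_entropy(5489u), b = mt_entropy(5489u);
    std::printf("same seed, same entropy: %s\n", a == b ? "yes" : "no");
    std::printf("first word for seed 5489: %u\n", static_cast<unsigned>(a[0]));
    std::printf("distinct values over 4096 seeds: %zu\n",
                distinct_entropy_values(4096));
    Entropy c = os_entropy();
    std::printf("OS-sourced first word: %08x\n", static_cast<unsigned>(c[0]));
    return 0;
}
```

When reviewing key-generation code, the thing to check is where every byte of the secret comes from, not how long the secret is.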
In their official post, the Trust Wallet team emphasized they have since enhanced the security of their wallet product by conducting more frequent security audits and engaging external auditors to evaluate their security measures.
Maybe so. And there seems to be no reason to doubt the conscientiousness of the developers so far.
…But that apparently cannot be said about the security of their practices.
So once again, it feels like a good moment for the timeless axiom: "Don't Trust. Verify."