WASM Vulnerability in Trust Wallet Leads to $170,000 Loss

Trust Wallet, a leading cryptocurrency wallet provider, has publicly disclosed details of a WebAssembly (WASM) vulnerability that affected its open-source library, Wallet Core. The vulnerability, which specifically impacted wallets created in Trust Wallet’s Browser Extension between November 14 and 23, 2022, was patched within one day of being discovered in November 2022.

The vulnerability originated in the WebAssembly (WASM) back-end module of the open-source Wallet Core repository, and affected new wallets generated by versions 0.0.172 and 0.0.182 of Trust Wallet’s Browser Extension. The issue came to light when a security researcher reported it to Trust Wallet through the company’s bug bounty program.


Despite Trust Wallet’s swift response in patching the vulnerability, two separate exploits occurred within a small window of time, resulting in a total loss of approximately $170,000 USD at the time of the attacks. To address the situation and maintain transparency, Trust Wallet has announced that it will reimburse eligible losses incurred by users due to the vulnerability. The wallet provider has also urged affected users to move the remaining balance of approximately $88,000 USD out of the vulnerable addresses as soon as possible.

In a recent announcement, Trust Wallet outlined a series of recommended actions for users. Wallet addresses are not affected by the vulnerability if they were created using Trust Wallet’s mobile app, imported into the Browser Extension, or created with the Browser Extension before November 14 or after November 23, 2022. Affected users will receive a notification within the Browser Extension, and they are advised to create a new wallet address, move their assets over, and stop using the vulnerable addresses. The company has provided an asset transfer tutorial to assist users in this process.

Trust Wallet has also advised wallet developers who utilized the Wallet Core library for developing Browser Extension wallets in 2022 to ensure that they have implemented the latest version of Wallet Core, thereby preventing the vulnerability from affecting their applications and users.

The company expressed gratitude to the security researcher who initially reported the vulnerability, as well as the Ledger Team and Binance Security team, who provided invaluable insights and assistance throughout the entire process.

Asked why it delayed public disclosure of the vulnerability, Trust Wallet explained that securing users’ wallets and preventing losses was the top priority. Early public disclosure could have exposed users to immediate hacks and larger losses. The company focused on patching the vulnerability and helping users move their funds without attracting the attention of bad actors. The decision to disclose was made only after the majority of the funds in affected wallet addresses had been moved to a safe location and the cost of mounting an attack was deemed economically unreasonable.