In November 2022, an anonymous security researcher reported a security risk in Trust Wallet’s open-source library Wallet Core through the company’s bug bounty program. Trust Wallet was informed of a WebAssembly vulnerability that led to the loss of $170,000 of user funds.
Based on the security report, Trust Wallet found that the vulnerability affected all new wallet addresses created by the browser extension between November 14 and November 23, 2022. Trust Wallet confirmed that wallets created outside that period were safe from the vulnerability.
The vulnerability led to two exploits that resulted in customers losing about $170,000. Users who experienced any abnormal fund movement in late December 2022 and late March 2023 may be considered victims of the security vulnerability.
Trust Wallet assured everyone that users of its mobile app, and those who only imported wallet addresses into the browser extension, were protected from this breach. However, the company urged owners of all 500 remaining vulnerable addresses to move their assets, valued at nearly $88,000, to new wallet addresses.
Trust Wallet patched the vulnerability that put users’ funds at risk and released the necessary fix in April 2023. Once the vulnerability had been fixed, the Trust Wallet team debated whether to disclose the vulnerability publicly.
The team’s primary objective was to help users preserve as much of their assets as possible and prevent potential losses. The company reached out to impacted users through multiple rounds of mobile push notifications and in-app warnings that appeared every minute. The messages were accompanied by clear instructions on how users could transfer their assets.
Trust Wallet offered users customer support and reimbursed gas fees for transferring their funds to uncompromised wallets. In total, Trust Wallet reimbursed around 23.6 BNB of gas fees, or around $7,700.
Trust Wallet had prepared a public statement regarding the vulnerability last November but decided to wait, weighing the value of informing the public against the possibility of highlighting a security hole that could still be used. The public warning’s date would ultimately be pushed back, in February, to April.
Trust Wallet maintains that asset security remains its number one priority as it remains committed to improving its services. The Trust Wallet security vulnerability highlights the need for higher security standards in the crypto industry to combat cybercrime effectively.
The Trust Wallet security vulnerability is not an isolated incident in the crypto industry. Since the start of the year, over 20 projects have suffered attacks leading to the loss of investors’ funds. One of the most notable heists in 2023 remains the theft of about $200 million from DeFi protocol Euler Finance back in March. Although the hacker returned $90 million some days later, this incident underscores the need for higher security standards in the industry.
As the crypto market continues to grow, there will be an increased risk of cyber attacks. It is, therefore, important for companies to ensure that they have robust security measures in place to protect their users. Trust Wallet’s response to the vulnerability shows that the company is committed to improving its security and offering compensation to affected users.
The Trust Wallet security vulnerability was a significant incident that affected users’ funds. However, the company’s response was swift, and it provided users with clear instructions on how to mitigate the risks. The incident underscores the need for companies in the crypto industry to prioritize security and invest in robust security measures to protect their users from cyber threats.