Trust Wallet, a widely used crypto wallet, has identified and resolved a significant WebAssembly (WASM) vulnerability in its core wallet software library. The issue affected wallet addresses on Ethereum and other blockchains generated through the Trust Wallet browser extension between November 14 and November 23, 2022. The project confirmed the fix on Twitter and assured users that most at-risk funds were secured.
WebAssembly, a computer code format that allows developers to use multiple programming languages to create web applications is employed in various crypto wallets. The discovered vulnerability was found in Trust Wallet’s core software library, which used the WASM format to enable users to create their crypto wallets within the browser extension.
$170,000 lost due to vulnerability
Trust Wallet stated that upon discovering the issue, it addressed the problem. Nevertheless, two exploits were detected, resulting in an estimated loss of about $170,000 due to potential hacks exploiting the issue, as outlined in an official community forum post.
The crypto wallet emphasized that the vulnerability did not affect users who solely used the Trust Wallet mobile app, imported wallets into the browser extension using seed phrases from other wallet applications, or created new wallet addresses via the extension before November 14 or after November 23, 2022.
The team shared in the community post that it had strengthened its wallet product’s security by conducting more frequent security audits and involving external auditors to evaluate its security measures. The project reaffirmed its dedication to providing a secure wallet application for its users.
Trust Wallet announced plans to issue refunds and establish a reimbursement system to support impacted users, who will receive notifications via the browser extension.
The wallet provider also clarified that the issue was unrelated to a recent security incident highlighted by MyCrypto founder Taylor Monahan, in which she alleged that over 5,000 ETH (worth $10 million) had been mysteriously stolen from multiple user wallets.
