Trust Wallet, a popular crypto wallet, identified and resolved a major WebAssembly (WASM) vulnerability within its core wallet software library. The issue impacted wallet addresses on Ethereum and other blockchains generated through the Trust Wallet browser extension between Nov. 14 and Nov. 23, 2022.
"The issue is fixed," the project said on Twitter. "Most at-risk funds are secured."
WebAssembly is a computer code format that lets developers use multiple programming languages to build web applications, including those used in crypto wallets. The discovered vulnerability was present in the wallet's core software library, which used the WASM format to let users create their crypto wallets within the browser extension.
$170,000 lost due to the vulnerability
The Binance-backed wallet project said in an official post on its community forum that it addressed the problem upon discovering the issue. However, two exploits were detected, resulting in an estimated loss of about $170,000 due to potential hacks leveraging the issue.
Trust Wallet also emphasized that the vulnerability did not impact users who exclusively utilized the Trust Wallet mobile app, imported wallets into the browser extension using seed phrases from other wallet applications or created new wallet addresses via the extension before Nov. 14 or after Nov. 23, 2022.
In the community post, the team clarified that it had bolstered the security of its wallet product by conducting more frequent security audits and engaging external auditors to assess its security measures. The project reiterated its commitment to providing a secure wallet application for its users.
"While there's no 100% security, we own our mistakes and improve to prevent, mitigate, and resolve issues swiftly," it added on Twitter. "We're committed to providing a secure, reliable platform for our users."
Trust Wallet said it would issue refunds and has created a reimbursement system to support affected users. Such users will receive notifications through the browser extension, it added.
The team further clarified that the issue was not connected to a recent security incident flagged by MyCrypto founder Taylor Monahan, in which she claimed that over 5,000 ETH ($10 million) had been mysteriously stolen from multiple user wallets.
© 2023 The Block. All Rights Reserved.