The crypto wallet Trust Wallet disclosed a security flaw that resulted in close to $170,000 in user losses. According to the company, the vulnerability has been addressed.
The issue was discovered by Trust Wallet through its bug bounty program. In November 2022, a security researcher disclosed a WebAssembly (WASM) vulnerability in the open-source library Wallet Core.
New wallet addresses generated “between November 14 and November 23, 2022, by browser extensions contain this vulnerability,” the company said in a statement, adding that all addresses generated before these dates are secure.
The vulnerability led to two exploits that caused nearly $170,000 in losses. A postmortem report indicates that approximately 500 vulnerable addresses still hold a combined balance of $88,000.
Affected users will be offered a refund, along with help covering the fees incurred in transferring their funds.
According to Trust Wallet:
“We want to assure users that we will reimburse eligible losses from hacks due to the vulnerability and have created a reimbursement process for the affected users. And we urged affected users to move the remaining ~$88,000 USD balance on all the vulnerable addresses as soon as possible.”
Users who noticed anomalous fund movements in late December 2022 and late March 2023 may be among the victims of the two exploits.
Customers were advised to create a new wallet and transfer their funds to it. According to the company, Trust Wallet’s browser extension will notify users whose email addresses are vulnerable.
Developers who used the Wallet Core library in 2022 should update to its most recent version.
The cryptocurrency exchange had already notified the affected Binance wallet addresses.
Targeting crypto community veterans, a recently disclosed exploit has siphoned nearly $11 million in nonfungible tokens (NFTs) and cryptocurrencies from various addresses across 11 blockchains since December of last year.
The attack was initially attributed to a vulnerability in the MetaMask wallet, which the company later denied.