Every Wallet Generated With Trust Wallet Browser Extension Allowed For Stealing User Funds
"This vulnerability illustrates the worst case scenario of a crypto bug - compromised accounts forever."
- "Seed generation of Trust Wallet [browser extension] was flawed, the total entropy was only 32 bits. We have created a file containing all possible seeds."
- "By knowing the address of an account, it is possible to immediately compute its private key, then access all its funds."
- "Fortunately, the Ledger Donjon discovered the vulnerability very quickly and likely avoided one of the biggest hack in the crypto ecosystem."
- "During our investigations, around $30 millions were at risk at some point, but we didn’t monitor all chains and tokens overtime."
- Binance acquired Trust Wallet in 2018 and the wallet reportedly has over 60 million users globally, 10 million of which are deemed as monthly active users (as of November 2022).
Timeline
- "On November 14th 2022, Trust Wallet, a widely used software wallet, announced the release of its browser extension. It allows access to digital assets on several blockchains directly from the browser, and is a long-awaited addition to the existing iOS and Android apps."
- "Vulnerability has been reported to Binance using their bug bounty program on 2022, November the 17th."
- On November 21st, "Trustwallet team publicly committed on Github the fix avoiding the generation of new flawed seeds. We were quite worried someone would notice it and exploit the vulnerability."
- November 2022: the "Trustwallet team updated the app to warn their users, prevent them from generating new flawed seeds and removed the receiving flows."
- March 2023: "Trustwallet team granted us the highest bounty they offer : $100k."
- April 22, 2023: "After months waiting for users to migrate their funds, Trustwallet team disclosed the vulnerability and wrote a postmortem. As of now, there are still wallets with remaining funds that can be stolen (~$100k). Trust Wallet promised the reimbursement of stolen funds."