Every Wallet Generated With Trust Wallet Browser Extension Allowed For Stealing User Funds
"This vulnerability illustrates the worst case scenario of a crypto bug - compromised accounts forever."
- "Seed generation of Trust Wallet [browser extension] was flawed, the total entropy was only 32 bits. We have created a file containing all possible seeds."
- "By knowing the address of an account, it is possible to immediately compute its private key, then access all its funds."
- "Fortunately, the Ledger Donjon discovered the vulnerability very quickly and likely avoided one of the biggest hacks in the crypto ecosystem."
- "During our investigations, around $30 million were at risk at some point, but we didn’t monitor all chains and tokens over time."
- Binance acquired Trust Wallet in 2018, and the wallet reportedly has over 60 million users globally, 10 million of whom are deemed monthly active users (as of November 2022).
- "On November 14th 2022, Trust Wallet, a widely used software wallet, announced the release of its browser extension. It allows access to digital assets on several blockchains directly from the browser, and is a long-awaited addition to the existing iOS and Android apps."
- "Vulnerability has been reported to Binance using their bug bounty program on 2022, November the 17th."
- On November 21st, "Trustwallet team publicly committed on GitHub the fix avoiding the generation of new flawed seeds. We were quite worried someone would notice it and exploit the vulnerability."
- November 2022: the "Trustwallet team updated the app to warn their users, prevent them from generating new flawed seeds and removed the receiving flows."
- March 2023: "Trustwallet team granted us the highest bounty they offer: $100k."
- April 22, 2023: "After months waiting for users to migrate their funds, Trustwallet team disclosed the vulnerability and wrote a postmortem. As of now, there are still wallets with remaining funds that can be stolen (~$100k). Trust Wallet promised the reimbursement of stolen funds."