A recent report from SECBIT Labs, a team of security researchers, suggests that an old vulnerability in the Trust Wallet iOS app may still pose a risk to users who created accounts with it, even if they no longer use the app. The vulnerability was active from February 5 to August 21, 2018, and does not affect accounts created after that time. However, some users may be unaware of the vulnerability and may still intend to use the exposed wallets.
According to SECBIT, the vulnerability was caused by two functions in the Trust Wallet app that were intended for testing purposes but were accidentally included in the app’s final version. This error allowed attackers to guess the private keys of some users and steal their funds. SECBIT claims that these accounts are still vulnerable.
It’s important to note that this vulnerability is separate from a flaw in Trust Wallet’s browser extension that was identified by the Trezor team in April 2023.
In response to SECBIT’s claims, Trust Wallet stated in a blog post that the vulnerability only affected a small number of users, who were all notified and migrated to new wallets. Trust Wallet claims that the vulnerability was patched in July 2018 and that the current version of the app is safe to use.
SECBIT discovered this vulnerability while investigating a widespread attack on crypto wallets that occurred on July 12, 2023. Many of the affected accounts had not been used for months or were stored on devices with no internet access, making them difficult to hack. Trust Wallet and Klever Wallet were the most commonly used apps among the victims, making it challenging to determine the cause of the attack.
Further investigation revealed that most of the victims’ addresses had received funds between July and August 2018. The researchers suspected that a flaw similar to the one found in the Libbitcoin Explorer Bitcoin app, called “Milk Sad,” may have caused the attack. This suspicion led them to review Trust Wallet’s code from July to August 2018, where they discovered the use of the “random32()” and “random_buffer()” functions from Trezor’s crypto iOS library to generate mnemonic phrases. These functions were not intended for production use but were mistakenly included in the app.
SECBIT claims to have generated a database of compromised addresses, which was shared with the Trust Wallet team. They found that 83% of the victims in the July 12 attack had wallets generated using the flawed functions. Trust Wallet allegedly informed the affected users privately in 2018 and argued that the addresses had zero balances, so there was no risk of losing funds. SECBIT urged Trust Wallet to publicly disclose the vulnerability but claims that Trust Wallet did not comply. As a result, SECBIT published its findings.
SECBIT notes that Trust Wallet is open-source, so it’s possible that another wallet developer forked the code and exposed their users to the vulnerability. Trezor updated its library in July 2018, but the vulnerability may still affect users who created accounts before that time and never sent funds to them.
Trust Wallet responded to the report by emphasizing that the current version of the app is safe to use and that the vulnerability was quickly patched in 2018. They claim to have notified and migrated the affected users to secure wallets. Trust Wallet also stated that most of the hacked addresses were not generated by their app and that some users may have imported their addresses from another app.
In conclusion, SECBIT’s report highlights a vulnerability in the Trust Wallet iOS app that may still pose a risk to users who created accounts during a specific time period. Trust Wallet claims to have addressed the vulnerability and ensured the safety of its current version. Users are advised to update to the latest version and migrate to new wallets if necessary.