A recent report from SECBIT Labs, a team of security researchers, suggests that an old vulnerability in the Trust Wallet iOS app may still pose a risk to users who created accounts with it, even if they no longer use the app. The vulnerability was present in the app from February 5 to August 21, 2018, and does not affect accounts created after that time. However, some users may still be unaware of the vulnerability and may be planning to use their exposed wallets.
According to SECBIT, the vulnerability was caused by two functions in the Trust Wallet app that were supposed to be used for testing purposes only. Despite warnings from developers against their use, Trust Wallet accidentally included these functions in the app, making it possible for attackers to guess users’ private keys and steal their funds. SECBIT claims that these accounts are still vulnerable.
It is important to note that this vulnerability is different from a previously acknowledged flaw in Trust Wallet’s browser extension. In response to SECBIT’s claims, Trust Wallet stated in a blog post that the vulnerability only affected a small number of users, who were all notified and migrated to new wallets. Trust Wallet asserts that the vulnerability was patched in July 2018 and that the app is currently safe to use.
SECBIT discovered this flaw while investigating a widespread attack on crypto wallets that occurred in July 2023. Many of the affected accounts had not been used for months or were stored on devices without internet access, making them difficult to hack. Trust Wallet and Klever Wallet were among the most commonly used wallet apps by the victims of the attack, making it challenging to determine the cause of the hack.
Upon further investigation, the researchers found that most of the victims’ addresses had received funds between July and August 2018. The researchers suspected that a flaw similar to the one found in the Libbitcoin Explorer Bitcoin app, which allowed attackers to guess users’ private keys, may have caused the attack.
The researchers analyzed Trust Wallet’s code from July to August 2018 and discovered that the iOS versions of the app used functions from Trezor’s crypto iOS library to generate mnemonic phrases. These functions were not intended for use in production apps, as stated in the developer notes. The researchers found that the generated seed words were not random enough, making Trust Wallet accounts generated during this time vulnerable to being drained.
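As an added example (not code from SECBIT, Trust Wallet or Trezor), this is the kind of pre-release self-test a wallet developer could run on a mnemonic entropy source: a constructed stand-in for a test-only PRNG with a constant seed fails it, while the operating system's CSPRNG passes. The LCG constants, the seed and the function names are assumptions for illustration; the word-count helper follows the BIP39 rule (one checksum bit per 32 entropy bits, 11 bits per word).

```python
import secrets
from typing import Callable

EntropySource = Callable[[int], bytes]  # draws n bytes of entropy


def test_only_entropy_factory() -> EntropySource:
    """Constructed stand-in for a test-only PRNG (not the Trezor library's
    code): a fixed-seed linear congruential generator. Every fresh instance,
    i.e. every fresh app install, yields the same byte stream, so every
    wallet derived from it would share the same seed words."""
    state = 0x12345678  # constant seed: the defining defect of a test-only source

    def draw(n: int) -> bytes:
        nonlocal state
        out = bytearray()
        for _ in range(n):
            state = (1103515245 * state + 12345) & 0xFFFFFFFF
            out.append((state >> 16) & 0xFF)
        return bytes(out)

    return draw


def production_entropy(n: int) -> bytes:
    # The operating system's CSPRNG: the appropriate source for BIP39 entropy.
    return secrets.token_bytes(n)


def bip39_word_count(nbytes: int) -> int:
    """Mnemonic length for nbytes of entropy: 16 bytes -> 12 words, 32 -> 24."""
    ent_bits = nbytes * 8
    return (ent_bits + ent_bits // 32) // 11


def entropy_source_is_acceptable(make_source: Callable[[], EntropySource],
                                 nbytes: int = 16, trials: int = 8) -> bool:
    """Independently constructed sources (fresh installs) must never agree on
    the entropy they draw, and one source must not repeat itself."""
    first_draws = set()
    for _ in range(trials):
        source = make_source()
        first, second = source(nbytes), source(nbytes)
        if first == second:          # stuck generator
            return False
        first_draws.add(first)
    return len(first_draws) == trials  # any collision across installs fails
```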
SECBIT claimed to have generated a database of compromised addresses and forwarded it to the Trust Wallet team. They compared these addresses with the victims of the July 12 hack and found that 83% of the victims had wallets generated using the flawed functions. Trust Wallet allegedly told SECBIT that it had already notified users privately in 2018 and emphasized that the compromised addresses had zero balances. SECBIT urged Trust Wallet to publicly disclose the vulnerability but claims that Trust Wallet did not comply, leading to the publication of their findings.
SECBIT pointed out that Trust Wallet is open-source, meaning that another wallet developer could have used the code and caused their users to generate vulnerable addresses. It is also possible that another wallet developer independently made the same mistake as Trust Wallet by using the affected library.
In response to the report, Trust Wallet emphasized that the current version of the app is not vulnerable and assured users that their funds are safe. Trust Wallet claims to have promptly patched the vulnerability with the support of the security community in 2018 and notified affected users. The team denied claims that they did not adequately inform users and stated that Trust Wallet’s founder took swift action to ensure user security.
Trust Wallet clarified that only a small number of the hacked addresses were associated with its app, and some users may have imported their addresses from other apps. In contrast to SECBIT’s statement, Trust Wallet claims that only one-third of the addresses have the historical vulnerability. They encourage security researchers to participate in their bug bounty program and reiterate their commitment to keeping the wallet secure.
In a separate report, Klever Wallet confirmed that some of the victims of the attack had used its app. However, Klever stated that all the addresses had been imported and were not originally created by its app.
Trezor, the provider of the crypto iOS library, emphasized that the function at the center of the controversy was meant for testing purposes only and not for official project development use.
SECBIT’s researchers advised users with Trust Wallet accounts created during the vulnerable period to migrate to new wallets and cease using the old ones. They expressed concern that users who are unaware of the vulnerability may face further loss of funds.