SECBIT Labs, a team of security researchers, recently reported that an old vulnerability in the Trust Wallet iOS app could still affect users who created accounts with it, even if they no longer use the app. The vulnerability existed between February 5 and August 21, 2018, and does not affect accounts created outside that period. However, some users may still be unaware of it and may still be using, or plan to reuse, the exposed wallets.
According to SECBIT, the vulnerability was caused by two functions in the Trust Wallet app that were only meant for testing. Despite developer warnings against their use, Trust Wallet included these functions in its iPhone app, so the seed phrases it produced were drawn from a far smaller space than intended and attackers could guess users' private keys and steal their funds. SECBIT says these accounts are still vulnerable.
It is important to note that this newly revealed vulnerability is separate from Trust Wallet's browser extension flaw, which the Trust Wallet team already acknowledged in April 2023.
In response to SECBIT’s claims, Trust Wallet stated in a blog post on February 15 that the vulnerability only affected a few thousand users. Those users were notified and migrated to new wallets. Trust Wallet assured users that the vulnerability was patched in July 2018 and that the app is currently safe to use.
SECBIT discovered the flaw while investigating a widespread attack on crypto wallets that occurred on July 12, 2023. Many of the affected accounts had not been used for months or were stored on devices with no internet access, which made a compromise of the devices themselves an unlikely explanation. The victims used various wallet apps, with Trust Wallet and Klever Wallet being the most common, which made it difficult for researchers to pinpoint the cause of the hack.
Further investigation revealed that most of the victims' addresses had first received funds between July and August 2018. The researchers initially hit a dead end but then learned of "Milk Sad," a vulnerability in the Libbitcoin Explorer (bx) command-line tool in which a weak pseudorandom generator seeded from a 32-bit timestamp allowed attackers to brute-force users' private keys. This led them to suspect that a similar flaw in Trust Wallet had caused the July 12 attack.
Upon analyzing the Trust Wallet code published between July and August 2018, the researchers found that the iOS versions of the app used functions from Trezor's trezor-crypto library to generate mnemonic phrases. These functions carried developer notes warning against their use in production. The researchers found that the code generated seed words with far too little entropy, putting any Trust Wallet account created during that period at risk.
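As an added example (not code from SECBIT, Trust Wallet or the trezor-crypto library), the following Python models the failure class described above: mnemonic entropy taken from a test-only generator whose entire output is determined by a single 32-bit seed. The generator, the on-chain "fingerprint" function and the timestamp window are constructed stand-ins; only the BIP39 checksum-and-split step is the real algorithm. It shows why an attacker who can see a victim's public identifier can replay the generator over a plausible seed range and recover the wallet, and how a CSPRNG removes that search entirely.

```python
"""Constructed illustration of how test-only, weakly seeded randomness collapses
a BIP39 keyspace. Added example; NOT the trezor-crypto or Trust Wallet code."""
import hashlib
import secrets
import struct
from typing import List, Optional


class TestOnlyPrng:
    """Hypothetical 32-bit-seeded linear congruential generator standing in for a
    test-only rand() routine. Every byte it emits is a function of the seed."""

    def __init__(self, seed32: int):
        self.state = seed32 & 0xFFFFFFFF

    def next_u32(self) -> int:
        self.state = (1103515245 * self.state + 12345) & 0xFFFFFFFF
        return self.state


def weak_entropy(seed32: int, nbytes: int = 16) -> bytes:
    """Entropy drawn from the test-only PRNG: at most 2**32 distinct outputs no
    matter how many bytes are requested. A timestamp seed shrinks that further."""
    prng = TestOnlyPrng(seed32)
    out = b""
    while len(out) < nbytes:
        out += struct.pack(">I", prng.next_u32())
    return out[:nbytes]


def strong_entropy(nbytes: int = 16) -> bytes:
    """What production code must use: the OS CSPRNG (2**128 outcomes for 16 bytes)."""
    return secrets.token_bytes(nbytes)


def bip39_word_indices(entropy: bytes) -> List[int]:
    """Real BIP39 encoding: append the first ENT/32 bits of SHA-256(entropy) as a
    checksum, then split ENT+CS bits into 11-bit word indices (0..2047)."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def wallet_fingerprint(entropy: bytes) -> str:
    """Constructed stand-in for the public identifier visible on-chain. A real
    wallet runs BIP39 seed -> BIP32 -> address; a hash is enough to show the search."""
    return hashlib.sha256(b"constructed-fingerprint:" + entropy).hexdigest()[:16]


def recover_seed(fingerprint: str, t_start: int, t_end: int) -> Optional[int]:
    """Attacker's search: replay the weak generator for every candidate seed in a
    time window and stop when the public fingerprint matches."""
    for seed in range(t_start, t_end + 1):
        if wallet_fingerprint(weak_entropy(seed)) == fingerprint:
            return seed
    return None


if __name__ == "__main__":
    victim_seed = 1533081600  # 2018-08-01 00:00:00 UTC; constructed example seed
    victim_fp = wallet_fingerprint(weak_entropy(victim_seed))
    print("victim word indices:", bip39_word_indices(weak_entropy(victim_seed)))
    # One day either side of the guessed creation time: 172,801 candidates.
    found = recover_seed(victim_fp, victim_seed - 86400, victim_seed + 86400)
    print("recovered seed:", found, "match:", found == victim_seed)
    # With CSPRNG entropy there is no seed to enumerate; the search is 2**128.
    print("strong entropy indices:", bip39_word_indices(strong_entropy()))
```

The window search above finishes in well under a second; even the full 32-bit seed space is only about 4.3 billion candidates, which is an offline precomputation job rather than an attack that needs the victim's device. That is what makes it possible to build a list of every address such a generator could ever have produced and then watch for funds arriving at them.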
SECBIT said it had generated a database of addresses the weak generator could have produced and forwarded it to the Trust Wallet team. The researchers compared these addresses with the victims of the July 12 hack and found that 83% of the victims had wallets generated using the vulnerable functions.
Trust Wallet told SECBIT that it had informed users privately in 2018 and emphasized that the affected addresses had zero balances, so no funds were at risk. SECBIT urged Trust Wallet to disclose the vulnerability publicly, but the company did not do so. As a result, SECBIT published its findings.
SECBIT noted that Trust Wallet is open-source, so another wallet developer may have forked the vulnerable code and caused its own users to generate weak addresses. Alternatively, another wallet developer may have independently made the same mistake by using the test-only functions from Trezor's library.
Trust Wallet responded to the claims by stating that the current version of its app does not contain the vulnerability. The team assured users that their funds are safe and the wallets are secure to use. Trust Wallet claimed that the vulnerability was quickly patched in 2018, and affected users were notified and migrated to safe wallets. The company denied claims that it had not adequately informed users and emphasized that no user was left vulnerable.
In contrast to SECBIT’s statement, Trust Wallet stated that only one-third of the hacked addresses were affected by the 2018 vulnerability. The Trust Wallet team encouraged security researchers to utilize its bug bounty program and reiterated its commitment to keeping the wallet secure.
In a separate report, Klever Wallet confirmed that some of the victims of the attack had used its app. However, it said that all the affected addresses had been imported into Klever rather than originally created by it.
Trezor's chief technology officer, Tomáš Sušánka, clarified that the function at the center of the vulnerability was only meant for testing and was never intended for use in production software.
SECBIT researchers advised iOS users with Trust Wallet accounts created during the vulnerable period to migrate to new wallets and stop using the old ones to prevent further loss of funds.