It took a few days for the team at Trust Wallet to patch a vulnerability that put users’ funds at risk and release the necessary fix. But the popular crypto wallet didn’t publicly acknowledge the issue for months, and says even now that affected users will need to move to a new wallet address to protect their funds.
On Saturday, Trust Wallet announced that it fixed a vulnerability that impacts users who created a digital wallet using the project’s browser extension between Nov. 13 and Nov. 23 of last year. The fix only benefits browser wallets created after Nov. 23.
“To be free from the vulnerability, users must migrate their assets from the affected wallet addresses to new, non-affected wallet addresses,” Trust Wallet said in a blog post. “Under these circumstances, we undertook every possible measure to inform users and assist them in mitigating the risk of potential attacks.”
The Binance-backed wallet project said it had been initially alerted to the problem by a security researcher last fall, who flagged an issue in its open-source library that exposed private keys to a security risk.
Though most of the users’ vulnerable funds have been secured, Trust Wallet says that $88,300 of funds are still exposed. Trust Wallet acknowledged that a few users had fallen victim to the vulnerability, pledging on Twitter to offer them a refund.
“Despite our best efforts to minimize loss, we proactively identified 2 likely exploits with a total loss of $170K,” the project said on Twitter. “To do right to users, we created a reimbursement process for affected users to make them whole.”
