It took a few days for the team at Trust Wallet to patch a vulnerability that put users’ funds at risk and release the necessary fix. But the popular crypto wallet didn’t publicly acknowledge the issue for months, and says even now that affected users will need to move to a new wallet address to protect their funds.
On Saturday, Trust Wallet announced that it fixed a vulnerability that impacts users who created a digital wallet using the project’s browser extension between Nov. 13 and Nov. 23 of last year. The fix only benefits browser wallets created after Nov. 23.
“To be free from the vulnerability, users must migrate their assets from the affected wallet addresses to new, non-affected wallet addresses,” Trust Wallet said in a blog post. “Under these circumstances, we undertook every possible measure to inform users and assist them in mitigating the risk of potential attacks.”
The Binance-backed wallet project said it had been initially alerted to the problem by a security researcher last fall, who flagged an issue in its open-source library that exposed private keys to a security risk.
Though most of the users’ vulnerable funds have been secured, Trust Wallet says that $88,300 of funds are still exposed. Trust Wallet acknowledged that a few users had fallen victim to the vulnerability, pledging on Twitter to offer them a refund.
“Despite our best efforts to minimize loss, we proactively identified 2 likely exploits with a total loss of $170K,” the project said on Twitter. “To do right to users, we created a reimbursement process for affected users to make them whole.”
Once the vulnerability had been fixed—preventing new wallets from being impacted—the project team says it debated whether to disclose the vulnerability publicly.
“Our primary objective was to help users preserve as much of their assets as possible and prevent potential losses,” it said. “We believed that confidential, one-on-one communication with users would enable users to take the necessary actions without sacrificing their assets’ sole ownership.”
The project said it reached out to impacted users through multiple rounds of mobile push notifications and in-app warnings that appeared every minute. The messages were accompanied by clear instructions on how users could transfer their assets, it said.
Not only did Trust Wallet offer users customer support, but the project also offered to reimburse gas fees for users transferring their funds to uncompromised wallets. In total, Trust Wallet reimbursed around 23.6 BNB of gas fees, or around $7,700.
Additionally, Trust Wallet reached out to Binance and secured the exchange’s help in reaching out to users who had funds that could be traced back to the exchange. The project emphasized that it did not share “personally identifiable information” with the exchange.
The project thanked Binance’s security team for “triaging the issue, conducting risk assessments, escalating the matter, conducting impact analysis, and communicating with the security researcher.”
Trust Wallet said it had prepared a public statement regarding the vulnerability last November, but decided to wait, weighing the value of informing the public against the possibility of highlighting a security hole that could still be used.
The public warning’s date would ultimately be pushed back in February to April.
“We considered that once the disclosure was made, a bad actor could exploit the remaining wallets and take ownership of the funds left,” it said. “Therefore, we gave affected users more time to secure their fund[s] instead of making a[…] premature disclosure.”