Trust Wallet made a significant announcement on November 14th, 2022, unveiling its newly launched browser extension for wide usage.
The browser extension grants direct access to digital assets on multiple blockchains, a highly anticipated complement to the existing iOS and Android apps in Trust Wallet’s ecosystem.
However, security analysts at Ledger Donjon recently found a major vulnerability in this browser extension. The flaw enables the theft of assets from any wallet created with it, and no user interaction is needed.
Trust Wallet is built on Trust Wallet Core, a versatile library for blockchain wallets that has also targeted Wasm since April 2022.
Trust Wallet Core is mostly portable, but some modules are target-specific, notably the secure random generation used for cryptographic material such as:
- Private keys
- HD wallet mnemonics
The mobile implementations use the pseudorandom number generator (PRNG) provided by the OS:
- For iOS, SecRandomCopyBytes is used.
- For Android, the entropy is provided by an instance of java.security.SecureRandom.
The Wasm target has no common strong PRNG to rely on, because browsers and Node.js environments do not share the same system interfaces.
The critical vulnerability arises because wallet-core for Wasm uses the Mersenne Twister PRNG (mt19937), which is unfit for cryptography, and seeds it with a single 32-bit value.
A 32-bit seed means the Wasm wallet-core can produce only 2^32 (about 4 billion) distinct mnemonics, all of which can be generated on a single computer within a couple of hours.
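To make the point above concrete, the block below is an added example written for this article, not Trust Wallet Core's code. It contains a textbook MT19937 seeded the way C++ std::mt19937 is seeded from a single 32-bit value, uses it to produce 16 bytes of "entropy" for a 12-word mnemonic, and shows that the same seed always yields the same bytes, so the seed space (2^32) rather than the output length (128 bits) bounds the real entropy. It then shows the corrected pattern, drawing the bytes from the OS CSPRNG. Taking the low byte of each 32-bit output is an assumption of this example, as is the tiny seed window searched in the demo.

```python
"""Added example: why a 32-bit-seeded Mersenne Twister is not a source of
wallet entropy. Minimal MT19937 (the algorithm behind std::mt19937), written
for illustration; NOT Trust Wallet Core's code. Drawing the low byte of each
32-bit output as an entropy byte is an assumption of this example."""
import secrets


class MT19937:
    """MT19937 seeded like std::mt19937(seed), i.e. init_genrand(seed)."""

    N, M = 624, 397

    def __init__(self, seed: int) -> None:
        self.mt = [0] * self.N
        self.mt[0] = seed & 0xFFFFFFFF
        for i in range(1, self.N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.index = self.N  # force a twist before the first output

    def _twist(self) -> None:
        for i in range(self.N):
            y = (self.mt[i] & 0x80000000) | (self.mt[(i + 1) % self.N] & 0x7FFFFFFF)
            self.mt[i] = self.mt[(i + self.M) % self.N] ^ (y >> 1)
            if y & 1:
                self.mt[i] ^= 0x9908B0DF
        self.index = 0

    def next_u32(self) -> int:
        if self.index >= self.N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF


WEAK_SEED_BITS = 32  # the whole generator state is fixed by one 32-bit value
ENTROPY_BYTES = 16   # 128 bits, the entropy behind a 12-word mnemonic


def weak_entropy_128(seed32: int) -> bytes:
    """Vulnerable pattern: 'entropy' that is a pure function of a 32-bit seed.
    The bytes look random, but there are at most 2**32 possible outputs."""
    rng = MT19937(seed32)
    return bytes(rng.next_u32() & 0xFF for _ in range(ENTROPY_BYTES))


def secure_entropy_128() -> bytes:
    """Corrected pattern: take the bytes straight from the OS CSPRNG."""
    return secrets.token_bytes(ENTROPY_BYTES)


def distinct_weak_entropies(seed_bits: int = WEAK_SEED_BITS) -> int:
    """Upper bound on distinct outputs of the weak generator: 2**32, not 2**128."""
    return 2 ** seed_bits


def find_seed(entropy: bytes, seed_window: range):
    """Shows that the output fully determines the seed: walk a (deliberately
    small, constructed) seed window and return the seed that reproduces
    `entropy`, or None if it is not in the window."""
    for s in seed_window:
        if weak_entropy_128(s) == entropy:
            return s
    return None


if __name__ == "__main__":
    e = weak_entropy_128(123456)
    print("weak entropy  :", e.hex(), "| reproducible:", weak_entropy_128(123456) == e)
    print("seed recovered:", find_seed(e, range(123000, 124000)))
    print("secure entropy:", secure_entropy_128().hex())
    print("weak seed space: 2^%d = %d" % (WEAK_SEED_BITS, distinct_weak_entropies()))
```

The generator is checked against the two values fixed by the C++ standard for a default-seeded std::mt19937 (first output 3499211612, 10000th output 4123659995), so the weak path really does behave like the engine the page names; the secure path has no seed at all, which is exactly why its outputs cannot be enumerated.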
This grants an attacker the ability to:
- Compute all the seeds
- Compute all the private keys
- Compute all the addresses of every cryptocurrency
- Scan the related blockchains
- Extract all the used addresses
- Compute the intersection
- Identify the addresses generated by Trust Wallet for Wasm, then drain their funds.
The extension is closed-source, but its code is easy to analyze. During wallet creation it relies on the vulnerable Wasm build of Trust Wallet Core to create the 12-word mnemonic from a 128-bit seed.
The auto-generated Wasm wrapper HDWallet.create calls the vulnerable random_buffer, so the mnemonic can be recovered by brute force. The extension handles a range of assets; transforming a PRNG seed into an address requires the following steps:
- Entropy generation
- Entropy to mnemonic
- Mnemonic to seed
- Seed to BIP-32 master key
- Master key to Ethereum private key
- Ethereum private key to address
Each of these steps uses the standard derivation mechanism for its format.
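The first three steps of that chain (entropy to mnemonic, mnemonic to seed, seed to BIP-32 master key) can be carried out with the standard library alone. The block below is an added example written for this article, not Trust Wallet Core's code. It represents the mnemonic by its 11-bit word indices because the 2048-word list is not embedded here; the remaining steps (master key to Ethereum private key, private key to address) need secp256k1 and Keccak-256 and are left out. The inputs are the public BIP-39 reference vector with all-zero entropy and passphrase "TREZOR", used as constructed test data.

```python
"""Added example: entropy -> mnemonic word indices -> seed -> BIP-32 master key,
using only the Python standard library. Written for this article; not Trust
Wallet Core's code. Mnemonics are shown as 11-bit word indices because the
BIP-39 wordlist is not embedded. Whatever produced `entropy` bounds everything
below it: 32 bits of PRNG seed means 2**32 possible master keys."""
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; a BIP-32 master key must lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def entropy_to_word_indices(entropy: bytes) -> list:
    """BIP-39 step 'entropy to mnemonic': append the first len(entropy)/4 bits
    of SHA-256(entropy) as a checksum, then cut the result into 11-bit word
    indices. 16 bytes -> 128 + 4 = 132 bits -> 12 words."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    checksum_bits = len(entropy) * 8 // 32
    digest = hashlib.sha256(entropy).digest()
    bits = (int.from_bytes(entropy, "big") << checksum_bits) | (digest[0] >> (8 - checksum_bits))
    total_bits = len(entropy) * 8 + checksum_bits
    return [(bits >> (total_bits - 11 * (i + 1))) & 0x7FF for i in range(total_bits // 11)]


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 step 'mnemonic to seed': PBKDF2-HMAC-SHA512, 2048 rounds, salt
    'mnemonic' + passphrase, both NFKD-normalised; 64-byte output."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048)


def seed_to_master_key(seed: bytes) -> tuple:
    """BIP-32 step 'seed to master key': I = HMAC-SHA512(key=b'Bitcoin seed',
    data=seed); the left half is the master private key, the right half the
    master chain code used for child derivation."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = i[:32], i[32:]
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("master key out of range; BIP-32 rejects this seed")
    return key, chain_code


# Constructed inputs: the BIP-39 reference vector for all-zero entropy. Its 12
# words are "abandon" x 11 followed by "about", i.e. indices 0,...,0,3.
ZERO_ENTROPY = bytes(16)
REFERENCE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])
REFERENCE_PASSPHRASE = "TREZOR"


def derive_reference_master_key() -> tuple:
    """Runs the whole chain on the constructed reference vector."""
    indices = entropy_to_word_indices(ZERO_ENTROPY)
    seed = mnemonic_to_seed(REFERENCE_MNEMONIC, REFERENCE_PASSPHRASE)
    key, chain_code = seed_to_master_key(seed)
    return indices, seed, key, chain_code


if __name__ == "__main__":
    indices, seed, key, chain_code = derive_reference_master_key()
    print("word indices :", indices)
    print("seed         :", seed.hex())
    print("master key   :", key.hex())
    print("chain code   :", chain_code.hex())
```

With the official english.txt loaded as a list, `" ".join(wordlist[i] for i in indices)` turns the indices into the mnemonic string; for the zero-entropy vector that is the familiar "abandon ... about". The seed check against the published vector is what confirms the PBKDF2 parameters and normalisation are right, which is where most hand-rolled implementations go wrong.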
To verify which addresses belong to the Trust Wallet extension, a Python script quickly tested 32 million addresses; computing the private keys for a dataset of 1,873,720 entries took only 4 min 22 s.
Detection and Remediation
- On November 17, 2022, the vulnerability was reported to Binance.
- On November 21, the Trust Wallet team publicly fixed it on GitHub.
Despite the disclosure and the patch, $100k remains at risk in wallets, and Trust Wallet has promised to reimburse stolen funds.
This vulnerability exemplifies the worst kind of crypto bug: accounts that are compromised forever. Ledger devices ensure good randomness by using certified smartcard chips, a technology with 40 years of tamper resistance.