Setting the Record Straight: 2018 Vulnerability
In Brief
Setting the record straight on a previously disclosed vulnerability. Facts on our prompt fix and dedication to protecting users.
Introduction
Today, the community flagged a few news articles alleging that the National Institute of Standards and Technology (NIST) is actively investigating a vulnerability from 2018 in the iOS Trust Wallet app—a vulnerability that was promptly fixed in the same year.
First, we want to assure Trust Wallet users that their funds are safe and that the wallets are safe to use. Although there was a vulnerability in our open-source code in early 2018 affecting only a few thousand users, it was quickly patched with the support of the security community—and affected users were notified and migrated to safe wallets.
While we appreciate how much the community cares about the safety of our platform, the articles and the original security reports submitted to CVE contain several inaccuracies, and the information presented is no longer relevant to current Trust Wallet open-source libraries and products. In this statement, we first clarify the inaccuracies and then share more on the previously resolved vulnerability.
Trust Wallet Is Not Being Investigated by United States Agencies
Contrary to what the articles state, Trust Wallet is not under investigation by the U.S. government, U.S. cyber authorities, or NIST. The mention of the National Institute of Standards and Technology (NIST) might imply official government scrutiny. However, it's crucial to understand that NIST operates a non-profit platform and database that allows any public member to submit information for review and include it in the CVE database.
The information highlighted in the news articles did not come from an official government-led investigation. Instead, the information was provided through a submission to a publicly accessible, open database, where independent representatives can submit vulnerability reports.
The 2018 Vulnerability
The vulnerability mentioned, stemming from the use of the Trezor library, was indeed identified in 2018 and affected iOS wallets created between March 2018 and the fix in July 2018. This issue impacted a finite number of 10,000 downloads. Trust Wallet was an open-source project at the time, so all the code commits and fixes are public and transparent at all times.
Besides fixing the code itself, Trust Wallet's founder took swift and proactive steps to inform all impacted users and provided them with a secure migration path, ensuring no user was left vulnerable. The identified vulnerable wallet addresses in the Trust Wallet database have also been found to no longer hold balances.
July 2023 Exploit
While the article and its security-report sources accurately chronicle an industry-wide library that was in use in 2017 (before Trust Wallet) and used by the Trust Wallet iOS app in early 2018, they incorrectly implicate Trust Wallet as the root cause of the July 2023 exploit.
Last year, our team carefully investigated at the time the exploit happened. Strong evidence showed that the wallets drained on July 12, 2023 were NOT Trust Wallet specific and were likely caused by multiple sources, making it highly unlikely that Trust Wallet was the root cause. First, we found only six hundred of the roughly two thousand hacked addresses in our database, and we do not know whether they were generated in or imported into Trust Wallet. Also, only one third of those had the 2018 Trust Wallet historical vulnerability. We have high confidence that the 2018 Trust Wallet vulnerability was not the origin of the July 2023 security breach.
Invitation for Meaningful Security Contributions
We have benefited greatly from the security community’s support in keeping our platform safe. We continue to openly welcome and encourage meaningful contributions that proactively prevent security incidents. In fact, members of the community can use our bug bounty program to proactively identify vulnerabilities. Trust Wallet believes in the power of collaboration and the importance of fact-based journalism. While it is crucial to address security concerns and vulnerabilities, it is equally important to ensure that the information shared with the public is accurate and up to date.
We want to reiterate to our users and the broader community that Trust Wallet remains dedicated to providing a secure gateway to explore Web3. For more information on our security measures and how we protect users’ assets, please visit our security page.
Note: Any cited numbers, figures, or illustrations are reported at the time of writing, and are subject to change.