Is Trust Wallet Safe? A Concise Analysis
Trust Wallet is a well-known decentralized digital wallet, generally considered secure, designed for storing, receiving, and sending cryptocurrencies. In this short overview, we explain what Trust Wallet is, describe its main features, and give a brief assessment of its security.
This article is also available in Italian.
What Is Trust Wallet and What Are Its Features?
Here are some of Trust Wallet's main features and functionalities:
Multi-Currency Support:
Trust Wallet supports a wide range of cryptocurrencies, including Bitcoin, Ethereum, and other altcoins, as well as ERC20 tokens and over 65 different blockchains, facilitating the management of a wide variety of digital assets in one place.
User-friendly Interface:
The application is known for its simple and intuitive interface, making it easy for beginners to manage their cryptocurrencies.
Access to DApps:
Trust Wallet provides access to various decentralized applications (DApps) built on blockchains like Ethereum and Binance’s Smart Chain, allowing users to interact with these platforms directly through the app.
Non-Custodial:
It is a non-custodial wallet, meaning users have complete control over their Trust Wallet private key and, consequently, their funds.
Cryptocurrency Purchase and Staking:
Users can buy cryptocurrencies directly through the app and participate in staking some cryptocurrencies to earn interest.
Compatibility with Mobile and Desktop Devices:
Trust Wallet is available on mobile devices and recently on desktop PCs via a web browser extension, offering users the flexibility to manage their crypto assets from multiple platforms.
Privacy and Security:
Designed to keep users’ funds safe, Trust Wallet does not collect or store personal data and has robust security systems to protect users’ assets.
Owned by Binance:
Trust Wallet was developed by the creators of Binance, one of the world’s largest cryptocurrency exchange platforms, and is Binance’s official wallet.
NFT Support:
It also allows for the storage and management of non-fungible tokens (NFTs) or cryptographic digital collectibles.
Trust Wallet is therefore a versatile option for those seeking a reliable digital wallet to manage their crypto assets. However, opinions on Trust Wallet, especially in recent times, have been lively and almost heated on various forums.
Trust Wallet Issues: Why Are Problems and Scams Being Discussed?
Scams related to Trust Wallet are mainly associated with phishing attempts, where scammers try to deceive wallet users to gain access to their sensitive information. Here are some ways these scams can manifest:
General Phishing Attempts:
Scammers may send fake emails or text messages with deceptive subjects or links, claiming that users can earn free cryptocurrency, that they need to verify their email, or that they risk wallet suspension. Some users might also accuse Trust Wallet of being a scam that transfers money without permission.
Specific Phishing:
In some scams, malicious actors might pretend to be part of Trust Wallet’s support staff, sending emails about a supposed security issue with the user’s wallet and asking to confirm the seed phrase (a sequence of words that allows access to the wallet).
Fake Websites:
There are fake websites that look very much like Trust Wallet’s official site. If users enter their recovery phrase on these sites, scammers can access their Trust Wallet and transfer all cryptocurrencies. Due to the decentralized nature of cryptocurrencies, it would be nearly impossible to recover the lost funds.
Deceptive SMS Messages:
Trust Wallet users may receive SMS messages claiming there is a problem with their account, with verification being the most common pretext. Links included in the messages lead to phishing pages where users' personal information is collected.
It is important to note that these scams are not a reflection of Trust Wallet’s security or reliability, but rather of malicious tactics used by outsiders to exploit less experienced users. To protect themselves, users should be cautious, avoid sharing sensitive information, and ensure they only use Trust Wallet’s official website and app.
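As an added illustration (not code from Trust Wallet or from this article's author), the following Python sketch shows why the fake sites and SMS links described above fail a strict hostname check. The allowlist entry `trustwallet.com`, the function names and the sample links are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption: OFFICIAL_DOMAINS is the reader's own allowlist; trustwallet.com is the example entry.
OFFICIAL_DOMAINS = {"trustwallet.com"}
BRANDS = {d.split(".")[0] for d in OFFICIAL_DOMAINS}

def edit_distance(a, b):
    """Levenshtein distance, used to flag near-miss look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url):
    """Return 'official', 'insecure', 'lookalike' or 'unrelated' for a link."""
    parts = urlsplit(url)
    # .hostname is what the browser connects to: it drops any "user@" prefix and the port.
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # expand punycode (xn--) labels
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: compare as-is
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official" if parts.scheme == "https" else "insecure"
    # Brand name used as bait: in a label, in the userinfo part, or misspelled.
    for piece in host.split(".") + [(parts.username or "").lower()]:
        if any(b in piece or edit_distance(piece, b) <= 2 for b in BRANDS):
            return "lookalike"
    return "unrelated"

# Constructed sample links, not taken from real campaigns.
SAMPLES = [
    "https://trustwallet.com/download",
    "http://trustwallet.com/",
    "https://trustwallet.com.account-verify.example/",
    "https://trustwallet.com@login.example/verify",
    "https://trustwa11et.example/",
    "https://trustwall\u0435t.example/",  # Cyrillic 'е' in place of Latin 'e'
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10} {link}")
```

Only an exact match on the allowlisted domain (or one of its subdomains) over HTTPS counts as official; a page that merely contains or resembles the brand name does not.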
The $170,000 Hack of Trust Wallet Users
Trust Wallet was recently hacked. We covered the incident in a separate in-depth article.
The $170,000 hack of Trust Wallet users occurred due to a security vulnerability discovered in November 2022, which affected new wallet addresses generated via Trust Wallet's browser extension between November 14 and 23, 2022. The vulnerability was not made public at the time, but only several months later, in April 2023, when Trust Wallet announced the incident. The discovery was made through their bug bounty program, when a security researcher reported a vulnerability in the open-source Wallet Core library, specifically related to WebAssembly. The incident led to two exploits, causing a total loss of about $170,000. Although the vulnerability has been resolved, about 500 vulnerable addresses with a balance of $88,000 remain. To mitigate the impact of the incident, Trust Wallet has urged affected users to create new wallets and transfer their funds to ensure security. Additionally, the Trust Wallet team has established a compensation process to reimburse users affected by the vulnerability and has extended its support to affected users, reimbursing about $7,700 in gas fees for those transferring their funds to secure, uncompromised wallets.
The incident highlighted a vulnerability in Trust Wallet's implementation of WebAssembly (WASM), which affected wallets generated by its browser extension during the specific period. An unnamed security researcher reported the vulnerability in November 2022 through Trust Wallet's bug bounty program, bringing the issue to light and helping to address the problem.
The vulnerability has been resolved, and Trust Wallet shared a final update on the claim process related to the WASM vulnerability in July 2023, closing the claim process on June 30, 2023. The entire hacking operation involved a total loss of $170,000, emphasizing the importance of timely reporting and resolution of security vulnerabilities in the world of cryptocurrencies.
Trust Wallet: Security Audit, What’s the Situation?
Trust Wallet is an open-source project. This means that its source code is accessible to the public, allowing anyone to examine, modify, or improve it. Being open source is often seen as an advantage in terms of transparency and security, as it allows external experts and the developer community to conduct code audits to identify and correct any security vulnerabilities.
The Code is Not Completely Open
The WalletScrutiny website reports that the source code of Trust Wallet is private, implying that it is not possible to verify it publicly. This lack of access to the source code can raise concerns about the security and transparency of Trust Wallet, especially among expert users or those who prefer to have the ability to examine the source code of the applications they use. This could be a contributing factor to claims that Trust Wallet offers a large attack surface and is not completely open source as might have been indicated earlier.
It appears that there has been a change in the management of the source code of Trust Wallet for Android, making it private. This decision could have implications for the transparency and auditability of the code by the community. It is always advisable to stay up-to-date on news and official announcements from the Trust Wallet team to better understand any changes in source code management and security practices.
The Trust Wallet team has indeed decided to close the source code of their app on Android. This decision was made for unspecified reasons, but has been documented on WalletScrutiny. This change can have implications for the transparency and auditability of the code, which are crucial elements for many users and developers in the cryptocurrency sector.
Conclusions
The security of Trust Wallet can be assessed considering various factors such as the response to security incidents, code transparency, and implemented preventive measures. While Trust Wallet’s proactive response to the $170,000 incident and its bug bounty program show a commitment to security, the decision to close the source code on Android might raise concerns regarding transparency and auditability. The general opinion on security may vary among users, and the decision to use Trust Wallet should be informed by a comprehensive assessment of its security features, incident responses, and code management practices.