p0n1 🦇🔊

🚨 *Vulnerability Alert:* Trust Wallet's Fomo3D Summer 🚨 🔗 Full Disclosure: secbit.io/blog/en/2024/0… 💸 Losses on ETH mainnet alone are staggering – and that's just the tip of the iceberg. 🧵 A thread on the findings and implications for users: 👇 (1/n)

@starit_public 不能嘲笑 SUI 了 🤣 x.com/SuiNetwork/sta…

事实证明触动利益比触动灵魂还难，在艰难的损失分摊选择面前，最终选择了损失公信力 我当然不是说冻结是不正义的，这当然是正义的行为。然而这应该是第一次一个EOA账户在未签名的情况下被夺走资产。从此，L2很难被视作L1的延伸….更重要的是，相关过错方还没得到教训…

@keyahayek 是一支笔打四针的那种吗？这种用法，第四针使用的时候，（按照说明书）开封后应该过30天保质期了？

替尔泊肽减肥 (3/n) 鉴于 5mg 效果太猛，打完 7 天都不饿，根据 Reddit 老哥和 Gemini 建议，把 7 天打一次换成 10 天打一次。 多出来的 3 天狂暴摄入牛排虾仁金枪鱼，以免肌肉流失太多。现在一周还能瘦 1 斤 / 1 lb，属于非常健康的 track，从体脂推算理论上再过至多一个半月就没有将军肚了。

@Tsla99T 历史留名了

跨越东西海岸的能力特斯拉内部应该很早就知道了。 而这么吸引眼球的题材，却由一个普通车主验证，是不是和那些只知道钻营营销的追随者高下立判？

@surfer__05 Happy new year!

Okay, wow, last day of the year, and it has been a truly amazing year. And tbh, I don't want to share a yearly progress report here, just wanna type out whole-heartedly what I really felt. It was two separate halves altogether. The first filled with final year college vibes, trips, parties, "last times" stuff, and then finally wrapping up the graduation (it has been a really expensive purchase). And the latter filled with the work I love, being in solitude, working on the grind, solving maths, and man, I love maths. I owe very special thanks to @1dot2 for that. Buenos Aires was an amazinggg experience altogether, reconnecting with the old friends, and meeting the new ones at @invisiblgarden . It's a unique feeling when you meet people irl, who you've been working with online for the whole year. And it's the sole reason I love contributing to IG, working with @leolarav @Odyssey_Leexixi @cypherbadger @kosmostasis was an amazing experience this time. Just can't miss to mention @subsix_ , cause he's literally one msg away at any time of the day. Skeptical of the algorithm, so just gonna mention some amazing people I spend most of my year with, be it online or irl : @ErrNil @_rutefig @shrameetweets @0xlord_forever @0xpanicError @alpeh_v and of course @ziyinlox (purple never lies haha) and many more people who are not on X. See you in 2026 !!

@cryptobraveHQ @0xbitslab @TrustWallet 18天算“快”了，可以看一下我们之前沟通和披露的时间线 #timeline" target="_blank" rel="nofollow noopener">secbit.io/blog/en/2024/0… 关键到最后在各种证据面前为了公关不承认他们的用户大量被黑（因为都是老钱包并且过去一段时间，社交媒体上影响较弱，盗窃金额反而大于这次事件）这个团队内部指定有些说法的。 @cz_binance

12月17日，无畏、BitsLab @0xbitslab 在和 TrustWallet 沟通时就指出，浏览器版本存在类似的助记词泄露风险Bug。 当时TrustWallet @TrustWallet 表示，18天之前确实收到相关问题的报告。当时无畏对这个响应速度，就比较失望了。此外，部分钱包的漏洞赏金制度，更是形同虚设。 今天类似的助记词泄露风险，终于爆发了。只不过这代价，是数百万美元的用户资产被盗。

@0xakinator @TrustWallet Sad story. Hope the team takes the security incident seriously this time. The third time!

🚨 Security Alert It appears that the @TrustWallet browser extension may have been compromised via a supply-chain attack in the Dec 24 update. Reports indicate that importing a seed phrase into the extension can result in immediate wallet draining. ⚠️ Do NOT use the Trust Wallet extension for now, and never import seed phrase until an official clarification and fix are released. ❗ As of now, there has been no official communication from the Trust Wallet team regarding this incident. Exploiters are using multiple addresses and More than $2,000,000 appears to have been drained

A good TRUST wallet shouldn’t have been hacked three times in its short history. Sorry for the team and users. Stay safe. There must be something wrong.

So here’s what’s happening : In the Trust Wallet browser extension code 4482.js a recent update added hidden code that silently sends wallet data outside It pretends to be analytics, but it tracks wallet activity and triggers when a seed phrase is imported The data was sent to metrics-trustwallet[.]com a domain registered days ago and now down

Here is an interesting ECDSA quirk. I've created the same signature that is valid for two different messages: Message 1: "Ethereum the world computer" Message 2: "Bitcoin the store of value" Signer address: 0x126aABEc82aE54Bf03BC304DeD7d540E113F9963 Signature R, S: 0xec986ec3277febdaf14357431eba90f4218b65c8de80a77ebb6179a9bddc72f23517ac820af018fdf66ac767eff7e6cf7037266da787963b223b8a69145b5126 The only discrepancy is the V component: 0x1b for the first message and 0x1c for the second.

@AndreCronjeTech No BD is a good thing Imagine if bitcoin had a BD department

@AndreCronjeTech Why should EF have BD like your company?

@cz_binance @TrustWallet @teawaterwire add link to my earlier post on this issue in Chinese x.com/ErrNil/status/…

Fixed in 2018, but many user wallets got hacked in 2023. @teawaterwire and I are one of them. The Lubian hack is not related with Trust Wallet. This is the FUD part. However, Trust Wallet team lied about many things in their statement. Trust Wallet admitted their product had a vulnerability in 2018 but vehemently denies that it affected their users in the mass wallet theft incident of 2023. They claim to have notified all affected users back in 2018 to migrate their assets, which is clearly a lie fabricated for PR purposes. We previously disclosed the vulnerability in Trust Wallet for iOS from 2018. Any security issue related to Binance easily turns into FUD, which in turn triggers a knee-jerk reaction from Trust Wallet. It's actually normal for any software to have security vulnerabilities; what matters most is how they are handled properly. Here is our previous disclosure post about the Trust Wallet iOS vulnerability: x.com/ErrNil/status/… And here is Trust Wallet's announcement after the issue gained traction: x.com/TrustWallet/st… After the last incident, I was quite disappointed with Trust Wallet's response and lost interest in following up on the case. However, whenever I see PR statements that I find obviously incorrect and illogical, I always feel uncomfortable and have to speak my mind. So I'm taking this opportunity to discuss some of these points, just to leave a record. Trust Wallet mentioned that the number of affected users at the time was about 10,000 early adopters, and that they had notified each one and provided an asset migration plan. They claim no users suffered losses and all affected wallets have been deprecated. In fact, this is highly counterintuitive. Trust Wallet was extremely popular in 2018, which led to its acquisition by Binance. In such a situation, notifying 10,000 users about a security issue with their wallets and getting them to migrate would have been a tricky affair. If they had really done it, it would have almost certainly made the news. My own first Trust Wallet address was also generated in 2018 and was drained in the July 2023 incident. I have no memory of ever receiving any notification. This user's situation is the same as mine: x.com/teawaterwire/s… Trust Wallet mentioned that since July 2018, all new wallets created by Trust Wallet users are no longer affected by this vulnerability. This is also patently false. How can you guarantee that every single one of those 10,000 users updated their software to the latest version? If someone downloaded the problematic version at the time and never updated the app, then all addresses created with that version of the wallet would be permanently insecure and vulnerable to theft. Trust Wallet mentioned that the comprehensive evidence suggests the 2023 attacks did not originate from a Trust Wallet vulnerability, but were more likely caused by a combination of multiple sources. They state they have full confidence that the 2018 vulnerability was not the root cause of this incident. This is a very clever, but highly inaccurate, turn of phrase. In reality, while the 2018 Trust Wallet vulnerability was not the *sole* root cause of all the wallets drained in July 2023, it was a major contributor. The reasons are as follows: real Trust Wallet users were affected; the affected addresses could be reproduced using Trust Wallet's code from that time; and the activity timeline of the affected wallets highly correlates with Trust Wallet's code commit history. We discussed this in more detail in our original disclosure article, so I won't repeat it here. Trust Wallet mentioned that in addition to fixing the vulnerability, the founder of Trust Wallet proactively contacted affected users to provide them with a secure migration path, ensuring no users remained at risk. They also state that the relevant affected addresses have all been confirmed to no longer hold any balance. The part about confirming the relevant addresses no longer hold a balance is the most ridiculous part, because these addresses were cleaned out in July 2023. I am also a heavy Trust Wallet user. The theft from my first Trust Wallet address in July 2023 prompted me and my colleague @outoflegend to conduct an in-depth investigation. However, what truly made me lose my "Trust" in it was Trust Wallet's subsequent response and handling of this vulnerability. I can partly understand, as every wallet provider wants to have a perfect security record. I sincerely hope Trust Wallet can do better, provide more evidence, and dispel the community's doubts. I have deliberately not deleted my first Trust Wallet address; I just added "Rekt" to its name. @cz_binance @heyibinance I have great respect for you. Were you also deceived by your team, or were you in on it too? I hope they/you can provide any valid evidence that they notified 10,000 users to migrate.

This bug was detected and fixed by @TrustWallet 7 years ago. No user funds impacted. Now, some tried to make FUD about it. More PR to @TrustWallet 🤷‍♂️

@iced_chan @cz_binance @TrustWallet Good question 😂

@cz_binance @TrustWallet How were the affected users ”notified”? I was under the impression that TrustWallet wasn’t collecting PII?

@bitfish 各种黑客至今的确还在持续监控和操作这批弱随机性的地址 x.com/ErrNil/status/…

不完全统计显示，超22万个地址受此漏洞影响，完整地址列表见：git.distrust.co/milksad/data 更离谱的是，至今还有人往这些地址转钱……黑客心里估计在想：我以为你不要了，那我就帮你收着吧。

链接其他人最近的一些讨论 from @bitfish and @_FORAB x.com/bitfish1/statu… x.com/_FORAB/status/…

看到 Trust Wallet 中文在疯狂辟谣钱包安全问题。 x.com/trustwalletzh/… 搜了一下，原来很多帖子在讨论美国执法部门利用钱包漏洞掌握很多地址私钥，有些人提到了 Trust Wallet 可能受影响。据我了解，Lubian 矿池出问题用的钱包，应该不是 Trust Wallet，属于同类型漏洞，但不同变种。 用户无需恐慌。有问题的地址也早就被盗完了。尤其要小心从非官方渠道提供链接，提醒你迁移钱包的人。 我们之前披露过 Trust Wallet iOS 在 2018 年的漏洞。跟 Binance 相关的任何安全问题，总是很容易转变成 FUD，进而引发 Trust Wallet 的应激反应。其实任何软件有安全漏洞很正常，最重要的是如何妥善处理。 这是我们之前关于 Trust Wallet iOS 漏洞的披露贴 x.com/ErrNil/status/… 这是 Trust Wallet 在事情发酵之后的公告说明 x.com/TrustWallet/st… 中文翻译 x.com/trustwalletzh/… 上次之后，我对 Trust Wallet 的回应比较失望，对这个 case 失去了继续追踪的兴趣。但是每每看到我觉得明显不正确不合逻辑的文字，我总是感觉到不舒服，不吐不快。所以趁这次顺便把其中的一些拿出来讨论，也算留下痕迹。 Trust Wallet 提到，“当时受影响的用户数量约为 1 万名早期用户，我们已逐一通知并提供资产迁移方案。没有任何用户受到损失，并且所有受影响的钱包已被弃用。” 事实上，这个是非常反直觉的。2018 年当时 Trust Wallet 非常热，导致后来被 Binance 收购。在这种情况下，如何通知 1 万名用户钱包存在安全问题，并完成迁移是一件棘手的事情。如果真的做了，几乎一定会上新闻。而我本人的 Trust Wallet 第一个地址也是 2018 年生成的，在 2023 年 7 月份的事件中被盗。我从来没有印象收到过任何通知。 这位用户跟我的情况一样 x.com/teawaterwire/s… Trust Wallet 提到，“自 2018 年 7 月以来，所有 Trust Wallet 用户新创建的钱包均不再受到此漏洞影响。” 这也是明显错误的。你如何保证 1 万名用户每个人的软件都更新到了最新？假设一个人下载了当时有问题的版本之后，没有更新软件，那么他那个版本钱包创建出来的所有地址永远都有安全问题，都会被盗。 Trust Wallet 提到，“综合证据表明，2023 年的攻击并非源自 Trust Wallet 的漏洞，更可能是由多种来源共同导致。我们有充分信心，2018 年的漏洞并非此次事件的根源。” 这个春秋笔法非常好，但是很不准确。实际上 Trust Wallet 2018 年的漏洞虽不是 2023年 7 月所有被盗钱包的唯一根源，但贡献很大。原因如下：有真实的 Trust Wallet 用户受影响；能用 Trust Wallet 当时的代码，复现出受影响地址；受影响钱包活跃时间和 Trust Wallet 代码提交历史高度吻合。我们原先披露的文章中有更多详细讨论，不再赘述。 Trust Wallet 提到，“除了修复漏洞外，Trust Wallet 创始人还主动联系受影响用户，为他们提供安全迁移路径，确保没有任何用户继续面临风险。目前，相关受影响地址均已被确认不再持有余额。” 关于相关地址确认不再持有余额，这点是最搞笑的，因为这些地址在 2023 年 7 月被洗劫一空了。 我也是一名重度 Trust Wallet 用户，我 Trust Wallet 的第一个地址在 2023 年 7 月被盗促使我和我的同事 @outoflegend 进行深入调查。 然而，真正让我对它失去 Trust 的，是 Trust Wallet 后来对这个漏洞的回应与处理。我部分可以理解，因为每个钱包供应商，都希望自己有完美的安全历史。我真心希望 Trust Wallet 能做的更好，拿出更多证据，打消社区的疑虑。 我特地没有删除我的第一个 Trust Wallet 地址，只是在它的名字后面加上了 Rekt。