PT-2023-23277 · Unknown · Trust Wallet Browser Extension+1

Jean-Baptiste Bédrune · Published 2023-04-27 · Updated 2025-12-31 · CVE-2023-31290

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Trust Wallet Core versions prior to 3.1.1; Trust Wallet browser extension versions 0.0.172 through 0.0.182
Description: The issue allows theft of funds due to insufficient entropy: the mnemonic is derived from only 32 bits of randomness, because the mt19937 Mersenne Twister is seeded with a single 32-bit value, so only about four billion distinct mnemonics can ever be generated. The issue has been exploited in the wild in December 2022 and March 2023. An attacker can efficiently steal funds by identifying Ethereum addresses created since the 0.0.172 release and checking whether they could have been created by the affected extension.
Recommendations: For Trust Wallet Core versions prior to 3.1.1, upgrade the product version and move funds to a new wallet address. For Trust Wallet browser extension versions 0.0.172 through 0.0.182, upgrade the product version and move funds to a new wallet address.
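As an added illustration of the weakness described above (example code, not Trust Wallet's own), the following C++ contrasts a 128-bit entropy buffer filled from an mt19937 seeded with one 32-bit value against one filled from the operating system's random source; that std::random_device is backed by a real OS CSPRNG is an assumption about the platform.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <random>

// 128 bits of entropy is what a 12-word BIP39 mnemonic is derived from.
using Entropy128 = std::array<std::uint8_t, 16>;

// Weak construction modelled on the flaw described above (illustrative, not
// the project's code): the whole 128-bit buffer is a pure function of one
// 32-bit seed, so at most 2^32 distinct buffers, and hence mnemonics, exist.
Entropy128 weak_entropy(std::uint32_t seed) {
    std::mt19937 gen(seed);                 // mt19937 takes a 32-bit seed
    Entropy128 out{};
    for (std::size_t i = 0; i < out.size(); i += 4) {
        std::uint32_t word = gen();         // 4 bytes per generator output
        for (std::size_t j = 0; j < 4; ++j)
            out[i + j] = static_cast<std::uint8_t>(word >> (8 * j));
    }
    return out;
}

// Hardened form: every byte comes from the OS entropy source, so the buffer
// carries the full 128 bits. Assumes std::random_device is non-deterministic
// on the target platform (true on mainstream Linux, macOS and Windows builds).
Entropy128 strong_entropy() {
    std::random_device rd;
    Entropy128 out{};
    for (auto& b : out) b = static_cast<std::uint8_t>(rd());
    return out;
}

int main() {
    // Same seed, same "random" mnemonic entropy: the defining symptom.
    Entropy128 a = weak_entropy(12345u), b = weak_entropy(12345u);
    std::printf("weak generator deterministic for a fixed seed: %s\n",
                a == b ? "yes" : "no");
    Entropy128 c = strong_entropy(), d = strong_entropy();
    std::printf("two CSPRNG draws identical: %s\n", c == d ? "yes" : "no");
    return 0;
}
```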

Related Identifiers

CVE-2023-31290

Affected Products

Trust Wallet Core
Trust Wallet Browser Extension