USA Investigates Trust Wallet iOS App
15 Feb, 2024 ● Coin news
A division of the United States Department of Commerce is examining the Binance Trust Wallet app for a potential vulnerability that could enable attackers to steal cryptocurrency funds.
According to the National Institute of Standards and Technology (NIST), which promotes American innovation, a specific version of the Binance Trust Wallet app "misuses the trezor-crypto library" and, as a result, generates mnemonic phrases for which the device time is the only source of entropy.
An entropy source is where the unpredictable random data used to generate a wallet's mnemonic comes from. NIST highlighted a similar vulnerability exploited in July 2023, resulting in financial losses. It elaborated:
"An attacker can systematically create mnemonics for each timestamp within a relevant time frame and associate them with specific wallet addresses to pilfer funds."
This disclosure was made public on Feb. 8 and is now under scrutiny to assess the actual extent of the vulnerability.
According to CVE, a U.S. Department of Homeland Security-sponsored program, Secbit Labs initiated an inquiry into the Binance Trust Wallet app for iOS after several Ether wallets were compromised.
They traced an older wallet generation flaw in the iOS version of Trust Wallet from 2018 and linked it to the major thefts on July 12, 2023.
Binance did not respond to Cointelegraph's request for comment. Nonetheless, an independent investigation by Milk Sad uncovered at least 6,572 unique wallet mnemonics at risk of fund loss.
It found that the Trust Wallet app for iOS generated new cryptocurrency wallets with open-source code that relied on unsafe functions in the trezor-crypto library, functions that were not intended for production use.
Upon confirming the existence of vulnerable wallets, it alleged their involvement in the Milk Sad thefts.
Following the investigation, NIST will assign a base score to the app's vulnerability, ranging from 0 to 10, based on its severity.
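The weakness NIST describes, a mnemonic whose only entropy is a timestamp, can be illustrated with a short added example (not code from Trust Wallet, trezor-crypto, NIST or the researchers). It assumes Python's `random.Random` as a stand-in for the unsafe generator, a 16-byte (128-bit) entropy value as used for a 12-word BIP-39 mnemonic, and a constructed one-hour window; all function names are hypothetical.

```python
import math
import random
import secrets

ENTROPY_BYTES = 16  # 128 bits, the entropy behind a 12-word BIP-39 mnemonic


def weak_entropy(timestamp: int) -> bytes:
    """Deliberately weak: every output byte is fixed by the timestamp seed.

    random.Random is a stand-in PRNG (assumption), not the library routine.
    """
    rng = random.Random(timestamp)
    return bytes(rng.getrandbits(8) for _ in range(ENTROPY_BYTES))


def strong_entropy() -> bytes:
    """Hardened form: entropy comes from the operating system CSPRNG."""
    return secrets.token_bytes(ENTROPY_BYTES)


def effective_bits(window_seconds: int) -> float:
    """Real unpredictability when the seed is a 1-second timestamp."""
    return math.log2(window_seconds)


def audit_entropy(entropy: bytes, start: int, end: int):
    """Wallet-owner self-check: return the timestamp in [start, end) that
    reproduces `entropy`, or None if it is not time-derived in that window."""
    for ts in range(start, end):
        if weak_entropy(ts) == entropy:
            return ts
    return None


# Constructed sample window: one hour of Unix timestamps (illustrative only).
WINDOW_START = 1_531_353_600
WINDOW_END = WINDOW_START + 3600

if __name__ == "__main__":
    year = 365 * 24 * 3600
    print(f"nominal bits: {ENTROPY_BYTES * 8}")
    print(f"effective bits over one year of timestamps: {effective_bits(year):.1f}")
    flagged = audit_entropy(weak_entropy(WINDOW_START + 1234), WINDOW_START, WINDOW_END)
    print(f"time-seeded value reproduced from timestamp: {flagged}")
    print(f"CSPRNG value reproduced: {audit_entropy(strong_entropy(), WINDOW_START, WINDOW_END)}")
```

A wallet whose entropy is flagged by such a check should be treated as compromised and its funds moved to a wallet generated from a CSPRNG.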
Sources:
https://cointelegraph.com/news/us-binance-trust-wallet-ios-vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2024-23660
https://www.cve.org/CVERecord?id=CVE-2024-23660
https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/