The National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce, is investigating a security issue with the Binance Trust Wallet app. This problem might let hackers steal cryptocurrency from wallets.
NIST has found that a specific Binance Trust Wallet app version incorrectly uses the “trezor-crypto library” for creating mnemonic words. Mnemonic words are words generated by a wallet that gives access to cryptocurrencies. These words should be unique and secure. However, the issue lies in verifying these words, which could let an attacker figure out the mnemonic words by checking each possible combination within a specific period. This method could then connect to particular wallet addresses and steal funds.
This security flaw was publicly shared on February 8 and is still being reviewed to understand how it might affect users in real scenarios.
Binance Trust Wallet app for iOS under investigation for vulnerability. Source: NIST
CVE, supported by the U.S. Department of Homeland Security, mentioned that Secbit Labs started looking into the Binance Trust Wallet app for iOS after several Ethereum wallets were compromised. They linked a vulnerability in the app’s method of creating new wallets, dating back to 2018, to significant thefts on July 12, 2023.
Binance hasn’t commented on this issue. However, an independent study by Milk Sad discovered over 6,500 wallet mnemonics that could potentially cause funds to be lost due to this vulnerability. It pointed out that the Trust Wallet app for iOS used open-source code that included unsafe functions for generating wallets. This flaw was connected to the thefts investigated by Milk Sad.
Once NIST finishes its investigation, it will give the vulnerability a score from 0 to 10 to indicate its seriousness.
