US investigates Trust Wallet iOS app for vulnerability

Secbit Labs began its investigation on the Binance Trust Wallet app for iOS after numerous Ether wallets were hacked, and all funds were transferred to a single wallet address.

Update (Feb. 15, 12:10 PM UTC): This article has been updated based on Binance's statement to reflect that Trust Wallet is a separate legal entity that is not part of the Binance group and operates independently from Binance.com.

An agency of the United States Department of Commerce is analyzing the "Binance Trust Wallet app" for a vulnerability that could allow an attacker to steal funds from crypto wallets.

According to the National Institute of Standards and Technology (NIST), the agency tasked with promoting U.S. innovation and industrial competitiveness, a specific version of the Trust Wallet app "misuses the trezor-crypto library" so that the mnemonic words it generates are derived from a timestamp as their only source of entropy.

An entropy source is the randomness a key generator draws on. When that randomness is only a clock reading, the set of possible keys is small enough to enumerate. NIST noted that this vulnerability was exploited in the wild in July 2023, leading to economic losses. It explained:

“An attacker can systematically generate mnemonics for each timestamp within an applicable time frame, and link them to specific wallet addresses in order to steal funds from those wallets.”
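The attack in that sentence is easiest to see in code. The following is an added example written for this article, not code from Trust Wallet, trezor-crypto or the Milk Sad researchers: it models a wallet whose 128-bit seed is a deterministic function of a one-second timestamp, then enumerates every timestamp in a window and links the derived addresses to a set of funded addresses. The names `weak_entropy`, `address_from_entropy` and `link_addresses` are assumed here, and the address derivation is a hash stand-in for the real mnemonic-to-key-to-address pipeline, which is equally deterministic in the entropy.

```python
"""Why a timestamp-seeded wallet is enumerable: a toy model plus the search."""
import hashlib
import math
import secrets
from typing import Dict, Optional, Set

SEED_BYTES = 16  # 128 bits of entropy, the amount behind a 12-word BIP39 mnemonic


def weak_entropy(timestamp: int) -> bytes:
    """Hypothetical weak generator (not Trust Wallet's actual code): the whole
    seed is a function of a one-second timestamp, so at most 2**32 distinct
    seeds can ever be produced, however wide the output looks."""
    return hashlib.sha256(timestamp.to_bytes(4, "big")).digest()[:SEED_BYTES]


def strong_entropy() -> bytes:
    """What a wallet must do instead: 128 bits straight from the OS CSPRNG."""
    return secrets.token_bytes(SEED_BYTES)


def address_from_entropy(entropy: bytes) -> str:
    """Stand-in for the real mnemonic -> BIP32 key -> address derivation.
    The real pipeline is also a pure function of the entropy, which is all
    the attack relies on; a hash is used so the example runs without a
    wallet library."""
    return hashlib.sha256(b"address|" + entropy).hexdigest()[:40]


def link_addresses(funded: Set[str], start_ts: int, end_ts: int) -> Dict[str, int]:
    """The attack NIST describes: derive the address for every timestamp in
    the window and keep the ones that match known funded addresses."""
    hits: Dict[str, int] = {}
    for ts in range(start_ts, end_ts):
        addr = address_from_entropy(weak_entropy(ts))
        if addr in funded:
            hits[addr] = ts  # the timestamp IS the seed; the mnemonic follows
    return hits


def search_space_bits(window_seconds: int) -> float:
    """Effective entropy of a timestamp-seeded wallet created inside the window."""
    return math.log2(window_seconds)


def demo() -> Optional[int]:
    """Constructed scenario: one weak wallet and one CSPRNG wallet, both funded."""
    victim_ts = 1531440000  # hypothetical creation time, seconds since epoch (2018)
    victim_addr = address_from_entropy(weak_entropy(victim_ts))
    safe_addr = address_from_entropy(strong_entropy())
    funded = {victim_addr, safe_addr}

    day = 86400
    hits = link_addresses(funded, victim_ts - day // 2, victim_ts + day // 2)
    assert safe_addr not in hits  # the CSPRNG wallet is never reached by enumeration
    return hits.get(victim_addr)  # the weak wallet's seed is recovered


if __name__ == "__main__":
    print("recovered creation time:", demo())
    print("entropy of a 1-day window in bits:", round(search_space_bits(86400), 1))
```

A one-day creation window gives about 16 bits of effective entropy and a whole year about 25 bits, both trivially searchable on a laptop, against the 128 bits the mnemonic appears to carry. Because a BIP39 mnemonic is a fixed encoding of the entropy plus a checksum, recovering the timestamp recovers the mnemonic and every key derived from it.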

The information was made public on Feb. 8 and is currently awaiting analysis to determine the real-world scope of the vulnerability.

Trust Wallet app for iOS under investigation for vulnerability. Source: NIST

According to the CVE Program, which is sponsored by the U.S. Department of Homeland Security, Secbit Labs began investigating the Trust Wallet app for iOS after numerous Ether (ETH) wallets were hacked. The researchers traced the thefts to a wallet-generation weakness introduced in the iOS version of Trust Wallet in 2018 and connected it to the large thefts on July 12, 2023.

Speaking to Cointelegraph, a Binance spokesperson clarified that Trust Wallet is now a separate legal entity that is not part of the Binance group and operates independently from Binance.com.

The Milk Sad disclosure, an independent investigation, found at least 6,572 unique wallet mnemonics at risk of loss of funds. It found that the Trust Wallet app for iOS generated new wallets with open-source code that called functions in the trezor-crypto library that were not meant for production use and therefore produced weak randomness. After confirming that the weak wallets existed, it alleged that they were involved in the Milk Sad thefts.

Upon completing its analysis, NIST will assign the vulnerability a CVSS base score from 0 to 10, depending on its severity.