NIST Probes Binance Trust Wallet App for Potential Vulnerability


Key Takeaways

  • The concern is that the affected app generated mnemonic words for which the device time was the only entropy source, so the resulting keys can be reproduced by anyone who can guess the creation time.
  • Once the review is complete, NIST's National Vulnerability Database (NVD) will assign the entry a CVSS base score, rating its severity on a scale of 0 to 10.

The National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, is currently reviewing a vulnerability in the Binance Trust Wallet app that exposes affected users to theft of their crypto funds.

The issue centers on a version of the app that reportedly misuses the trezor-crypto library when generating mnemonic words, the seed phrase from which a wallet's private keys are derived. This library, used by platforms such as Trust Wallet, is a core building block for creating wallets for cryptocurrencies such as Bitcoin and Ethereum. The concern is that the app generated mnemonic words for which the device time was the only entropy source. A clock is predictable, so the space of possible seed phrases collapses to the number of seconds in the window during which wallets were created.

“An attacker can systematically generate mnemonics for each timestamp within an applicable timeframe, and link them to specific wallet addresses in order to steal funds from those wallets”, the NIST statement reads. Once the review is completed, NIST's NVD will assign the vulnerability a CVSS base score, rating its severity on a scale of 0 to 10.
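The attack in the statement above is easiest to see in code. The following is an added example, not Trust Wallet's or trezor-crypto's code: the 32-bit linear congruential generator seeded with the clock, the creation timestamp, the search window and the short wallet identifier are all constructed stand-ins for the real PRNG, the real creation time and the real on-chain address. The BIP39 encoding (entropy plus a SHA-256 checksum, cut into 11-bit word indices) is the genuine standard, returned as indices so no word list is needed.

```python
"""Clock-seeded wallet generation and the timestamp brute-force it invites.
Added example; the weak PRNG, timestamps and wallet identifiers are constructed."""
import hashlib
import secrets

ENTROPY_BYTES = 16  # 128 bits of entropy -> a 12-word BIP39 mnemonic


def entropy_to_word_indices(entropy: bytes) -> list[int]:
    """BIP39 encoding: append ENT/32 checksum bits (leading bits of SHA-256),
    then cut the result into 11-bit word-list indices (0..2047)."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    packed = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(packed >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def word_indices_to_entropy(indices: list[int]) -> bytes:
    """Inverse of entropy_to_word_indices; raises ValueError on a bad checksum."""
    total_bits = len(indices) * 11
    ent_bits = total_bits * 32 // 33
    cs_bits = total_bits - ent_bits
    packed = 0
    for idx in indices:
        packed = (packed << 11) | idx
    entropy = (packed >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if packed & ((1 << cs_bits) - 1) != expected:
        raise ValueError("BIP39 checksum mismatch")
    return entropy


def weak_entropy(timestamp: int) -> bytes:
    """CONSTRUCTED weak generator: a 32-bit LCG seeded with nothing but the
    device clock in seconds.  It models the failure mode the advisory describes;
    it is NOT the trezor-crypto routine.  Only 2**32 outputs exist, and in
    practice only the seconds of the app's deployment window matter."""
    state = timestamp & 0xFFFFFFFF
    out = bytearray()
    for _ in range(ENTROPY_BYTES // 4):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        out += state.to_bytes(4, "big")
    return bytes(out)


def strong_entropy() -> bytes:
    """What a wallet should do: draw the entropy from the OS CSPRNG."""
    return secrets.token_bytes(ENTROPY_BYTES)


def wallet_id(entropy: bytes) -> str:
    """Stand-in for the public address.  A real wallet runs
    mnemonic -> PBKDF2 seed -> BIP32 key -> address; the extra per-candidate
    cost slows the scan but does not change that the address is a pure
    function of the mnemonic, and the mnemonic a pure function of the entropy."""
    mnemonic = " ".join(map(str, entropy_to_word_indices(entropy)))
    return hashlib.sha256(mnemonic.encode()).hexdigest()[:16]


def recover_creation_time(target_id: str, window_start: int, window_end: int):
    """The attack: regenerate the wallet for every second in the window and
    stop at the timestamp that reproduces the target's public identifier."""
    for ts in range(window_start, window_end):
        if wallet_id(weak_entropy(ts)) == target_id:
            return ts
    return None


def demo(window_seconds: int = 86400):
    created_at = 1535000000  # constructed: a second in August 2018
    victim_entropy = weak_entropy(created_at)
    victim = wallet_id(victim_entropy)
    # The attacker knows only the public identifier and roughly when the app shipped.
    hit = recover_creation_time(victim, created_at - window_seconds, created_at + window_seconds)
    assert entropy_to_word_indices(weak_entropy(hit)) == entropy_to_word_indices(victim_entropy)
    # A CSPRNG-backed wallet cannot be reproduced from any timestamp.
    safe = wallet_id(strong_entropy())
    miss = recover_creation_time(safe, created_at - window_seconds, created_at + window_seconds)
    return hit, miss


if __name__ == "__main__":
    found, not_found = demo()
    print("weak wallet: creation time recovered ->", found)
    print("CSPRNG wallet: creation time recovered ->", not_found)
```

Scanning a day of seconds takes a few seconds of CPU here; the real derivation (PBKDF2 with 2048 rounds, then elliptic-curve key derivation) is slower per candidate, but the search space is still the deployment window in seconds, which is why the advisory treats the flaw as practically exploitable.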

NIST’s review comes after the same class of weakness was exploited in July 2023, leading to significant financial losses: attackers regenerated the mnemonics for each second in the relevant window and matched them against funded wallet addresses.

Prior to NIST’s involvement, Secbit Labs, working with the CVE program sponsored by the US Department of Homeland Security, identified the vulnerability in the Binance Trust Wallet app for iOS. Researchers traced it to a wallet-generation flaw in the 2018 iOS version of Trust Wallet, which has been linked to the significant thefts of July 2023.

Trust Wallet had previously disclosed a separate low-entropy vulnerability in its browser extension in April 2023. In cryptography, entropy is a measure of how unpredictable the random input to key generation is; a seed phrase is only as strong as the entropy that produced it, and a timestamp carries very little.

Further scrutiny by the independent investigators behind Milk Sad revealed over 6,500 unique wallet mnemonics at risk of fund loss. Their investigation found that the Trust Wallet app for iOS had used open-source code to generate new wallets that relied on random-number functions in the trezor-crypto library which the library itself marks as unsuitable for production use.

Milk Sad alleges that these weak wallets were among those drained in the thefts it uncovered. In December last year, the National Vulnerability Database (NVD) had also flagged Bitcoin inscriptions as a cybersecurity risk, reflecting ongoing concern about vulnerabilities across crypto systems.

Saniya Raahath