cointelegraph

U.S. investigates Binance Trust Wallet iOS app for vulnerability

An agency of the United States Department of Commerce (DOC) is analyzing the Binance Trust Wallet app for a vulnerability that could potentially allow an attacker to steal funds from crypto wallets.

According to the National Institute of Standards and Technology (NIST), the DOC agency tasked with promoting American innovation and industrial competitiveness, a specific version of the Binance Trust Wallet app “misuses the trezor-crypto library” to generate mnemonic words that can be verified only at the entropy source.

An entropy source is a physical location from which random data is generated. NIST noted that a similar vulnerability was exploited in July 2023, leading to economic losses. It explained:

“An attacker can systematically generate mnemonics for each timestamp within an applicable timeframe, and link them to specific wallet addresses in order to steal funds from those wallets.”
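To make concrete why clock-only entropy is fatal for a BIP39 mnemonic, here is an added Python example, not code from the article, from Trust Wallet or from trezor-crypto: a constructed toy LCG seeded from a timestamp stands in for a time-seeded generator, beside CSPRNG entropy, with the standard BIP39 checksum-and-split on top. All function names and the LCG constants are assumptions of this example.

```python
import hashlib
import math
import secrets


def _lcg_stream(seed: int, nbytes: int) -> bytes:
    # Constructed 32-bit LCG for illustration only; it is NOT trezor-crypto's code.
    # Everything it emits is fixed once the seed (here: a timestamp) is known.
    state = seed & 0xFFFFFFFF
    out = bytearray()
    while len(out) < nbytes:
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        out += state.to_bytes(4, "big")
    return bytes(out[:nbytes])


def timestamp_seeded_entropy(timestamp: int, nbytes: int = 16) -> bytes:
    """Entropy whose only input is a clock value: fully determined by the second."""
    return _lcg_stream(timestamp, nbytes)


def secure_entropy(nbytes: int = 16) -> bytes:
    """Entropy from the OS CSPRNG, which is what BIP39 expects the caller to supply."""
    return secrets.token_bytes(nbytes)


def bip39_word_indices(entropy: bytes) -> list:
    """Standard BIP39: append ENT/32 checksum bits from SHA-256, split into 11-bit indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("BIP39 entropy must be 128..256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def effective_keyspace_bits(window_seconds: int) -> float:
    """Bits of search space a time-seeded generator offers over a window of seconds."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    ts = 1689120000  # constructed sample timestamp
    print("same second, same mnemonic:",
          bip39_word_indices(timestamp_seeded_entropy(ts)) == bip39_word_indices(timestamp_seeded_entropy(ts)))
    print("one year of seconds ~ %.1f bits vs 128 required" % effective_keyspace_bits(365 * 86400))
```

Two wallets created in the same second collapse to one mnemonic, and even a multi-year window stays below 30 bits against the 128 bits a 12-word mnemonic is supposed to carry.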

The information was made public on Feb. 8 and currently awaits analysis to determine the real-world scope of the vulnerability.

Binance Trust Wallet app for iOS under investigation for vulnerability. Source: NIST

According to CVE, a program sponsored by the U.S. Department of Homeland Security (DHS), SECBIT Labs began investigating the Binance Trust Wallet app for iOS after numerous Ether (ETH) wallets were hacked. The researchers traced the problem to a 2018 wallet-generation weakness in the iOS version of Trust Wallet and connected it to the large thefts on July 12, 2023.


Binance did not respond to Cointelegraph’s request for comment. However, an independent investigation by Milk Sad found at least 6572 unique wallet mnemonics at risk of losing funds.

It found that the Trust Wallet app for iOS generated new cryptocurrency wallets with open-source code that relied on unsafe functions in the trezor-crypto library, functions not intended for production use. While confirming that the weak wallets exist, the researchers alleged that this weakness was involved in the Milk Sad thefts.

Upon completing the investigation, NIST will assign the vulnerability a base score ranging from 0 to 10, depending on its severity.
