The National Institute of Standards and Technology (NIST), an entity within the United States Department of Commerce, is currently scrutinizing a specific vulnerability in the iOS version of the Binance Trust Wallet application.
This examination centers on a security flaw that, if exploited, could potentially enable attackers to illicitly access and divert funds from users’ cryptocurrency wallets. The focus of the investigation is on how the application improperly utilizes the trezor-crypto library for generating mnemonic words, crucial for securing user funds, which ought to be authenticated at the entropy source exclusively.
This issue bears similarity to a precedent in July 2023, where exploitation of a similar vulnerability led to financial detriments. NIST’s current efforts aim to meticulously assess the possibility of manipulating mnemonic generation to fraudulently link them to specific wallet addresses, thereby facilitating unauthorized fund withdrawals. This critical analysis, disclosed publicly on Feb. 8, seeks to ascertain the practical implications and the extent of the vulnerability’s impact.
Simultaneously, the CVE database, backed by the U.S. Department of Homeland Security, initiated an inquiry into the Trust Wallet through Secbit Labs following a spate of unauthorized accesses to Ether wallets. The probe identified a vulnerability in the iOS platform’s version of Trust Wallet dating back to 2018, directly correlating it with substantial thefts recorded on July 12, 2023.
Despite Binance’s silence regarding these security concerns, an independent investigation by Milk Sad has brought to light a significant risk. The review identified over 6,500 wallet mnemonics at potential risk, pinpointing their vulnerability to the use of insecure functions within the trezor-crypto library. This exposure is directly linked to the methods leveraged in the Milk Sad theft incidents, underscoring the critical nature of the flaw.
The conclusion of NIST’s investigation will culminate in the assignment of a base severity score to the app’s vulnerability, ranging from 0 to 10, reflecting the potential risk it poses to users. This step is pivotal in guiding users on the gravity of the security flaw.
The recent events concerning the Trust Wallet vulnerability are not the only challenges Binance has encountered. The cryptocurrency exchange has also been addressing rumors of a system leak following allegations on X regarding the availability of Binance user data on GitHub. In a firm rebuttal of these claims, Binance has reassured its community about the integrity and safety of its accounts, categorically denying any breaches.
Meanwhile, the sentencing for Binance’s founder, Changpeng Zhao, has been postponed to April 30 from the original Feb. 23 date, as reported by CNBC. The reasons for this delay have not been disclosed, and Zhao’s lawyer has declined to comment.