The United States Department of Commerce is investigating potential vulnerabilities in the Binance Trust Wallet application for iOS users. The supposed glitch would allow attackers to steal funds from users’ crypto wallets if not addressed.
Investigating Binance’s Trust Wallet iOS Version
The National Institute of Standards and Technology (NIST), a government agency under the Department of Commerce committed to promoting innovation and industrial competitiveness, is investigating a potential vulnerability. NIST says it found that a specific version of the Binance Trust Wallet application improperly used the trezor-crypto library.
This library is responsible for producing mnemonic words, which are noteworthy in that they can only be verified at the source of entropy. The entropy source denotes a physical site from which data emanates. NIST also stated that a similar vulnerability was maliciously exploited in July 2023, resulting in significant financial consequences.
NIST further explained that the alleged vulnerability would allow a malicious actor to systematically produce mnemonics that correspond to every timestamp within a specified period for particular wallet addresses, and then move funds out of the targeted wallets.
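The following is an added example, not code from Trust Wallet, trezor-crypto or NIST, showing why entropy tied to a timestamp is enumerable while entropy from the operating system's CSPRNG is not. The function names, the one-second resolution, the 2018 window and the use of Python's `random.Random` as a stand-in generator are assumptions made for illustration.

```python
import math
import random
import secrets
from datetime import datetime, timezone

ENTROPY_BYTES = 16  # 128 bits, the entropy behind a 12-word mnemonic


def weak_entropy(unix_time: int) -> bytes:
    """Vulnerable pattern (assumed for illustration): a deterministic PRNG
    seeded with the device clock. The same timestamp gives the same bytes."""
    rng = random.Random(unix_time)
    return bytes(rng.getrandbits(8) for _ in range(ENTROPY_BYTES))


def strong_entropy() -> bytes:
    """Hardened pattern: take every byte from the OS CSPRNG."""
    return secrets.token_bytes(ENTROPY_BYTES)


def effective_bits(window_start: datetime, window_end: datetime) -> float:
    """Upper bound on the secret's entropy when its only input is a
    one-second timestamp known to lie in [window_start, window_end)."""
    seconds = int((window_end - window_start).total_seconds())
    return math.log2(seconds)


def audit() -> dict:
    # Constructed sample values: a one-year window and an arbitrary
    # wallet-creation time inside it.
    start = datetime(2018, 1, 1, tzinfo=timezone.utc)
    end = datetime(2019, 1, 1, tzinfo=timezone.utc)
    created = int(start.timestamp()) + 12345
    return {
        "weak_repeatable": weak_entropy(created) == weak_entropy(created),
        "strong_repeatable": strong_entropy() == strong_entropy(),
        "weak_bits": effective_bits(start, end),
        "nominal_bits": ENTROPY_BYTES * 8,
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```

A wallet whose secret depends only on its creation second within one year carries under 25 bits of real entropy, however long the mnemonic looks; a review of wallet-generation code should confirm that every entropy byte comes from the platform CSPRNG.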
Awaiting Results
Following a string of hacks of Ethereum (ETH) wallets, Secbit Labs began investigating the Binance Trust Wallet software for iOS. This research complies with the Common Vulnerabilities and Exposures (CVE) program, which the US Department of Homeland Security supports.
The researchers traced the source of the security vulnerability to a flaw in wallets from a 2018 version unique to the iOS platform. The later discovery of a link between this past vulnerability and the significant breaches on July 12, 2023, revealed more underlying problems. The current inquiry is expected to further explain the full scope of the vulnerability’s impact and its real-world implications.
Possible Loss Of Funds
An independent investigation by Milk Sad revealed that at least 6,572 wallet mnemonics within the Trust Wallet app for iOS are in danger of fund losses. The investigation found that the iOS version of the Trust Wallet app used open-source code to generate new crypto wallets, which isn’t secure enough.
It further argued that this version included unsafe functions within the “trezor-crypto” library, which differed from its intended use in production environments. Milk Sad’s findings claim that the app’s reliance on functionality from the trezor-crypto library that was never designed for production exposes users to security breaches.
Following the results of this investigation, NIST plans to establish a baseline score (on a scale of 0 to 10) to assess the severity of the app’s vulnerability. This score will be critical in determining the scope of the threat posed by the detected vulnerabilities. It can also help stakeholders prioritize and carry out the security steps needed to protect users’ crypto assets.