An arm of the U.S. Department of Commerce is currently scrutinizing older versions of the Binance Trust Wallet app for a vulnerability that could leave crypto wallets open to theft.
According to the National Institute of Standards and Technology (NIST), a specific version of the Trust Wallet app misused the trezor-crypto library and, as a result, generated mnemonic phrases whose only entropy source was the device's clock: the seed words were a function of the time at which the wallet was created rather than of unpredictable randomness. Anyone who can guess the creation time to within a plausible range can therefore regenerate the same mnemonic.
NIST notes that this weakness was exploited in the wild in July 2023, leading to financial losses. It describes the attack: because each mnemonic is fixed by its creation timestamp, an attacker can generate the mnemonic for every timestamp in a chosen time range, derive the corresponding wallet addresses, match them against addresses that hold funds, and drain the matching wallets.
The disclosure was published on February 8 and is still awaiting analysis to determine the full extent of the vulnerability. In response, a Trust Wallet spokesperson said the company had been transparent about the issue, noting that the trezor-crypto problem was identified in 2018, affected a limited number of downloads, and was patched promptly.
Following a significant Ethereum theft, Secbit Labs investigated the Trust Wallet app for iOS. They traced the weakness to a 2018 version of the wallet and linked it to a substantial theft that took place on July 12, 2023. A Binance representative, meanwhile, clarified that Trust Wallet operates independently as a separate legal entity.
Independent research by Milk Sad found that more than 6,500 unique wallet mnemonics could be at risk of fund loss. That investigation highlighted the Trust Wallet app's use of insecure functions in the trezor-crypto library and underscored the need for more robust randomness handling in cryptocurrency applications. Finally, the weakness is not confined to Trust Wallet: any application that relied on that version of the library in the same way could be affected.
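To make the attack NIST describes concrete, here is an added example in Python. It is not code from Trust Wallet, trezor-crypto, NIST or any of the researchers named here. Two stand-ins are assumptions: `random.Random` seeded with a Unix timestamp plays the role of a time-seeded generator, and a SHA-256 fingerprint stands in for the real mnemonic-to-seed-to-BIP32-key-to-address derivation (which is equally deterministic, which is the whole point). Only the BIP39 checksum and 11-bit word-index split follow the actual specification. The victim timestamp and the search window are constructed values.

```python
import hashlib
import random
import secrets
from typing import List, Optional, Tuple

ENTROPY_BYTES = 16  # 128 bits of entropy -> a 12-word BIP39 mnemonic


def weak_entropy(timestamp: int) -> bytes:
    """The flawed pattern: a deterministic PRNG seeded only with the clock.

    Assumption: random.Random stands in for whatever time-seeded generator
    a vulnerable app would use. What matters is that the output is a pure
    function of the timestamp, so it can be regenerated by anyone.
    """
    rng = random.Random(timestamp)
    return rng.getrandbits(ENTROPY_BYTES * 8).to_bytes(ENTROPY_BYTES, "big")


def strong_entropy() -> bytes:
    """The fix: read the OS CSPRNG, whose output cannot be rebuilt from time."""
    return secrets.token_bytes(ENTROPY_BYTES)


def bip39_word_indices(entropy: bytes) -> List[int]:
    """Split entropy plus its BIP39 checksum into 11-bit word-list indices.

    Per BIP39: append the first ENT/32 bits of SHA-256(entropy), then cut the
    result into 11-bit groups. Each index selects one word of the 2048-word
    list (the list itself is not embedded here).
    """
    cs_bits = len(entropy) * 8 // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total_bits = len(entropy) * 8 + cs_bits
    return [(bits >> (total_bits - 11 * (i + 1))) & 0x7FF
            for i in range(total_bits // 11)]


def address_from_entropy(entropy: bytes) -> str:
    """Assumed stand-in for mnemonic -> seed -> BIP32 key -> on-chain address.

    Any deterministic derivation demonstrates the attack; the real chain is
    just as deterministic, which is exactly why the enumeration works.
    """
    return hashlib.sha256(b"toy-wallet-address|" + entropy).hexdigest()[:40]


def recover_entropy(target_address: str, start_ts: int, end_ts: int
                    ) -> Optional[Tuple[int, bytes]]:
    """Attacker side: for every second in the window, regenerate the entropy
    the flawed app would have produced, derive the address and compare it with
    the address seen on-chain. Returns (timestamp, entropy) on a match.
    """
    for ts in range(start_ts, end_ts + 1):
        candidate = weak_entropy(ts)
        if address_from_entropy(candidate) == target_address:
            return ts, candidate
    return None


if __name__ == "__main__":
    victim_ts = 1_531_396_800                       # constructed creation time
    window = (victim_ts - 86_400, victim_ts + 86_400)  # attacker guesses +/- 1 day

    victim_entropy = weak_entropy(victim_ts)
    victim_address = address_from_entropy(victim_entropy)
    print("time-seeded wallet recovered:",
          recover_entropy(victim_address, *window) is not None)
    print("its BIP39 word indices:", bip39_word_indices(victim_entropy))

    safe_address = address_from_entropy(strong_entropy())
    print("CSPRNG wallet recovered:",
          recover_entropy(safe_address, *window) is not None)
```

A window of a whole year is only about 31.5 million candidate timestamps, and each candidate costs one PRNG seeding plus one key derivation, so a native implementation gets through it in minutes; the attacker does not need to know the creation time, only to bound it. The CSPRNG-backed wallet is not recoverable in any window because its 128 bits of entropy are independent of the clock.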


















