NIST Probes Security Vulnerability in Binance's Trust Wallet for iOS
The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, is investigating a vulnerability in the iOS app of Binance's Trust Wallet. This security concern could potentially allow attackers to gain unauthorized access and transfer funds from users' crypto wallets. The investigation focuses on the app's misuse of the trezor-crypto library for generating mnemonic phrases, which are essential for user fund security and should be verified at the entropy source alone.
This issue follows a July 2023 incident where a similar flaw resulted in financial losses. NIST aims to thoroughly examine the risk of manipulating mnemonic phrase generation to unjustly associate them with certain wallet addresses, enabling illicit fund withdrawals. Revealed on February 8, this probe intends to determine the vulnerability's real-world impact and scope.
Additionally, following reports of unauthorized Ether wallet access, the CVE database, supported by the U.S. Department of Homeland Security, launched an investigation with Secbit Labs into Trust Wallet. This inquiry traced a vulnerability in the iOS version of Trust Wallet back to 2018, linking it to significant thefts on July 12, 2023.
Independent research by Milk Sad highlighted a severe risk, identifying over 6,500 wallet mnemonics at risk due to the trezor-crypto library's insecure functions. This flaw is closely related to the methods used in the Milk Sad thefts, emphasizing the urgency of addressing this security gap.
The outcome of NIST's inquiry will lead to a base severity score for the app's vulnerability, rated on a scale from 0 to 10, to inform users about the associated risk level.
Amidst these security issues, Binance also combats rumors of a data leak, following allegations on X about user data being available on GitHub. Binance has strongly denied these allegations, asserting the security of its accounts.
In a related development, the sentencing of Binance founder Changpeng Zhao has been deferred to April 30, with no reasons provided for the delay, and Zhao's legal representation remaining silent on the matter.