NIST conducts inquiry into vulnerability in Binance Trust Wallet
The National Institute of Standards and Technology (NIST), a division of the United States Department of Commerce, is currently examining a specific vulnerability in the iOS version of the Binance Trust Wallet application. The investigation focuses on a security flaw that, if exploited, could allow attackers to gain unauthorized access to users’ cryptocurrency wallets and redirect their funds. At its center is the application’s improper use of the trezor-crypto library to generate mnemonic words, which are crucial for securing user funds and whose security rests entirely on the quality of the entropy source from which they are derived.
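As an added illustration, not code from the article or from Trust Wallet or trezor-crypto, the following Python implements the BIP39 entropy-to-mnemonic mapping that such wallets rely on: the word sequence is a deterministic function of the entropy bytes, so a mnemonic is exactly as unpredictable as the entropy fed in, and nothing downstream can add security. The wordlist lookup is omitted; the 11-bit indices returned map one-to-one onto the standard 2048-word English list (index 0 is "abandon", index 3 is "about").

```python
import hashlib
import secrets

# BIP39 permits only these entropy sizes; anything shorter shrinks the keyspace
# below the 12-word strength users assume, so it is rejected outright.
ALLOWED_ENTROPY_BITS = (128, 160, 192, 224, 256)


def entropy_to_word_indices(entropy: bytes) -> list:
    """Append the SHA-256 checksum bits and split into 11-bit word indices.

    This is the whole derivation: no randomness is introduced here, so
    weak entropy in means a guessable mnemonic out.
    """
    ent_bits = len(entropy) * 8
    if ent_bits not in ALLOWED_ENTROPY_BITS:
        raise ValueError(
            f"entropy must be one of {ALLOWED_ENTROPY_BITS} bits, got {ent_bits}"
        )
    cs_bits = ent_bits // 32                      # 4 bits for 128, 8 for 256
    checksum = hashlib.sha256(entropy).digest()
    bits = int.from_bytes(entropy, "big") << cs_bits
    bits |= checksum[0] >> (8 - cs_bits)          # top cs_bits of the hash
    total = ent_bits + cs_bits                    # always a multiple of 11
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def generate_word_indices(bits: int = 128) -> list:
    """Draw entropy from the OS CSPRNG, the only place the mnemonic's security can come from."""
    return entropy_to_word_indices(secrets.token_bytes(bits // 8))


if __name__ == "__main__":
    # Constructed all-zero entropy, the published BIP39 test vector: every
    # word is "abandon" (0) except the checksum-bearing last word "about" (3).
    print(entropy_to_word_indices(bytes(16)))
    print(generate_word_indices())
```

Two calls with the same entropy always return the same indices, which is why an attacker who can reproduce a wallet's entropy source can reproduce its mnemonic.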
This issue resembles an earlier incident in July 2023, in which the exploitation of a similar vulnerability resulted in financial losses. NIST’s current effort aims to assess whether mnemonic generation can be manipulated so that the resulting mnemonics are tied to attacker-chosen wallet addresses, enabling unauthorized fund withdrawals. The analysis, disclosed publicly on Feb. 8, seeks to determine the practical implications and the extent of the vulnerability’s impact.
At the same time, the CVE database, supported by the U.S. Department of Homeland Security, has opened an investigation into Trust Wallet through Secbit Labs following a series of unauthorized accesses to Ether wallets. The investigation has identified a vulnerability in the iOS version of Trust Wallet dating back to 2018 and has directly linked it to significant thefts recorded on July 12, 2023.
Despite Binance’s lack of response to these security concerns, an independent investigation by Milk Sad has revealed a significant risk. The review identified over 6,500 wallet mnemonics that are potentially at risk, exposed by the use of insecure functions within the trezor-crypto library. This exposure is directly connected to the methods used in the Milk Sad theft incidents, underscoring the critical nature of the flaw.
NIST’s investigation will ultimately assign the app’s vulnerability a base severity score, ranging from 0 to 10, that indicates the level of risk it poses to users. This step is crucial in informing users how serious the security flaw is.
The recent events surrounding the Trust Wallet vulnerability are not the only challenges that Binance has faced. The cryptocurrency exchange has also been addressing rumors of a system leak following allegations on X about the availability of Binance user data on GitHub. Binance has firmly denied these claims and reassured its community about the integrity and safety of its accounts, stating that no breaches have occurred.
Meanwhile, the sentencing of Binance’s founder, Changpeng Zhao, has been postponed from the original date of Feb. 23 to April 30, as reported by CNBC. The reasons for this delay have not been disclosed, and Zhao’s lawyer has declined to comment.