The United States National Institute of Standards and Technology is investigating a vulnerability in the Trust Wallet app for iOS, owned by Binance.
According to the description, the wallet software incorrectly uses the trezor-crypto library. As a result, the device’s time is the sole source of entropy for generating mnemonic phrases.
This bug opens the door for exploits in Trust Wallet. An attacker could systematically create mnemonics for each timestamp and link them to specific addresses to steal funds.
The submission filed by the non-profit MITRE Corporation is pending analysis. It includes links to relevant vulnerability research by experts from the Milk Sad and SECBIT Labs projects. The results were published in January.
Experts identified at least 6,500 wallets at risk. According to their data, exploits already carried out resulted in the loss of nearly 33 BTC in just three major incidents in July 2023.
The Trust Wallet team responded to media reports, assuring that U.S. authorities are not investigating the project and that user assets remain secure.
According to the developers, the issue concerns a known vulnerability in the iOS app, which affected approximately 10,000 downloads from March to July 2018. All users were informed and offered asset migration methods, and the bug was fixed.
Hey Trust Wallet fam,
We’d like to address some articles that have recently been published by some prominent Crypto media outlets, regarding the security of Trust Wallet.
For clarity on two main points: users' assets are #SAFU and we are NOT being investigated by the US…
— Trust Wallet (@TrustWallet) February 15, 2024
Binance acquired Trust Wallet in the summer of 2018. The mobile app primarily focused on Ethereum assets, and it was only by the end of the year that the team added support for Bitcoin.
The first desktop version of the wallet was a macOS release in 2019.
In April 2023, developers announced the resolution of a critical vulnerability in the core software library of the Trust Wallet browser application.
