Binance Trust Wallet iOS App Under Investigation for Serious Vulnerabilities

U.S. cybersecurity authorities have opened an investigation into a critical vulnerability in the iOS version of the cryptocurrency wallet app Binance Trust Wallet, which could allow attackers to steal user funds. The vulnerability has already been actively exploited in the wild, putting thousands of crypto holders’ digital assets at risk.

The National Institute of Standards and Technology (NIST) added the vulnerability to its Common Vulnerabilities and Exposures (CVE) database on February 8th, 2024. The CVE program tracks security flaws and exposures in software that pose significant security risks. Inclusion in the CVE database means the vulnerability is considered serious and requires prompt attention.

By exploiting the vulnerability, attackers could systematically guess password phrases, known as “mnemonics” in the crypto world, to access and drain wallets linked to specific wallet addresses. According to the CVE entry, this is exactly what happened in July 2023 when bad actors were able to steal money from Trust Wallet users due to weaknesses in the way the app generates and secures mnemonics.

A Concerning History of Breaches

Unfortunately, this investigation into serious security issues is just the latest trouble for Binance’s Trust Wallet app. The wallet platform suffered multiple cyber attacks last year resulting in over $4 million in stolen funds.

Back in February 2023, Trust Wallet revealed its Binance Bridge was compromised in a cyber intrusion that allowed hackers to steal around $325 million worth of cryptocurrency. Just a few months later in June, the company announced that a security exploit in Trust Wallet’s infrastructure led to another $5.8 million loss.

These back-to-back breaches highlighted flaws in Trust Wallet’s security defenses. They also underscored the inherent vulnerabilities of hot wallets that keep crypto keys online as opposed to disconnected cold wallets. However, the software bug now under investigation takes things a step further by potentially allowing attackers to easily guess the wallet mnemonics guarding user funds.

The Severity of the Mobile App Vulnerability

While Trust Wallet has released advice warning users about phishing attempts trying to steal wallet mnemonics, this recently uncovered flaw is far more alarming. Rather than tricking users into giving up their wallet passphrases, it could let malicious actors guess mnemonics via a software vulnerability.

Based on the vulnerability details submitted to CVE after exploitation reports last July, the flaw relates specifically to the iOS mobile app version of Trust Wallet. It seems the app may not have been correctly implementing Trezor’s open-source crypto library for mnemonic generation and key derivation. This weakness could let attackers successfully predict mnemonics and access wallet contents.

By systematically checking different mnemonics linked to past timestamps, hackers could drain funds from crypto wallets protected by flawed mnemonics generated via the Trust Wallet iOS app. The government investigation confirms this exploit has already led to stolen money in the real world, making it extremely high-risk for iOS users.
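The following is an added illustration, not code from Trust Wallet, Trezor, or the CVE entry, of why a mnemonic tied to a timestamp is guessable while one drawn from the operating system's CSPRNG is not. `weak_entropy` is a hypothetical stand-in for a clock-seeded generator (the article does not describe the app's actual generator); `bip39_indices` follows the public BIP-39 encoding and returns word-list indices rather than words.

```python
import hashlib
import math
import random
import secrets


def bip39_indices(entropy: bytes) -> list:
    """BIP-39 encoding: entropy bits + SHA-256 checksum bits, split into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32                      # 4 checksum bits for 128-bit entropy
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11          # 12 words for 128-bit entropy
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def weak_entropy(unix_time: int) -> bytes:
    """Hypothetical flawed design: a non-cryptographic PRNG seeded with the clock.
    The output looks random but is a pure function of the timestamp."""
    return random.Random(unix_time).getrandbits(128).to_bytes(16, "big")


def strong_entropy() -> bytes:
    """Hardened form: 128 bits straight from the OS CSPRNG, no seed to guess."""
    return secrets.token_bytes(16)


def effective_bits(window_seconds: int) -> float:
    """Real security level when the only unknown is the creation second in a window."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    t = 1_690_000_000  # constructed sample timestamp (July 2023)
    # Same second in, same 12 word indices out: the mnemonic is reproducible.
    print("weak, run 1:", bip39_indices(weak_entropy(t)))
    print("weak, run 2:", bip39_indices(weak_entropy(t)))
    print("strong     :", bip39_indices(strong_entropy()))
    year = 365 * 24 * 3600
    print(f"one-year window: {effective_bits(year):.1f} bits vs 128 bits intended")
```

A wallet audit should confirm that mnemonic entropy comes only from the platform CSPRNG and that no time, counter, or device value is used as a seed.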

Protecting Mobile Crypto Holders

For cryptocurrency enthusiasts who rely on Trust Wallet’s iOS application to store and use their coins and tokens, this news means they could be vulnerable to theft. The severity of the bug has prompted federal authorities to step in and investigate due to the potential for massive financial damage.

Until further details emerge about securing the app or mitigating the exploit, iOS Trust Wallet users would be wise to take precautions. Avoid keeping substantial holdings in Trust Wallet or any hot wallet, switch to cold wallet alternatives not dependent on mnemonics, and watch closely for updates.

Although Binance acquired Trust Wallet back in 2018, the company recently stated that Trust Wallet now operates independently. However, Trust Wallet’s official X profile has shared no warnings about this vulnerability or guidance for iOS users concerned over the security of their funds.

As cryptocurrency adoption accelerates globally, making digital assets more mainstream, threats like this will undermine wider trust in the ecosystem’s security. Luckily, rapid government action and cryptocurrency community awareness about the Trust Wallet app issue will hopefully prevent further exploits and give the platform a chance to harden defenses.

But this event does illustrate why caution about new crypto products without lengthy track records continues to be warranted. It also shows centralized exchanges and wallet providers have ongoing work ahead to match institutional custody solutions if they want to compete for larger capital entering the space.

For Trust Wallet specifically, the platform still needs to rebuild credibility and trust after suffering multiple breaches last year followed by this serious vulnerability coming to light. We will have to wait and see if the company can address the problems and deliver the bulletproof security expected from a guardian of users’ precious crypto assets.
