Trust Wallet counters investigation rumors and vulnerability concerns
Trust wallet said it had addressed the vulnerability issue promptly in 2018 upon discovery.
Trust Wallet has denied reports that it is under investigation by the US government or its agencies, according to a Feb. 15 statement.
‘Binance Trust Wallet’ vulnerability
Earlier today, multiple reports indicated that the National Institute of Standards and Technology (NIST), a US agency responsible for setting technology and cybersecurity standards, is investigating a potential vulnerability in the iOS version of “Binance Trust Wallet.”
Binance told CryptoSlate that Trust Wallet now operates as a separate legal entity and is not part of the Binance group.
The vulnerability, listed in the CVE database on Feb. 8, alleged that a particular version of the Trust Wallet app improperly utilizes the trezor-crypto library to create mnemonic words that can only be authenticated at the entropy source.
According to NIST, this flaw has already been exploited in the wild, resulting in financial losses. The agency stated:
“An attacker can systematically generate mnemonics for each timestamp within an applicable timeframe, and link them to specific wallet addresses in order to steal funds from those wallets.”
Trust wallet debunks report
In its rebuttal, Trust Wallet claimed that NIST operates a non-profit platform and database that allows the public to submit information for review and include it in the CVE database.
“The information highlighted in the news articles did not come from an official government-led investigation. Instead, the information was provided through a submission to a publicly accessible, open database, where independent representatives can submit vulnerability reports,” Trust Wallet added.
Regarding the identified vulnerability, Trust Wallet said it had addressed the issue promptly in July 2018 upon discovery. The firm stated that the vulnerability affected a limited subset of 10,000 downloads, and proactive measures were taken to safeguard users from potential risks.
In addition, the firm further disputed its implication in the July 2023 exploit. Trust Wallet asserted the affected wallets were not exclusive to its platform and likely stemmed from various sources.
According to the firm, only 600 out of over 2,000 addresses were traceable in its system, while only a third exhibited the 2018 vulnerability.
“We have high confidence that the 2018 Trust Wallet vulnerability was not the origin of the July 2023 security breach,” it concluded.