Trust Wallet responds to rumors of investigations and concerns about vulnerabilities.
According to a February 15 statement, Trust Wallet denied reports that it was under investigation by the U.S. government or its agencies.
‘Binance Trust Wallet’ vulnerability
According to multiple reports this morning, the National Institute of Standards and Technology (NIST), the US agency responsible for setting technology and cybersecurity standards, is investigating potential vulnerabilities in the iOS version of “Binance Trust Wallet.”
Binance said CryptoSlate Trust Wallet now operates as a separate legal entity and is not part of the Binance group.
The vulnerability, listed in the Feb. 8 CVE database, alleges that certain versions of the Trust Wallet app improperly utilize the trezor-crypto library to generate mnemonic words that can only be authenticated by entropy sources.
According to NIST, the flaw has already been exploited in the wild, causing financial losses. The agency stated:
“An attacker can systematically create a mnemonic for each timestamp within that time period and associate it with a specific wallet address to steal funds from that wallet.”
Report Debunks Trust Wallet
In its rebuttal, Trust Wallet argued that NIST operates a non-profit platform and database where the public can submit information for review and inclusion in the CVE database.
“The information highlighted in the news article does not come from an official government-led investigation. Instead, the information was submitted to an open, publicly accessible database for independent officials to submit vulnerability reports,” Trust Wallet added.
Regarding the identified vulnerability, Trust Wallet stated that it fixed the issue in July 2018 as soon as it was discovered. The company said the vulnerability affected a limited subset of 10,000 cases and that precautions had been taken to protect users from potential risks.
The company also further disputed the impact of the exploit in July 2023. Trust Wallet claimed that the affected wallets were not unique to the platform and likely came from a variety of sources.
According to the company, only 600 of the more than 2,000 addresses were traceable in the system, and only a third showed vulnerabilities in 2018.
“We have high confidence that the 2018 Trust Wallet vulnerability was not the cause of the July 2023 security breach,” they concluded.