Skip to main content

CVE-2024-23660: n/a in n/a

High
VulnerabilityCVE-2024-23660cvecve-2024-23660
Published: Thu Feb 08 2024 (02/08/2024, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

The Binance Trust Wallet app for iOS in commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f, git tag 0.0.4 misuses the trezor-crypto library and consequently generates mnemonic words for which the device time is the only entropy source, leading to economic losses, as exploited in the wild in July 2023. An attacker can systematically generate mnemonics for each timestamp within an applicable timeframe, and link them to specific wallet addresses in order to steal funds from those wallets.

AI-Powered Analysis

AILast updated: 07/06/2025, 08:27:36 UTC

Technical Analysis

CVE-2024-23660 is a high-severity cryptographic vulnerability affecting the Binance Trust Wallet app for iOS, specifically in the version identified by commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f and git tag 0.0.4. The root cause is the improper use of the trezor-crypto library, which results in the generation of mnemonic seed phrases relying solely on the device's timestamp as the entropy source. Normally, mnemonic generation requires high-quality randomness to ensure unpredictability and security of wallet private keys. However, in this case, the entropy is limited to the device time, which is a low-entropy and predictable value. An attacker can exploit this by systematically generating all possible mnemonics corresponding to timestamps within a plausible timeframe, then deriving wallet addresses from these mnemonics. By matching derived addresses to target wallets, the attacker can identify vulnerable wallets and steal funds from them. This vulnerability falls under CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)) and has a CVSS 3.1 base score of 7.5, indicating high severity. The attack vector is network-based with no privileges or user interaction required, and it impacts the integrity of wallet funds, although confidentiality and availability are not directly affected. While no official patch links are provided, the issue was publicly disclosed in February 2024, with exploitation reportedly observed in the wild as early as July 2023. This vulnerability highlights the critical importance of using secure, high-entropy sources for cryptographic key generation in cryptocurrency wallets to prevent economic losses.

Potential Impact

For European organizations, particularly those involved in cryptocurrency trading, asset management, or providing wallet services, this vulnerability poses a significant financial risk. Compromised wallets can lead to direct theft of cryptocurrency assets, resulting in economic losses and potential reputational damage. Since the vulnerability affects the Binance Trust Wallet iOS app, European users of this wallet are at risk of having their funds stolen if they use affected versions. The impact extends beyond individual users to businesses that rely on these wallets for transactions or custody, potentially disrupting operations and undermining trust in digital asset security. Additionally, regulatory scrutiny in Europe regarding digital asset security and consumer protection could increase following incidents exploiting this vulnerability. The lack of a patch at the time of disclosure further exacerbates the risk, emphasizing the urgency for affected users and organizations to take protective measures.

Mitigation Recommendations

1. Immediate mitigation involves advising all users of the Binance Trust Wallet iOS app to upgrade to a version that addresses this vulnerability once available. Until a patch is released, users should avoid generating new wallets or mnemonic phrases using the affected app version. 2. Organizations should conduct audits to identify any wallets created with the vulnerable app version and consider migrating funds to new wallets generated with secure entropy sources. 3. Implement monitoring for suspicious transactions originating from wallets suspected to be vulnerable, enabling rapid response to potential theft. 4. Encourage users to enable additional security measures such as multi-factor authentication and hardware wallet integration where possible. 5. For developers and wallet providers, ensure the use of cryptographically secure random number generators with sufficient entropy sources during mnemonic generation, avoiding reliance on predictable values like timestamps. 6. Engage with Binance Trust Wallet developers or support channels to obtain updates and verify remediation status. 7. Educate users about the risks of using outdated wallet software and the importance of timely updates in the cryptocurrency ecosystem.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2024-01-19T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fa1484d88663aec3c9

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/6/2025, 8:27:36 AM

Last updated: 8/11/2025, 8:01:31 PM

Views: 24

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats