CVE-2024-23660: n/a in n/a
The Binance Trust Wallet app for iOS in commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f, git tag 0.0.4 misuses the trezor-crypto library and consequently generates mnemonic words for which the device time is the only entropy source, leading to economic losses, as exploited in the wild in July 2023. An attacker can systematically generate mnemonics for each timestamp within an applicable timeframe, and link them to specific wallet addresses in order to steal funds from those wallets.
AI Analysis
Technical Summary
CVE-2024-23660 is a high-severity cryptographic vulnerability affecting the Binance Trust Wallet app for iOS, specifically in the version identified by commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f and git tag 0.0.4. The root cause is the improper use of the trezor-crypto library, which results in the generation of mnemonic seed phrases relying solely on the device's timestamp as the entropy source. Normally, mnemonic generation requires high-quality randomness to ensure unpredictability and security of wallet private keys. However, in this case, the entropy is limited to the device time, which is a low-entropy and predictable value. An attacker can exploit this by systematically generating all possible mnemonics corresponding to timestamps within a plausible timeframe, then deriving wallet addresses from these mnemonics. By matching derived addresses to target wallets, the attacker can identify vulnerable wallets and steal funds from them. This vulnerability falls under CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)) and has a CVSS 3.1 base score of 7.5, indicating high severity. The attack vector is network-based with no privileges or user interaction required, and it impacts the integrity of wallet funds, although confidentiality and availability are not directly affected. While no official patch links are provided, the issue was publicly disclosed in February 2024, with exploitation reportedly observed in the wild as early as July 2023. This vulnerability highlights the critical importance of using secure, high-entropy sources for cryptographic key generation in cryptocurrency wallets to prevent economic losses.
Potential Impact
For European organizations, particularly those involved in cryptocurrency trading, asset management, or providing wallet services, this vulnerability poses a significant financial risk. Compromised wallets can lead to direct theft of cryptocurrency assets, resulting in economic losses and potential reputational damage. Since the vulnerability affects the Binance Trust Wallet iOS app, European users of this wallet are at risk of having their funds stolen if they use affected versions. The impact extends beyond individual users to businesses that rely on these wallets for transactions or custody, potentially disrupting operations and undermining trust in digital asset security. Additionally, regulatory scrutiny in Europe regarding digital asset security and consumer protection could increase following incidents exploiting this vulnerability. The lack of a patch at the time of disclosure further exacerbates the risk, emphasizing the urgency for affected users and organizations to take protective measures.
Mitigation Recommendations
1. Immediate mitigation involves advising all users of the Binance Trust Wallet iOS app to upgrade to a version that addresses this vulnerability once available. Until a patch is released, users should avoid generating new wallets or mnemonic phrases using the affected app version. 2. Organizations should conduct audits to identify any wallets created with the vulnerable app version and consider migrating funds to new wallets generated with secure entropy sources. 3. Implement monitoring for suspicious transactions originating from wallets suspected to be vulnerable, enabling rapid response to potential theft. 4. Encourage users to enable additional security measures such as multi-factor authentication and hardware wallet integration where possible. 5. For developers and wallet providers, ensure the use of cryptographically secure random number generators with sufficient entropy sources during mnemonic generation, avoiding reliance on predictable values like timestamps. 6. Engage with Binance Trust Wallet developers or support channels to obtain updates and verify remediation status. 7. Educate users about the risks of using outdated wallet software and the importance of timely updates in the cryptocurrency ecosystem.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
CVE-2024-23660: n/a in n/a
Description
The Binance Trust Wallet app for iOS in commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f, git tag 0.0.4 misuses the trezor-crypto library and consequently generates mnemonic words for which the device time is the only entropy source, leading to economic losses, as exploited in the wild in July 2023. An attacker can systematically generate mnemonics for each timestamp within an applicable timeframe, and link them to specific wallet addresses in order to steal funds from those wallets.
AI-Powered Analysis
Technical Analysis
CVE-2024-23660 is a high-severity cryptographic vulnerability affecting the Binance Trust Wallet app for iOS, specifically in the version identified by commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f and git tag 0.0.4. The root cause is the improper use of the trezor-crypto library, which results in the generation of mnemonic seed phrases relying solely on the device's timestamp as the entropy source. Normally, mnemonic generation requires high-quality randomness to ensure unpredictability and security of wallet private keys. However, in this case, the entropy is limited to the device time, which is a low-entropy and predictable value. An attacker can exploit this by systematically generating all possible mnemonics corresponding to timestamps within a plausible timeframe, then deriving wallet addresses from these mnemonics. By matching derived addresses to target wallets, the attacker can identify vulnerable wallets and steal funds from them. This vulnerability falls under CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)) and has a CVSS 3.1 base score of 7.5, indicating high severity. The attack vector is network-based with no privileges or user interaction required, and it impacts the integrity of wallet funds, although confidentiality and availability are not directly affected. While no official patch links are provided, the issue was publicly disclosed in February 2024, with exploitation reportedly observed in the wild as early as July 2023. This vulnerability highlights the critical importance of using secure, high-entropy sources for cryptographic key generation in cryptocurrency wallets to prevent economic losses.
Potential Impact
For European organizations, particularly those involved in cryptocurrency trading, asset management, or providing wallet services, this vulnerability poses a significant financial risk. Compromised wallets can lead to direct theft of cryptocurrency assets, resulting in economic losses and potential reputational damage. Since the vulnerability affects the Binance Trust Wallet iOS app, European users of this wallet are at risk of having their funds stolen if they use affected versions. The impact extends beyond individual users to businesses that rely on these wallets for transactions or custody, potentially disrupting operations and undermining trust in digital asset security. Additionally, regulatory scrutiny in Europe regarding digital asset security and consumer protection could increase following incidents exploiting this vulnerability. The lack of a patch at the time of disclosure further exacerbates the risk, emphasizing the urgency for affected users and organizations to take protective measures.
Mitigation Recommendations
1. Immediate mitigation involves advising all users of the Binance Trust Wallet iOS app to upgrade to a version that addresses this vulnerability once available. Until a patch is released, users should avoid generating new wallets or mnemonic phrases using the affected app version. 2. Organizations should conduct audits to identify any wallets created with the vulnerable app version and consider migrating funds to new wallets generated with secure entropy sources. 3. Implement monitoring for suspicious transactions originating from wallets suspected to be vulnerable, enabling rapid response to potential theft. 4. Encourage users to enable additional security measures such as multi-factor authentication and hardware wallet integration where possible. 5. For developers and wallet providers, ensure the use of cryptographically secure random number generators with sufficient entropy sources during mnemonic generation, avoiding reliance on predictable values like timestamps. 6. Engage with Binance Trust Wallet developers or support channels to obtain updates and verify remediation status. 7. Educate users about the risks of using outdated wallet software and the importance of timely updates in the cryptocurrency ecosystem.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mitre
- Date Reserved
- 2024-01-19T00:00:00.000Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682cd0fa1484d88663aec3c9
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/6/2025, 8:27:36 AM
Last updated: 8/11/2025, 10:54:17 PM
Views: 25
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.