CVE-2024-23660

HIGH EXPLOITED IN THE WILD

Binance Trust Wallet <0.0.4 - Info Disclosure

Title source: llm

Description

The Binance Trust Wallet app for iOS in commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f, git tag 0.0.4 misuses the trezor-crypto library and consequently generates mnemonic words for which the device time is the only entropy source, leading to economic losses, as exploited in the wild in July 2023. An attacker can systematically generate mnemonics for each timestamp within an applicable timeframe, and link them to specific wallet addresses in order to steal funds from those wallets.

References (2)

[Exploit, Third Party Advisory] https://milksad.info/posts/research-update-5/

[Exploit, Third Party Advisory] https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/

Scores

CVSS v3 7.5

EPSS 0.0019

EPSS Percentile 40.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2024-02-08

InTheWild.io 2024-02-08

CWE

CWE-338

Status published

Products (1)

binance/trust_wallet 0.0.4

Published Feb 08, 2024

Tracked Since Feb 18, 2026