Description

The Binance Trust Wallet app for iOS in commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f, git tag 0.0.4 misuses the trezor-crypto library and consequently generates mnemonic words for which the device time is the only entropy source, leading to economic losses, as exploited in the wild in July 2023. An attacker can systematically generate mnemonics for each timestamp within an applicable timeframe, and link them to specific wallet addresses in order to steal funds from those wallets.

Known Exploited

🚨 Marked as known exploited on May 15th, 2025 (16 days ago).

Classification

CVE ID: CVE-2024-23660

Affected Products

Vendor: n/a

Product: n/a

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.16% (probability of being exploited)

EPSS Percentile: 37.94% (scored less or equal to compared to others)

EPSS Date: 2025-05-31 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: partial

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2024-23660
https://milksad.info/posts/research-update-5/
https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/

Timeline