Solana disputes CertiK audit findings on Saga phone security, deeming the report "inaccurate."
CertiK alleges a critical "bootloader vulnerability" in Solana's Saga smartphone, while Solana Labs disputes the claims, deeming them entirely inaccurate.
A recent video from blockchain security firm CertiK has sparked controversy by claiming a potential security vulnerability in Solana's Saga phone. CertiK asserted that the Saga contained a "critical vulnerability" in the form of a "bootloader unlock" attack: a malicious actor with physical access to the phone could unlock the bootloader and install custom firmware containing a root backdoor. According to CertiK's video, such firmware could compromise sensitive data stored on the phone, including cryptocurrency private keys. Solana Labs, the creator of the Saga phone, has firmly rejected CertiK's claims, stating that the video did not reveal any actual threat to the security of the Saga device.
Solana Labs called CertiK's assertions inaccurate and clarified that unlocking the bootloader, a prerequisite for installing custom firmware, involves multiple steps and can only be done after the device has been unlocked with the user's passcode or fingerprint. Unlocking the bootloader also wipes the device, and the company stressed that users are warned about this repeatedly, so the process cannot complete without the owner's active participation and awareness. This is the standard Android bootloader-unlock flow rather than anything Saga-specific: the owner must first enable the "OEM unlocking" toggle in developer settings, which prompts for the lock-screen credential, then reboot into the bootloader and confirm the unlock on the device itself, at which point user data is erased. Solana Labs argued that CertiK's claims do not demonstrate any known vulnerability or security threat to Saga holders and pointed to the security measures in place to protect users' data and private keys.
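The practical question a Saga owner (or any Android user) is left with after this exchange is whether their own bootloader is locked and whether the OEM-unlocking toggle is armed. The following POSIX-shell check is an added example, not code from Solana Labs, Solana Mobile or CertiK. It reads three standard Android system properties over adb: `ro.boot.verifiedbootstate` (the Android Verified Boot colour, green/yellow/orange/red), `ro.boot.flash.locked` (1 when the bootloader is locked) and `sys.oem_unlock_allowed` (1 when the "OEM unlocking" developer toggle is on). It is an assumption that the Saga firmware populates all three; a missing or unexpected value is reported as UNKNOWN rather than guessed.

```shell
# Added example (not Solana Labs', Solana Mobile's or CertiK's code): classify an
# Android device's bootloader posture from three standard system properties.
#   ro.boot.verifiedbootstate  green|yellow|orange|red (Android Verified Boot)
#   ro.boot.flash.locked       1 = bootloader locked, 0 = unlocked
#   sys.oem_unlock_allowed     1 = "OEM unlocking" developer toggle is on
# Assumption: the device exposes all three; if one is missing or has an
# unexpected value the verdict is UNKNOWN, never a guess.

# assess_boot_state VERIFIEDBOOTSTATE FLASH_LOCKED OEM_UNLOCK_ALLOWED
# Prints exactly one verdict:
#   TAMPERED             boot image failed verification (red state)
#   UNLOCKED             bootloader unlocked; custom firmware can be flashed
#   LOCKED_CUSTOM_KEY    locked, but booting an image signed with a user key
#   LOCKED_UNLOCK_ARMED  locked, but the OEM-unlocking toggle is already on,
#                        so the passcode step of the unlock flow is bypassed
#                        for anyone holding the phone (the wipe still happens)
#   LOCKED               locked with OEM unlocking disabled
#   UNKNOWN              a property was missing or had an unexpected value
assess_boot_state() {
    vbstate=$1
    flash_locked=$2
    oem_allowed=$3

    case "$vbstate" in
        red)    echo TAMPERED; return 0 ;;
        orange) echo UNLOCKED; return 0 ;;
        yellow) echo LOCKED_CUSTOM_KEY; return 0 ;;
        green)  ;;
        *)      echo UNKNOWN; return 0 ;;
    esac

    # green state: cross-check against the bootloader's own lock flag
    case "$flash_locked" in
        0) echo UNLOCKED; return 0 ;;
        1) ;;
        *) echo UNKNOWN; return 0 ;;
    esac

    case "$oem_allowed" in
        1) echo LOCKED_UNLOCK_ARMED ;;
        0) echo LOCKED ;;
        *) echo UNKNOWN ;;
    esac
}

# Read the properties from an attached device (USB debugging must be enabled)
# and print the verdict. Needs adb on PATH; not exercised offline.
check_attached_device() {
    vb=$(adb shell getprop ro.boot.verifiedbootstate | tr -d '\r')
    fl=$(adb shell getprop ro.boot.flash.locked | tr -d '\r')
    oem=$(adb shell getprop sys.oem_unlock_allowed | tr -d '\r')
    printf 'verifiedbootstate=%s flash.locked=%s oem_unlock_allowed=%s -> %s\n' \
        "$vb" "$fl" "$oem" "$(assess_boot_state "$vb" "$fl" "$oem")"
}

# Run against a connected phone with:  sh boot_state.sh --device
if [ "${1:-}" = "--device" ]; then
    check_attached_device
fi
```

The verdict to act on is LOCKED_UNLOCK_ARMED: the bootloader is still locked and any unlock would still wipe the device, but the toggle that is supposed to require the owner's passcode has already been flipped, which is the one step of the flow described above that physical access alone should not be able to skip.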
The Saga phone, announced by Solana in June 2022 and released in 2023, was designed to offer a Web3-native decentralized application store, integrating cryptocurrency apps with the device's hardware. However, sales reportedly declined steeply, leading Solana to reduce the phone's price from $1,099 to $599 four months after its launch. The dispute between CertiK and Solana Labs adds another layer of scrutiny to the security of blockchain-based smartphones and the vulnerabilities they may carry.
In response to CertiK's claims, Solana Labs emphasized that users are shown multiple warnings about the implications of unlocking the bootloader on an Android device. If users proceed despite these warnings, the device is wiped, along with any private keys stored on it. Solana Labs defended the security of the Saga phone, questioned the legitimacy of CertiK's assertions, and stressed the importance of accurate and responsible reporting in the blockchain security space. CertiK had not responded to Solana Labs' rebuttal at the time of writing.