Certik Exposes Critical Vulnerability in Solana Saga Phone

CertiK, a leading cybersecurity firm, discovered a critical vulnerability in the Solana Saga phone, a smartphone that integrates the Solana Mobile Stack. The flaw allowed assets to be transferred within a minute of obtaining the phone.

The Solana Saga phone, a smartphone that claims to offer a secure and seamless Web3 experience, was found to have a serious vulnerability that put more than 2,100 devices at risk since April.

The vulnerability was uncovered by CertiK, a leading cybersecurity firm specializing in blockchain and smart contract audits.

The Solana Saga phone, an Android-based smartphone introduced by Solana CEO Anatoly Yakovenko in June 2022, is distinguished by its integration of the Solana Mobile Stack (SMS), which features a “Secure Element” to manage private keys and bolster the security of Web3 transactions.

However, CertiK discovered that the Secure Element was not as secure as it claimed to be.

The flaw allowed anyone who had physical access to the phone to transfer the assets stored in the SMS wallet within a minute of obtaining the phone without needing to unlock the device or enter the PIN code.

CertiK reported the vulnerability to Solana Labs in October and issued a public alert on Nov. 15, 2023, urging all Solana Saga phone users to update their firmware to the latest version and transfer their assets to a different wallet as soon as possible.

In April, we introduced Saga with a clear vision: to put web3 at your fingertips. We continue to work to bring more people into the ecosystem and drive web3’s mobile future. Today, we are reducing the price of Saga to $599.

Over the past four months, Saga users embraced the… pic.twitter.com/qpC1BHiqZ7

— Seeker | Solana Mobile (@solanamobile) August 9, 2023

The response from Solana Labs

Solana Labs acknowledged the vulnerability and thanked CertiK for their responsible disclosure. The studio also released a firmware update that fixed the flaw and improved the security of the SMS wallet.

Solana Labs advised all Solana Saga phone users to install the update and reset their PIN codes.

The blockchain studio also stated that they were not aware of any cases of asset theft or loss due to the vulnerability and that they would compensate any affected users if such cases were reported.

Solana Labs also assured that they would continue to work with CertiK and other security experts to ensure the safety and reliability of the Solana Saga phone and the Solana Mobile Stack.

The outlook for the Solana Saga phone

Despite the potential of the Solana Saga phone, using it currently feels akin to beta testing, especially for average consumers.

Solana Labs acknowledges this challenge but remains optimistic about the device’s appeal to early adopters and developers.

The Saga phone witnessed a notable price drop from $1,000 to $599 in September. Solana attributed this $400 reduction to a strategic move to foster wider adoption of mobile Web3 and enhance the overall user experience within the Solana mobile community.

Solana Mobile is committed to delivering an excellent welcome experience for Saga users through the genesis token, which is a native token of the SMS wallet that can be used to access various Web3 applications and services.

The Mobile phone also encourages the exploration of Web3 by offering rewards and incentives for using the Solana Saga phone and the Solana Mobile Stack.