The recent large-scale theft of funds in the Solana ecosystem has drawn widespread attention to wallets and their security. Let us give you some tips, tell you our understanding of the incident and show how we take security best practices seriously.
The Solana Slope wallet incident
First of all, what happened to Solana? On August 3rd, some Solana users saw their wallets being drained. The community quickly confirmed that all affected users had one thing in common: They all used a wallet called Slope at one point. Later, it was confirmed that the wallet app had sent the user's seed phrase to a central server in the form of readable text.
Since the seed phrase was sent in clear text, anyone with access to this particular server may be able to access the user's account. These low security standards can lead to vulnerabilities that allow hackers to access the seed phrase and drain funds.
Second, imToken does not offer support for Solana. If you did use Solana, please take the following steps to minimize further risk below.
- The incident: Some hackers gained access to the seed phrases (also known as Mnemonic phrases or backup phrases) of Slope wallet users
- If you have used any Slope wallet - even just for generating one address - please open another Solana-enabled wallet, create a new account with new seed phrase (Mnemonic) and transfer assets from the old to the new account
- Again, if you use the same seed phrase (Mnemonic) in Slope wallet, then we recommended you to create a wallet and transfer assets
Security best practices: A private key never leaves the device
At imToken, we used developer tools such as Sentry and Firebase for error reporting and statistics as it is common practice. We do however never collect any data sensitive to asset security.
- We invite any security auditor and developer to participate in our bug bounty mechanism participate in the bug report program.
- We always put security and privacy of our users first. If users find any security-related issues, they can send us feedback through email@example.com, and the imToken security team will quickly reply and follow up.
We have strict audit and risk control measures to ensure security.
- External risk control: We have long-term cooperations with well-known professional security institutions in the industry such as SlowMist and Peckshield, including security audits for our software wallets, hardware wallets and contracts.
- Internal risk control
- Security team
Our security department is responsible for internal security audits and external collaboration such as maintaining close contact with auditors as well as security audit and risk control for all internal products.
- Permission management
We adhere to strict permission management in product design and development: Code permissions are minimized, and any product is launched after R&D and security departments jointly conduct black and white box security audit evaluations.
- Version Audit
We conduct internal security audits for each release. The scope of the audit includes the new version of our own code as well as software dependencies, to eliminate potential backdoors and security risks.
- Change management (back-end audit)
Wallet products can be divided into two parts: The app front-end and back-end services. We not only ensure the security of the app front-end through above-mentioned version audits, but also conduct a complete security assessment before each back-end service goes online. This ensures the overall security of the front-end and back-end products.
We welcome white hat audits and responsible disclosure.
- We invite any developer and auditor to participate in the bug bounty program have been jointly hosting with SlowMist: https://slowmist.io/imtoken/
Bonus: Our top security tips
As one of the major wallet apps, we receive lots of user feedback and questions. Our help center should offer an answer for all popular questions.
Here is our summary of common risks to be aware of when using wallets:
Use hardware wallets for higher security
imToken software wallet is safe and easy to use, but software wallets need users to have a good sense of security. For bigger amounts of assets, our imKey hardware wallet maximizes security by storing Mnemonics away from any internet connection, on a secure chip.
If you have any questions about wallet security or usage, please contact our official imToken customer service at: firstname.lastname@example.org