Slingshot Wallet Audit

Audit Wizard
Nov 10, 2022

We just audited Slingshot’s new DeFi wallet!

Slingshot is a DeFi application that can be used to buy, sell, and swap over 40k cryptocurrencies at the best prices, with 0% swap fees.

Slingshot just launched their new DeFi wallet, which allows users to search, swap, and track tokens on mobile. Auditware performed a detailed audit of their code.

Slingshot’s Wallet is a mobile DeFi application that can be used to buy, sell, and swap over 40k cryptocurrencies. While Slingshot is not an exchange, it combines the performance and ease of centralized exchanges with the openness and transparency of decentralized exchanges, all while working like a search engine. If a token exists with on-chain liquidity or on a Slingshot-supported network, Slingshot will index it and make it available to swap. With aggregated liquidity across all top DEXs, Slingshot searches to provide the most efficient swap possible for any selected token.

DeFi wallets offer a unique set of challenges when it comes to security. Wallet applications have a unique threat model that comes with handling the keys to large sums of users’ money. Securing the private keys of a user’s wallet is easy to do, but not so easy to do right. Highly sensitive assets require highly tuned security controls and defense-in-depth measures. Here are some of the controls the Slingshot Wallet uses:

Encryption is the most fundamental tool in a dev’s security toolbox. The private keys and mnemonic seeds of a user’s wallet are encrypted in the Slingshot wallet, so that they are protected even from being read by an attacker with access to your phone. Improvements to wallet encryption integrity were made, guarding against highly unlikely but theoretically possible cryptographic tampering attacks.

Authentication is the other fundamental security tool that protects users. Because it controls access to the encrypted data, your app PIN is as powerful as your private key to anyone holding your device; set a strong one and keep it secret. The Slingshot team implemented a brute-force lockout on the PIN screen to prevent determined attackers from being able to guess your PIN after many tries.
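An added example (not Slingshot's code and not from Auditware's report) of how a PIN brute-force lockout of the kind described above can work: failed attempts are counted in persisted state and each further failure doubles the wait. The policy constants, function names and the state dictionary standing in for the app's storage are all assumptions.

```python
import hashlib
import hmac
import os

# Assumed policy values, not taken from the audited application.
MAX_FREE_ATTEMPTS = 3      # the lockout starts at this many consecutive failures
BASE_DELAY_S = 30          # length of the first lockout, in seconds
MAX_DELAY_S = 24 * 3600    # the delay stops growing here


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, slow KDF: the stored verifier is not the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def new_state(pin: str) -> dict:
    # Hypothetical record; a real app would persist it across restarts.
    salt = os.urandom(16)
    return {"salt": salt, "verifier": hash_pin(pin, salt),
            "failures": 0, "locked_until": 0.0}


def lockout_delay(failures: int) -> float:
    # No delay for the first failures, then 30 s, 60 s, 120 s ... up to the cap.
    if failures < MAX_FREE_ATTEMPTS:
        return 0.0
    return float(min(BASE_DELAY_S * 2 ** (failures - MAX_FREE_ATTEMPTS), MAX_DELAY_S))


def try_pin(state: dict, pin: str, now: float) -> tuple:
    """Return (unlocked, seconds_to_wait). `now` should come from a clock the user cannot set back."""
    if now < state["locked_until"]:
        # While locked out, nothing is checked, so even the right PIN is refused.
        return False, state["locked_until"] - now
    # Record the attempt before verifying, so that killing the app
    # during the check cannot turn it into a free guess.
    state["failures"] += 1
    state["locked_until"] = now + lockout_delay(state["failures"])
    if hmac.compare_digest(hash_pin(pin, state["salt"]), state["verifier"]):
        state["failures"] = 0
        state["locked_until"] = 0.0
        return True, 0.0
    return False, state["locked_until"] - now
```
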

via Auditware’s report

Overall, we found no critical vulnerabilities in the application. The Slingshot Wallet is securely designed, and only minor suggestions to improve defense-in-depth were recommended.

Interested in learning more about how Slingshot Wallet protects its users? You can view our full audit report here.

About Auditware: Auditware is a company specializing in audits and security tooling. We’re a team with over seven years of professional experience in security and web3. We conduct smart contract, application, and OpSec audits for web3 projects. We’re also building Audit Wizard, a revolutionary web3 auditing tool. Request an audit and learn more on auditware.io!
