The SlowMist security team specializes in traditional network attacks and defenses. The relevant achievements of team members has been highly recognized by the world's leading institutions. Our wallet security audits is more than just a typical audit, it’s built with a unique private key architecture along with years of extensive practical security knowledge. The related security services provided by SlowMist has covered top wallet platforms in dozens of industries, whether centralized or decentralized.Security Audit: Our audits covers penetration testing topics in greater depth and detail than other penetration testing services. Through a combination of black box and gray box security audits, we are able discover vulnerabilities and propose solutions to our clients. As well as providing suggestions for improving security, and best security practices to prevent possible security risks in the future. The security audit will provide a more comprehensive practical basis for the construction of the enterprise security system, and issue a professional Security Audit Report according to the needs of the development team.
Business Communication
Project Evaluation
Pay for Expenses
Security Audit
Issue a Report
Serial Number | Audit Class | Audit Subclass |
---|---|---|
1 | Open Source Intelligence Gathering | Whois information collection |
Real IP discovery | ||
Subdomain detection | ||
Mail service detection | ||
Certificate information collection | ||
Web services component fingerprint collection | ||
Port service component fingerprint collection | ||
Segment C service acquisition | ||
Personnel structure collection | ||
GitHub source code leak locating | ||
Google Hack detection | ||
Discovery of the privacy leaked | ||
2 | App Security Audit | App environment testing audit |
Code decompilation detection | ||
File storage security detection | ||
Communication encryption detection | ||
Permissions detection | ||
Interface security test | ||
Business security test | ||
WebKit security test | ||
App cache security detection | ||
App Webview DOM security test | ||
SQLite storage security audit | ||
3 | Server Security Configuration Audit | CDN service detection |
Network infrastructure configuration test | ||
Application platform configuration management test | ||
File extension resolution test | ||
Backup, unlinked file test | ||
Enumerate management interface test | ||
HTTP method test | ||
HTTP strict transmission test | ||
Web front-end cross-domain policy test | ||
Web security response head test | ||
Weak password and default password detection | ||
Management background discovery | ||
4 | Node Security Audit | Node configuration security detection |
Node data synchronization security detection | ||
Node transaction security audit | ||
Node communication security detection | ||
Node open source code security audit | ||
5 | Identity Management Audit | Role definition test |
User registration process test | ||
Account rights change test | ||
Account enumeration test | ||
Weak username strategy testing | ||
6 | Certification and Authorization Audit | Password information encrypted transmission test |
Default password test | ||
Account lockout mechanism test | ||
Certification bypass test | ||
Password memory function test | ||
Browser cache test | ||
Password strategy test | ||
Security quiz test | ||
Password reset test | ||
OAuth authentication model test | ||
Privilege escalation test | ||
Authorization bypass test | ||
Two-factor authentication bypass test | ||
Hash robustness test | ||
7 | Session Management Audit | Session management bypass test |
Cookies property test | ||
Session fixation test | ||
Session token leak test | ||
Cross Site Request Forgery (CSRF) test | ||
Logout function test | ||
Session timeout test | ||
Session token overload test | ||
8 | Input Security Audit | Cross Site Scripting (XSS) test |
Template injection test | ||
Third-party component vulnerability test | ||
HTTP parameter pollution test | ||
SQL injection test | ||
XXE entity injection test | ||
Deserialization vulnerability test | ||
SSRF vulnerability test | ||
Code injection test | ||
Local file contains test | ||
Remote file contains test | ||
Command execution injection test | ||
Buffer overflow test | ||
Formatted string test | ||
9 | Business Logic Audit | Interface security test |
Request forgery test | ||
Integrity test | ||
Overtime detection | ||
Interface frequency limit test | ||
Workflow bypass test | ||
Application misuse protection test | ||
Unexpected file type upload test | ||
Malicious file upload test | ||
10 | Cryptographic Security Audit | Weak SSL/TLS encryption, insecure transport layer protection test |
SSL pinning security deployment test | ||
Non-encrypted channel transmission of sensitive data test |
Serial Number | Audit Class | Audit Subclass |
---|---|---|
1 | Transaction Process Security Audit | Transaction signature security audit |
Transfer security audit | ||
Transaction broadcast audit | ||
2 | Private Key/Mnemonic Phrase Security Audit | Private Key/Mnemonic generation security audit |
Private Key/Mnemonic storage security audit | ||
Private Key/Mnemonic use process security audit | ||
Private Key/Mnemonic backup security audit | ||
Private Key/Mnemonic destroy security audit | ||
Random security audit | ||
Cryptographic security audit | ||
3 | Web Front-end Security Audit | XSS security Audit |
Third-party JS security audit | ||
HTTP Response Header security audit | ||
4 | Communications Security Audit | Communication encryption security audit |
Cross-domain transmission security audit | ||
5 | Architecture and Business Logic Security Audit | Access control security audit |
DApp communication security audit | ||
Business design security audit | ||
Architecture design security audit |
A Wintermute wallet was recently attacked, resulting in a loss of approximately $160 million dollars. The root cause of this incident was Wintermute’s use of the Profanity tool to create a vanity wallet (beginning with 0x0000000) in an attempt to save on gas fees. This follows the recent announcement by 1inch, a DeFi exchange, that some Ethereum addresses created through Profanity contained severe vulnerabilities. We conducted a thorough investigation into this incident, and the following are our findings.
Celer Network officials stated on August 18 that between 3:45 and 6:00 Beijing time, certain cBridge users were directed to malicious smart contracts. Initially, the cBridge front-end interface was suspected of being compromised by DNS hijacking.
On June 15, 2022, MetaMask announced the white hat hackers from Halborn have discovered a security vulnerability codename “Demonic”. The vulnerability is known to affect only versions before 10.11.3. Given MetaMask’s popularity and the prevalence of derivatives that utilize it as a wallet’s foundation, MetaMask rewarded the team a prize of 50,000 USD for discovering the issue. After our team communicated the vulnerability to me, I immediately started analyzing and recreating it myself.
Copyright © SlowMist, Inc. All Rights Reserved.