Prepared by:
HALBORN
Last Updated 05/08/2026
Date of Engagement: May 4th, 2026 - May 5th, 2026
100% of all REPORTED Findings have been addressed

| Severity | Count |
|---|---|
| All findings | 7 |
| Critical | 0 |
| High | 0 |
| Medium | 3 |
| Low | 2 |
| Informational | 2 |
This security assessment was commissioned by Catapult Trade, a Web3 token launch and trading platform that enables creators to launch tokens via automated mechanisms — including bonding curves — and facilitates trading through smart contracts. The assessment was conducted by Halborn, a leading cybersecurity firm specializing in blockchain and Web3 security.
The engagement was scoped to the turbo-token-generator repository at commit b6f2b400, covering the TypeScript-based backend microservice responsible for the Provably Fair chart algorithm — specifically the HKDF-based PRNG seed derivation, token generation endpoint, and associated configuration. The purpose of this engagement was to rigorously evaluate the cryptographic soundness, access control posture, and overall security of the Provably Fair token generation service.
The assessment was conducted over approximately two days, from May 4th to May 5th. The review was performed by Halborn security specialists with expertise in web application security, TypeScript-based backend systems, and cryptographic protocol analysis.
The primary goals of the engagement were to:

- Validate the cryptographic integrity of the Provably Fair PRNG and HKDF seed derivation pipeline.
- Assess access control and authentication enforcement on sensitive API endpoints.
- Identify configuration and dependency weaknesses that could undermine system security.
The overall security posture of the assessed service requires attention across several high-impact areas. While no critical infrastructure failures were identified, the assessment surfaced a cluster of significant findings that, in combination, could undermine the Provably Fair guarantees the platform relies upon for user trust, as well as expose the service to unauthorized access.
The assessment has identified medium-priority vulnerabilities that could compromise system integrity, specifically through minor cryptographic weaknesses and insufficient access controls. Furthermore, the use of outdated software dependencies exposed the platform to known vulnerabilities and supply chain risks, requiring remediation to protect the infrastructure and ensure a robust security posture.
| Security analysis | Risk level | Remediation |
|---|---|---|
| Missing Authentication and Authorization on Token Generation Endpoint | Medium | Solved - 05/05/2026 |
| Outdated and Vulnerable Dependencies | Medium | Solved - 05/05/2026 |
| Disabled TypeScript Strict Checks Allowed Null-Safety and Type-Safety Bugs to Go Undetected | Medium | Solved - 05/05/2026 |
| Insufficient Entropy Validation for TURBO_CHART_SALT Allowed Weak HKDF Salt to Undermine Provably Fair PRNG | Low | Solved - 05/05/2026 |
| Insufficient Rate Limiting — IP-Only Throttle with No Authentication-Based Quota | Low | Not Applicable - 05/05/2026 |
| Static HKDF Info Parameter Provided No Domain Separation Across Token Modes or Key Purposes | Informational | Solved - 05/05/2026 |
| Premature Disclosure of Server Seed and Full Tick Array Undermined Provably-Fair Guarantees | Informational | Not Applicable - 05/05/2026 |
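The two HKDF rows above (weak TURBO_CHART_SALT accepted without entropy validation, and a static info parameter with no domain separation) describe one derivation routine with two missing checks. The TypeScript below is an added illustration written for this summary, not code from the turbo-token-generator repository; the token mode names, purpose labels, and the thresholds of 32 salt bytes and 8 distinct byte values are assumptions.

```typescript
import { hkdfSync } from "node:crypto";

// Hypothetical token modes and key purposes; the real service's names are not on this page.
export type TokenMode = "bonding-curve" | "graduated";
export type KeyPurpose = "chart-seed" | "commit-key";

const MIN_SALT_BYTES = 32;      // assumed minimum: one SHA-256 output of salt material
const MIN_DISTINCT_BYTES = 8;   // assumed floor that rejects all-zero or repeated-byte salts

// Reject a TURBO_CHART_SALT that is too short or visibly low-entropy before it ever
// reaches HKDF. This is a sanity check on configuration, not a full entropy estimate.
export function validateSalt(salt: Buffer): void {
  if (salt.length < MIN_SALT_BYTES) {
    throw new Error(`salt must be at least ${MIN_SALT_BYTES} bytes, got ${salt.length}`);
  }
  const seen = new Set<number>();
  for (let i = 0; i < salt.length; i++) {
    seen.add(salt[i]);
  }
  if (seen.size < MIN_DISTINCT_BYTES) {
    throw new Error(`salt has only ${seen.size} distinct byte values; looks non-random`);
  }
}

// Build a distinct HKDF info value per token mode and key purpose, so that seeds
// derived for one mode or purpose can never be reused as another.
export function hkdfInfo(mode: TokenMode, purpose: KeyPurpose): Buffer {
  return Buffer.from(`turbo-chart/v1/${mode}/${purpose}`, "utf8");
}

// Derive a 32-byte PRNG seed with HKDF-SHA256 over the server secret, using the
// validated salt and the domain-separated info string.
export function deriveSeed(
  serverSecret: Buffer,
  salt: Buffer,
  mode: TokenMode,
  purpose: KeyPurpose,
): Buffer {
  validateSalt(salt);
  const out = hkdfSync("sha256", serverSecret, salt, hkdfInfo(mode, purpose), 32);
  return Buffer.from(out);
}

// Constructed sample inputs for a stand-alone run (not production values).
export const SAMPLE_SECRET = Buffer.from("constructed-server-secret-for-demo-only", "utf8");
export const SAMPLE_SALT = Buffer.from(Array.from({ length: 32 }, (_, i) => (i * 37 + 11) & 0xff));
export const WEAK_SALT = Buffer.alloc(32, 0);
```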
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
Full report: Token Generator Pentest