SilentSwap V2 App Backend


Prepared by: Halborn

Last Updated 12/02/2025

Date of Engagement: November 20th, 2025 - November 20th, 2025

Summary

100% of all REPORTED Findings have been addressed

All findings: 1

  • Critical: 0
  • High: 0
  • Medium: 1
  • Low: 0
  • Informational: 0


1. Introduction

SilentSwap engaged Halborn to conduct a security assessment of the non-custodial SilentSwap v2 backend. Halborn was provided access to the source code, the documentation and a functional application in order to conduct security testing using a combination of automated testing and manual analysis to scan, detect, validate and report possible vulnerabilities.

2. Assessment Summary

The team at Halborn was provided 10 days for the engagement, from August 20th, 2025 to September 2nd, 2025, and assigned a full-time security engineer to verify the security of the assets in scope. The security engineer is a penetration testing expert with advanced knowledge of multiple blockchains and of web application, API, and infrastructure penetration testing.


During the penetration test of the assessed components, Halborn identified a single vulnerability, of Medium severity: the backend relies on outdated third-party dependencies with known vulnerabilities (see finding 8.1).

SilentSwap has accepted the risk of this finding and has planned upcoming patches to further strengthen the backend. Halborn recommends addressing it in a timely manner to improve the overall security posture of the backend.

3. Test Approach and Methodology

Halborn followed greybox and blackbox approaches as per the scope and performed a combination of both manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy regarding the scope of the pentest. While manual testing is best suited to uncovering flaws in logic, process, and implementation, automated testing techniques enhance coverage of the infrastructure and can quickly identify flaws in it. A combination of both provides a robust ground to identify as many vulnerabilities as possible during the time allocated for the assessment.

The assessment methodology covered a range of phases and employed various tools, including but not limited to the following:

    • Mapping Content and Functionality of APIs

    • Business Logic

    • Authentication and Authorization

    • Rate Limiting

    • Handling of Gas/Fees

    • Amount Calculations and Rounding Operations

    • Input Handling and Injection Vulnerabilities

    • Fuzzing of Input Parameters

    • Hardcoded Secrets

    • Sensitive Data Leakage

    • Handling and Storage of Sensitive Data

    • Secure Communications

    • Denial-of-Service (DoS) Conditions

    • Unvalidated Redirects and Forwards

    • External Component Interactions and Best Practices

    • Outdated Software and Third-Party Dependencies

    • Amount Calculations and Decimal Handling

    • Race Conditions

    • Payment Flow Logic

    • Bypass of Implemented Restrictions

4. Confirmation of Non-Custodial Architecture

At the request of SilentSwap, we were tasked with determining whether the platform operates as a non-custodial system. Upon completion of our review, our determination is that SilentSwap’s architecture is non-custodial.

5. Risk Methodology

Halborn assesses the severity of findings using either the Common Vulnerability Scoring System (CVSS) framework or the Impact/Likelihood Risk scale, depending on the engagement. CVSS is an industry standard framework for communicating the characteristics and severity of vulnerabilities in software. Details can be found in the CVSS Specification Document published by F.I.R.S.T.

Vulnerabilities or issues observed by Halborn that are scored on the Impact/Likelihood Risk scale are measured by the LIKELIHOOD of a security incident and the IMPACT should an incident occur. This framework works for communicating the characteristics and impacts of technology vulnerabilities. The quantitative model ensures repeatable and accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the risk scores. For every vulnerability, likelihood and impact are each rated on a scale of 1 to 5, with 5 being the highest likelihood or impact.

Risk Scale - Likelihood

  • 5 - Almost certain an incident will occur.
  • 4 - High probability of an incident occurring.
  • 3 - Potential of a security incident in the long term.
  • 2 - Low probability of an incident occurring.
  • 1 - Very unlikely the issue will cause an incident.

Risk Scale - Impact

  • 5 - May cause devastating and unrecoverable impact or loss.
  • 4 - May cause a significant level of impact or loss.
  • 3 - May cause a partial impact or loss to many.
  • 2 - May cause temporary impact or loss.
  • 1 - May cause minimal or un-noticeable impact.

The risk level is then calculated as the sum of these two values, giving a value from 2 to 10 (10 being the highest level of security risk), which maps to a severity as follows:

  • 10 - CRITICAL
  • 9 - 8 - HIGH
  • 7 - 6 - MEDIUM
  • 5 - 4 - LOW
  • 3 - 1 - VERY LOW AND INFORMATIONAL

6. Scope

Out-of-Scope: New features/implementations after the remediation commit IDs.

7. Assessment Summary & Findings Overview

Critical: 0 | High: 0 | Medium: 1 | Low: 0 | Informational: 0

Security analysis                                  | Risk level | Remediation Date
---------------------------------------------------|------------|---------------------------
Outdated and Vulnerable Third-Party Dependencies   | Medium     | Risk Accepted - 09/08/2025

8. Findings & Tech Details

8.1 Outdated and Vulnerable Third-Party Dependencies

Risk level: Medium

Score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L (6.5)

Description

Recommendation

Remediation Comment

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
