Prepared by:
HALBORN
Last Updated 12/02/2025
Date of Engagement: November 20th, 2025 - November 20th, 2025
100% of all REPORTED Findings have been addressed
| Severity | Findings |
|---|---|
| All findings | 1 |
| Critical | 0 |
| High | 0 |
| Medium | 1 |
| Low | 0 |
| Informational | 0 |
SilentSwap engaged Halborn to conduct a security assessment of the non-custodial SilentSwap v2 backend. Halborn was provided access to the source code, the documentation and a functional application in order to conduct security testing using a combination of automated testing and manual analysis to scan, detect, validate and report possible vulnerabilities.
The team at Halborn was provided 10 days for the engagement, from August 20th, 2025 to September 2nd, 2025, and assigned a full-time security engineer to verify the security of the assets in scope. The security engineer is a penetration testing expert with advanced knowledge in multiple blockchains, web application, API, and infrastructure penetration testing.
During the penetration test of the assessed components, Halborn identified several vulnerabilities ranging from High to Informational severity.
A single high-risk vulnerability was identified in how the backend checked transaction counts, and multiple medium-risk issues were also observed.
Lastly, Halborn recommends addressing the low and informational severity vulnerabilities in a timely manner to improve the overall security posture of the backend.
The team has accepted the risk of most of the findings while resolving some of them, and has planned upcoming patches to further strengthen the backend.
Halborn followed greybox and blackbox approaches as per the scope and performed a combination of both manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy regarding the scope of the pentest. While manual testing is recommended to uncover flaws in logic, process, and implementation, automated testing techniques enhance coverage of the infrastructure and can quickly identify flaws in it. A combination of both provides a robust ground to identify as many vulnerabilities as possible during the time allocated for the assessment.
The assessment methodology covered a range of phases and employed various tools, including but not limited to the following:
- Mapping Content and Functionality of APIs
- Business Logic
- Authentication and Authorization
- Rate Limiting
- Handling of Gas/Fees
- Amount Calculations and Rounding Operations
- Input Handling and Injection Vulnerabilities
- Fuzzing of Input Parameters
- Hardcoded Secrets
- Sensitive Data Leakage
- Handling and Storage of Sensitive Data
- Secure Communications
- Denial-of-Service (DoS) Conditions
- Unvalidated Redirects and Forwards
- External Component Interactions and Best Practices
- Outdated Software and Third-Party Dependencies
- Amount Calculations and Decimal Handling
- Race Conditions
- Payment Flow Logic
- Bypass of Implemented Restrictions
At the request of SilentSwap, we were tasked with determining whether the platform operates as a non-custodial system. Upon completion of our review, our determination is that SilentSwap’s architecture is non-custodial.
| Severity | Findings |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 1 |
| Low | 0 |
| Informational | 0 |
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| Outdated and Vulnerable Third-Party Dependencies | Medium | Risk Accepted - 09/08/2025 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.