Floin is a forward-thinking FinTech startup dedicated to creating a fully regulated environment for digital assets. Their mission is to provide a secure and enjoyable experience for buying, selling, and storing tokens, while also offering access to exciting tokenized projects through their innovative marketplace. As the foundation of their business, Floin prioritizes safety, stability, and privacy in the digital asset landscape.
Smart Contract Audit: Floin required a comprehensive audit of their smart contract to ensure it would perform as designed and to identify and mitigate potential attack vectors.
Platform Penetration Testing: In addition to the smart contract audit, Floin needed their platform thoroughly tested for penetration risks, safeguarding against potential vulnerabilities.
Security Awareness: Floin aimed to raise the security awareness of their entire team, emphasizing the importance of security considerations at every step of their development and operations.
Halborn provided instructional videos that proved immensely helpful in addressing vulnerabilities, particularly for team members who were unfamiliar with vulnerability identification procedures.
Due to the complexity of the frameworks and services in use, Halborn collaborated closely with Floin to pinpoint optimal solutions while preserving the fixes for previously resolved vulnerabilities, striking a balance to ensure the integrity of all solutions.
Some vulnerabilities presented multiple possible solutions. The Halborn team offered comprehensive explanations to assist Floin in selecting solutions aligned with their frameworks and requirements.
In the course of the engagement, Halborn conducted a Pentest that led to the discovery of 34 vulnerabilities, achieving the primary goal of assessing the KYC mechanism. Notably, the team successfully bypassed the KYC mechanism, allowing orders to be placed without completing KYC—a critical issue for Floin. This finding underscored the importance of fortifying the KYC mechanism to prevent such bypasses.
Among the vulnerabilities identified, one notable issue enabled attackers to disable any user's Multi-factor Authentication with a single click, by embedding a malicious request in any article or website (a cross-site request forgery). Unsuspecting users could have their MFA disabled, potentially leading to a complete account takeover.
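The MFA-disable issue described above has the classic shape of a cross-site request forgery: a state-changing endpoint that trusts the browser's session cookie alone. The following Python check is an added illustration, not Floin's or Halborn's code; it assumes a hypothetical first-party origin and a plain-dict request and session, and it refuses to disable MFA unless the request is a same-origin POST carrying a session-bound CSRF token and the user re-authenticated recently.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://app.example.test"  # hypothetical first-party origin (assumption)
MAX_STEP_UP_AGE = 300  # seconds since last password/MFA re-check that we accept

def csrf_token(session_id: str, secret: bytes) -> str:
    """Session-bound CSRF token: HMAC of the session id under a server secret."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(url: str) -> bool:
    """True only if scheme and host match the first-party origin exactly."""
    got, want = urlsplit(url), urlsplit(ALLOWED_ORIGIN)
    return bool(got.netloc) and (got.scheme, got.netloc) == (want.scheme, want.netloc)

def authorize_mfa_disable(request: dict, session: dict, secret: bytes, now: float):
    """Return (allowed, reason) for an MFA-disable attempt.

    request: {"method": str, "headers": {...}, "form": {...}}  (constructed dict)
    session: {"id": str, "user_id": int, "last_step_up_at": float}
    Every check must pass; a forged cross-site request fails the first two.
    """
    if request["method"] != "POST":
        return False, "state change must be a POST (blocks <img>/link-triggered GETs)"
    headers = request["headers"]
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not same_origin(origin):
        return False, "cross-origin request rejected"
    supplied = request["form"].get("csrf_token", "")
    expected = csrf_token(session["id"], secret)
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid CSRF token"
    if now - session.get("last_step_up_at", 0.0) > MAX_STEP_UP_AGE:
        return False, "recent re-authentication required before disabling MFA"
    return True, "ok"

if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    session = {"id": "sess-123", "user_id": 42, "last_step_up_at": 1000.0}
    # Constructed forged request: the victim's cookie rides along, but nothing else matches.
    forged = {"method": "POST", "headers": {"Origin": "https://attacker.example"}, "form": {}}
    print(authorize_mfa_disable(forged, session, secret, now=1010.0))
```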
Additionally, a Denial of Service (DoS) vulnerability was uncovered, providing attackers with the capability to disrupt Floin's entire backend from a single computer.
Furthermore, during the KYC process, another critical issue was identified whereby attackers could inject malicious input into KYC sections, triggering exceptions at the backend and rendering it unavailable.
All issues uncovered by Halborn were successfully resolved by Floin’s engineering team.
Ultimately, Floin's decision to partner with Halborn aligned perfectly with their commitment to safety and privacy. The quality, thoroughness, and extensive results of the audit, penetration testing, and the additional Pentest far exceeded their expectations. As Floin continues to build their FinTech platform in the secure environment of Liechtenstein, they can confidently rely on Halborn's expertise to safeguard their foundation of smart contract and platform architecture, addressing not only the identified vulnerabilities but also raising awareness of security considerations at every step.