Introduction
We express our gratitude to the WhiteBIT team for the collaborative engagement that enabled the execution of this Pentest.
WhiteBIT is a centralized cryptocurrency exchange established in 2018, offering a secure platform for trading over 300 coins and trading pairs.
| Document | |
|---|---|
| Name | Pentest and Security Analysis Report for WhiteBIT |
| Audited By | Faizan Nehal |
| Approved By | Ece Orsel |
| Website | https://whitebit.com, https://whitebit.com/ua |
| Changelog | 26/03/2026 - Preliminary Report |
| Changelog | 10/04/2026 - Final Report |
| Platform | Web & API |
| Methodology | https://docs.hacken.io/methodologies/pentesting |
| Review Scope | |
|---|---|
| Web & API | https://whitebit.com |
Audit Summary
The system users should acknowledge all the risks summarized in the risks section of this report.
System Overview
WhiteBIT is a centralized cryptocurrency exchange launched in 2018, designed to provide a secure and efficient trading environment for digital assets. It supports spot trading, margin trading, staking, and peer-to-peer (P2P) transactions, catering to both retail and institutional traders. The platform lists over 300 cryptocurrencies, offering users a diverse range of assets to trade.
WhiteBIT prioritizes security and compliance, implementing AML (Anti-Money Laundering) and KYC (Know Your Customer) regulations, alongside two-factor authentication (2FA), cold wallet storage for funds, and encrypted user data protection. The exchange also features an API for algorithmic trading, fiat on-ramp services, and integration with decentralized finance (DeFi) solutions.
With a user base spanning over the globe, WhiteBIT continuously enhances its infrastructure to ensure high liquidity, competitive fees, and a user-friendly trading experience. The platform aims to bridge the gap between traditional finance and blockchain technology by providing seamless access to cryptocurrency markets.
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| F-2026-1559 | Inconsistent Investment Amount Calculation Causes “Max Amount” DCA Bot Creation Failure | fixed | Observation |
Appendix 1. Severity Definitions
Findings are categorized based on their potential impact and assigned a severity level using the Common Vulnerability Scoring System (CVSS) version 4.0:
| Severity | Description |
|---|---|
| Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
| High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach. |
| Medium | These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
| Low | These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation. |
Appendix 2. Scope
The scope of the project includes the following:
| Scope Details | |
|---|---|
| Web & API | https://whitebit.com |
| API Documentation | https://docs.whitebit.com/api-reference/overview |
Appendix 3. Additional Valuables
Frameworks and Methodologies
This security assessment was conducted in alignment with recognised penetration testing standards, methodologies and guidelines, including NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment), the Penetration Testing Execution Standard (PTES), and the OWASP Testing Guide. These standards provide a structured foundation for planning, executing, and documenting technical evaluations such as vulnerability assessments, exploitation activities, and security code reviews. Hacken’s internal penetration testing methodology extends these principles to Web2 and Web3 environments to ensure consistency, repeatability, and verifiable outcomes.