Introduction
We express our gratitude to the CoinDepo team for the collaborative engagement that enabled the execution of this Pentest.
CoinDepo is a centralized crypto-earning platform launched in 2021. It allows users to deposit major cryptocurrencies and stablecoins into interest-bearing (staking/savings) accounts, offering annual yields ranging from 12% to 24%, with stablecoins typically at the higher end.
| Document | |
|---|---|
| Name | Pentest and Security Analysis Report for CoinDepo |
| Audited By | Bogdan Bodisteanu |
| Approved By | Stephen Ajayi |
| Website | coindepo.com |
| Changelog | 23/06/2025 - Preliminary Report |
| Changelog | 31/07/2025 - Final Report |
| Platform | Web Application & API |
| Language | Python, Angular |
| Methodology | https://hackenio.cc/dApp_methodology |
| Review Scope | |
|---|---|
| Web Application | coindepo.com |
| API | app.coindepo.com |
Audit Summary
System users should acknowledge all the risks summarized in the risks section of this report.
System Overview
Earn passive income by depositing crypto or stablecoins.
🔹 Flexible Term Accounts: Withdraw anytime, with interest paid daily, weekly, or monthly.
🔹 Fixed Term Accounts: Lock assets for up to 12 months for higher returns.
🔹 Interest Rates: Up to 24% APR on stablecoins, and up to 18% on cryptocurrencies.
🔹 Compound Interest: Option to reinvest interest for increased yield.
KYC & Compliance
Identity verification required before using interest services.
Compliance with EU regulations, GDPR, and anti-money laundering (AML) standards.
Upcoming Services
Planned features under development:
Crypto Credit Card — use earned interest as a credit line.
Unsecured Crypto Loans — small loans without collateral.
Instant Swaps — swap assets directly within the platform.
EU Fiat Integration — deposit and withdraw in EUR via SEPA.
COINDEPO Token (CDT) — loyalty token for extra benefits (launch expected 2025).
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| F-2025-1098 | Unauthorized Deposit Plan Creation Leading to Balance Manipulation | fixed | Critical |
| F-2025-1285 | IDOR via Username Parameter allows complete account takeover (ATO) [DualDefense] | fixed | Critical |
| F-2025-1088 | Exposed Hardcoded Credentials | fixed | High |
| F-2025-1111 | Insecure Implementation of Secret Parameter in Account Confirmation and Password Reset Flows | fixed | Medium |
| F-2025-1094 | Improper Trust of X-Forwarded-For and X-Forwarded-Host | fixed | Medium |
| F-2025-1111 | Exposure of Administrative Endpoints | fixed | Observation |
| F-2025-1093 | User Enumeration via Registration Endpoint | accepted | Observation |
Appendix 1. Severity Definitions
| Severity | Description |
|---|---|
| Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
| High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach. |
| Medium | These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
| Low | These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as minor recommendations. |
Appendix 2. Scope
| Scope Details | |
|---|---|
| Web Application | coindepo.com |
| API | app.coindepo.com |
| Whitepaper | https://hackenio.cc/hacken-methodologies |