KCEX

Audit name: [PT] KCEX / Web+API / Mar2025

Date: Jun 24, 2025

Table of Contents

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer

Introduction

We express our gratitude to the KCEX team for the collaborative engagement that enabled the execution of this Pentest.

KCEX is a centralized cryptocurrency trading platform launched in 2021 and registered in Seychelles. It supports spot and futures trading with up to 100x leverage across a wide variety of digital assets. Account creation requires no KYC; users can sign up and start trading using just an email or phone number.

Document

Name: Web Pentest and Security Analysis Report for KCEX
Audited By: Gul Hameed
Approved By: Stephen Ajayi
Website: https://www.kcex.com/
Changelog: 28/03/2025 - Preliminary Report
Changelog: 24/06/2025 - Final Report
Platform: Web, API
Language/Tech Stack: REACT, Next.js, JavaScript
Tags: Pentest, BlackBox
Methodology: https://hackenio.cc/pentest_methodology

Audit Summary

Total Findings: 12
Resolved: 10
Accepted: 2
Mitigated: 0

The system users should acknowledge all the risks summed up in the risks section of the report.

Threat Modeling and Attack Surface Coverage

As part of the web and API penetration testing of the KCEX Exchange platform, we conducted a thorough threat modeling exercise to identify potential risks, map the application’s attack surface, and assess exploitable vectors in line with the business logic of a centralized exchange. The analysis was guided by a combination of real-world adversary techniques and security best practices, focusing on areas most likely to impact confidentiality, integrity, and availability. Below is a breakdown of the core areas analyzed and the threats evaluated during testing:

Threat Modeling: Registration & Authentication

A variety of vectors were examined, including but not limited to:

  • Bypassing registration limits via browser fingerprint manipulation

  • Multiple account creation using email aliases

  • Denial-of-service through forced account lockout

  • Brute-force attempts against verification code endpoints

  • Insecure or weak password enforcement

  • Acceptance of expired or reused verification codes

  • Missing rate limits on password attempts

  • Logic flaws in OAuth-based login flow

  • Insecure handling of phone/email-based authentication

  • Abuse of password reset to target other users

  • Sessions not invalidated after password reset

  • Bypass of 2FA via password reset loopholes

Threat Modeling: Authorization & Access Controls

A variety of vectors were examined, including but not limited to:

  • Privilege escalation through misconfigured access controls

  • Signature replay attacks enabling the reuse of API requests to place unauthorized trades or withdrawals

  • Bypassing 2FA protections via authentication loopholes

  • Exploiting weak session management to hijack active sessions

  • Manipulating third-party account linking for unauthorized access

  • Circumventing withdrawal security checks by modifying address verification logic

  • Adding unauthorized withdrawal addresses to victim accounts

  • Subverting KYC verification through fake document submissions

  • Resetting security configurations using falsified identity verification

  • Abuse of anti-phishing codes to mislead users into phishing attacks

  • Exploiting weak file upload validation for arbitrary file execution

  • Manipulating event-based reward mechanisms via unauthorized invite codes

  • Unauthorized deletion of other users’ spot and futures orders through IDOR

  • Exploiting profile update mechanisms to bypass intended security restrictions

  • Email spoofing via misconfigured DMARC policy

  • Exploiting cross-site request forgery (CSRF) for account takeovers and unauthorized account modification

  • Exploiting cross-origin resource sharing (CORS) misconfigurations for sensitive data exposure

  • Exploiting cache poisoning for potential DoS and redirects

  • Finding endpoints with potential open redirect issues

  • Exploiting weak rate limiting on the API for potential account takeovers and user spamming

Threat Modeling: Information Disclosure

A variety of vectors were examined, including but not limited to:

  • Exposing sensitive user details via improper API access control

  • Leaking user email or phone numbers through registration or password reset flows

  • Disclosing internal system details via verbose error messages

  • Exposing session tokens or authentication headers in client-side responses

  • Unrestricted access to user transaction history or withdrawal records

  • Improper handling of CORS headers leading to cross-origin data leaks

  • Unauthorized access to user KYC documents or identity verification status

  • Leaking internal referral or commission details through insecure API endpoints

  • Disclosure of backend logic or sensitive configurations via client-side JavaScript

  • Exposing internal logs, debug messages, or admin dashboard endpoints

  • Allowing enumeration of registered users through differences in response behavior

  • Unintended exposure of spot and futures order details through IDOR vulnerabilities

Threat Modeling: Injection Attacks

A variety of vectors were examined, including but not limited to:

  • Injecting malicious scripts into input fields leading to stored or reflected XSS

  • Bypassing input validation to execute unauthorized HTML or JavaScript payloads

  • Exploiting chatbot inputs for potential XSS or HTML injection

System Overview

KCEX is a centralized cryptocurrency trading platform designed to support both spot and futures markets. Users initiate their interaction with the platform by creating an account through a no-KYC registration process, requiring only an email address or phone number. Once registered, users can deposit supported crypto assets into their exchange wallet via blockchain transfers. The platform does not support fiat deposits, so users must onboard with existing cryptocurrencies.

The core of the platform revolves around its trading engine, which facilitates spot trades for direct asset exchanges and perpetual futures contracts for leveraged trading. In the spot market, users can submit buy or sell orders that are matched in real time against other users. For futures trading, users can open long or short positions with leverage up to 100x, using their deposited crypto as margin. The system continuously evaluates positions based on market data to calculate PnL, margin requirements, and liquidation thresholds.

Order management includes limit and market orders, along with advanced trading tools integrated into the trading interface. Each trade updates user balances and is logged for real-time monitoring. The platform also supports internal balance transfers and facilitates withdrawals by broadcasting transactions to the respective blockchain networks. All asset movements and trading operations are handled through clearly defined workflows governed by the trading logic and margin rules.

Additionally, KCEX includes operational logic for promotional programs such as trading bonuses, event-based rewards, and an affiliate system. The affiliate system tracks referrals and distributes a percentage of trading fee rebates to the referrer based on the activity of invited users. These incentive mechanisms are implemented through user activity tracking and conditional logic tied to platform usage metrics. All these components together define the functional and operational boundaries of the KCEX platform.

Key Features Breakdown

  • No-KYC Onboarding: Users can register accounts using only an email or phone number; no identity verification is required.

  • Crypto-Only Deposits: Users deposit supported cryptocurrencies directly via blockchain transfers; fiat currencies are not supported.

  • Spot Trading Engine: Real-time order matching for direct crypto asset exchanges between users.

  • Futures Trading with Leverage: Perpetual futures contracts available with leverage up to 100x, including margin calculations and liquidation logic.

  • Advanced Order Management: Support for market and limit orders, with integrated trading tools and charting interfaces.

  • Wallet and Fund Transfers: Internal wallet system supports deposits, withdrawals, and balance transfers between users.

  • Incentive Programs: Includes promotional bonuses, volume-based trading rewards, and an affiliate system with automated fee rebate distribution.

Findings

Code | Title | Status | Severity
F-2025-9224 | Stored Cross-Site Scripting (XSS) in Chatbot Integration | fixed | High
F-2025-9371 | Registration Restriction Bypass Enables Abuse of Commission Model and Mass Account Creation | accepted | Medium
F-2025-9275 | Profile Update Restriction Bypass Enabling Excessive Uploads | fixed | Medium
F-2025-9226 | Missing DMARC Record Enabling Domain Spoofing | fixed | Medium
F-2025-9231 | Excessive Lockout Duration Leading to Potential Denial of Service | fixed | Medium
F-2025-9375 | Permissive CORS Misconfiguration with Credential Support | fixed | Low
F-2025-9336 | Lack of Alerts When Withdrawing Funds to Deactivated Accounts | accepted | Low
F-2025-9227 | HTML Injection via Insufficient Input Validation | fixed | Low
F-2025-9374 | Improper Input Handling Enables Potential Injection Attacks | fixed | Low
F-2025-9482 | Absence of Essential HTTP Security Headers Increasing Potential Risk | fixed | Observation

1-10 of 12 findings
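Three of the findings above are configuration-level and easy to regression-test once fixed: F-2025-9375 (permissive CORS with credential support), F-2025-9482 (absent HTTP security headers) and F-2025-9226 (missing DMARC record). The script below is an added example for this page, not code from the Hacken report or from KCEX. Every header set, origin and DNS TXT string in it is constructed, and the list of "essential" security headers is this example's assumption, not the report's own list. The CORS check treats a response as misconfigured when it echoes a probe Origin that is not legitimately allowlisted and also sets Access-Control-Allow-Credentials: true, which is the combination that lets a foreign site read authenticated responses.

```python
"""Regression checks for CORS, security-header and DMARC findings.

All sample data is constructed for illustration; nothing here is a KCEX response.
"""
from typing import Dict, List, Optional

# Headers a browser needs to see for baseline hardening (assumed list, not the report's).
ESSENTIAL_SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise so lookups do not miss variants."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_cors(headers: Dict[str, str], probe_origin: str) -> List[str]:
    """Flag the permissive-CORS-with-credentials pattern.

    probe_origin is the Origin header sent with the test request and must be one
    the application has no business allowlisting. If the response reflects it
    (or uses '*' / 'null') while allowing credentials, the policy is unsafe.
    """
    h = _lower_keys(headers)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    issues: List[str] = []
    if acao is None or not creds:
        return issues  # no cross-origin read of credentialed responses is possible
    if acao == "*":
        issues.append("ACAO '*' with credentials (browsers refuse it, but the config is wrong)")
    elif acao.lower() == "null":
        issues.append("ACAO 'null' with credentials: sandboxed frames and file: pages can read responses")
    elif acao == probe_origin:
        issues.append(f"ACAO reflects untrusted probe origin {probe_origin!r} with credentials")
    return issues


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return the essential headers that are absent from the response."""
    h = _lower_keys(headers)
    return [name for name in ESSENTIAL_SECURITY_HEADERS if name not in h]


def dmarc_policy(txt_record: Optional[str]) -> str:
    """Classify a _dmarc TXT record as 'missing', 'invalid', or its p= policy value."""
    if not txt_record:
        return "missing"
    tags: Dict[str, str] = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: the record must carry v=DMARC1 and a p= policy, else it is ignored by receivers.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "invalid"
    return tags["p"].lower()


def dmarc_blocks_spoofing(txt_record: Optional[str]) -> bool:
    """p=none only reports; only quarantine or reject actually acts on spoofed mail."""
    return dmarc_policy(txt_record) in ("quarantine", "reject")


def audit(headers: Dict[str, str], probe_origin: str, dmarc_txt: Optional[str]) -> Dict[str, object]:
    """Combine the three checks into one result a CI job can fail on."""
    return {
        "cors_issues": check_cors(headers, probe_origin),
        "missing_headers": missing_security_headers(headers),
        "dmarc_policy": dmarc_policy(dmarc_txt),
        "dmarc_blocks_spoofing": dmarc_blocks_spoofing(dmarc_txt),
    }


# Constructed sample responses: one showing the weak configuration, one the corrected form.
PROBE_ORIGIN = "https://probe-origin.example"
PERMISSIVE_RESPONSE = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": PROBE_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
}
HARDENED_RESPONSE = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://www.exchange-frontend.test",
    "Access-Control-Allow-Credentials": "true",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    print("weak:", audit(PERMISSIVE_RESPONSE, PROBE_ORIGIN, None))
    print("fixed:", audit(HARDENED_RESPONSE, PROBE_ORIGIN, "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"))
```

To use it against a live deployment, send a request carrying an Origin you control but do not allowlist, pass the response headers as the dict, and pass the TXT record fetched for `_dmarc.<domain>` as the DMARC string; a non-empty `cors_issues`, a non-empty `missing_headers`, or `dmarc_blocks_spoofing` being False means the corresponding finding has regressed.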

Appendix 1. Severity Definitions

Severity / Description

Critical: These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

High: These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.

Medium: These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

Low: These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

The scope of the project includes the following assets:

Scope Details

Web Application: https://www.kcex.com/
Web API: https://api.kcex.com/

Assets in Scope

API
Main KCEX Domain

Disclaimer