
MEXC

Audit name: [PT] MEXC DEX+ / Android / Mar2025
Date: May 23, 2025

Table of Contents

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We express our gratitude to the MEXC team for the collaborative engagement that made this pentest possible.

MEXC is a centralized cryptocurrency exchange known for its high-performance mega-transaction matching technology. The platform offers a broad selection of over 3,000 trading pairs, providing users with access to a diverse range of digital assets. MEXC emphasizes user-friendly experiences by offering zero maker fees and low taker fees, enhancing trading efficiency and cost-effectiveness.

Document

Name: Pentest and Security Analysis Report for MEXC
Audited By: Sam Ronald
Approved By: Stephen Ajayi
Website: https://www.mexc.com/
Changelog: 27/03/2025 - Preliminary Report, 22/04/2025 - Final Report
Platform: Android
Language: Java
Tags: Pentest
Methodology: https://hackenio.cc/pentest_methodology

Review Scope

Android Application: Shared Privately
Version: 6.3.1


Audit Summary

Total Findings: 9
Resolved: 6
Accepted: 3
Mitigated: 0

System users should acknowledge all the risks summarized in the Findings section of this report.

System Overview

The MEXC Android application is designed to provide users with seamless access to cryptocurrency trading on mobile devices. Key features of the app include:

  • User Interface: The app features a clean and intuitive interface, facilitating easy navigation for both novice and experienced traders.

  • Trading Functionality: Users can engage in spot and futures trading with zero maker fees and low taker fees. The app supports a wide variety of cryptocurrencies, enabling comprehensive trading opportunities.

  • Security Measures: MEXC implements robust security protocols to protect user assets and data. The app provides transparent information about platform reserves and reserve ratios, ensuring users are informed about asset security.

  • Additional Features: The application offers various trading tools and features, such as margin trading, futures, and staking options, catering to the needs of diverse traders. Users can also participate in daily airdrop events and access up to 60% yield for holding MX tokens.

The MEXC Android app aims to deliver a secure and efficient trading experience, aligning with the platform's commitment to making cryptocurrency trading accessible and user-friendly.

Findings

Code         Severity     Status    Title
F-2025-9351  High         Fixed     Email Spoofing Enabled Due to Missing DMARC, SPF, and DNS Protections
F-2025-9348  High         Fixed     Widespread Reflected XSS via id Parameter across Multiple /token-airdrop/ Endpoints
F-2025-9357  Medium       Fixed     Exposed Hardcoded Credentials and Tokens
F-2025-9349  Medium       Fixed     Global Insecure CORS Policy with Credential Leakage on www.greentreeone.com API
F-2025-9355  Low          Accepted  SSL Pinning Bypass via Objection
F-2025-9358  Observation  Accepted  Insecure Random Number Generation Using Math.random
F-2025-9354  Observation  Fixed     Missing Root Detection Mechanisms in Mobile App
F-2025-9353  Observation  Fixed     Copyable Password Field in MEXC Mobile Application
F-2025-9350  Observation  Accepted  Improper Error Handling and Verbose Exception Disclosure in /api/gateway/pmt/market/web/orders
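The highest-rated finding above (F-2025-9351) attributes email spoofing to missing DMARC and SPF protections, but the report page does not show the records themselves. The following Python is an added illustration, not part of the Hacken report or of MEXC's code, of the checks a practitioner runs on a domain's TXT records to confirm that class of weakness. The domains and DNS data are constructed samples; in practice you would fill SAMPLE_DNS from `dig +short TXT <name>` for the real domain and its `_dmarc.` subdomain.

```python
"""Offline evaluation of SPF and DMARC TXT records for the weaknesses behind an
"email spoofing" finding. Added example, not part of the audit report; the DNS
data below is constructed and the domains are hypothetical."""
import re
from dataclasses import dataclass, field

# Constructed sample DNS data: owner name -> list of TXT strings (not real records).
SAMPLE_DNS = {
    "weak.example": ["v=spf1 include:_spf.mail.example +all"],
    # No "_dmarc.weak.example" entry: the domain publishes no DMARC policy at all.
    "hardened.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.hardened.example": [
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
        "rua=mailto:dmarc@hardened.example"
    ],
}

# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


@dataclass
class EmailAuthReport:
    domain: str
    issues: list = field(default_factory=list)

    @property
    def clean(self) -> bool:
        """True when no SPF/DMARC weakness was found for the domain."""
        return not self.issues


def spf_all_qualifier(terms):
    """Qualifier of the 'all' mechanism ('+' when omitted), or None if absent."""
    for term in terms:
        qualifier, mech = "+", term
        if term and term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        if mech.lower() == "all":
            return qualifier
    return None


def spf_dns_lookups(terms):
    """Count mechanisms/modifiers that trigger DNS queries during evaluation."""
    count = 0
    for term in terms:
        m = re.match(r"[+\-~?]?([A-Za-z0-9]+)", term)
        if m and m.group(1).lower() in LOOKUP_TERMS:
            count += 1
    return count


def check_spf(txt_records):
    issues = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record, so any host may send as this domain"]
    if len(spf) > 1:
        issues.append("SPF: multiple v=spf1 records; RFC 7208 section 4.5 makes this a permerror")
    terms = spf[0].split()[1:]
    qualifier = spf_all_qualifier(terms)
    if qualifier is None:
        issues.append("SPF: no 'all' mechanism; unmatched senders get a neutral result")
    elif qualifier in "+?":
        issues.append(f"SPF: '{qualifier}all' lets unmatched senders pass or be ignored")
    lookups = spf_dns_lookups(terms)
    if lookups > 10:
        issues.append(f"SPF: {lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return issues


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt_records):
    issues = []
    recs = [r for r in txt_records if r.strip().upper().startswith("V=DMARC1")]
    if not recs:
        return ["DMARC: no record at _dmarc.<domain>; receivers apply no policy to forged mail"]
    if len(recs) > 1:
        issues.append("DMARC: multiple records; receivers ignore all of them (RFC 7489 section 6.6.3)")
    tags = parse_dmarc(recs[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("DMARC: missing or invalid p= tag; the record is discarded")
    elif policy == "none":
        issues.append("DMARC: p=none only monitors; forged mail is still delivered")
    if tags.get("sp", "").lower() == "none":
        issues.append("DMARC: sp=none leaves subdomains spoofable")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        issues.append("DMARC: no rua= address, so nobody receives aggregate reports")
    return issues


def evaluate(domain, dns=SAMPLE_DNS):
    """Combine SPF checks on the domain with DMARC checks on its _dmarc. name."""
    report = EmailAuthReport(domain)
    report.issues += check_spf(dns.get(domain, []))
    report.issues += check_dmarc(dns.get(f"_dmarc.{domain}", []))
    return report


if __name__ == "__main__":
    for name in ("weak.example", "hardened.example"):
        rep = evaluate(name)
        print(f"{name}: {'OK' if rep.clean else 'WEAK'}")
        for issue in rep.issues:
            print("  -", issue)
```

The two sample domains bracket the finding: `weak.example` ends its SPF with `+all` and has no DMARC record, so a forged From: header passes both checks, while `hardened.example` uses `-all` with `p=reject`, strict alignment and an aggregate-report address. A DMARC record that exists but says `p=none` is reported separately, since that is the common half-fix that still leaves spoofing deliverable.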


Appendix 1. Severity Definitions

Severity: Critical
Description: These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

Severity: High
Description: These issues present a significant risk to the system but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach.

Severity: Medium
Description: These issues present a moderate risk to the system and do not have a great impact on its function. They should be addressed in a reasonable time frame but may not require immediate attention.

Severity: Low
Description: These issues present no direct risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as minor recommendations.

Appendix 2. Scope

The scope of the project includes the following:

Scope Details

Android Application: Shared Privately
Version: 6.3.1

Disclaimer