Introduction
We express our gratitude to the MEXC DEX+ team for the collaborative engagement that enabled the execution of this Pentest.
MEXC is a centralized cryptocurrency exchange established in April 2018 and registered in Seychelles. At the time of writing, 2387 coins and 2794 trading pairs are available on the exchange. Its reported 24-hour trading volume is $2,785,705,704.22, a change of -35.41% over the preceding 24 hours, and it holds $618,029,912.87 in exchange reserves. The most active trading pair is ETH/USDT, with a 24-hour volume of $195,383,565.93.
MEXC is one of the world's leading digital-asset trading platforms. Its core team comes from world-class enterprises and financial companies with rich experience in the blockchain and financial industries.
Document | Details
---|---
Name | Pentest and Security Analysis Report for MEXC DEX+
Audited By | Bohdan Korzhynskyi
Approved By | Stephen Ajayi
Website | https://www.mexc.com/
Changelog | 20/03/2025 - Preliminary Report
Platform | Web, API
Tags | dApp Auditing Web, dApp Auditing API
Methodology | https://hackenio.cc/pentest_methodology
Review Scope | Asset
---|---
Web | ddjhe.com
Audit Summary
Users of the system should acknowledge all the risks summarized in the risks section of the report.
Findings
Code | Title | Status | Severity
---|---|---|---
F-2025-9260 | Use of uncontrolled external domain (dangling domain/subdomain takeover) | fixed | Low
F-2025-9236 | Insecure redirection from HTTPS to HTTP | fixed | Low
F-2025-9234 | URL verification content spoofing (misleading verification) | fixed | Low
F-2025-9257 | Outdated vulnerable JavaScript libraries detected | accepted | Observation
F-2025-9248 | Client-Side Path Traversal with potential CSRF protection bypass for GET requests | accepted | Observation
F-2025-9245 | Absence of CAPTCHA on submission form (/api/operation/tokenListing/form) | accepted | Observation
F-2025-9243 | Incorrect Origin validation via regex bypass (CORS misconfiguration) | fixed | Observation
F-2025-9240 | Insufficient URL validation for redirection parameter (potential Open Redirect/XSS) | accepted | Observation
F-2025-9238 | Missing security headers | accepted | Observation
F-2025-9235 | Information disclosure via error handling | accepted | Observation
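The finding class behind F-2025-9243 (incorrect Origin validation via regex bypass) is worth seeing in code. The block below is an added illustration, not code from the MEXC DEX+ application or from this report, which does not publish the affected pattern. The weak regex, the placeholder host example.com and the sample origins are all constructed assumptions; the point is how an unescaped dot and a missing end anchor let an attacker-controlled origin through, and how an exact allowlist over a parsed URL closes it.

```python
import re
from urllib.parse import urlsplit

# Constructed example (not code from MEXC DEX+ or from this report) showing the
# finding class "incorrect Origin validation via regex bypass". The weak pattern
# and the placeholder host example.com are assumptions for illustration only.

# Weak check: the '.' before "com" is unescaped (matches any character) and the
# pattern has no end anchor, so "example.com" may be a prefix of a longer host.
WEAK_ORIGIN_RE = re.compile(r"^https://([a-z0-9-]+\.)*example.com")


def weak_origin_allowed(origin: str) -> bool:
    """Reflects the Origin header whenever the regex matches a prefix of it."""
    return WEAK_ORIGIN_RE.match(origin) is not None


# Strict check: parse the Origin as a URL and compare scheme, host and port
# against an exact allowlist. An Origin never carries a path, query, fragment
# or userinfo, so any of those is a reason to reject outright.
ALLOWED_ORIGIN_HOSTS = {"example.com", "app.example.com"}


def strict_origin_allowed(origin: str) -> bool:
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.hostname is None:
        return False
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return False
    if port not in (None, 443):
        return False
    return parts.hostname in ALLOWED_ORIGIN_HOSTS


def cors_response_headers(origin, checker) -> dict:
    """Headers a server emits for a credentialed cross-origin request.

    Reflecting an attacker-controlled Origin together with
    Access-Control-Allow-Credentials: true is what turns a regex slip into
    cross-site theft of authenticated responses.
    """
    if origin is not None and checker(origin):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


# Constructed test origins: two legitimate, the rest bypass attempts.
SAMPLE_ORIGINS = [
    "https://example.com",
    "https://app.example.com",
    "https://example.com.evil.net",   # no end anchor: allowlisted host as a prefix
    "https://exampleXcom",            # unescaped '.': any character matches
    "https://example.com:8443",       # different port is a different origin
    "https://example.com@evil.net",   # userinfo trick: real host is evil.net
    "http://example.com",             # plaintext scheme
]


def compare_checks(origins=SAMPLE_ORIGINS) -> dict:
    """Map each origin to (weak_result, strict_result) for side-by-side review."""
    return {o: (weak_origin_allowed(o), strict_origin_allowed(o)) for o in origins}


if __name__ == "__main__":
    for origin, (weak, strict) in compare_checks().items():
        print(f"{origin:32} weak={weak!s:5} strict={strict}")
```

Run against the sample list, four of the five bypass attempts pass the weak regex and none pass the strict check. When testing a target, send each candidate as the `Origin` request header and look for it reflected in `Access-Control-Allow-Origin` alongside `Access-Control-Allow-Credentials: true`; the combination, not the reflection alone, is what makes the misconfiguration exploitable.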
Appendix 1. Severity Definitions
Severity | Description
---|---
Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.
High | These issues present a significant risk to the system but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach.
Medium | These issues present a moderate risk to the system and have a limited impact on its function. They should be addressed in a reasonable time frame but may not require immediate attention.
Low | These issues present minimal risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as minor recommendations.
Appendix 2. Scope
The scope of the engagement covers the following assets:
Scope Details | Asset
---|---
Web | ddjhe.com