Introduction
We express our gratitude to the Mizar team for the collaborative engagement that enabled the execution of this Pentest.
| Document | |
|---|---|
| Name | Pentest and Security Analysis Report for Mizar |
| Audited By | Ece Orsel |
| Approved By | Stephen Ajayi |
| Website | https://mizar.com/ |
| Changelog | 13/01/2025 - Preliminary Report |
| Changelog | 28/01/2025 - Final Report |
| Platform | Web Application + API |
| Methodology | https://hackenio.cc/pentest_methodology |
| Review Scope | |
|---|---|
| Web Application | https://mizar.com/ |
| API | https://app.mizar.com/ |
| API Documentation | https://docs.mizar.com/c-mizar-manual |
| | https://docs.mizar.com/sniper-bot-manual |
Audit Summary
System users should acknowledge all the risks summarized in the risks section of this report.
System Overview
Mizar is a trading platform designed for creating and managing automated trading strategies on centralized (CEX) and decentralized (DEX) cryptocurrency exchanges. The platform provides tools such as Dollar-Cost Averaging (DCA) bots, copy trading features, and smart trading terminals to automate trading processes. It supports on-chain analytics and trading tools on Ethereum, BASE, and BNB chains to facilitate strategic decision-making. Mizar does not hold user funds; all transactions are conducted directly through users' linked exchange accounts. Additionally, it offers the ability to replicate successful investors' strategies and reduce trading fees by staking $MZR tokens.
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| F-2024-7998 | Missing DMARC Policy Enforcement | fixed | High |
| F-2024-7997 | Insecure Handling of Private Key in Memory | fixed | High |
| F-2024-7996 | Insecure Handling of Wallet Seed Phrases in Memory | fixed | High |
| F-2024-8041 | Improper Input Sanitization Might Lead to SQL Injection | fixed | Medium |
| F-2024-8038 | Concurrent Session Management Issue | fixed | Medium |
| F-2024-8001 | Integer Overflow in Mizar Blog page Parameter | fixed | Medium |
| F-2024-7990 | Improper CORS Policy on app.mizar.com | fixed | Medium |
| F-2025-8139 | Missing Input Validation Controls | fixed | Low |
| F-2024-8043 | Input Validation Issue in Wallet Name Field | fixed | Low |
| F-2024-8003 | SSL Certificate Expiry | fixed | Observation |
Appendix 1. Severity Definitions
| Severity | Description |
|---|---|
| Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
| High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach. |
| Medium | These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
| Low | These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation. |
Appendix 2. Scope
The scope of the project includes the following:
| Review Scope | |
|---|---|
| Web Application | https://mizar.com/ |
| API | https://app.mizar.com/ |
| API Documentation | https://docs.mizar.com/c-mizar-manual |
| | https://docs.mizar.com/sniper-bot-manual |
| Whitepaper | https://hackenio.cc/hacken-methodologies |