The Hacken 2025 Yearly Security ReportCovers major Web3 breaches, their root causes, prevention insights, and key regulatory trends for 2026.
Learn more

NonKyc.io

Audit name:

[PT] NonKYC | Web +API | Jul2025

Date:

Aug 25, 2025

Table of Content

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the NonKyc.io team for the collaborative engagement that enabled the execution of this Pentest.

NonKYC.io is an exchange committed to providing a secure and intuitive platform tailored for trading small and mid-cap digital assets.

Document

NamePentest and Security Analysis Report for NonKyc.io
Audited ByFaizan Nehal
Approved ByStephen Ajayi
Websitehttps://nonkyc.io
Changelog12/08/2025 - Preliminary Report
Changelog25/08/2025 - Final Report
PlatformWeb Application & API
Methodologyhttps://hackenio.cc/pentest_methodology

Review Scope

Web applicationhttps://nonkyc.io
APIhttps://api.nonkyc.io

Protect your dApp with insights like these.

Audit Summary

6Total Findings
5Resolved
1Accepted
0Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report. The web application and API endpoints were found to be secure and no major vulnerability identified in them.

System Overview

The Nonkyc.io exchange is a cryptocurrency trading platform that allows users to create accounts, manage balances, deposit and withdraw assets, and perform spot trading. The platform offers both a web-based client interface and a set of REST APIs for programmatic interaction.

Web Application

The web application is the primary user interface for interacting with the exchange.

  • Account Management: Registration, login, profile updates, and account security settings such as 2FA.

  • Wallet Operations: Viewing balances, transaction history, deposit addresses, and initiating withdrawals.

  • Trading Interface: Spot market view, placing buy/sell orders, viewing open orders and trade history.

  • Support System: Ticket creation, file attachment uploads, and communication with the support team.

  • Settings & Preferences: Language selection, notification preferences, API key management.

API

The API backend is a REST-based service that powers both the web client and any external API integrations. It is hosted under the nonkyc.io domain and accessed over HTTPS. API calls include:

  • Wallet APIs: Retrieving balances, deposits, withdrawals, and transaction history.

  • Trading APIs: Fetching market data, placing and canceling orders, retrieving trade history.

Findings

Code
Title
Status
Severity
F-2025-1205Insecure Password Change Implementation
fixed

Medium
F-2025-1212Vulnerable JavaScript Dependency
fixed

Low
F-2025-1207Lack of Session Invalidation After Phone Number Binding
fixed

Low
F-2025-1212Cross-Site Request Forgery (CSRF) to Change User Language Preference
accepted

Observation
F-2025-1207Insecure Direct Object Reference (IDOR) in Support Ticket Attachments
fixed

Observation
F-2025-1207 Missing CSRF Protection on Multiple Export Functionalities
fixed

Observation
1-6 of 6 findings

Uncover findings like these to secure your project.

Appendix 1. Severity Definitions

Severity

Description

Critical
These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

High
These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.

Medium
These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

Low
These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

  • Severity

    Critical

    Description

    These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

    Severity

    High

    Description

    These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.

    Severity

    Medium

    Description

    These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

    Severity

    Low

    Description

    These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

The scope of the project includes the following:

Scope Details

Web Applicationhttps://nonkyc.io
APIhttps://api.nonkyc.io

Disclaimer

NonKyc.io audit by Hacken