Q1 2026 Security & Compliance Report44 incidents, $482M in losses, insights from 11 industry leaders.
Read the report

Audit name:

[PT] Nyala | API | May2026

Date:

Jun 26, 2026

Table of Content

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Appendix 3. Additional Valuables
Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the Nyala team for the collaborative engagement that enabled the execution of this Pentest.

The Nyala Internal API is a backend service that provides core platform functionality related to institution management, wallet operations, digital asset management, and blockchain interactions.

Document

NamePentest and Security Analysis Report for Nyala
Approved ByEce Orsel
Websitehttps://www.nyala.de/en
Changelog29/05/2026 - Preliminary Report
Changelog30/06/2026 - Final Report
PlatformAPI
Methodologyhttps://docs.hacken.io/methodologies/pentesting

Protect your dApp with insights like these.

Audit Summary

5Total Findings
4Resolved
1Accepted
0Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report

{FindingsVulnSeverityStatusTable}

System Overview

The Nyala API is an internal backend service that supports the management of institutions, digital asset operations, wallet management, identity-related workflows, and blockchain interactions. The API serves as a central component within the platform's infrastructure and exposes functionality required for asset issuance, wallet administration, transaction processing, recovery operations, and smart contract lifecycle management.

The API is organized into multiple versions and provides functionality for managing institutional entities, issuer wallets, retail wallets, digital assets, and related blockchain operations. The service enables authorized systems to perform actions such as wallet creation and recovery, transaction signing, asset management, token issuance, contract deployment, identity registration, and retrieval of blockchain-related information.

Authentication is performed through HMAC-based request signing using API credentials. Based on information provided during the assessment, the internal API operates behind external services that are responsible for enforcing institution-level access controls before requests are forwarded to the internal layer.

The API processes highly sensitive operations that can impact digital assets, wallet infrastructure, cryptographic material, and blockchain transactions. As a result, the service represents a high-value component within the overall platform architecture and relies on strong authentication, authorization, input validation, secure key management, tenant isolation, and error handling controls to maintain the security of the environment.

Overall, the Nyala Internal API functions as a privileged backend service that provides the core business and blockchain functionality required by the platform while acting as an intermediary between external services and the underlying digital asset infrastructure.

Findings

Code
Title
Status
Severity
F-2026-1764Insufficient Environment Segregation Prevented Verification of Cross-API Credential Authorization Controls
fixed

Medium
F-2026-1764Insufficient Server-Side Validation of KMS Key Identifiers Allows Arbitrary Configuration Values
fixed

Low
F-2026-1764Insufficient Input Validation Feedback Returns Generic Error Responses
accepted

Observation
F-2026-1764Improper Validation Order Allows Enumeration of Locked Issuer Wallet Seeds
fixed

Observation
F-2026-1764Verbose Error Message Discloses Internal Application Implementation Details
fixed

Observation
1-5 of 5 findings

Uncover findings like these to secure your project.

Appendix 1. Severity Definitions

Findings are categorized based on their potential impact and assigned a severity level using the Common Vulnerability Scoring System (CVSS) version 4.0:

Severity

Description

Critical
These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

High
These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.

Medium
These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

Low
These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.
  • Severity

    Critical

    Description

    These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

    Severity

    High

    Description

    These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.

    Severity

    Medium

    Description

    These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

    Severity

    Low

    Description

    These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

The scope of the project includes the following:

Appendix 3. Additional Valuables

Frameworks and Methodologies

This security assessment was conducted in alignment with recognised penetration testing standards, methodologies and guidelines, including the NIST SP 800-115 – Technical Guide to Information Security Testing and Assessment , the Penetration Testing Execution Standard (PTES) , and the OWASP Testing Guide . These assets provide a structured foundation for planning, executing, and documenting technical evaluations such as vulnerability assessments, exploitation activities, and security code reviews. Hacken’s internal penetration testing methodology extends these principles to Web2 and Web3 environments to ensure consistency, repeatability, and verifiable outcomes.

Disclaimer