Introduction
We express our gratitude to the Nyala team for the collaborative engagement that enabled the execution of this Pentest.
The Nyala Internal API is a backend service that provides core platform functionality related to institution management, wallet operations, digital asset management, and blockchain interactions.
Document | |
|---|---|
| Name | Pentest and Security Analysis Report for Nyala |
| Approved By | Ece Orsel |
| Website | https://www.nyala.de/en→ |
| Changelog | 29/05/2026 - Preliminary Report |
| Changelog | 30/06/2026 - Final Report |
| Platform | API |
| Methodology | https://docs.hacken.io/methodologies/pentesting→ |
Document
- Name
- Pentest and Security Analysis Report for Nyala
- Approved By
- Ece Orsel
- Website
- https://www.nyala.de/en→
- Changelog
- 29/05/2026 - Preliminary Report
- Changelog
- 30/06/2026 - Final Report
- Platform
- API
Review Scope | |
|---|---|
| API Base URL | http://io-api.uat.internal.nyala.de→ |
Review Scope
- API Base URL
- http://io-api.uat.internal.nyala.de→
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
{FindingsVulnSeverityStatusTable}
System Overview
The Nyala API is an internal backend service that supports the management of institutions, digital asset operations, wallet management, identity-related workflows, and blockchain interactions. The API serves as a central component within the platform's infrastructure and exposes functionality required for asset issuance, wallet administration, transaction processing, recovery operations, and smart contract lifecycle management.
The API is organized into multiple versions and provides functionality for managing institutional entities, issuer wallets, retail wallets, digital assets, and related blockchain operations. The service enables authorized systems to perform actions such as wallet creation and recovery, transaction signing, asset management, token issuance, contract deployment, identity registration, and retrieval of blockchain-related information.
Authentication is performed through HMAC-based request signing using API credentials. Based on information provided during the assessment, the internal API operates behind external services that are responsible for enforcing institution-level access controls before requests are forwarded to the internal layer.
The API processes highly sensitive operations that can impact digital assets, wallet infrastructure, cryptographic material, and blockchain transactions. As a result, the service represents a high-value component within the overall platform architecture and relies on strong authentication, authorization, input validation, secure key management, tenant isolation, and error handling controls to maintain the security of the environment.
Overall, the Nyala Internal API functions as a privileged backend service that provides the core business and blockchain functionality required by the platform while acting as an intermediary between external services and the underlying digital asset infrastructure.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2026-1764 | Insufficient Environment Segregation Prevented Verification of Cross-API Credential Authorization Controls | fixed | Medium | |
| F-2026-1764 | Insufficient Server-Side Validation of KMS Key Identifiers Allows Arbitrary Configuration Values | fixed | Low | |
| F-2026-1764 | Insufficient Input Validation Feedback Returns Generic Error Responses | accepted | Observation | |
| F-2026-1764 | Improper Validation Order Allows Enumeration of Locked Issuer Wallet Seeds | fixed | Observation | |
| F-2026-1764 | Verbose Error Message Discloses Internal Application Implementation Details | fixed | Observation |
Appendix 1. Severity Definitions
Findings are categorized based on their potential impact and assigned a severity level using the Common Vulnerability Scoring System (CVSS) version 4.0: →
Severity | Description |
|---|---|
Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach. |
Medium | These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
Low | These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation. |
Severity
- Critical
Description
- These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.
Severity
- High
Description
- These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.
Severity
- Medium
Description
- These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.
Severity
- Low
Description
- These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.
Appendix 2. Scope
The scope of the project includes the following:
Scope Details | |
|---|---|
| API Base URL | http://io-api.uat.internal.nyala.de→ |
Scope Details
- API Base URL
- http://io-api.uat.internal.nyala.de→
Appendix 3. Additional Valuables
Frameworks and Methodologies
This security assessment was conducted in alignment with recognised penetration testing standards, methodologies and guidelines, including the NIST SP 800-115 – Technical Guide to Information Security Testing and Assessment →, the Penetration Testing Execution Standard (PTES) →, and the OWASP Testing Guide →. These assets provide a structured foundation for planning, executing, and documenting technical evaluations such as vulnerability assessments, exploitation activities, and security code reviews. Hacken’s internal penetration testing methodology extends these principles to Web2 and Web3 environments to ensure consistency, repeatability, and verifiable outcomes.