Introduction
We express our gratitude to the Ourbit team for the collaborative engagement that enabled the execution of this Pentest.
Ourbit is the SuperCEX (centralized crypto exchange) for degens, by degens. Built by the ex-founding team of top-tier exchanges and industry veterans with deep roots across iconic memecoin ecosystems like SPX6900, HarryPotterObamaSonic10Inu etc. Delivering no.1 memecoin liquidity and prophetic listings of high-performing cryptos for spot & futures trading up to 200x leverage, Ourbit empowers the degen community to pursue meme-ionaire dreams.
| Document | |
|---|---|
| Name | Pentest and Security Analysis Report for Ourbit |
| Audited By | |
| Approved By | |
| Website | ourbit.com |
| Changelog | 11/09/2025 - Preliminary Report, 10/10/2025 - Final Report |
| Platform | Web & API |
| Language | React, Next.js |
| Tags | Web Application, API, Pentest |
| Methodology | https://hackenio.cc/dApp_methodology |
Audit Summary
System users should acknowledge all the risks summarized in the risks section of this report.
System Overview
OurBit.com is a modern, secure, and high-performance cryptocurrency exchange platform designed to provide users with a seamless experience for trading digital assets. The system is architected for scalability, reliability, and security, supporting a high volume of concurrent transactions while protecting user funds and data. This section outlines the core components, architecture, and key technologies that power the OurBit ecosystem.
The platform is structured into several interconnected modules:
User Management & Authentication (IAM):
- User registration, KYC/AML verification, and profile management.
- Multi-factor authentication (2FA/MFA), including Google Authenticator and email codes.
- Role-Based Access Control (RBAC) for administrators, support staff, and users.
- Secure session management and anti-phishing mechanisms.
Wallet & Asset Management Engine:
- Hot Wallets: For immediate deposits and withdrawals, securely managed with multi-signature technology.
- Cold Storage: The majority of assets are held in offline, air-gapped cold wallets for maximum security.
- Deposit/Withdrawal Processing: Automated systems for crediting deposits and processing withdrawal requests, with built-in fraud detection and manual review thresholds.
Trading Engine (Core):
- The heart of the exchange, built for ultra-low latency.
- Handles order matching (using a price-time priority algorithm), order book management, and trade execution.
- Supports various order types: Limit, Market, Stop-Limit, etc.
- Real-time calculation of balances and P&L.
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| F-2025-1281 | Insecure Direct Object Reference (IDOR) in Spot ID Parameter | fixed | Medium |
| F-2025-1283 | Missing Rate Limiting on File Upload Functionality | accepted | Low |
| F-2025-1265 | Misconfigured Cross-Origin Resource Sharing (CORS) Policy | accepted | Low |
Appendix 1. Severity Definitions
| Severity | Description |
|---|---|
| Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
| High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach. |
| Medium | These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
| Low | These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation. |
Appendix 2. Scope
The scope of the project includes the following:
| Scope Details | |
|---|---|
| WEB | **https://www.ourbit.com/** |
| API | **https://ourbitdevelop.github.io/apidocs/** |
| Whitepaper | https://hackenio.cc/hacken-methodologies |