
Pionex

Audit name: [PT] Pionex / Web+API / Oct2024

Date: Nov 21, 2024

Table of Contents

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We express our gratitude to the Pionex team for the collaborative engagement that enabled the execution of this Pentest.

Pionex is a cryptocurrency exchange based in Singapore with a distinctive emphasis on trading bot services. At its core, Pionex offers an array of built-in trading bots tailored to various trading tactics.

Document

Name: Pentest and Security Analysis Report for Pionex
Audited By: Faizan Nehal
Approved By: Stephen Ajayi
Website: https://hacken.io
Changelog: 25/10/2024 - Preliminary Report; 21/11/2024 - Final Report
Methodology: https://hackenio.cc/pentest_methodology

Review Scope

Web Application: https://pionex.com
API: http://api.pionex.com


Audit Summary

Total Findings: 10
Resolved: 9
Accepted: 1
Mitigated: 0

The system users should acknowledge all the risks summed up in the risks section of the report.

Threat Modeling Attack Scenarios

This threat modeling report serves as a comprehensive security assessment for Pionex, focusing on identifying vulnerabilities within its Web Application and API. The primary goal is to uncover potential attack vectors, evaluate associated risks, and provide recommendations for enhancing the platform's security posture against potential threats.

Potential Attack Scenarios

Authentication and Logical Flaws in Sign-In & Sign-Up Functionality

  • A variety of vectors were examined, including but not limited to:

    • Weak password policies

    • Usage of expired verification codes

    • Reuse of verification codes

    • Rate limiting during password entry attempts

    • Logical and authentication issues when signing in via OAuth

    • Flaws in using phone numbers and email for authentication

    • Possible abuse of password reset functionalities to target victims

    • Ensuring proper session invalidation post-password reset

    • Circumvention of 2FA protections through password reset processes

Cross-Site Scripting (XSS) and HTML Injection

  • Comprehensive checks for XSS and HTML injection vulnerabilities across the entire web application, including an assessment for hidden parameters.

Cross-Site Request Forgery (CSRF)

  • Evaluation of CSRF vulnerabilities in POST requests, particularly in changing user preferences and settings.

Information Disclosure Vulnerabilities

  • Testing various features for potential information leakage, such as:

    • Accessing notifications of other users

    • Revealing system messages

    • Marking messages as read on behalf of other users

    • Disclosing API tokens

    • Exposing earnings information and rebate history for other users

    • Accessing wallet balances and deposit/withdrawal histories

    • Disclosing details from primary and futures accounts, including bonus and portfolio information

    • Gaining unauthorized access to bot-related information and order histories

    • Exploring structured product orders and related vulnerabilities

Access Control, Authorization & Authentication Issues

  • Extensive testing of access control and authorization mechanisms due to the sensitive nature of an exchange platform. Key attack vectors included:

    • Creating API tokens without binding to Google 2FA

    • Generating tokens for other users, possibly exposing their access keys

    • Issues with API authentication, such as deleting user tokens

    • Exporting transaction histories of other users, even beyond limits

    • Denial of Service (DoS) attacks on export limits via CSRF or logical flaws

    • Abuse of KYC processes through submission of fake documents

    • Flaws in the reset password functionality

    • Improper handling of mobile verification and Google Authenticator settings for other users

    • Binding multiple accounts to the same phone number

    • Issues with session management during 2FA binding

    • Weaknesses in enabling/disabling 2FA and session token authorization

    • Setting anti-phishing codes for other users

    • Flaws in the account deletion process

    • Disclosing Personally Identifiable Information (PII) from the dashboard

    • Unauthorized changes to usernames and profile pictures

    • Manipulating watchlists and attempting unauthorized withdrawals

    • Rate limiting issues while claiming rewards

    • Unauthorized manipulation of whitelist addresses and other security settings

    • Exploiting bot functionalities, including editing, deleting, and overriding bot orders

    • Testing for logical flaws in futures and structured product orders

    • Verification of the security of Pionex’s structured products, trading bots, and associated features

    • Identifying logical flaws in swap functionalities and demo trading

    • Re-testing access control vulnerabilities in both the Spot and Futures markets, ensuring independent protection.

Cache Poisoning Issues

  • Evaluation of all endpoints for potential cache poisoning vulnerabilities that may lead to the disclosure of sensitive information.

SQL Injection

  • Rigorous testing for SQL injection vulnerabilities across all requests and parameters sent to various endpoints.

System Overview

Pionex is a cryptocurrency exchange that uniquely prioritizes trading bot services, allowing users to create and deploy customized trading bots. This integration enables users to implement trading strategies without the constant need to monitor fluctuating price charts.

In contrast to many exchanges where traders manually set parameters and execute trades, Pionex transforms the trading experience by offering 16 complimentary trading bots. These include popular options such as the DCA Bot, Rebalancing Bot, Martingale Bot, Pionex Arbitrage Bot, Grid Trading Bot, Reverse Grid Bot, and more.

Upon signing up, users gain immediate access to these bots, with the option to use default configurations or tailor them to fit their specific trading preferences. This feature is advantageous for traders at all levels, simplifying the trading process, reducing guesswork, and enhancing the potential for profits with less effort.

For this penetration test, Hacken conducted a thorough assessment of both the Pionex web application and its API.

Web Application: http://www.pionex.com/

API: https://api.pionex.com/

Documentation: https://pionex-doc.gitbook.io/apidocs/

Findings

Code        | Title                                                                                           | Status   | Severity
F-2024-6757 | Insecure Modification of Trading Bot Settings via Authorization Bypass                          | fixed    | High
F-2024-6756 | Insecure Direct Object Reference (IDOR) Leading to Disclosure of Futures Trading Bot Trade History | fixed    | High
F-2024-6758 | Insecure Direct Object Reference (IDOR) in Trading Bot Order Endpoint                           | fixed    | Medium
F-2024-6750 | Inadequate Session Management: No Mechanism to View and Revoke Active Sessions                  | fixed    | Medium
F-2024-6751 | Bypass Minimum Investment Requirements When Adding Funds to Trading Bot Position                | fixed    | Low
F-2024-6748 | Bypass Minimum Investment Requirement in Earning Robot Strategies via Front-End Manipulation    | fixed    | Low
F-2024-6745 | Bypass Minimum Investment Requirement in Dual Investment via Front-End Manipulation             | fixed    | Low
F-2024-6736 | Insufficient Rate Limiting on Crypto Box Redemption Endpoint                                    | fixed    | Low
F-2024-6735 | Persistent Active Sessions After Google 2FA Activation                                          | fixed    | Low
F-2024-6734 | Password Reuse Allowed                                                                          | accepted | Observation
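The findings above, together with the access control vectors listed under "Threat Modeling Attack Scenarios", fall into three recurring classes: object lookups that are not scoped to the caller (the IDOR and authorization-bypass findings), business limits enforced only in the front end (the minimum-investment findings), and sessions that are neither listable nor invalidated when account security changes (the session-management and 2FA findings). The following is an added example, not Pionex's code and not part of the Hacken report, showing how a backend enforces all three on the server side. The class and method names, the `MIN_INVESTMENT` and `MIN_TOPUP` values, and the in-memory stores are assumptions constructed for this illustration.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Constructed limits for this example; not Pionex's real values.
MIN_INVESTMENT = {"grid": 50.0, "dca": 10.0}
MIN_TOPUP = 5.0


class Forbidden(Exception):
    pass


class ValidationError(Exception):
    pass


@dataclass
class BotOrder:
    order_id: int
    owner_id: int
    bot_type: str
    invested: float


@dataclass
class Session:
    token: str
    user_id: int
    revoked: bool = False


class ExchangeBackend:
    """Hypothetical backend. Every check runs on the server; nothing relies on the browser."""

    def __init__(self) -> None:
        self.orders: dict[int, BotOrder] = {}
        self.sessions: dict[str, Session] = {}
        self._next_order = 1

    # ----- Sessions: listable, revocable, and invalidated on 2FA activation -----
    def login(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user_id)
        return token

    def authenticate(self, token: str) -> int:
        s = self.sessions.get(token)
        if s is None or s.revoked:
            raise Forbidden("invalid or revoked session")
        return s.user_id

    def list_sessions(self, user_id: int) -> list[str]:
        return [s.token for s in self.sessions.values()
                if s.user_id == user_id and not s.revoked]

    def revoke_session(self, caller_id: int, token: str) -> None:
        s = self.sessions.get(token)
        if s is None or s.user_id != caller_id:
            raise Forbidden("session not found")
        s.revoked = True

    def enable_2fa(self, user_id: int, current_token: str) -> int:
        """Turning on 2FA revokes every other session so pre-2FA logins cannot linger."""
        if self.authenticate(current_token) != user_id:
            raise Forbidden("token does not belong to user")
        revoked = 0
        for s in self.sessions.values():
            if s.user_id == user_id and s.token != current_token and not s.revoked:
                s.revoked = True
                revoked += 1
        return revoked

    # ----- Object access: every lookup is scoped to the caller -----
    def get_bot_order(self, caller_id: int, order_id: int) -> BotOrder:
        order = self.orders.get(order_id)
        # Same error for "missing" and "not yours", so the response does not confirm existence.
        if order is None or order.owner_id != caller_id:
            raise Forbidden("order not found")
        return order

    # ----- Investment limits: enforced here, regardless of what the UI allowed -----
    def open_bot(self, caller_id: int, bot_type: str, amount: float) -> BotOrder:
        minimum = MIN_INVESTMENT.get(bot_type)
        if minimum is None:
            raise ValidationError("unknown bot type")
        if not amount >= minimum:  # 'not >=' rather than '<' so NaN is rejected too
            raise ValidationError(f"minimum investment for {bot_type} is {minimum}")
        order = BotOrder(self._next_order, caller_id, bot_type, float(amount))
        self.orders[order.order_id] = order
        self._next_order += 1
        return order

    def add_funds(self, caller_id: int, order_id: int, amount: float) -> float:
        order = self.get_bot_order(caller_id, order_id)  # ownership check first
        if not amount >= MIN_TOPUP:
            raise ValidationError(f"minimum top-up is {MIN_TOPUP}")
        order.invested += float(amount)
        return order.invested
```

The design choice worth noting is that ownership is checked inside the lookup helper rather than at each call site, so a new endpoint cannot forget it, and that the limit checks are written as "not amount >= minimum" so a non-numeric or NaN amount smuggled past client-side validation is rejected rather than silently accepted.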


Appendix 1. Severity Definitions

Critical: These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

High: These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach.

Medium: These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

Low: These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

The scope of the project includes the following assets:

Assets in Scope

API
API Doc
Main Pionex Domain
Stream Pionex

Disclaimer