Introduction
We express our gratitude to the Zoomex team for the collaborative engagement that enabled the execution of this Pentest.
| Document | |
|---|---|
| Name | Pentest and Security Analysis Report for Zoomex |
| Audited By | |
| Approved By | |
| Website | http://zoomex.com/ |
| Changelog | 01/10/2025 - Preliminary Report |
| Changelog | 30/10/2025 - Final Report |
| Tags | Pentest, Grey-box |
| Methodology | https://hackenio.cc/pentest_methodology |
| Review Scope | |
|---|---|
| URL | https://testnet.zoomex.com/ |
Audit Summary
Users of the system should acknowledge all the risks summarised in the Findings section of this report.
System Overview
Zoomex (www.zoomex.com) is a cryptocurrency exchange that provides a range of trading services, including spot trading, derivatives trading, and copy trading. The platform supports a broad selection of digital asset pairs and allows users to trade perpetual futures with leverage. In addition to standard trading functions, Zoomex incorporates gamified features such as "To The Moon" and "Lucky Draw", which are designed to increase user activity and participation. The exchange also includes social trading tools that let users follow and automatically replicate the strategies of experienced traders, catering to both individual and collective trading styles. The interface is built to simplify order execution, portfolio management, and real-time monitoring of market movements within a single platform.
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| F-2025-1323 | Unvalidated ImageURL Parameter in VIP Subscription Endpoint | fixed | Medium |
| F-2025-1323 | Password change function allows password updates without verifying current password | fixed | Low |
| F-2025-1323 | Insecure JWT Signing Algorithm | accepted | Low |
| F-2025-1323 | Usage of Vulnerable JavaScript Dependencies | accepted | Observation |
| F-2025-1323 | Verbose Error Message | fixed | Observation |
| F-2025-1323 | Potential Application Wide CSRF | accepted | Observation |
Appendix 1. Severity Definitions
| Severity | Description |
|---|---|
| Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
| High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach. |
| Medium | These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
| Low | These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation. |
Appendix 2. Scope
The scope of the project includes the following URL:
| Scope Details | |
|---|---|
| URL | https://testnet.zoomex.com/ |