SERVICE / PENETRATION TESTING

Web2.5 Penetration Testing

The security of a crypto business lives in the seam between a web2 backend and the blockchain. Decurity are the experts at finding the edge cases in those integrations — for exchanges, custodians, payment processors and any fintech that touches crypto.

REQUEST A PENTESTWHAT IS WEB2.5?0-days reported to 20+ exchanges
THE WEB2.5 ATTACK SURFACE

Most crypto platforms aren't purely onchain. Business logic runs in a web2 backend that talks to blockchains through a thin integration layer — and that layer is where the money-losing bugs hide.

WEB2 / BACKEND
  • ·APIs & business logic
  • ·Databases & ledgers
  • ·Auth & admin panels
  • ·Accounting engine
INTEGRATION LAYER
  • Deposits & withdrawals
  • Webhooks & callbacks
  • Signing & key handling
  • Reorg / finality logic
← WHERE THE BUGS LIVE
WEB3 / ONCHAIN
  • ·Nodes & RPC providers
  • ·Smart contracts
  • ·Mempool & bridges
  • ·Token standards
WHO IT'S FOR

Exchanges (CEX)

Deposit/withdrawal engines, matching, internal transfers, admin surfaces.

Custodians

Key management, HSM firmware, signing services, HD wallet implementations.

Payment Processors

Crypto acquiring, settlement, invoicing and fiat on/off-ramps.

Staking Providers

Validator infra, reward accounting, delegation and withdrawal flows.

Fintech accepting crypto

Any institution integrating blockchain rails into a web2 backend.

DeFi backends & dApps

Protocol backends, relayers, keepers, frontends and off-chain components.

EDGE CASES WE FIND
01

Fake deposits

Crafted transactions that credit an account without real, final funds arriving.

02

Deposit / withdrawal races

Concurrency and TOCTOU bugs in balance accounting and settlement.

03

Reorg & finality handling

Crediting on non-final blocks; chain reorganizations and re-spends.

04

Address & memo confusion

Tag/memo, checksum, case and format edge cases across chains.

05

Decimals & precision

Rounding, unit and token-decimal mismatches that leak value.

06

Webhook & callback spoofing

Forged node/provider callbacks and unauthenticated integration hooks.

07

Signature replay & nonces

Replayable signed payloads, nonce reuse and cross-chain replay.

08

Node / RPC trust

Over-trusting RPC responses, mempool and third-party indexers.

TRACK RECORD

Dozens of 0-days, reported to the biggest names in crypto

Decurity researchers discovered novel fake-deposit and integration attacks — some already being exploited in the wild — and responsibly reported them to 20+ exchanges, custodians and payment platforms.

REPORTED TO
OKXHTXGatePhemexWhiteBITBitMartBingXAscendEXCEX.IOBitrueBitkubCoinWXTBTSEEXMOBiconomy+ more ↗
RECENT WEB2.5 ENGAGEMENTS

A live slice of Decurity's public audit history tagged Web2.5 — pulled from our reports repository.

ENGAGEMENTSCOPEDATE
Confidential (payment provider)Web2.5 · Solana · TONJune 2026
Confidential (CEX)Web2.5June 2026
Confidential (payment provider)Web2.5 · EVMMay 2026
ConfidentialCEX · Web2.5May 2026
ConfidentialStablecoin · HTLC · Cross-chain · Web2.5January 2026
ConfidentialCEX · Web2.5December 2025
ConfidentialForex · Web2.5December 2025
Vooi (Frontend)Web2.5 · TypescriptNovember 2025
ConfidentialCEX · Web2.5November 2025
ConfidentialStablecoin · HTLC · Cross-chain · Web2.5November 2025
ALL PUBLIC REPORTS

Test your blockchain integration before an attacker does

Tell us about your platform and Decurity will scope a penetration test.

REQUEST FORM