External penetration test
1. Scope
Trail of Bits conducted a 6-week black/grey-box penetration test against the bitexasia platform between 2025-12-01 and 2026-01-10. Scope included:
- Public web application (bitexasia.com)
- Authenticated customer dashboard
- REST API (v1 public + private endpoints)
- WebSocket infrastructure
- Customer-data handling pipeline (KYC vendor integration, withdrawal authorisation flow)
- Internal admin tools (limited scope, with our security team's escort)
Out of scope: physical security, social engineering of staff, custody key infrastructure (audited separately by a bonded specialist).
2. Findings summary
10 findings total:
- 0 Critical
- 1 High — see Finding 1
- 3 Medium
- 4 Low
- 2 Informational
3. Notable findings (public versions)
Finding 1 (High): IDOR in trade-history export
Issue: Authenticated trade-history export accepted a numeric account ID parameter that was not bound to the session cookie. An attacker with a valid login could request another user's trade history.
Impact: Disclosure of trade history (timestamps, pairs, sizes) for any account. No funds, no PII directly leaked.
Status: Resolved. Parameter removed; account ID derived from session. Hot-fixed 2025-12-08, Trail of Bits retested 2026-01-04 — confirmed fixed.
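As an added illustration of the class of bug in Finding 1 (this is example code written for this summary, not bitexasia's or Trail of Bits' code; the session store, account IDs and trade rows are constructed), the pre-fix handler shape sits beside the session-derived version and a stricter transitional variant that logs mismatches for detection:

```javascript
// Added example, not bitexasia or Trail of Bits code. Shows the IDOR pattern
// from Finding 1 (client-supplied account ID, unbound to the session) next to
// the session-derived fix. Sessions, accounts and trades are constructed.

// Constructed session store: cookie value -> account owning the session.
const SESSIONS = new Map([
  ['sess-alice', { accountId: 1001 }],
  ['sess-bob', { accountId: 1002 }],
]);

// Constructed trade history per account (timestamps, pairs, sizes).
const TRADES = new Map([
  [1001, [{ ts: '2025-12-02T10:00:00Z', pair: 'BTC/USDT', size: 0.5 }]],
  [1002, [{ ts: '2025-12-03T11:30:00Z', pair: 'ETH/USDT', size: 4.0 }]],
]);

// Resolve the session cookie or reject the request outright.
function lookupSession(req) {
  const session = SESSIONS.get(req.cookies.session);
  if (!session) throw new Error('401 unauthenticated');
  return session;
}

// Vulnerable (the pre-fix shape): authentication is checked, but the account
// to export comes from a query parameter the caller controls, so any
// logged-in user can export any account's history.
function exportTradesVulnerable(req) {
  lookupSession(req);
  const accountId = Number(req.query.accountId);
  return TRADES.get(accountId) ?? [];
}

// Fixed (the remediation described in the finding): the account is derived
// from the session and no client parameter is consulted.
function exportTradesFixed(req) {
  const { accountId } = lookupSession(req);
  return TRADES.get(accountId) ?? [];
}

// Variant for a transition period in which legacy clients still send the
// parameter: a value that disagrees with the session is rejected and logged,
// which also gives the SOC a signal for enumeration attempts.
function exportTradesStrict(req, log = () => {}) {
  const { accountId } = lookupSession(req);
  const requested = req.query.accountId;
  if (requested !== undefined && Number(requested) !== accountId) {
    log(`idor-attempt session_account=${accountId} requested=${requested}`);
    throw new Error('403 forbidden');
  }
  return TRADES.get(accountId) ?? [];
}

// Constructed request: Bob's valid session asking for Alice's account.
const BOB_REQUESTS_ALICE = {
  cookies: { session: 'sess-bob' },
  query: { accountId: '1001' },
};
```

The strict variant is the one to deploy while old clients are still in the field: it keeps the session-bound behaviour of the fix, and every rejected mismatch becomes a log line that a detection rule can count per session.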
Finding 4 (Medium): Permissive CORS on public pricing endpoint
Issue: A CORS misconfiguration on a credentialed endpoint echoed the request's Origin header back in Access-Control-Allow-Origin. Combined with a CSRF gap on a separate endpoint, this was theoretically usable in a chained attack.
Status: Resolved. CORS tightened to known origins for credentialed requests; the public pricing endpoint is now credential-free.
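As an added illustration of Finding 4 (example code written for this summary, not bitexasia's or Trail of Bits' code; the origins are constructed), the origin-echo policy sits beside an exact-match allow-list for credentialed requests, the wildcard policy that is appropriate once an endpoint is credential-free, and a check that flags the dangerous header combination in a test suite:

```javascript
// Added example, not bitexasia or Trail of Bits code. Shows the CORS
// origin-echo from Finding 4 next to an allow-list policy, plus a check that
// flags the dangerous header combination. The origins are constructed.

// Constructed allow-list of first-party origins. Membership is an exact
// string match: prefix or regex checks are a classic way to let a lookalike
// such as "https://app.example-exchange.test.attacker.invalid" through.
const ALLOWED_ORIGINS = new Set([
  'https://app.example-exchange.test',
  'https://www.example-exchange.test',
]);

// Vulnerable (pre-fix shape): whatever Origin the browser sent is echoed
// back together with Allow-Credentials, so any site can read the
// authenticated response.
function corsVulnerable(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Fixed: credentialed responses only name an origin on the allow-list.
// Unknown origins get no Allow-Origin header at all, so the browser blocks
// the cross-origin read. Vary: Origin keeps caches from mixing responses.
function corsCredentialed(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return { 'Vary': 'Origin' };
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Credential-free public data (the post-fix pricing endpoint): a wildcard is
// fine here precisely because no cookie or token is involved.
function corsPublic() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Audit check usable in a test suite or a scanner: true when a response
// reflects an origin that is not on the allow-list while also allowing
// credentials, which is the combination Finding 4 describes.
function isOriginReflectionWithCredentials(headers, requestOrigin) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  const allowCreds = headers['Access-Control-Allow-Credentials'] === 'true';
  return allowCreds && allowOrigin === requestOrigin && !ALLOWED_ORIGINS.has(requestOrigin);
}
```

Running isOriginReflectionWithCredentials against every credentialed route in CI, with a probe origin that is deliberately not on the list, turns this class of regression into a failing build rather than a retest finding.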
Finding 7 (Low): Secrets in client-bundle source maps
Issue: Source maps for the public marketing site included references to an internal Datadog API key (read-only metric submission, public repo). Not actionable, but noisy.
Status: Resolved. Source maps no longer published for marketing site; key rotated as a precaution.
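As an added illustration of the release-gate check that prevents a repeat of Finding 7 (example code written for this summary, not bitexasia's or Trail of Bits' code; the source map, file names, bundle tail and the "key" inside them are constructed, and the match patterns are heuristics rather than any vendor's key format), the scanner reads a v3 source map's embedded sources for key-like strings and also flags a bundle that still points at a map:

```javascript
// Added example, not bitexasia or Trail of Bits code. A release-gate check for
// Finding 7: scans a JavaScript source map's embedded sources for key-like
// strings and flags bundles that still reference a map. The map, the file
// names and the "key" inside it are constructed; the patterns are heuristics.

const SECRET_PATTERNS = [
  // Key-like assignment, e.g. DD_API_KEY = '...' or apiKey: "..." (heuristic).
  /(?:api[_-]?key|secret|token|password)\b[^=:'"\n]{0,20}[=:]\s*['"]([A-Za-z0-9_\-]{16,})['"]/gi,
  // Bare 32-hex-character literal, a common API-key shape (heuristic).
  /\b[a-f0-9]{32}\b/gi,
];

// Scan one source map (JSON text, v3 format with sourcesContent). Returns one
// finding per offending source line: { source, line, excerpt }.
function scanSourceMap(mapText) {
  const map = JSON.parse(mapText);
  const sources = map.sources || [];
  const contents = map.sourcesContent || [];
  const findings = [];
  const seen = new Set();
  contents.forEach((content, i) => {
    if (typeof content !== 'string') return;
    content.split('\n').forEach((lineText, idx) => {
      for (const pattern of SECRET_PATTERNS) {
        pattern.lastIndex = 0; // patterns are global; reset between lines
        if (!pattern.exec(lineText)) continue;
        const key = `${sources[i]}:${idx + 1}`;
        if (seen.has(key)) continue; // report a line once even if both patterns hit
        seen.add(key);
        findings.push({ source: sources[i], line: idx + 1, excerpt: lineText.trim().slice(0, 60) });
      }
    });
  });
  return findings;
}

// True when a built bundle still carries a sourceMappingURL comment, which is
// what ties the public bundle to a map the CDN would then serve.
function bundleReferencesSourceMap(bundleText) {
  return /^\s*\/[/*]\s*#\s*sourceMappingURL=/m.test(bundleText);
}

// Constructed source map with an embedded (fake) key in sourcesContent.
const SAMPLE_MAP = JSON.stringify({
  version: 3,
  sources: ['src/metrics.js', 'src/nav.js'],
  sourcesContent: [
    "// constructed sample, not a real key\nconst DD_API_KEY = '0123456789abcdef0123456789abcdef';\nexport function send(m) { return m; }",
    "export const links = ['/markets', '/about'];",
  ],
  mappings: 'AAAA',
});

// Constructed minified bundle tail as a CDN would serve it.
const SAMPLE_BUNDLE = 'console.log("marketing");\n//# sourceMappingURL=main.abc123.js.map\n';
```

A build step that runs both checks over the output directory and fails on any finding covers both halves of the remediation in Finding 7: maps are not published for the marketing site, and a key that slips into a source file is caught before the bundle ships. Rotation of anything the scanner does catch is still required, since the value may already be in version control.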
4. Retest results
Trail of Bits retested the high-severity finding ahead of the bulk window on 2026-01-04 (per the engagement's expedited-retest clause for High and Critical findings). The remaining 9 findings were retested between 2026-01-08 and 2026-01-10:
- 10 of 10 findings: verified resolved.
- 0 regressions: no new findings introduced by remediation work.
5. Trail of Bits' summary opinion
"bitexasia demonstrated mature engineering practices throughout the engagement. Findings were responded to within agreed SLAs, fixes were correct on first attempt for 9 of 10 cases, and the team's incident-response posture during one in-engagement security event was well-rehearsed. We recommend continuing the existing internal red-team programme and budget for an external engagement at the current ~12-month cadence."
Signed: Trail of Bits, 2026-01-15.
6. Full report and contact
The full Trail of Bits report (~120 pages, with detailed reproduction steps for each finding) is available under NDA to qualified parties. Request it via audits@bitexasia.com; response within 5 business days.
Other audits: proof-of-reserves, SOC 2 Type II, operating licences.