Technology Security, Pillar 03
Your smart contracts may be perfect. If the infrastructure running your nodes, serving your RPC endpoints, hosting your frontend, and deploying your code has exploitable vulnerabilities, an attacker does not need to touch your contracts at all. Blockchain infrastructure penetration testing finds those paths before they do.
Penetration testing for blockchain infrastructure goes beyond the smart contract layer. A Web3 protocol's attack surface includes the servers hosting its RPC nodes, the cloud environments running its backend services, the CI/CD pipelines deploying its contracts, the APIs connecting its frontend to on-chain state, and the administrative interfaces used by the team. These are conventional IT security targets, but in a Web3 context, a successful attack on any of them can be as catastrophic as exploiting the contracts directly.
Our infrastructure penetration testing engagements follow a structured methodology adapted from PTES and OWASP, applied to the specific architecture of blockchain protocols. We combine automated scanning with manual exploitation techniques to find the vulnerabilities that automated tools miss, configuration errors, privilege escalation paths, exposed administrative interfaces, and the logical flaws in how your infrastructure components interact.
Work is delivered through our internal consultancy team and a curated network of specialist partner firms, rigorously vetted for technical depth and professional integrity in the Web3 space.
Infrastructure Is the Perimeter
“When attackers compromised the Orbit Chain bridge in January 2024, the entry point was not a vulnerability in the on-chain contracts, it was unauthorised access to infrastructure used by the team. The $82M loss came from a transaction signed by a legitimate compromised key, not a contract exploit. Infrastructure security is on-chain security.”
One Poisoned Package. Dozens of DApps.
“In December 2023, a former Ledger employee’s NPM account was phished. The attacker published a malicious version of the @ledgerhq/connect-kit package and pushed it to the CDN. Any DApp loading the package automatically served the malicious version, which replaced legitimate wallet interactions with a transaction drainer. Dozens of protocols were affected simultaneously, including SushiSwap, Zapper, and ChangeNOW, simply because they trusted a dependency in their CI/CD pipeline without integrity verification. The contracts were untouched. The deployment infrastructure was the attack surface.”
Penetration testing solutions for blockchain infrastructure are not the same as standard enterprise network penetration testing. The specific attack paths, from RPC node to key theft, from CI/CD compromise to frontend injection, require testers who understand how Web3 infrastructure is architected and how its components interact with on-chain systems.
The Scope
Blockchain infrastructure penetration testing covers four layers of attack surface. A gap in any one of them can give an attacker a path to the same outcome as a smart contract exploit.
Ethereum, Solana, and EVM-compatible node infrastructure. Exposed JSON-RPC endpoints, missing authentication on administrative methods, node client vulnerabilities, and the path from RPC access to key material or privileged operations. Often the most directly reachable attack surface from the public internet.
AWS, GCP, and Azure environments hosting protocol infrastructure. IAM privilege escalation, publicly exposed S3 buckets, misconfigured security groups, exposed secrets in environment variables, and container escape paths. The cloud layer where most Web3 infrastructure actually runs, and where most misconfigurations hide.
Web3 API security testing covering authentication, authorisation, injection, and logical vulnerabilities in the backend services that bridge on-chain state and user-facing functionality. The API layer is where frontend-to-contract trust is established, and where attackers who cannot break the contracts will often look instead.
GitHub Actions, deployment pipelines, dependency management, and package signing. Secret leakage in pipeline logs, pipeline injection via compromised dependencies, and the path from a poisoned CI/CD environment to a backdoored deployment. Often overlooked, increasingly targeted.
