
Technology Security, Pillar 03

DApp & Web3 API Security Testing.

Your smart contracts may be audited. Your frontend is the part your users actually touch, and it is where the most sophisticated attacks against Web3 protocols now happen. A compromised DApp interface can drain wallets without touching a single line of your on-chain code.

The Service

Web Application Security Testing for Decentralised Applications & APIs

Web3 application security is distinct from traditional web application security in a critical way: the consequences of a successful attack are irreversible. A compromised Web2 application can reset passwords and restore from backup. A compromised DApp that tricks users into signing a malicious transaction drains their wallets permanently. This changes the risk calculus for every vulnerability class: an XSS that would be "medium severity" in a traditional application becomes critical when it can inject a wallet-draining transaction approval into a user's signing flow.

Our DApp and Web3 API security testing covers the full user-facing stack: the frontend application, the wallet connection layer, the APIs bridging on-chain and off-chain state, and the transaction construction and signing flow. We test against both conventional OWASP web application vulnerabilities and the Web3-specific attack vectors that standard web application penetration testing services do not cover.

What We Test

Work is delivered through our internal consultancy team and a curated network of specialist partner firms, rigorously vetted for technical depth and professional integrity in the Web3 space.

  • Frontend injection: XSS, content injection, and DOM manipulation that can alter transaction data before signing
  • Wallet connection security: WalletConnect, MetaMask, and Web3Modal integration vulnerabilities and session hijacking
  • Signature phishing exposure: EIP-712 structured data, permit() abuse, and blind signing vectors surfaced in your signing flow
  • Transaction simulation attack surfaces: manipulated calldata, approval phishing, and setApprovalForAll abuse
  • Web3 API security: authentication bypass, rate limiting gaps, and injection vulnerabilities in JSON-RPC and REST endpoints
  • DNS and CDN security: subdomain takeover, CDN cache poisoning, and supply chain injection via compromised dependencies
  • Access control and authorisation: admin interfaces, privileged API endpoints, and IDOR vulnerabilities in user data
  • OWASP Top 10 coverage: injection, broken authentication, sensitive data exposure, SSRF, and security misconfiguration

One Cloudflare Account. $120M Drained.

“The BadgerDAO breach of December 2021 was not a smart contract exploit. An attacker gained access to a Cloudflare account used by the Badger team, likely via phishing, and used it to inject a malicious script into the protocol’s website via a Cloudflare Worker. Every user who visited the DApp while the script was active was prompted to grant an unlimited token approval to the attacker’s address. The Badger smart contracts functioned correctly throughout. $120M was drained from users who trusted the interface they were using. The contracts were fine. The frontend was not.”
Security4Web3 Incident Analysis

Inferno Drainer: $80M via Permit Signatures

“Inferno Drainer was a phishing-as-a-service kit that operated throughout 2023 until its operators shut it down in November. It worked by constructing phishing sites that prompted users to sign EIP-712 permit() messages or setApprovalForAll transactions, presented as routine ‘wallet verification’ or ‘claim’ flows. Each signed message was used on-chain to authorise the drainer to move tokens without further user interaction. Scam Sniffer estimated over $80M was stolen from approximately 100,000 victims. The attack surface was the gap between what users were told they were signing and what the EIP-712 data actually authorised.”
Security4Web3 Incident Analysis

Web security tools and website security testing designed for traditional web applications do not cover the Web3-specific attack surface. Standard scanners have no awareness of wallet connection flows, transaction construction logic, or on-chain signature validity. DApp security testing requires a tester who understands both web application security and how blockchain interactions work.

The Attack Surface

Where DApp Attacks Actually Happen.

Web3 frontend attacks cluster across four surfaces. Each requires specific testing techniques that go beyond standard web application security assessments.

Frontend Injection

XSS, DOM manipulation, and content injection that can modify what users see in their transaction approval flow. A one-line script injection that changes a recipient address or approval amount is invisible to the user but permanently destructive. Testing includes both stored and reflected XSS, as well as dependency integrity verification.

Wallet & Signing Layer

WalletConnect session security, MetaMask RPC injection, and the signing flow itself. We assess whether your application constructs and displays EIP-712 typed-data signatures, permit() requests, and setApprovalForAll transactions in a way that a user can meaningfully verify, or whether a phishing variant of your interface could extract the same signatures without detection.
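The checks this section and the What We Test list describe (manipulated calldata, approval phishing, setApprovalForAll abuse, permit() abuse, blind signing), written out as an added example that is not Security4Web3's code nor any wallet's: a pre-sign guard the frontend runs on each wallet request before forwarding it to the provider, so the confirmation screen can state what the request actually authorises. It decodes ERC-20 approve/transfer and ERC-721 setApprovalForAll calldata and ERC-2612 Permit typed data, and flags unlimited approvals, spenders outside the protocol's own contracts, recipients that differ from what the UI displayed, token or chain mismatches, and far-future permit deadlines. The addresses, chain id, trusted-spender list and requests are constructed sample data; the `ctx` object (what the frontend knows at signing time) is an assumption.

```javascript
// Added example, not Security4Web3's code: a pre-sign guard run on every wallet
// request before it reaches the provider. Addresses, chain id and the trusted-spender
// list are constructed sample data; `ctx` is an assumed frontend context.
// 4-byte selectors are the first 4 bytes of keccak256(signature); these are the
// standard ERC-20 / ERC-721 ones.
const SELECTORS = {
  "0x095ea7b3": { name: "approve", argc: 2 },           // approve(address,uint256)
  "0xa9059cbb": { name: "transfer", argc: 2 },          // transfer(address,uint256)
  "0xa22cb465": { name: "setApprovalForAll", argc: 2 }, // setApprovalForAll(address,bool)
};
const MAX_UINT256 = (1n << 256n) - 1n;
const word = (data, i) => data.slice(10 + 64 * i, 10 + 64 * (i + 1)); // i-th ABI word
const toAddress = (w) => "0x" + w.slice(24);                            // last 20 bytes
const toBigInt = (w) => BigInt("0x" + w);
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");          // ABI-encode one word

function spenderFindings(addr, ctx) {
  return ctx.trustedSpenders.includes(addr)
    ? []
    : [`spender/operator ${addr} is not a known protocol contract`];
}

// Decode the calldata of an eth_sendTransaction request.
function inspectCalldata(tx, ctx) {
  const data = String(tx.data || "0x").toLowerCase();
  const sel = SELECTORS[data.slice(0, 10)];
  if (!sel) return { kind: "unknown", findings: ["unrecognised function: cannot explain this call to the user"] };
  if (data.length !== 10 + 64 * sel.argc) return { kind: sel.name, findings: ["malformed calldata length"] };
  const target = toAddress(word(data, 0));
  const findings = [];
  if (sel.name === "approve") {
    const amount = toBigInt(word(data, 1));
    if (amount === MAX_UINT256) findings.push("unlimited ERC-20 approval");
    findings.push(...spenderFindings(target, ctx));
    return { kind: "approve", token: String(tx.to).toLowerCase(), spender: target, amount, findings };
  }
  if (sel.name === "setApprovalForAll") {
    const approved = toBigInt(word(data, 1)) === 1n;
    if (approved) findings.push("grants the operator control over every token in this collection", ...spenderFindings(target, ctx));
    return { kind: "setApprovalForAll", operator: target, approved, findings };
  }
  const amount = toBigInt(word(data, 1));
  if (ctx.displayedRecipient && target !== ctx.displayedRecipient)
    findings.push(`recipient ${target} differs from the address shown in the UI (${ctx.displayedRecipient})`);
  return { kind: "transfer", to: target, amount, findings };
}

// Inspect an eth_signTypedData_v4 payload. An ERC-2612 Permit is an approval that costs
// nothing to request and is redeemed on-chain later, so it gets the same scrutiny.
function inspectTypedData(typed, ctx) {
  const { primaryType, domain = {}, message = {} } = typed;
  if (primaryType !== "Permit") return { kind: primaryType, findings: ["unrecognised typed data: show the raw fields to the user"] };
  const spender = String(message.spender).toLowerCase();
  const value = BigInt(message.value), deadline = BigInt(message.deadline);
  const findings = spenderFindings(spender, ctx);
  if (value === MAX_UINT256) findings.push("unlimited permit");
  if (String(domain.verifyingContract).toLowerCase() !== ctx.displayedToken)
    findings.push("permit targets a different token contract than the UI displayed");
  if (Number(domain.chainId) !== ctx.chainId) findings.push(`permit is for chain ${domain.chainId}, app is on ${ctx.chainId}`);
  if (deadline > ctx.now + ctx.maxPermitSeconds)
    findings.push("deadline far in the future: the signature stays redeemable long after this session");
  return { kind: "Permit", spender, value, deadline, findings };
}

function inspectSignRequest(request, ctx) {
  if (request.method === "eth_sendTransaction") return inspectCalldata(request.params[0], ctx);
  if (request.method === "eth_signTypedData_v4") {
    const raw = request.params[1]; // MetaMask passes the typed data as a JSON string
    return inspectTypedData(typeof raw === "string" ? JSON.parse(raw) : raw, ctx);
  }
  if (request.method === "eth_sign") return { kind: "eth_sign", findings: ["blind signature over a raw hash: the UI cannot tell the user what it authorises"] };
  return { kind: request.method, findings: ["unhandled method"] };
}

// Constructed sample context and requests (a drainer-style unlimited approve and permit).
const SAMPLE_CTX = {
  chainId: 1, now: 1700000000n, maxPermitSeconds: 3600n,
  displayedToken: "0x3333333333333333333333333333333333333333",
  displayedRecipient: "0x5555555555555555555555555555555555555555",
  trustedSpenders: ["0x2222222222222222222222222222222222222222"],
};
const UNKNOWN_SPENDER = "0x1111111111111111111111111111111111111111";
const SAMPLE_APPROVE = { method: "eth_sendTransaction",
  params: [{ to: SAMPLE_CTX.displayedToken, data: "0x095ea7b3" + pad(UNKNOWN_SPENDER) + "f".repeat(64) }] };
const SAMPLE_PERMIT = {
  method: "eth_signTypedData_v4",
  params: ["0x4444444444444444444444444444444444444444", JSON.stringify({
    primaryType: "Permit",
    domain: { name: "Sample Token", version: "1", chainId: 1, verifyingContract: SAMPLE_CTX.displayedToken },
    message: { owner: "0x4444444444444444444444444444444444444444", spender: UNKNOWN_SPENDER,
               value: MAX_UINT256.toString(), nonce: 0, deadline: MAX_UINT256.toString() },
  })],
};

for (const r of [SAMPLE_APPROVE, SAMPLE_PERMIT]) console.log(inspectSignRequest(r, SAMPLE_CTX).findings);
```

Run it with node; it prints the findings for both sample requests, which is the text a confirmation screen should show in plain words next to the raw request. The guard is a display aid for the user, not a substitute for the wallet's own checks, and a compromised bundle can simply omit it, which is why the dependency and delivery-chain controls below matter as much as the signing UI.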

API & Backend

The REST and JSON-RPC APIs that serve data to your frontend. Authentication bypass, missing rate limiting on sensitive endpoints, mass assignment, SSRF, and the path from a backend API vulnerability to manipulation of the data your frontend displays to users before they sign transactions.

Supply Chain & CDN

Third-party JavaScript dependencies, CDN integrity, DNS configuration, and subresource integrity (SRI) enforcement. The Ledger Connect Kit compromise demonstrated how a single poisoned npm package or CDN resource, pulled in by dozens of DApps, becomes a multi-protocol attack surface. Dependency and delivery chain testing is now essential web security practice for any DApp.

Your users trust your DApp interface to show them exactly what they are signing. If that interface can be compromised, through injection, a poisoned dependency, or a phishing variant, their trust becomes a liability. We test the full Web3 application stack against the attack vectors that standard website security services do not cover. Engagements are scoped and delivered to your timeline.
