Automated cryptocurrency trading is one of the most technologically demanding challenges today. It requires not only precisely programmed trading logic, but also reliable infrastructure, scalability and a high level of security. When we were approached by the ambitious investment startup Perpeto, which offers an investment platform for automated cryptocurrency trading on crypto exchanges, they asked us to perform a comprehensive analysis of their software solution. The goal was to determine whether the infrastructure was set up correctly, identify security risks and verify the quality of the software code along with the automated trading logic itself.
Data security analysis and API communication
Data and its protection are the most sensitive part of any fintech platform. That is why we focused on security measures when storing and transferring data between the frontend, backend and crypto exchanges.
1. Storing sensitive data
- We verified that API keys and secrets for connecting to crypto exchanges are properly hashed and encrypted.
- We checked that the database does not contain plaintext passwords or other sensitive data that could be misused in the event of a data leak.
- We verified whether password salting and hashing are used according to NIST recommendations (e.g. bcrypt, Argon2).
2. Secure communication between system components
- We checked whether the frontend communicates with the backend exclusively over HTTPS with TLS 1.2 or higher, or whether the connection can be downgraded to plain HTTP.
- We reviewed how rate limiting is configured on the platform's APIs, including whether the per-IP limits for users are set correctly.
- We verified that sensitive API requests (e.g., for trading, withdrawals, and authentication) are protected by appropriate mechanisms.
- We tested that the CORS rules are configured so the frontend can communicate securely with the backend without exposing it to Cross-Site Request Forgery (CSRF) attacks.
Verifying authentication and security of user accounts
Since this is an investment platform where users manage financial assets, we verified how user identification and authorization are handled.
1. Using secure authentication methods
- We checked whether login is handled via tokenized authentication mechanisms (JWT, OAuth2, OpenID Connect) and whether refresh tokens are used correctly.
- We verified whether the system has protection against brute-force attacks on passwords (e.g. rate limiting, CAPTCHA after multiple failed attempts).
- We analyzed whether two-factor authentication (2FA) is mandatory for critical operations such as withdrawals.
2. Protection against Session Hijacking and Man-in-the-Middle attacks
- We verified the short validity of session tokens and their proper invalidation after logout.
- We checked whether cookies contain the HttpOnly, Secure, and SameSite flags to ensure they are not susceptible to Cross-Site Scripting (XSS) attacks.
- We checked that the system does not store tokens in localStorage, but uses secure solutions such as HttpOnly cookies.
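The cookie-attribute checks in item 2 above and the CORS check from the API communication section can be run as a small static audit over captured response headers. This is an added example, not Perpeto's code or part of the original write-up; the Set-Cookie and CORS headers are constructed samples and TRUSTED_ORIGINS is a hypothetical allow-list standing in for the platform's frontend origin.

```python
"""Static audit of Set-Cookie attributes and CORS headers (added example;
the samples are constructed and TRUSTED_ORIGINS is a hypothetical allow-list)."""

TRUSTED_ORIGINS = {"https://app.example"}  # hypothetical frontend origin


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower() or True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Findings for one Set-Cookie header; an empty list means it is hardened."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")  # readable by injected script (XSS)
    if "secure" not in attrs:
        findings.append("missing Secure")  # would also be sent over plain HTTP
    samesite = attrs.get("samesite")
    if samesite in (None, True):
        findings.append("missing SameSite")  # attached to cross-site requests
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")  # browsers drop it
    return findings


def audit_cors(headers: dict, request_origin: str) -> list:
    """Flag CORS replies an untrusted origin could read with the user's cookies.
    `headers` is a dict with lower-cased header names."""
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*" and creds:
        findings.append("wildcard origin with credentials")
    elif creds and acao == request_origin and acao not in TRUSTED_ORIGINS:
        findings.append("reflected untrusted origin with credentials")
    return findings


# Constructed samples: one hardened session cookie, two weaker ones, one CORS reply
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "refresh=def456; Path=/auth; Secure; SameSite=None",
    "csrftoken=ghi789; Path=/",
]
SAMPLE_CORS = {"access-control-allow-origin": "https://untrusted.example", "access-control-allow-credentials": "true"}
```

Running `audit_cookie` over each sample and `audit_cors(SAMPLE_CORS, "https://untrusted.example")` reproduces the findings a reviewer would raise for the cookie and CORS checks above.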
Vulnerability testing in the web interface
Every modern application must be resistant to common web vulnerabilities that attackers often exploit.
1. SQL injection protection
- We checked whether all database queries use prepared statements, stored procedures or an ORM so that inputs are properly escaped.
- We performed manual and automated SQL injection tests to verify that inputs are properly filtered.
2. Cross-Site Scripting (XSS) Protection
- We verified that the frontend properly sanitizes inputs and escapes outputs to prevent malicious JavaScript code from running.
- We checked whether Content Security Policy (CSP) headers are set to prevent XSS attacks.
3. Testing for Cross-Site Request Forgery (CSRF) attacks
- We verified that all important API endpoints are protected by CSRF tokens or use a secure authentication method via JWT.
Infrastructure performance and scalability analysis
Performance and stability are critical for any trading platform, especially if it processes large volumes of trades in real time.
1. AWS infrastructure scalability
- We verified that the infrastructure scales automatically with the number of users and trades.
- We checked whether load balancers are used to balance the load between multiple servers.
- We checked the configuration of the individual RDS, EC2 and other instances.
2. Database optimization
- We reviewed the use of indexes in database tables and proposed additional ones to speed up queries.
- We analyzed the database design and the efficiency of storing individual data entities, while also proposing improvements for greater robustness in the future.
- We checked whether the system efficiently processes a large number of trades in a short time.
Our analysis helped the investment startup Perpeto identify key areas for improvement, particularly API security, data protection and user authentication. Based on our findings, the developers were able to make code changes and implement security measures that strengthen the reliability and protection of the platform. With our support, Perpeto can grow and expand its services with a higher level of security, performance and scalability.