[ Client ]
Perpeto — Crypto Trading Platform

We found what attackers would find first.
Perpeto is an investment platform for automated crypto trading across multiple exchanges. When they approached accute, they had a working product and ambitions to scale — and the clarity to ask a hard question before doing so: is our infrastructure actually secure? We conducted a comprehensive security and architecture audit across their entire platform, from API communication and user authentication to database design and AWS infrastructure.
One exposed API key on a crypto trading platform isn't a technical problem. It's a total loss event. We treat it accordingly.



[ Results ]
4 areas
security, auth, vulnerabilities & infrastructure — fully audited
AWS
full infrastructure review — EC2, RDS, load balancers, scaling
ZERO
untested attack vectors — SQL injection, XSS, CSRF all covered
1 report
actionable findings with prioritised remediation
"A crypto platform that handles real money can't afford to discover its vulnerabilities the way most platforms do — through an incident."

[ API SECURITY & DATA PROTECTION ]
The exchange connection is the highest-risk surface. We started there.
Crypto platforms hold exchange API keys and secrets that connect directly to exchange accounts holding real assets. We audited how Perpeto stored and transmitted these credentials. Exchange secrets must stay recoverable to sign requests, so for them the check was encryption at rest; user passwords, which never need to be recovered, were checked for a modern password hashing function (bcrypt or Argon2) in line with NIST SP 800-63B guidance; and we confirmed that no sensitive value sat in plaintext anywhere in the database. API rate limiting, CORS configuration, and TLS enforcement across all frontend-to-backend communication were tested and validated.
Beyond credential storage, we examined the full API communication layer: whether sensitive operations — trades, withdrawals, authentication — were protected by appropriate mechanisms, whether HTTPS could be bypassed, and whether the platform's CORS rules were correctly scoped to prevent cross-origin attacks. Each finding came with a specific remediation recommendation, not a generic warning.
[ CATEGORY ]
Security Audit
IT Consulting
[ YEAR ]
2025
[ INDUSTRY ]
Crypto & Digital Assets
Fintech
Investment Platforms
[ SCOPE ]
OWASP Top 10 Coverage
AWS Architecture Review
Third Party Code Review

[ AUTHENTICATION & ACCESS CONTROL ]
Financial assets demand more than a password.
We audited the platform's full authentication architecture, verifying token-based mechanisms (JWT, OAuth2, OpenID Connect), correct refresh token handling, and brute-force protections including rate limiting and CAPTCHA triggers. For an investment platform where users manage real financial assets, two-factor authentication on critical operations is non-negotiable. We validated that 2FA was enforced for withdrawals and other high-risk actions, not left optional.
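The step-up check described above, as an added example that is not Perpeto's or accute's code: a minimal HS256 session token issuer and verifier, plus a policy gate that refuses withdrawals and other high-risk actions unless the token carries a recent second-factor assertion. The signing key, the custom mfa_at claim, the action names and the freshness window are assumptions made for the example; a real service would use a maintained JWT library and a key held in a secrets manager.

```python
"""Added example (not Perpeto's or accute's code): short-lived HS256 session
tokens plus a gate that requires a fresh 2FA assertion for high-risk actions.
Standard library only; key, claim names and action names are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SESSION_KEY = b"example-only-hmac-key-rotate-me"   # assumed; never hard-code in real code
ACCESS_TTL = 900          # access token lifetime in seconds
MFA_FRESHNESS = 300       # how recent a 2FA challenge must be for step-up
HIGH_RISK = {"withdraw", "change_exchange_keys", "disable_2fa"}  # assumed action names


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, mfa_at: Optional[int], now: Optional[int] = None) -> str:
    """Sign an access token. mfa_at is the epoch second of the last completed
    2FA challenge, or None if the user only authenticated with a password."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "iat": now, "exp": now + ACCESS_TTL, "amr": ["pwd"]}
    if mfa_at is not None:
        claims["amr"].append("mfa")
        claims["mfa_at"] = mfa_at            # custom claim, assumed for the example
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SESSION_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Check structure, pinned algorithm, signature and expiry; return claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(_unb64(h))
        if header.get("alg") != "HS256":      # refuse alg=none and algorithm confusion
            raise ValueError("unexpected alg")
        expected = hmac.new(SESSION_KEY, (h + "." + c).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(c))
    except (ValueError, KeyError) as exc:     # binascii and JSON errors are ValueErrors
        raise ValueError(f"invalid token: {exc}") from exc
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def authorize(token: str, action: str, now: Optional[int] = None) -> str:
    """Return 'allow', 'step_up_required' or 'deny'. High-risk actions need an
    'mfa' factor in amr and an mfa_at within MFA_FRESHNESS seconds; anything
    older sends the user back through a 2FA challenge instead of passing."""
    now = int(time.time()) if now is None else now
    try:
        claims = verify_token(token, now)
    except ValueError:
        return "deny"
    if action not in HIGH_RISK:
        return "allow"
    if "mfa" not in claims.get("amr", []):
        return "step_up_required"
    if now - int(claims.get("mfa_at", 0)) > MFA_FRESHNESS:
        return "step_up_required"
    return "allow"


if __name__ == "__main__":
    t0 = 1_700_000_000
    fresh = issue_token("user-1", mfa_at=t0 - 60, now=t0)
    stale = issue_token("user-1", mfa_at=t0 - 3600, now=t0)
    pwd_only = issue_token("user-1", mfa_at=None, now=t0)
    print(authorize(fresh, "withdraw", t0))                 # allow
    print(authorize(stale, "withdraw", t0))                 # step_up_required
    print(authorize(pwd_only, "withdraw", t0))              # step_up_required
    print(authorize(pwd_only, "view_balance", t0))          # allow
    print(authorize(fresh, "withdraw", t0 + ACCESS_TTL))    # deny (expired)
```

The point of the gate is the third outcome: a password-only session, or one whose 2FA happened an hour ago, is not denied outright but pushed into a fresh challenge, so "optional 2FA" cannot quietly become "no 2FA" on a withdrawal.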
Session security received equal scrutiny: token expiry, proper invalidation on logout, cookie flag configuration (HttpOnly, Secure, SameSite), and the absence of token storage in localStorage, which any script running on the page can read, so a single XSS bug hands an attacker the session. We also tested for session hijacking and man-in-the-middle attack vectors across the full authentication flow.
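The transport, CORS and cookie properties checked in the API section and in the session paragraph above, as an added example that is not code from the Perpeto audit: a small checker run over constructed HTTP response headers, flagging a missing or short HSTS policy, credentialed CORS to an untrusted or reflected origin, and session cookies without Secure, HttpOnly or a restrictive SameSite. The trusted-origin allowlist and both sample responses are assumptions.

```python
"""Added example (not from the Perpeto audit): a checker for the transport,
CORS and session-cookie properties described on the page, run over
constructed response headers. Allowlist and samples are assumptions."""
from typing import Dict, List, Tuple

TRUSTED_ORIGINS = {"https://app.trading.example"}   # assumed frontend origin
MIN_HSTS_MAX_AGE = 31_536_000                       # one year, the preload-list minimum


def _parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into the cookie name and a
    lower-cased attribute map (valueless attributes map to '')."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(headers: List[Tuple[str, str]], request_origin: str) -> List[str]:
    """Return a list of findings; an empty list means the response passes."""
    findings: List[str] = []
    lowered = [(k.lower(), v) for k, v in headers]
    single = {k: v for k, v in lowered if k != "set-cookie"}

    # TLS enforcement: without HSTS the browser will still follow a plaintext URL.
    hsts = single.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header; HTTPS is not enforced by the browser")
    else:
        max_age = 0
        for directive in hsts.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.strip().isdigit():
                max_age = int(val)
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age={max_age} is shorter than one year")

    # CORS scoping: a credentialed response readable by an untrusted origin
    # lets any site the user visits call the API as that user.
    acao = single.get("access-control-allow-origin")
    credentialed = single.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "null":
        findings.append("CORS allows the 'null' origin (sandboxed iframes, file:// pages)")
    elif acao == "*" and credentialed:
        findings.append("CORS sends '*' with credentials; browsers reject it, so the config is wrong")
    elif acao and acao != "*" and acao not in TRUSTED_ORIGINS:
        reflected = " (request Origin reflected)" if acao == request_origin else ""
        findings.append(f"CORS allows untrusted origin {acao}{reflected}"
                        + (" with credentials" if credentialed else ""))

    # Session cookie flags: HttpOnly keeps the token away from injected script,
    # Secure keeps it off plaintext connections, SameSite limits CSRF.
    for key, val in lowered:
        if key != "set-cookie":
            continue
        name, attrs = _parse_set_cookie(val)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly; readable by any XSS payload")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {name} has SameSite={attrs.get('samesite') or 'unset'}; weak CSRF protection")
    return findings


# Constructed sample responses (not captured from any real system).
WEAK_RESPONSE = [
    ("Content-Type", "application/json"),
    ("Access-Control-Allow-Origin", "https://attacker.example"),   # request Origin echoed back
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "session=2f9c1e; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "application/json"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Access-Control-Allow-Origin", "https://app.trading.example"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Vary", "Origin"),
    ("Set-Cookie", "session=2f9c1e; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp, "https://attacker.example") or ["no findings"])
```

The reflected-origin case is the one worth remembering: a backend that copies the request's Origin into Access-Control-Allow-Origin and also sends Allow-Credentials looks "configured" but is equivalent to no CORS policy at all for authenticated endpoints.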
We knew we had a product. accute helped us know we had a secure one. The audit gave us the confidence to scale — and a clear list of what to fix before we did.

[ INFRASTRUCTURE & SCALABILITY ]
Built to handle volume today. Designed to survive it tomorrow.
Beyond security, we audited Perpeto's AWS infrastructure for its ability to scale under real trading conditions. We reviewed auto-scaling configuration, load balancer setup across EC2 instances, and RDS database configuration — identifying both current bottlenecks and architectural risks that would surface under higher transaction volumes. Database indexing strategies, query efficiency, and data model design were assessed and optimised for the volume an automated trading platform generates at peak.
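The indexing point above, as an added example that is not Perpeto's schema or code: a per-user trade-history query is run against an unindexed table and again after a composite index, and the query planner's output shows the full scan plus temporary sort turning into an index seek that also supplies the ordering. SQLite is used so it runs offline; the table, column and index names and the generated rows are assumptions, and the same EXPLAIN comparison applies to RDS Postgres or MySQL.

```python
"""Added example (not Perpeto's schema or code): how a composite index
changes the plan of a per-user trade-history query. Names and rows are
assumptions; SQLite stands in for the RDS engine so this runs offline."""
import random
import sqlite3

HISTORY_QUERY = (
    "SELECT id, symbol, amount FROM trades "
    "WHERE user_id = ? AND created_at >= ? "
    "ORDER BY created_at DESC LIMIT 50"
)


def build_db(n_users: int = 50, trades_per_user: int = 200, seed: int = 1) -> sqlite3.Connection:
    """Create an in-memory trades table filled with constructed rows (no index yet)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE trades ("
        " id INTEGER PRIMARY KEY,"
        " user_id INTEGER NOT NULL,"
        " exchange TEXT NOT NULL,"
        " symbol TEXT NOT NULL,"
        " amount REAL NOT NULL,"
        " created_at INTEGER NOT NULL)"
    )
    rng = random.Random(seed)
    base = 1_700_000_000
    rows = [
        (user, rng.choice(["binance", "kraken"]), rng.choice(["BTCUSDT", "ETHUSDT"]),
         round(rng.uniform(0.001, 2.0), 6), base + i * 60)
        for user in range(n_users) for i in range(trades_per_user)
    ]
    conn.executemany(
        "INSERT INTO trades (user_id, exchange, symbol, amount, created_at) VALUES (?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def query_plan(conn: sqlite3.Connection, user_id: int, since: int) -> str:
    """Return SQLite's EXPLAIN QUERY PLAN steps for the history query as one string."""
    steps = conn.execute("EXPLAIN QUERY PLAN " + HISTORY_QUERY, (user_id, since)).fetchall()
    return " | ".join(step[-1] for step in steps)   # last column is the human-readable detail


def add_history_index(conn: sqlite3.Connection) -> None:
    """Composite index: equality column first, then the range/order column."""
    conn.execute("CREATE INDEX idx_trades_user_time ON trades (user_id, created_at)")
    conn.commit()


def fetch_history(conn: sqlite3.Connection, user_id: int, since: int) -> list:
    return conn.execute(HISTORY_QUERY, (user_id, since)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("before:", query_plan(db, 7, 1_700_000_000))   # full scan plus a temp b-tree sort
    add_history_index(db)
    print("after: ", query_plan(db, 7, 1_700_000_000))   # seek on idx_trades_user_time, no sort
    print(len(fetch_history(db, 7, 1_700_000_000)), "rows")
```

Column order in the index is the design choice: user_id is matched by equality and comes first, created_at carries both the range predicate and the ORDER BY, so the engine reads the index backwards and stops after 50 rows instead of sorting every trade the user ever made.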
The output was a prioritised findings report: not a theoretical vulnerability list, but a practical roadmap. Critical issues flagged for immediate remediation. Architectural improvements scoped for the next development cycle. Perpeto's development team could act on it the day they received it — and did.
[ NEXT WORK ]
[ BUILT FROM THE INSIDE ]
