I perform Web3-specific dApp penetration tests covering the attack surfaces that smart contract audits and standard Web2 pen tests both miss — wallet connector security, EIP-712 signature handling, frontend injection to trigger malicious approvals, and off-chain API vulnerabilities.
Test coverage: wallet connector attack surface (phishing-resistant flow analysis, EIP-712 type hash validation, signature replay with missing nonces or domain separators); frontend XSS via injected content triggering malicious transaction popups; JSON-RPC endpoint CORS and authentication; backend API security (auth bypass, IDOR, rate limiting); IPFS metadata endpoint manipulation; transaction simulation bypass (showing safe simulation but executing malicious transaction); and off-chain component security (oracle relay, keeper, relayer authentication).
Deliverables: dApp pentest report with findings, PoC evidence where applicable, severity ratings, and remediation guidance specifically framed for Web3 application developers.
Requires: dApp URL, GitHub repo access, API documentation, and written authorisation. Testnet strongly preferred for active testing.