Turkish crypto exchange with 8M users · API + cold wallet Red Team · 9 critical findings · MASAK compliance
A leading Turkish crypto exchange requested a Red Team from DSET. Target: the REST/WebSocket API, withdrawal flow logic, the cold wallet HSM signing flow. Rule: loss of funds is FORBIDDEN, with an anomaly ban risk. Using a graduated read-only-first method DSET reported 9 critical findings (race + IDOR + signature replay), no funds were lost, and MASAK compliance was achieved.
01 The Challenge
A Turkish crypto exchange with 8M users, MASAK + BDDK compliance mandatory. Test wallet limit 0.05 BTC + 100 USDT. Anomaly detection enabled, aggressive testing = an IP/account ban. Black-box pentest, the withdrawal flow logic the most sensitive area. The previous vendor had been banned with an "aggressive" method and lost the contract.
02 DSET's Approach
T+0 · Graduated plan
First read-only (price feed, order book) → then trading → withdrawal flow last. A progression plan without triggering anomalies.
T+1-7 days · Read-only testing
The authorization layer of the API endpoints was tested. 3 IDOR findings (another user's portfolio + order history).
T+7-10 days · Trading testing
A WebSocket order book front-running attempt. A race condition (double-spend) was detected: a 1.4-second window.