As Web3 adoption accelerates, so does the sophistication of security risks across smart contracts, APIs, and decentralized applications. At Yhbit, our mission is simple: identify weaknesses early and protect users before threats materialize.
Over the past few weeks, our security team conducted a routine assessment of a partner ecosystem — including smart contracts, backend APIs, and wallet interaction flows. During this review, we identified several notable vulnerabilities that could have impacted user trust and financial integrity if left unaddressed.
Below is a transparent, high-level summary of our findings and why they matter.
1. Misuse of delegatecall — Potential Privilege Escalation
One of the smart contracts used delegatecall to run logic from an external contract whose address was supplied at runtime.
While powerful, this pattern becomes risky when an untrusted party can influence the target address, or when the storage layouts of the calling contract and the target are not kept identical.
Why it's dangerous
delegatecall executes the target's code in the calling contract's context: the target's code reads and writes the caller's storage and sees the caller's msg.sender and balance. If an attacker can steer the call to a contract they control, their code can overwrite any storage slot of the calling contract, including the slots that hold balances and owner or role assignments. Even with a trusted target, a mismatch in storage layout between the two contracts causes writes intended for one variable to land in another.
Impact
- Unintended modification of internal state
- Potential unauthorized access to sensitive functions
- Breakage of expected contract behavior across the dApp
Our team advised restricting the target to a fixed or allowlisted implementation that only a privileged role can change, checking that the target address holds code before calling it, and keeping the storage layout of caller and target identical (for example, by holding the implementation address in a dedicated slot, as the EIP-1967 proxy standard does).
2. Broken Signature Verification in the Transaction Layer
We also identified an issue in the API layer responsible for verifying wallet-signed messages.
What we observed
The backend checked that a message had been signed by the wallet, but the signed payload did not bind the signature to the specific action being requested, to a single-use nonce, or to the application itself. A valid signature captured once could therefore be resubmitted, giving a narrow window for replay in specific, low-frequency conditions.
Risk
- Execution of unintended user actions
- Unauthorized transaction requests under certain scenarios
The issue was quickly resolved by enforcing strict nonce checks (each nonce accepted once per signer and tracked server-side) and domain separation (each signed message names the application, chain and intended action, as EIP-712 typed data does), so a signature is valid only for the one action it was produced for.
3. IDOR (Insecure Direct Object Reference) in Dashboard API
While auditing the Web2 part of the platform, we detected an IDOR vulnerability affecting dashboard endpoints.
How it worked
An API route took a predictable (easily guessed) resource identifier and returned the record without checking that it belonged to the authenticated user, so changing the identifier in the request exposed non-sensitive metadata about other users.
Potential impact
Although no financial data was exposed, IDOR weaknesses can escalate when combined with other vulnerabilities, and an endpoint that trusts an identifier in place of an authorization decision is the same bug whether or not the data behind it is sensitive. We implemented stricter permission checks (the record's owner is compared with the session before anything is returned) and randomized resource identifiers; the randomization limits enumeration, but the permission check is the actual fix.
4. CORS Misconfiguration Exposing API Responses
During a front-end review, we noticed overly permissive Cross-Origin Resource Sharing (CORS) settings.
Risk
If a server echoes arbitrary origins in Access-Control-Allow-Origin, or matches them loosely, while also allowing credentials, any web page a logged-in user visits can send requests to the API with that user's session and read the responses. The same-origin policy is exactly what CORS relaxes, so this exposure does not depend on an outdated browser; here it could have leaked certain API responses to unintended origins.
Fix
Restricting allowed origins to an explicit server-side allowlist, matched exactly rather than by prefix or suffix, and validating the Origin header against that list on every response resolved the issue.
Our Approach: Responsible Reporting & Rapid Mitigation
Every issue above was responsibly disclosed to the respective teams, and all patches were implemented rapidly.
At Yhbit, our philosophy is:
- Proactive detection over reactive defense
- Constant review of both Web3 and Web2 layers
- Collaboration with partners to fix vulnerabilities before exploitation
- Maintaining transparency without exposing sensitive details
Building a Safer Web3 Future
The Web3 ecosystem is still evolving — and with that evolution comes new opportunities, risks, and challenges. Our recent findings are not failures of technology but reminders that security must evolve alongside innovation.
Yhbit remains committed to strengthening decentralized systems and enabling a safer, more resilient blockchain future.
If your team needs a security review, smart contract audit, or end-to-end ecosystem assessment, we're here to help.