HeroFi is a mobile aRPG game in which players can earn tokens through PvP/PvE battles between Heroes. Each Hero is unique and equally accessible to anyone. There is no initial investment barrier in HeroFi.

From 08/12/2021 to 16/12/2021, BraveZone engaged CyStack to evaluate the security posture of its infrastructure against current industry best practices; the engagement included an external penetration test. All testing was based on the NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, the OWASP Testing Guide (v4), and customized testing frameworks from CyStack.
Audit Report - HeroFi
Type of audit: Pentest
Language: N/A
Testing method: blackbox
Request date: 2021-12-07T17:00:00.000Z
Revision date: 2021-12-15T17:00:00.000Z
Status: completed
About BraveZone Co.Ltd
Bravestars is one of the top game development studios in Vietnam. Starting with 4 young gamers who dreamt of bringing local culture to the world of video games, Bravestars has grown into a team of 60. Throughout the journey, we published more than 70 games with a total of over 300 million downloads and a dozen global feature nominations by Google Play and App Store.

LaunchZone is the first and best incubator on Binance Smart Chain. They currently have 70k holders, 150k followers on Twitter, and 47k members on Telegram. With an amazing community and excellent products, LaunchZone was titled Star Project by Binance Smart Chain. LZ Swap (formerly SwapX) ranks 4th on the list of Top Decentralized Exchanges and ranks 2nd in terms of users (Dapp Radar).
Type: platform
Platform: N/A
Owner: BraveZone Co.Ltd
Industry: blockchain
Assessment Checklist
Application Deployment and Configuration
Ensure server configuration, network infrastructure, web applications, and files are handled correctly and securely.
User Identity Management
Ensure the application manages user identities correctly and does not cause problems in any use case.
Authentication mechanism
Make sure the application's authentication mechanism has a reasonable logic, preventing the possibility of authentication bypass.
Authorization mechanism
Check for privilege escalation, authorization flaws, or path traversal vulnerabilities.
Session management mechanism
Check for errors related to cookies and sessions.
Input data validation mechanism
Check for Reflected XSS, Stored XSS, SQL injection and other injection errors.
Error control ability
Ensure errors are handled properly and do not expose sensitive information through error notifications.
Encryption
Test the application's encryption algorithms.
Business logic of the application
Check application integrity, conflict, and responsiveness.
Client-side issues
Check for security flaws that can be exploited from the client side.
About Penetration Testing Service
The Pentest service is a security assessment solution provided by CyStack Security to our customers. In this test, security experts try to penetrate customers’ applications to find vulnerabilities that might be exploited by hackers. The test aims to find as many vulnerabilities as possible in order to secure networks and applications.