Initia Widget and Router API Security Review via Pashov Audit Group
Time-boxed security review of the initia-labs/widget repository — Initia's React SDK for wallet connections, bridging, and transaction signing, plus the Router API (TypeScript proxy for Skip API with Initia-ecosystem extensions). Conducted by Pashov Audit Group (defsec, Bloqarl, 5m477, Shurikenzer) over June 17-23, 2025, with Carlos (Bloqarl) participating as a contractor.

Twenty-eight issues were identified: five Medium (raw request chain to external service, unvalidated external image URLs from NFT metadata, stale SigningStargateClient on account change, inadequate URL protocol whitelist in link sanitization, XSS via unfiltered src in img.initia.xyz proxy endpoint) and twenty-three Low covering token approval handling, fee enforcement, Docker and Kubernetes hardening, LayerZero gas limits, IBC packet sizing, security headers, CORS, TLS versions, HTTP timeouts, NFT metadata validation, and various input validation gaps.

Fix review commit: de9d3602dc1afcb40312cadf12c6dbf1fb1a1169. Five Medium resolved; nine Low resolved; fourteen Low acknowledged.