External contractor

This audit was performed by Carlos (Bloqarl) as an external contractor at Pashov Audit Group, prior to or alongside founding Zealynx Security. It is not a Zealynx engagement, but is included here as part of Carlos’s professional security record.

Initia · Smart Contract Security Assessment

Initia Widget and Router API Security Review

Time-boxed security review of the initia-labs/widget repository — Initia's React SDK for wallet connections, bridging, and transaction signing, plus the Router API (TypeScript proxy for Skip API with Initia-ecosystem extensions). Conducted by Pashov Audit Group (defsec, Bloqarl, 5m477, Shurikenzer) over June 17-23, 2025, with Carlos (Bloqarl) participating as a contractor. Twenty-eight issues were identified: five Medium (raw request chain to external service, unvalidated external image URLs from NFT metadata, stale SigningStargateClient on account change, inadequate URL protocol whitelist in link sanitization, XSS via unfiltered src in img.initia.xyz proxy endpoint) and twenty-three Low covering token approval handling, fee enforcement, Docker and Kubernetes hardening, LayerZero gas limits, IBC packet sizing, security headers, CORS, TLS versions, HTTP timeouts, NFT metadata validation, and various input validation gaps. Fix review commit: de9d3602dc1afcb40312cadf12c6dbf1fb1a1169. Five Medium resolved; nine Low resolved; fourteen Low acknowledged.

TypeScript · Smart Contract Code Review · 2025-06-23 · Zealynx methodology
Total findings: 28 (14 fixed · 14 acknowledged)
Critical: 0
High: 0
Medium: 5
Low + Info: 23

02 · Scope

Files in scope: 11
Initial commit: c7c7fc23a5d6
Platform: TypeScript
Files:
  • src/components/
  • src/data/
  • src/lib/router/
  • src/pages/
  • src/public/
  • src/styles/
  • src/app/
  • src/shared/
  • src/types/
  • src/utils/
  • console / index / constants / env / main / sentry.ts
03 · Findings

Severity · ID · Finding · Status
Medium · F-2025-0001 · Raw request chain to external service (open proxy to Skip API) · Fixed
Medium · F-2025-0002 · Unvalidated external image URLs from NFT metadata · Fixed
Medium · F-2025-0003 · Stale SigningStargateClient when changing accounts · Fixed
Medium · F-2025-0004 · Inadequate URL protocol whitelist in link sanitization · Fixed
Medium · F-2025-0005 · XSS possible via unfiltered src in img.initia.xyz proxy endpoint · Fixed
Low · F-2025-0006 · ERC-20 approval failure handling · Acknowledged
Low · F-2025-0007 · Fee validation calculated but not enforced allows transaction failure · Fixed
Low · F-2025-0008 · Docker image runs as root user · Fixed
Low · F-2025-0009 · Missing Kubernetes security controls risk container escape · Acknowledged
Low · F-2025-0010 · Fixed gas limits in LayerZero cause transaction and fund locks · Acknowledged
Low · F-2025-0011 · Information disclosure through console logging · Fixed
Low · F-2025-0012 · Tabnabbing vulnerability in external links · Acknowledged
Low · F-2025-0013 · Missing security headers · Acknowledged
Low · F-2025-0014 · Overly permissive CORS configuration · Acknowledged
Low · F-2025-0015 · X-Powered-By: express header leaks technology stack · Fixed
Low · F-2025-0016 · Oversized packet in ORDERED IBC channel can cause channel closure · Fixed
Low · F-2025-0017 · Missing await prevents proper error handling in Erc20Service · Fixed
Low · F-2025-0018 · Improper exception type and lack of input validation in OP bridge check · Fixed
Low · F-2025-0019 · Lack of validation on NFT metadata in WithNormalizedNft · Acknowledged
Low · F-2025-0020 · No response validation for external Skip API · Acknowledged
Low · F-2025-0021 · Insecure TLS (1.0 and 1.1) active on public endpoints · Fixed
Low · F-2025-0022 · Missing HTTP request timeouts in axios clients on Skip APIs · Fixed
Low · F-2025-0023 · Missing HTTP request timeouts across modules in widgets · Acknowledged
Low · F-2025-0024 · Unhandled exception in quantitySuperRefine() · Acknowledged
Low · F-2025-0025 · Missing curve validation in encodeEthSecp256k1Pubkey · Acknowledged
Low · F-2025-0026 · Insufficient confirmation depth for reorg protection · Acknowledged
Low · F-2025-0027 · Unescaped NFT metadata in CollectionDetails.tsx · Acknowledged
Low · F-2025-0028 · Unvalidated wallet image source · Acknowledged
04 · Key Findings

  • Five Medium findings (all resolved). Raw request chain to external service (open proxy to Skip API), unvalidated external image URLs from NFT metadata, stale SigningStargateClient when changing accounts, inadequate URL protocol whitelist in link sanitization, and XSS possible via unfiltered src parameter in the img.initia.xyz proxy endpoint.
  • Twenty-three Low findings. Covered ERC-20 approval failure handling, fee validation that was calculated but not enforced, Docker image running as root, missing Kubernetes security controls (container escape risk), fixed gas limits in LayerZero causing transaction and fund locks, information disclosure through console logging, tabnabbing in external links, missing security headers, overly permissive CORS, X-Powered-By header leaking technology stack, oversized packets in ORDERED IBC channels causing channel closure, missing await in Erc20Service, improper exception types in OP bridge check, lack of validation on NFT metadata in WithNormalizedNft, no response validation for external Skip API, insecure TLS 1.0/1.1 on public endpoints, missing HTTP request timeouts in axios clients, unhandled exceptions in quantitySuperRefine(), missing curve validation in encodeEthSecp256k1Pubkey, insufficient confirmation depth for reorg protection, unescaped NFT metadata in CollectionDetails.tsx, and unvalidated wallet image sources.
  • Fix outcomes. All five Medium findings resolved by Initia. Nine Low findings resolved; fourteen Low findings acknowledged as known limitations or out-of-scope hardening items.

For the full per-finding write-up, see the original Pashov Audit Group report PDF.
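Two of the findings listed above, the inadequate URL protocol whitelist in link sanitization (F-2025-0004) and tabnabbing in external links (F-2025-0012), share one defensive pattern. The TypeScript below is an added illustration and is not code from the initia-labs/widget repository or from the report; the function names and the allowlist contents are assumptions. It contrasts a substring denylist, which WHATWG URL parsing can sidestep because the parser strips tabs and newlines and lower-cases the scheme, with a parse-then-allowlist check, and it pairs the sanitized href with the rel attributes that keep a new tab from holding a window.opener reference.

```typescript
// Added example, not code from the initia-labs/widget repository. Names and
// the allowlist contents are assumptions chosen for illustration.

// Schemes a rendered anchor may carry. `URL.protocol` includes the trailing colon.
const ALLOWED_PROTOCOLS: ReadonlySet<string> = new Set(["http:", "https:", "mailto:"]);

/**
 * A substring denylist, kept here only to show why it is insufficient: the
 * WHATWG URL parser removes ASCII tab/newline anywhere in the input and
 * lower-cases the scheme, so inputs this check lets through can still resolve
 * to a javascript: URL in the browser.
 */
export function naiveDenylistAllows(raw: string): boolean {
  return !raw.toLowerCase().startsWith("javascript:");
}

/**
 * Parse first, then compare the normalised scheme against an allowlist.
 * Returns the normalised href on success and null for anything else,
 * including relative or unparsable input, which has no scheme to check.
 */
export function sanitizeHref(raw: string): string | null {
  let parsed: URL;
  try {
    parsed = new URL(raw); // no base URL: relative input throws and is rejected
  } catch {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  return parsed.href;
}

/**
 * Attributes for an external anchor that opens in a new tab. `noopener`
 * severs window.opener (the tabnabbing vector); `noreferrer` additionally
 * suppresses the Referer header and implies noopener in older browsers.
 */
export function externalLinkAttrs(
  raw: string,
): { href: string; target: "_blank"; rel: string } | null {
  const href = sanitizeHref(raw);
  if (href === null) return null;
  return { href, target: "_blank", rel: "noopener noreferrer" };
}
```

Rendering code should treat a null return as "do not emit an anchor at all" rather than falling back to the raw string; the point of the allowlist is that unknown schemes are dropped, not merely flagged.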

05 · Team & approval

Auditor: Carlos (Bloqarl) · @TheBlockChainer
Auditor: defsec · @defsec
Auditor: 5m477 · @5m477
Auditor: Shurikenzer · @Shurikenzer
06 · Disclaimer

This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.

Download PDF (38p)
ZEALYNX SECURITY · published 2025-06-23
28 findings · TypeScript