Novaswap Blackbox Pentest

• WAF rate limiting applied per browser session rather than per client (M-01, fixed). The Vercel WAF enforced rate limiting and browser-verification challenges scoped to the affected browser session rather than the underlying client. Switching browsers on the same host bypassed the block, reducing the effectiveness of WAF-driven abuse prevention.
• Reflected user input in API validation error messages (L-01 through L-04, fixed). Multiple Mynth API endpoints (/api/address/balance, /api/address/generate, others) echoed untrusted user input verbatim into validation error responses, including full route + query string in "Route Not Found" errors. Risk is low directly but compounds if responses are rendered by downstream consumers.
• Insufficient entropy in access code based access control (I-02, fixed). The access code relied on limited character sets and length, making it vulnerable to brute force under realistic conditions.
• Reusable shared access code allows unlimited unauthorized access (I-03, fixed). A single valid access code could be reused an unlimited number of times across browser sessions, browsers, and devices.
• Inactive QR code scanning feature exposed in desktop web interface (I-01, fixed). A QR feature meant for mobile rendered on desktop, creating user confusion.
• Publicly accessible OpenAPI specification (I-04, fixed). The OpenAPI spec was publicly fetchable, providing attackers an unnecessary map of the backend API surface.

All nine issues were fixed by Novaswap and verified by Zealynx.