TN7 NFT Minting Platform Penetration Testing Report

TN7 is not just an NFT minting platform, it’s the gateway to an expansive digital content universe. Anchored by Viu’s first-ever digital comic series, Path of Vengeance, TN7 offers an interactive ecosystem where fans don’t just consume stories, they co-create them.

Through NFT-powered digital packs, users unlock unique characters, gain access to evolving narratives, and contribute original creations that shape the TN7 universe. With Viu’s reach across 16 global markets, TN7 is powered by one of the world’s leading OTT platforms, bridging Web2-scale distribution with Web3 community-driven ownership.

As TN7 prepares for large-scale adoption, security is paramount. Any vulnerabilities in authentication, payments, or wallet integrations could compromise trust in the platform. To ensure resilience, TN7 engaged FailSafe to conduct a comprehensive penetration test across its frontend and backend systems.

This report highlights the findings, the vulnerabilities resolved, and how TN7 reinforced its security posture to protect its growing universe of fans and creators.

Audit Overview

• Auditor: FailSafe
• Project Name: TN7 NFT Minting Platform
• Audit Timeline: July 10 – August 1, 2025
• Scope:
  • Frontend: Staging and production (mint.tn7.co)
  • Backend: wfstudiobe.morpheuslabs.io
  • Environment: Staging/Production
  • Type: Blackbox penetration test with intrusive testing
• Objective: Assess authentication flows, wallet integrations, payment handling, and backend API security .

FailSafe applied a hybrid methodology combining OWASP Testing Guide, NIST 800-115, and PTES, along with dApp-specific assessments for wallet and Web3 authentication .

Summary of Findings

The penetration test revealed 11 issues across varying severity levels:

Severity	Total	Status
Critical	2	Resolved
High	3	Resolved
Medium	4	Mixed (2 Resolved, 1 Partially Resolved, 1 Acknowledged)
Low	2	Mixed (1 Resolved, 1 Acknowledged)
Info	0	–

Total Issues: 11

Key Findings

1. Price Manipulation to Any Amount

• Severity: Critical | Status: Resolved
• Attackers could manipulate client-side values to mint NFTs at arbitrary or zero prices.
• Impact: Direct financial loss and broken pricing integrity.
• Fix: Enforced server-side price validation tied to backend and blockchain data .

2. Static Nonce & Missing Domain Binding in Authentication

• Severity: Critical | Status: Resolved
• Authentication reused static nonces and lacked domain binding, enabling phishing and replay attacks.
• Fix: Introduced server-generated unique nonces, timestamp checks, and domain-bound signatures .

3. API Key Validation Bypass in Stripe Webhook

• Severity: High | Status: Resolved
• The webhook accepted requests without validating API keys, allowing fraudulent intents.
• Fix: Strict API key verification and rejection of invalid/missing keys .

4. Wallet Mismatch & Authorization Bypass

• Severity: High | Status: Resolved
• Wallet addresses in JWTs weren’t validated against payloads, letting attackers execute actions on behalf of others.
• Fix: Enforced wallet matching and EIP-55 checksum validation .

5. Authorization Tokens Valid After Logout

• Severity: High | Status: Resolved
• Tokens stayed valid after logout, leaving accounts exposed to hijacking.
• Fix: Implemented backend token revocation and shortened token lifetimes .

6. Potential SQL Injection via Unsanitized Inputs

• Severity: Medium | Status: Resolved
• Metadata fields were unsanitized, risking SQL injection.
• Fix: Switched to parameterized queries and strict input validation .

7. Missing Security Headers

• Severity: Medium | Status: Partially Resolved
• Missing CSP, X-Content-Type, and HSTS headers increased risk of XSS, clickjacking, and MITM attacks.
• Fix: Headers added on production, though CSP misconfiguration remains to be tightened .

8. Outdated Software Components

• Severity: Medium | Status: Acknowledged
• Kong gateway (v3.2.2) contained a known DoS vulnerability (CVE-2023-44487).
• Fix Suggested: Upgrade to latest stable release (3.11.0+) .

9. Lack of Rate Limiting & Brute Force Protection

• Severity: Medium | Status: Resolved
• API endpoints allowed unlimited requests, enabling brute force and DoS.
• Fix: Implemented rate limiting and monitoring on sensitive endpoints .

10. Always Returning HTTP 200 on Errors

• Severity: Low | Status: Acknowledged
• Webhooks always returned HTTP 200, even on failures, hiding issues from monitoring.
• Fix Suggested: Use proper HTTP status codes and consistent error handling .

11. Hardcoded API Key Disclosure

• Severity: Low | Status: Resolved
• API keys were exposed in frontend JavaScript.
• Fix: Keys moved to secure server-side storage with rotation in place.

Final Thoughts

All critical and high-severity issues were fully resolved, while medium/low issues were either fixed or acknowledged for upcoming patches. TN7’s proactive response underscores a serious commitment to security, ensuring that fans and creators can engage in its universe safely.

With its penetration test completed, TN7 NFT Minting Platform now operates on a much stronger security foundation. By addressing pricing manipulation, authentication bypasses, and insecure API handling, TN7 demonstrates its readiness to scale securely.

As the TN7 universe expands with NFTs unlocking characters, stories, and fan participation, the platform is now better equipped to safeguard its ecosystem and community.

Looking for a security auditor?