MEXC Completes Hacken Audit on Mobile APP and Website


Written By:
Jalpa Bhavsar

Reviewed By:
Jahnu Jagtap


MEXC, a cryptocurrency exchange, announced the successful completion of an independent audit of its mobile application and website by Hacken, a Web3 cybersecurity pioneer.

The audit was conducted using the pentest methodology, during which experts analyze potential attack vectors, simulate the actions of intruders, and test the platform’s resilience to compromise of user data and assets.

[Image: MEXC Completes Hacken Audit. Source: Hacken]

MEXC has gone through three independent penetration tests on its Android, iOS, and web platforms. Special attention was paid to the architecture of the mobile app: trading execution systems, funds management, data processing, and user session security.

These scans initially revealed a total of 26 vulnerabilities—9 in the Android app, 12 on the web platform, and 5 in the iOS app.

Notably, two high-risk issues were identified in the mobile app audit: an email spoofing vulnerability due to the lack of DMARC, SPF, and DNS protections, and a prevalent reflected XSS vulnerability impacting several token airdrop endpoints. MEXC subsequently resolved both. The high-risk issues have been fixed to increase the platform’s security and build trust among users.

Other fixed issues included hardcoded credentials, insecure CORS policy, missing root detection, and copyable password fields. One low-severity SSL pinning bypass issue was accepted by the team, and insecure random number generation was marked as an observation.

Hacken specifically noted the balance between technical security measures and the ease of use of the interface, a factor that is especially important for retail traders who prefer mobile access to trading.

Additionally, in the audit of MEXC’s web platform, Hacken identified 12 security issues. Of these, MEXC quickly fixed 4, while the remaining 8 were accepted by the team for future resolution. The findings included issues like reflected XSS and improper email protections, which could have been used by attackers to trick users or expose data.

The iOS app review identified five security issues. MEXC addressed four of them, such as SSL pinning bypass issues and the absence of jailbreak detection, through which some attackers could have tampered with the software on jailbroken devices. One issue, where certain user information was temporarily kept in app memory, was accepted, but a fix has not been implemented yet.

These audits mark an important step toward transparency in a space where most exchanges still avoid publishing full security reports.

The crypto industry is slowly moving toward more transparency through external audits, but progress is limited. Most exchanges still don’t share their audit results, mainly because there are no clear legal rules requiring them to do so unless they’re tied to traditional finance licenses.

While some large platforms have started doing regular audits due to pressure from users and partners, only a few publish full reports. This makes it hard for users to truly judge how secure a platform is, so they often rely instead on reputation or ratings.
