
A Month of Pentesting Completed

Thibault de Lachèze-Murel
November 11, 2025

Dfns completes a month-long pentest with Borg Security, finding zero vulnerabilities.

Over the past month, Dfns completed a full-scope black-box penetration test conducted by Borg Security, a cybersecurity firm known for auditing digital asset infrastructure and enterprise authentication systems. The goal was to measure the resilience of Dfns’ Wallet Infrastructure platform (i.e., its dashboard, APIs, cryptographic services, and deployment stack) against sophisticated real-world attacks.

This exercise is part of Dfns’ continuous security assurance process. We routinely invite independent auditors to validate our security posture across every layer of our stack, from frontend and backend behavior to cryptographic signing and policy enforcement, as security is core to our engineering culture.

Scope and coverage

The penetration test lasted one month and covered the entire Dfns production environment. Borg’s engineers probed every public-facing surface, including:

  • the Dfns dashboard and user interface
  • the public API gateway serving developers and organizations
  • internal API surface for secure back-channel operations
  • restricted admin and staff interfaces

In addition to the web and API layers, Borg examined the MPC local deployment and HSM integration flows, i.e., the cryptographic backends that execute signing operations in Dfns’ infrastructure.

This test was fully black-box, meaning the auditors had no internal documentation, credentials, or source code access. They interacted with the platform as an external attacker would, relying only on observation, network behavior, and inference.

Testing approach

Borg Security’s methodology combined manual penetration testing, static and dynamic analysis, and protocol-level inspection. Their focus areas included:

  1. Authentication and session management: Testing WebAuthn and FIDO2-based authentication flows, replay protection, and resistance to phishing and credential theft.
  2. Authorization and role enforcement: Verifying separation of privileges between member and admin roles, policy approval mechanisms, and the integrity of organization-level permissions.
  3. Input validation and API hygiene: Injecting malformed and boundary-breaking payloads to identify potential XSS, SQLi, CSRF, IDOR, or deserialization vulnerabilities.
  4. Cryptographic operations: Reviewing the design and implementation of key generation and signature creation (EdDSA via SHAKE256), validating resistance to side-channel and malleability attacks.
  5. Denial-of-service and resource exhaustion: Stress testing endpoints with large payloads and concurrent requests to assess system resilience and fail-safe behavior.
  6. Infrastructure and configuration: Evaluating AWS CloudFront, WAF configurations, CDN cache policies, and dependency hygiene across the stack.

Their analysis followed OWASP and MITRE CWE standards to ensure coverage of all relevant web and cryptographic attack families.

What the test reveals about Dfns’ security posture

  1. Authentication and access control: Borg’s report highlighted Dfns’ exceptional authentication model. All sensitive operations, such as wallet creation, key recovery, and transaction approval, require hardware-bound WebAuthn signatures. Even if an attacker compromised access tokens or intercepted requests, they couldn’t perform critical actions without a verified passkey. The testers also confirmed there were no IDORs or privilege escalation paths on any API endpoint. Sessions were properly scoped and revoked on logout, with reasonable timeouts for usability.
  2. Authorization and role separation: The least-privilege model is rigorously enforced. Non-admin accounts cannot create or delete policies, assign privileges, or manage wallet configurations. Policy approval flows were validated and confirmed tamper-proof: approvals can’t be reassigned or forced, and authorization checks remain consistent across dashboard and API layers.
  3. Developer and API security: Endpoints like /wallets/all/history and /v2/policy-approvals rejected malformed inputs cleanly, returning generic errors without leaking stack traces or system details. Admin-only routes were correctly restricted to privileged users. Service accounts and personal access tokens could only be managed by administrators, another strong control point.
  4. Cryptography and signing: Dfns uses EdDSA over SHAKE256 as defined in RFC 8032, a modern, secure, and deterministic signature scheme resistant to known side-channel attacks. Borg confirmed correct cofactor handling, randomness generation, and context isolation. They recommended periodic reviews of entropy sources, a best practice that we already incorporate in our cryptographic lifecycle.
  5. Infrastructure resilience: Payload flooding and stress tests demonstrated high fault tolerance. Even when bombarded with multi-megabyte requests, the backend remained stable and self-contained, with only isolated request stalling. AWS CloudFront’s WAF layer effectively blocked malicious probes, confirming a strong perimeter defense. Borg also noted that Dfns’ stack had no known vulnerabilities (CVEs) at the time of testing.
  6. Observations and recommendations: Only minor operational improvements were suggested, aimed at maintaining hygiene over time.
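The per-action signing model described in items 1 and 4 above, as an added example that is not Dfns’ code: a bearer token only identifies the caller, and a sensitive action is executed only when the caller’s registered key has signed that exact request under a single-use nonce, so a stolen token, a replayed request or a modified intercepted request all fail. Ed25519 from Go’s standard library stands in for the Ed448/SHAKE256 scheme the post names, since the point shown is the binding of the signature to the request, not the curve; the request shape, the transfer endpoint and the user name are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// ActionRequest is what the passkey signs (hypothetical shape, not Dfns' real request format).
type ActionRequest struct {
	Method, Path, Nonce string
	Body                []byte
}
// Server keeps each user's registered passkey public key and the nonces it has already honoured.
type Server struct {
	keys map[string]ed25519.PublicKey
	seen map[string]bool
}
// signingInput length-prefixes method, path, nonce and body hash so no field can shift into another.
func signingInput(r ActionRequest) (out []byte) {
	h := sha256.Sum256(r.Body)
	for _, f := range [][]byte{[]byte(r.Method), []byte(r.Path), []byte(r.Nonce), h[:]} {
		out = append(append(out, byte(len(f)>>8), byte(len(f))), f...)
	}
	return
}
// Authorize: the token only names the user; the action runs only if that user's key signed exactly this request under a fresh nonce.
func (s *Server) Authorize(user string, r ActionRequest, sig []byte) bool {
	pk, ok := s.keys[user]
	if !ok || s.seen[r.Nonce] || !ed25519.Verify(pk, signingInput(r), sig) {
		return false
	}
	s.seen[r.Nonce] = true // burn the nonce so a captured request cannot be replayed
	return true
}
// newNonce returns 16 random bytes; only uniqueness matters here, so the raw bytes are used as-is.
func newNonce() string { b := make([]byte, 16); rand.Read(b); return string(b) }
// Scenario: a signed transfer passes; its replay, a tampered copy and a token-only caller all fail.
func Scenario() (accepted, replayRejected, tamperRejected, tokenOnlyRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s := &Server{map[string]ed25519.PublicKey{"alice": pub}, map[string]bool{}}
	req := ActionRequest{"POST", "/wallets/w1/transfers", newNonce(), []byte(`{"to":"addr-A"}`)}
	sig := ed25519.Sign(priv, signingInput(req))
	accepted = s.Authorize("alice", req, sig)
	replayRejected = !s.Authorize("alice", req, sig)
	tamperRejected = !s.Authorize("alice", ActionRequest{"POST", req.Path, newNonce(), []byte(`{"to":"addr-B"}`)}, sig)
	tokenOnlyRejected = !s.Authorize("alice", ActionRequest{"POST", req.Path, newNonce(), req.Body}, nil)
	return
}
```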

After 4 weeks of deep testing, the results are clear: 0 Critical, 0 High, 0 Medium, 0 Low, 4 Informational. In short: no vulnerability affected confidentiality, integrity, or availability.

Overall, Borg concluded that Dfns demonstrates mature engineering discipline and a robust security model, emphasizing strong cryptography, identity assurance, and defense-in-depth across layers.

Contact us if you want to access the full report: security@dfns.co

A continuous security program, not an occasional audit

This audit is one milestone in a broader effort. Dfns operates under SOC 2, ISO 27001, 27017, and 27018 frameworks, and every release goes through internal security reviews, dependency scanning, and change control. External audits like Borg’s provide an additional, independent validation that our controls remain effective and up to date. We plan to continue engaging with third-party firms annually and to open selected components to continuous testing through responsible disclosure programs.

We want to thank Borg Security for their meticulous and transparent work. Their process was collaborative, constructive, and adversarial in the best possible sense, pushing our systems to their limits and confirming their resilience.

Their final conclusion summed it up best: “No instances of SQLi, XSS, CSRF, or business logic vulnerabilities were detected. Dfns exhibits high engineering maturity and a security model that aligns with industry best practices for cryptographic integrity, access control, and WebAuthn authentication.”

Feel free to reach out to their highly skilled team on X or LinkedIn.
