WEBTHREE

®
Temple Digital Group

Temple Frontend

Security Review

Ziggy
Ziggy
Lead Reviewer
Review date
2026-06-24
Review window
Initial review 2026-04-12 to 2026-04-14 · Remediation review 2026-06-24
Commit reviewed
429f9a6 (initial · v2) → a3a6195 (remediation · main-dev)
Contract
Next.js 15 App Router Frontend (BFF)
Method
Multi-phase security review: static analysis, manual code review, live testnet probing, and targeted attack-surface testing across 10 categories

Overview

We performed a comprehensive security audit of the Temple trading platform frontend (commit 429f9a6) across authentication, middleware, XSS/injection, data exposure, Web3 integration, route protection, and security headers, followed by independent re-validation and a comparison review that removed overstated, backend-dependent, and purely informational findings. The initial review (commit 429f9a6, v2 branch) produced 16 actionable findings: 6 medium and 10 low severity. A second-look remediation review against the main-dev branch (commit a3a6195c) then independently re-verified every finding with adversarial validation: 14 are now resolved at the root cause with regression tests, and the remaining 2 (M-1 parent-domain WebSocket cookie and L-6 analytics SRI) have been formally acknowledged and accepted by the team as bounded, low-likelihood risks. No findings remain unaddressed. The codebase demonstrates strong security fundamentals: HttpOnly cookies, server-side token validation via a BFF pattern, OWASP security headers, and rate limiting. No critical or high severity vulnerabilities were identified. The most notable initial finding was a debug console.log in the WebSocket manager that dumped all real-time user trading data to the browser console in production (since removed). A comparison review also identified a missed finding: verification and password-reset codes were exposed in URL query parameters and could leak to third-party services via the Referrer header before client-side cleanup removed them. Other notable findings included an open redirect via protocol-relative URLs, a bypassable middleware Referer check, and rate limit fingerprinting composed entirely of attacker-controlled headers. All of these have since been remediated and re-verified on main-dev.

Critical0
High0
Medium6
Low10
Informational0
Unresolved0
Acknowledged2
Resolved14

Key Takeaways

  • No critical or high severity vulnerabilities were identified in either the initial review or the remediation review.
  • 14 of the 16 findings were remediated at the root cause on the main-dev branch, each independently re-verified against the current code and, where applicable, backed by new regression tests.
  • The most impactful initial finding — a debug console.log dumping all real-time trading data to the browser console (M-0) — has been removed.
  • The middleware Referer substring bypass (M-2), attacker-controlled rate-limit fingerprint (M-3), protocol-relative open redirect (M-8), and reset/verification code Referrer leak (M-9) are all resolved and covered by tests.
  • M-1 (access token duplicated to a parent-domain WebSocket cookie) is accepted as-is: the team will issue a separate short-lived WebSocket token only if the domain is ever shared with a third party.
  • L-6 (analytics script without Subresource Integrity) is accepted as a documented vendor-trust tradeoff because the script is served from an unversioned, rolling endpoint.
  • Two residual hardening notes carry forward: ensure JWT_PUBLIC_KEY is set in production so JWT verification cannot fail open (L-2), and add a default strict-mode query whitelist for future protected routes (L-16).

Scope

  • Next.js 15 App Router frontend with React 19 and TypeScript
  • Authentication and token handling (JWT, cookies, refresh flow)
  • Middleware security pipeline (rate limiting, auth redirects, cache-bust detection)
  • XSS and injection surface analysis
  • Web3 wallet integration (Wagmi, Reown AppKit, Loop SDK)
  • API route proxy layer (BFF pattern) and input validation
  • Bridge flow (Circle, Brale) and financial transaction routes
  • WebSocket real-time data handling
  • Content Security Policy and security headers

Methodology

  • Phase 1: Independent vulnerability searches across seven separate attack surfaces with cross-challenge validation on each. Reduced 78 raw findings to 26 after deduplication and false-positive elimination.
  • Phase 2: Dependency supply chain analysis via pnpm audit. 65 instances across 12+ distinct advisories triaged individually for exploitability in context.
  • Phase 3: Live testnet verification at v2.templedigitalgroup.com. Key findings confirmed against deployed environment.
  • Phase 4: Targeted attack-surface testing across 10 categories (API fuzzing, CSRF, open redirect, wallet exploit, hidden routes, rate limit bypass, cookie injection, auth flow, WebSocket protocol, bridge financial) produced 9 additional findings.
  • Phase 5: Independent re-validation and comparison review. Reduced 78 raw findings to 16 actionable items after deduplication, false-positive elimination, independent re-validation, and a final comparison review that removed overstated, backend-dependent, and purely informational findings.
  • Phase 6: Remediation review (second look). Independently re-audited all 16 findings against the main-dev branch (commit a3a6195c) with adversarial verification of each fix, confirming 14 resolved at the root cause and 2 formally accepted by the team.

Trust Assumptions

  • The backend API independently validates JWT signatures and enforces authorization on all endpoints.
  • The backend enforces CSRF token validation via the double-submit cookie pattern.
  • The backend validates on-chain transaction data for bridge operations (chain ID, amounts, addresses).
  • AWS ALB is in front of the application and appends real client IPs to X-Forwarded-For.

Findings Overview

IDSeverityTitleStatus
M-1mediumAccess Token Duplicated to Parent Domain Cookie for WebSocketacknowledged
M-0mediumWebSocket Debug Logging Leaks User Financial Data to Browser Consoleresolved
M-2mediumMiddleware Referer Check Bypassable via Substring Matchresolved
M-3mediumRate Limit Fingerprint Composed Entirely of Attacker-Controlled Headersresolved
M-8mediumOpen Redirect via Protocol-Relative URL in Redirect Parameterresolved
M-9mediumVerification and Reset Codes Leaked via Referrer to Third Partiesresolved
L-6lowExternal Analytics Script Without Subresource Integrityacknowledged
L-10lowTrading and Withdrawal API Routes Lack parseBodyWithLimitresolved
L-12lowmfa_token Cookie Not Cleared on Logoutresolved
L-14lowStaging Password Gate Brute-Forceableresolved
L-16lowQuery Parameter Whitelist Absent for Protected Routesresolved
L-2lowJWT Decoded Without Signature Verification in Middlewareresolved
L-3low/export Route Missing from Middleware Matcherresolved
L-4lowBackend Error Handler Serializes Full Response to Server Logsresolved
L-5lowUnused cdn.jsdelivr.net in CSP script-src Allowlistresolved
L-9lowNo Provider Allowlist on Wallet Link API Routeresolved

Disclaimer

This is a limited report based on our analysis of the frontend security audit and performed in accordance with best practices as of the date of this report, in relation to cybersecurity vulnerabilities and issues in the frontend source code analyzed, the details of which are set out in this report. In order to get a full view of our findings and the scope of our analysis, it is crucial for you to read the full report. While we have done our best in conducting our analysis and producing this report, it is important to note that you should not rely on this report and cannot claim against us on the basis of what it says or does not say, or how we produced it, and it is important for you to conduct your own independent investigations before making any decisions.

By reading this report or any part of it, you agree to the terms of this disclaimer. If you do not agree to the terms, then you must immediately cease reading this report, and delete and destroy any and all copies of this report downloaded and or printed by you. This report is provided for information purposes only and on a non reliance basis and does not constitute investment advice. No one shall have any right to rely on the report or its contents and the individuals and or team providing this report owe no duty of care towards you or any other person, nor does the individuals and or team make any warranty or representation to any person on the accuracy or completeness of the report.

The report is provided as is without any conditions, warranties, or other terms of any kind except as set out in this disclaimer and the individuals and or team hereby exclude all representations, warranties, conditions and other terms including without limitation the warranties implied by law of satisfactory quality, fitness for purpose and the use of reasonable care and skill which, but for this clause, might have effect in relation to the report. Except and only to the extent that it is prohibited by law, the individuals and or team hereby exclude all liability and responsibility, and neither you nor any other person shall have any claim against the individuals and or team for any amount or kind of loss or damage that may result to you or any other person including without limitation direct, indirect, special, punitive, consequential, or pure economic loss or damages, or any loss of income, profits, goodwill, data, contracts, use of money, or business interruption in any way arising from or connected with this report and any reliance on this report.