Latest Security Report

This page summarises how to interpret the most recent full run of the automated security test suites for the Keythings Wallet monorepo.

Executive summary

The monorepo is exercised by unit, integration, end-to-end and several security-focused test suites. These suites are designed to surface issues in cryptographic operations, input validation, UI security, builder-based transaction flows, session secret handling, and data exfiltration risks.

Critical and high-severity findings from these suites are treated as release blockers. Medium and low-severity findings are tracked in the issue tracker and addressed as part of normal engineering work. This report should be read as an engineering artefact that documents coverage and known residual risk, not as a guarantee that no weaknesses exist.

Current run snapshot

The most recent full run of bun run security:all completed successfully with no critical or high-severity findings reported by the automated suites. Any medium or lower-severity observations are recorded in the command-line JSON summaries and tracked through the normal issue management process.

Suites included in a full security run

A complete security run typically invokes the following from the monorepo root:

# From keythings-monorepo/
bun run security:all

# Equivalent to:
bun run security:comprehensive  # fuzzing, secret input tests, builder/session/data-exfil suites
bun run security:advanced       # differential, mutation, chaos, timing, memory, side-channel tests
bun run security:crypto         # cryptographic security tests
bun run security:ui             # UI/UX security tests
bun run security:fuzz           # token amount fuzzing suite

Depending on context, additional runs may include bun run security:memory-safe (for focused memory-leak detection) and bun run security:pentest (for retire.js and OWASP ZAP-based penetration testing).

Interpreting findings by severity

All suites report findings on a normalised severity scale. The levels, and the action each is intended to trigger, are:

  • Critical: exploitable issue that can lead to loss of funds, keys, or complete compromise. Typical action: block releases; fix immediately; consider an emergency patch and coordinated disclosure.
  • High: serious weakness with practical impact on confidentiality, integrity, or availability. Typical action: prioritise in the current iteration; no production rollout until resolved or mitigated.
  • Medium: issue with meaningful risk or defence-in-depth implications, but with constraints on exploitation. Typical action: track in the backlog; schedule remediation; consider configuration changes as an interim mitigation.
  • Low: minor issue that is hard to exploit or has limited security impact (for example logging or ergonomics). Typical action: address when touching nearby code or as part of periodic hardening work.
  • Info: observation that is useful for audit or tuning but does not represent a vulnerability. Typical action: use for monitoring, documentation, and to guide future test improvements.

Per-suite coverage

The main security suites exercise different parts of the system:

  • Comprehensive security runner (security:comprehensive) — combines fuzzing of numeric parsing and secret inputs with dedicated suites for builder/transaction security, session secret lifecycle, and data exfiltration / non-custodial guarantees.
  • Advanced security suite (security:advanced) — applies differential testing, mutation testing, chaos engineering, timing analysis, memory-safety checks, and side-channel analysis to wallet internals.
  • Cryptographic security tests (security:crypto) — focus on entropy quality, mnemonic generation and validation, key-generation uniqueness, and protocol-level consistency with the Keeta SDK.
  • UI/UX security tests (security:ui) — target UI injection, clickjacking, button and form manipulation, UI timing behaviour, memory usage of interactive components, and accessibility-related security.
  • Token amount fuzzing (security:fuzz) — performs property-based, strategic, and random ASCII fuzzing of decimal amount parsing and normalisation.
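To make the last item concrete, the block below is an added example written for this page, not the wallet's own amount parser or its security:fuzz suite. It implements a strict decimal-to-base-units parser and runs the three strategies the suite description names against it: property-based (random well-formed amounts must normalise to a canonical string that parses back to the same value and normalises to itself), strategic (inputs that Number() or parseFloat would accept or silently mangle must be rejected with a typed error, and a few values must parse exactly), and random printable ASCII (any string may be rejected, but the parser must never throw anything other than its own error type). The parser's rules, the assumed precision DECIMALS = 6, the seeded PRNG and all sample inputs are assumptions of the example.

```javascript
// Added example, not the wallet's parser or its security:fuzz suite: a strict
// decimal amount parser plus the three fuzzing strategies named above, run
// against it. Parsing to bigint base units avoids Number()/parseFloat precision loss.

class AmountError extends Error {}
const DECIMALS = 6; // assumed token precision for the strategic cases below

// Parse a non-negative decimal string ("12.5" with 6 decimals -> 12500000n).
// Strict by design: no sign, exponent, whitespace, grouping, leading zeros or
// excess fractional digits. Bad input throws AmountError; nothing is rounded silently.
function parseAmount(input, decimals) {
  if (typeof input !== "string" || !/^(0|[1-9][0-9]*)(\.[0-9]+)?$/.test(input)) {
    throw new AmountError(`malformed amount: ${JSON.stringify(input)}`);
  }
  const [whole, frac = ""] = input.split(".");
  if (frac.length > decimals) {
    throw new AmountError(`more than ${decimals} fractional digits: ${input}`);
  }
  const scale = BigInt("1" + "0".repeat(decimals));
  return BigInt(whole) * scale + BigInt(frac.padEnd(decimals, "0") || "0");
}

// Canonical string form: no trailing fractional zeros, no "." if the fraction is 0.
function formatAmount(units, decimals) {
  const s = units.toString().padStart(decimals + 1, "0");
  const whole = s.slice(0, s.length - decimals);
  const frac = s.slice(s.length - decimals).replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : whole;
}

// Seeded PRNG (mulberry32) so any fuzz failure is reproducible from its seed.
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}
const digit = (rnd) => String(Math.floor(rnd() * 10));

// Property-based: random well-formed amounts must normalise to a canonical
// string that parses back to the same units and normalises to itself.
function fuzzRoundTrip(runs, decimals, seed) {
  const rnd = mulberry32(seed);
  const failures = [];
  for (let i = 0; i < runs; i++) {
    let whole = String(1 + Math.floor(rnd() * 9));
    for (let n = Math.floor(rnd() * 25); n > 0; n--) whole += digit(rnd);
    if (rnd() < 0.1) whole = "0";
    let frac = "";
    for (let n = Math.floor(rnd() * (decimals + 1)); n > 0; n--) frac += digit(rnd);
    const input = frac ? `${whole}.${frac}` : whole;
    const units = parseAmount(input, decimals);
    const canon = formatAmount(units, decimals);
    const back = parseAmount(canon, decimals);
    if (back !== units || formatAmount(back, decimals) !== canon) failures.push(input);
  }
  return failures;
}

// Random ASCII: any printable string must either parse to a bigint or be
// rejected with AmountError; any other exception type is a parser bug.
function fuzzRandomAscii(runs, decimals, seed) {
  const rnd = mulberry32(seed);
  const alphabet = "0123456789.-+eE ,x_0000000000.."; // digit-heavy on purpose
  const result = { failures: [], accepted: 0 };
  for (let i = 0; i < runs; i++) {
    let s = "";
    for (let n = Math.floor(rnd() * 12); n > 0; n--) {
      s += rnd() < 0.8 ? alphabet[Math.floor(rnd() * alphabet.length)]
                       : String.fromCharCode(32 + Math.floor(rnd() * 95));
    }
    try { parseAmount(s, decimals); result.accepted++; }
    catch (e) { if (!(e instanceof AmountError)) result.failures.push(s); }
  }
  return result;
}

// Strategic: inputs that Number()/parseFloat accept or mangle but a wallet must
// reject, plus values that must parse exactly (expected units assume DECIMALS = 6).
const MUST_REJECT = ["", " 1", "1 ", "+1", "-1", "1e3", "1.", ".5", "01", "1,000",
                     "0x10", "1_000", "Infinity", "NaN", "1.0000001", "１"];
const MUST_ACCEPT = [["0", 0n], ["0.0", 0n], ["1.5", 1500000n], ["1.500000", 1500000n],
                     ["123456789012345678901234567890", 123456789012345678901234567890000000n]];
function checkStrategic() {
  const failures = [];
  for (const s of MUST_REJECT) {
    try { parseAmount(s, DECIMALS); failures.push(`accepted ${JSON.stringify(s)}`); }
    catch (e) { if (!(e instanceof AmountError)) failures.push(`crashed on ${JSON.stringify(s)}`); }
  }
  for (const [s, want] of MUST_ACCEPT) {
    if (parseAmount(s, DECIMALS) !== want) failures.push(`wrong value for ${s}`);
  }
  return failures;
}

console.log({ roundTrip: fuzzRoundTrip(2000, DECIMALS, 1), strategic: checkStrategic(),
              randomAscii: fuzzRandomAscii(5000, DECIMALS, 2) });
```

Each function returns the failing inputs rather than throwing, so a CI wrapper can print them with the seed and a failure reproduces exactly on a second run. The strategic list is where a real suite earns its keep: Number("") is 0, Number("1e3") is 1000 and a 30-digit amount loses precision as a double, and none of those outcomes should ever reach a transaction builder.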

Running the suites locally

To reproduce the latest security run on a local workstation, execute:

# Full security run (may take several minutes)
bun run security:all

# Or run a specific suite, for example:
bun run security:advanced
bun run security:crypto
bun run security:ui
bun run security:fuzz

The CLI output from these commands includes a JSON summary of findings with per-severity and per-suite counts. When publishing a formal written report, take the counts from the summary of the run being reported rather than typing them in by hand, so the report cannot drift from what the suites actually recorded.
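As an added example of how the severity levels above and the JSON summary mentioned here fit together in a pipeline (an illustration written for this page, not a script from the Keythings repository): the block assumes a summary of the form {"findings": [{suite, severity, title}, ...]}, which this page does not specify and the real security:all output may not match. It aggregates per-severity and per-suite counts, treats critical and high findings as release blockers in line with the policy above, and rejects a summary containing an unknown severity label instead of silently bucketing it. The sample summaries are constructed and contain no real findings.

```javascript
// Added example (not code from the Keythings repository): apply the severity
// policy from this page to a test-suite summary and decide whether a release is
// blocked. The summary shape, {"findings": [{suite, severity, title}, ...]}, is
// an ASSUMPTION for illustration; the real security:all output may differ.

const SEVERITIES = ["critical", "high", "medium", "low", "info"];
const RELEASE_BLOCKING = new Set(["critical", "high"]);

function emptyCounts() {
  return { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
}

// Parse and validate the raw JSON. An unknown severity is an error rather than
// being silently counted somewhere, so a schema change cannot hide a blocker.
function parseSummary(json) {
  const raw = JSON.parse(json);
  if (!raw || !Array.isArray(raw.findings)) {
    throw new Error("summary has no findings array");
  }
  raw.findings.forEach((f, i) => {
    if (typeof f.suite !== "string" || typeof f.title !== "string") {
      throw new Error(`finding ${i} is missing suite or title`);
    }
    if (!SEVERITIES.includes(f.severity)) {
      throw new Error(`finding ${i} has unknown severity ${JSON.stringify(f.severity)}`);
    }
  });
  return raw;
}

// Aggregate per-severity and per-suite counts and collect the release blockers.
function gateRelease(summary) {
  const bySeverity = emptyCounts();
  const bySuite = {};
  const blockers = [];
  for (const f of summary.findings) {
    bySeverity[f.severity] += 1;
    bySuite[f.suite] = bySuite[f.suite] || emptyCounts();
    bySuite[f.suite][f.severity] += 1;
    if (RELEASE_BLOCKING.has(f.severity)) blockers.push(f);
  }
  return { blocked: blockers.length > 0, bySeverity, bySuite, blockers };
}

// Constructed sample summaries (not real findings from any run).
const CLEAN_RUN = JSON.stringify({
  findings: [
    { suite: "security:fuzz", severity: "medium", title: "sample medium finding" },
    { suite: "security:ui", severity: "low", title: "sample low finding" },
    { suite: "security:crypto", severity: "info", title: "sample observation" },
  ],
});
const BLOCKED_RUN = JSON.stringify({
  findings: [
    { suite: "security:advanced", severity: "high", title: "sample high finding" },
    { suite: "security:ui", severity: "low", title: "sample low finding" },
  ],
});

// Pipeline entry point: print the counts and return the exit status to use
// (1 = blocked). Medium and lower findings are listed but do not fail the job.
function report(json) {
  const result = gateRelease(parseSummary(json));
  console.log("per-severity:", result.bySeverity);
  for (const [suite, counts] of Object.entries(result.bySuite)) {
    console.log(`  ${suite}:`, counts);
  }
  for (const b of result.blockers) {
    console.log(`BLOCKER [${b.severity}] ${b.suite}: ${b.title}`);
  }
  console.log(result.blocked ? "release BLOCKED" : "release not blocked by security suites");
  return result.blocked ? 1 : 0;
}

// Stand-alone demo over the constructed data. In CI you would instead read the
// summary file the run writes and set process.exitCode = report(contents).
report(CLEAN_RUN);
report(BLOCKED_RUN);
```

The counts printed by report() are the ones to carry into a written report; the per-suite breakdown also makes it obvious which suite a blocker came from, which is what an auditor reading the CI artefacts will ask first.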

Using this report in reviews and audits

For internal reviews and external audits, this page should be read together with:

  • The Testing & Assurance overview, which documents core test commands and links to per-suite documentation.
  • The External Audit Guide, which explains how auditors can run the suites independently and how to interpret coverage diagrams.
  • CI/CD logs and artefacts associated with the security:all and security:pentest workflows.

Together, these artefacts provide a traceable record of how security testing is performed, what it covers, and how findings are triaged and remediated over time.