Crypto neobanks have 6 attack layers. Only 1 gets audited. See the 11 vectors that go unscoped and why a clean audit report doesn't mean you're safe.

On February 24, 2025, Infini, a Hong Kong stablecoin neobank, lost $49.5 million in two transactions of $11.45 million and $38.06 million, drained from its Morpho MEVCapital USDC Vault. The stolen USDC was swapped to DAI, then to 17,696 ETH, and routed through Tornado Cash.
It was not a zero-day. A former developer still held admin privileges on the platform's smart contract months after leaving the team. The access sat unrevoked for about 100 days, and nobody noticed, until the developer used it to make the unauthorized withdrawal.
Christianeth, the founder, admitted fault immediately and attributed it to negligence during the transfer of authority. This incident is not a story of code failing; it shows how badly governance can fail in crypto. Many teams treat a smart contract audit as the finish line, when it is only the starting point.
A crypto card-issuing neobank combines traditional banking with crypto infrastructure and inherits the risks of both. The system stacks into six layers:

The User App handles authentication and the mobile and web interfaces. It fails through session hijacking, overlay injection, or runtime hooking.
The KYC/AML Pipeline covers identity verification and screening. It is compromised by synthetic identities, deepfakes, or a breach at the verification vendor.
The Core Banking Ledger holds balance records and settlement. Its risks are ledger desyncs, rounding errors, and race conditions.
The Card Issuing Stack sits on a BIN sponsor bank and an issuer-processor such as Marqeta or Galileo, which connect the program to the card schemes. It fails through BIN suspensions or sponsor failures.
The Crypto Custody and Conversion layer holds the wallets and performs the fiat/crypto conversion. It falls to key theft, oracle manipulation, and compromised signing UIs.
On-Chain Settlement covers the DeFi integrations and smart contracts. Its failures are contract flaws and oracle tampering.
A smart contract audit covers only that last layer. None of the other five even has an established audit standard.
The first group is structural: vulnerabilities built into how the product is assembled and what it depends on.

1. Custody Infrastructure Compromise
When an attacker reaches the MPC/TSS signing layer, the HSM, or raw private key material, they can empty an entire neobank treasury in one move. Bybit lost $1.5 billion in February 2025 when its signing interface was poisoned. Infini lost $49.5 million to an insider who still held key privileges. A third route is a cryptographic flaw in the MPC protocol itself.
Fireblocks' 2023 BitForge disclosure found zero-day flaws in the GG-18, GG-20, and Lindell17 MPC protocols. In the GG-18/GG-20 case, a malicious participant could extract the full private key after as few as 16 signing operations, with neither users nor vendors noticing.
In every case, a custody breach does not hit the neobank partially; it takes everything. User stablecoin balances, reserves, and operating cash disappear in a single transaction, and there is no recovering them.
2. BIN Sponsor and Card Processor Dependency
Crypto neobanks are not direct Visa or Mastercard members. They ride on a sponsor bank's BIN range through a program manager. That dependency is rarely treated as a security risk, but it is one.
When Synapse Financial collapsed in 2024, tens of thousands of fintech users lost card access for months, even though the failure was in the BaaS layer rather than in any neobank's own systems. If the processor is breached, every cardholder's PII and transaction history is exposed regardless of how well the neobank's own stack is secured. A BIN range can also be suspended at the scheme level, cutting off every card on it at once. And because card tokenization vaults and transaction records are typically replicated to the sponsor layer, the neobank's security is bounded by its weakest partner. None of this has an audit process.
3. Cross-Chain Bridge Exposure
Yield features move user stablecoin balances across cross-chain bridges to whichever chain pays more. To the user it looks like a USD balance. Behind it, the funds may cross three bridges and touch four chains, none of which appear in the card's transaction history.
In April 2026, the Lazarus Group stole about $292 million from KelpDAO's bridge, and the attacker's wallet was later linked to the Infini exploit. When a bridge is drained, users lose their balances with no trace in the neobank's own contract records. Validator compromise, bridge contract bugs, and wrapped-asset failures all sit outside the neobank's audit scope, inside a yield feature that nobody on the compliance team reviews.
The second group lives in the gaps: between how systems actually run, how users interact with them, and what third-party integrations do.

4. Mobile App Virtualization Attacks
Mobile apps are now a primary target. Virtualization malware loads the legitimate neobank app inside a malicious container and reads PINs, fingerprint prompts, card numbers, and session tokens as the app handles them. The backend sees nothing wrong, because every request arrives from a genuinely authenticated device.
One such campaign harvested credentials from thousands of users without triggering an alert. The entry points are abuse of Android's accessibility services, screen overlays, and runtime hooking of the banking app with tools such as Frida or Xposed.
5. API Layer Authorization Bugs (BOLA)
Neobank APIs manage card issuance, spending controls, KYC exceptions, and fiat transfers. According to the CNTMF framework published on arXiv, Broken Object Level Authorization (BOLA) is the most commonly overlooked security issue in crypto neobanks; it also tops the OWASP API Security Top 10.
In a BOLA bug the API correctly verifies who the caller is but never checks that the caller owns the object being requested. On a card program API, a user who changes the account ID in a request to someone else's can read or alter that person's spending controls. No privilege escalation, no exploit: just a valid session and an account ID that can be guessed or enumerated. The requests look completely normal in the logs.
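The flaw described above, as an added example (not Infini's or any card program's real code): a spending-limit endpoint that checks the session and scope but not object ownership, next to the same endpoint with an object-level check. The store, users, account IDs and the `cards:write` scope are all constructed for the demo.

```python
"""Added example, not from the original post: a card-program endpoint
that updates spending controls, first with a BOLA flaw, then with an
ownership check. Store, users and account IDs are constructed."""

from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: str
    scopes: set = field(default_factory=lambda: {"cards:write"})


@dataclass
class CardAccount:
    account_id: str
    owner_id: str
    daily_limit_cents: int


class Forbidden(Exception):
    pass


# Constructed in-memory "card program" store; a real system holds this in a DB.
ACCOUNTS = {
    "acc_1001": CardAccount("acc_1001", "user_alice", 50_000),
    "acc_1002": CardAccount("acc_1002", "user_bob", 50_000),
}


def set_limit_vulnerable(session: Session, account_id: str, limit_cents: int) -> int:
    """Authenticates and checks the scope, but never checks object ownership:
    any logged-in user can change any account's limit by guessing its ID."""
    if "cards:write" not in session.scopes:
        raise Forbidden("missing scope")
    acct = ACCOUNTS[account_id]           # object fetched by caller-supplied ID
    acct.daily_limit_cents = limit_cents  # no owner comparison
    return acct.daily_limit_cents


def set_limit_hardened(session: Session, account_id: str, limit_cents: int) -> int:
    """Same endpoint with object-level authorization: the account must belong
    to the session's user. Missing and foreign accounts return the same error
    so the endpoint cannot be used to enumerate valid IDs."""
    if "cards:write" not in session.scopes:
        raise Forbidden("missing scope")
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner_id != session.user_id:
        raise Forbidden("account not found")
    if not 0 <= limit_cents <= 1_000_000:
        raise ValueError("limit out of range")
    acct.daily_limit_cents = limit_cents
    return acct.daily_limit_cents


def bola_demo() -> dict:
    """Alice tries to raise Bob's limit through both endpoints."""
    alice = Session("user_alice")
    bob_limit_after_vuln = set_limit_vulnerable(alice, "acc_1002", 900_000)
    try:
        set_limit_hardened(alice, "acc_1002", 900_000)
        hardened_blocked = False
    except Forbidden:
        hardened_blocked = True
    alice_own_limit = set_limit_hardened(alice, "acc_1001", 10_000)
    return {
        "bob_limit_after_vuln": bob_limit_after_vuln,
        "hardened_blocked": hardened_blocked,
        "alice_own_limit": alice_own_limit,
    }


if __name__ == "__main__":
    print(bola_demo())
```

The design point is that the ownership comparison happens on the loaded object, not on the URL, and that "not yours" and "does not exist" are indistinguishable to the caller. A test suite for this endpoint should include a cross-tenant case for every object type the API exposes, because BOLA is a per-endpoint omission, not a framework setting.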
6. Frontend and Signing UI Supply Chain
Bybit lost $1.5 billion in February 2025 despite multi-signature protection. The Lazarus Group compromised a Safe{Wallet} developer's workstation and injected malicious JavaScript into the hosted signing interface. Signers saw the correct transaction details but approved something else. Multi-signature offered no defence because every signer used the same poisoned interface.
For a crypto neobank the exposure is any third-party code with DOM write access on a sensitive page: analytics SDKs, A/B testing libraries, KYC vendor scripts. Magecart-style skimmers have been catalogued in more than 10,500 variants and are credited with compromising over 23 million transactions.
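As an added example (not from the original post or any vendor's tooling), here is the inventory check a reviewer would run over a signing or checkout page: list every script tag, decide which host gets DOM write access, and flag third-party scripts that are not pinned with Subresource Integrity. The HTML, hostnames and integrity values are constructed.

```python
"""Added example, not part of the original post: inventory the scripts a
signing/checkout page loads and flag third-party ones that are not pinned
with Subresource Integrity. The HTML and the hostnames are constructed."""

from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY_HOSTS = {"app.neobank.example"}   # assumed first-party origin

# Constructed page: a pinned first-party bundle, an unpinned analytics tag,
# a KYC widget with integrity but no crossorigin, and one inline script.
SAMPLE_HTML = """
<html><head>
<script src="https://app.neobank.example/static/signing.js"
        integrity="sha384-c2VydmVy" crossorigin="anonymous"></script>
<script src="https://tag.analytics.example/collect.js"></script>
<script src="https://widget.kyc.example/v2.js" integrity="sha384-a2lj"></script>
<script>window.experiments = {};</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append({k: v for k, v in attrs})


def audit_scripts(html, first_party_hosts=FIRST_PARTY_HOSTS):
    """One finding per script: which host can write to this page's DOM and
    whether a silent change at that host would be caught by the browser."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if src is None:
            findings.append({"src": None, "host": None, "severity": "info",
                             "reason": "inline script; allow only by CSP nonce or hash"})
            continue
        host = urlparse(src).hostname or ""
        third_party = host not in first_party_hosts
        if not attrs.get("integrity"):
            sev = "high" if third_party else "medium"
            reason = "no integrity attribute; whoever controls this host can change the code silently"
        elif third_party and attrs.get("crossorigin") != "anonymous":
            sev = "medium"
            reason = ("integrity on a cross-origin script needs crossorigin=\"anonymous\"; "
                      "otherwise the response is opaque, the check fails and the script is blocked")
        else:
            sev = "ok"
            reason = "pinned with SRI"
        findings.append({"src": src, "host": host, "severity": sev, "reason": reason})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'ok': 1, 'high': 1, ...}."""
    out = {}
    for f in findings:
        out[f["severity"]] = out.get(f["severity"], 0) + 1
    return out


if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML):
        print(f["severity"], f["host"], f["reason"])
```

Two caveats on what this check can and cannot buy you. SRI only pins static files; an analytics or A/B loader that rewrites itself cannot be pinned, which is the argument for keeping such scripts off the signing page altogether and enforcing that with a nonce-based CSP `script-src`. And the Bybit case was a compromise of the first-party host itself, which no SRI attribute served by that host can detect; the only defence there is verifying what is actually being signed out of band, for example by clear-signing the decoded calldata on a hardware wallet.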
7. KYC Deepfake Injection
Creating a fake account is cheap. Buy an AI-generated face ($5 to $15), take a forged ID template from a dark-web marketplace, then use a virtual camera driver to feed the fabricated video straight into the liveness check, bypassing the physical sensor. Under $20 and roughly 30 minutes per account.
In December 2025, the FATF Horizon Scan formally stated that this technique undermines AML and CDD controls. Zyphe reports synthetic identity attacks up 31% year over year. Once created, the synthetic account passes every KYC test, is immediately eligible for card issuance and cash withdrawal, and evades compliance checks until someone uncovers the fraud.
The third group sits in the smart contracts themselves: what audits find, and what they still miss.

8. Upgradeable Proxy Without Governance Controls
A big issue auditors often miss is an upgradeable proxy without governance controls. In both UUPS and transparent proxy setups, the problem is a ProxyAdmin or owner that is a single EOA instead of a TimelockController. Whoever holds that key can swap the implementation for a malicious one and drain funds immediately.
This is why OWASP added a new category to its 2026 Smart Contract Top 10 for proxy and upgradeability issues, the first addition driven by governance failures rather than coding mistakes. If an attacker obtains the ProxyAdmin key, every user deposit can be taken with a single upgrade; no reentrancy or flash loans required.
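The two governance failures on this page, the retained admin role behind the Infini loss and the EOA-owned proxy described just above, are the same review. As an added example (not Infini's tooling, not a library API), here is that review as code: compare on-chain role holders against the current authorized roster and check whether the upgrade authority is a timelock with an adequate delay. The addresses, roster, dates and the 24-hour minimum delay are constructed; the snapshot stands in for what a script would export from `RoleGranted`/`RoleRevoked` events, `owner()`, `getMinDelay()` and `eth_getCode`.

```python
"""Added example, not Infini's tooling: review who still holds privileged
roles on a vault/proxy and whether upgrades go through a timelock.
Addresses, roster and dates are constructed to mirror the timeline above."""

from datetime import date

MIN_TIMELOCK_DELAY_S = 24 * 3600   # assumed policy: at least a day of notice before an upgrade


def review_access(snapshot, roster, today):
    """Compare on-chain role holders against the current authorized roster.

    `snapshot` is what a role-enumeration script would export: each role's
    holders, plus the ProxyAdmin/UUPS owner with the result of eth_getCode and,
    if it is a timelock, its minimum delay. `roster` maps address -> person.
    Returns (severity, role, address, reason) tuples; an empty list is a pass.
    """
    findings = []
    for role, holders in snapshot["roles"].items():
        for addr in holders:
            person = roster.get(addr)
            if person is None:
                findings.append(("critical", role, addr, "holder not on the authorized roster"))
            elif person["status"] != "active":
                days = (today - person["left_on"]).days
                findings.append(("critical", role, addr,
                                 f"{person['name']} retained {role} {days} days after offboarding"))
    owner = snapshot["upgrade_authority"]
    if not owner["has_code"]:
        findings.append(("critical", "UPGRADE_AUTHORITY", owner["address"],
                         "single EOA can swap the implementation instantly; expected a TimelockController"))
    elif (owner.get("timelock_delay_s") or 0) < MIN_TIMELOCK_DELAY_S:
        findings.append(("high", "UPGRADE_AUTHORITY", owner["address"],
                         f"timelock delay {owner.get('timelock_delay_s')}s is below the "
                         f"{MIN_TIMELOCK_DELAY_S}s minimum"))
    return findings


# Constructed snapshot mirroring the Infini timeline: a former developer still
# holds the admin and withdraw roles 100 days after leaving, and the upgrade
# authority is a plain EOA (eth_getCode returned empty). Placeholder addresses.
INFINI_LIKE_SNAPSHOT = {
    "roles": {
        "DEFAULT_ADMIN_ROLE": ["0xA11ce000", "0xDe4d0000"],
        "WITHDRAW_ROLE": ["0xDe4d0000"],
    },
    "upgrade_authority": {"address": "0xDe4d0000", "has_code": False, "timelock_delay_s": None},
}
ROSTER = {
    "0xA11ce000": {"name": "alice", "status": "active"},
    "0xDe4d0000": {"name": "former-dev", "status": "left", "left_on": date(2024, 11, 16)},
}

# Same roster after remediation: only active staff hold roles and upgrades go
# through a timelock, but with a one-hour delay that is still below policy.
TIMELOCKED_SNAPSHOT = {
    "roles": {"DEFAULT_ADMIN_ROLE": ["0xA11ce000"]},
    "upgrade_authority": {"address": "0x71me10ck", "has_code": True, "timelock_delay_s": 3600},
}


def demo_findings():
    return review_access(INFINI_LIKE_SNAPSHOT, ROSTER, date(2025, 2, 24))


def timelocked_findings():
    return review_access(TIMELOCKED_SNAPSHOT, ROSTER, date(2025, 2, 24))


if __name__ == "__main__":
    for finding in demo_findings() + timelocked_findings():
        print(*finding)
```

The check is only useful if it runs on a schedule and on every offboarding event, and if its output is a revocation transaction rather than a ticket. The `has_code` test is deliberately crude: a contract at the owner address is necessary but not sufficient, so the follow-up is to confirm it is a TimelockController whose proposers are a multisig and not, again, one person.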
9. Oracle Manipulation in DeFi Integrations
When a neobank's strategies depend on on-chain price feeds, a manipulated oracle moves the exchange rate the wrong way and the losses follow. KiloEx lost about $7 million, ZKsync's wUSDM was hit for $717,000, and a Chainlink feed glitch on Avalanche caused half a million dollars of incorrect liquidations.
In the manipulation cases the common thread is a single DEX pool used as the price reference, with no TWAP and no deviation threshold, so a momentary distortion feeds straight into real-time decisions.
And when an oracle fails, nothing in the neobank's contracts raises an alarm. Users notice first: balances that are off, card authorizations that are wildly wrong. It usually surfaces through customer support, from confused or angry customers.
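The missing controls named above (a TWAP over the pool, a deviation threshold, and a second independent reference) are simple to state and easy to get subtly wrong. As an added example that is not any named protocol's code, here is a price guard that applies all three and fails closed, returning a reason instead of a price, so a failed oracle raises an alarm rather than silently mispricing settlements. Prices are integers scaled by 1e8, the observation series is constructed, and the 2% threshold and 5-minute staleness limit are assumed.

```python
"""Added example, not from any protocol named on this page: a price guard
that checks a DEX spot price against a time-weighted average and a second
reference before it may drive settlement. Prices are scaled by 1e8; the
observation series is constructed."""

from collections import deque

SCALE = 10**8  # $1.00 == 100_000_000


class PriceGuard:
    def __init__(self, window_s=1800, max_deviation_bps=200, max_staleness_s=300):
        self.window_s = window_s
        self.max_deviation_bps = max_deviation_bps   # 200 bps == 2%, assumed policy
        self.max_staleness_s = max_staleness_s
        self.obs = deque()                           # (timestamp, price), oldest first

    def record(self, ts, price):
        """Append a pool observation and drop those that fell out of the window."""
        self.obs.append((ts, price))
        while len(self.obs) > 1 and self.obs[0][0] < ts - self.window_s:
            self.obs.popleft()

    def twap(self, now):
        """Time-weighted average: each observation counts for the time until the
        next one (or until `now` for the latest), so a one-block spike barely
        moves it."""
        obs = list(self.obs)
        weighted, total = 0, 0
        for i, (ts, price) in enumerate(obs):
            end = obs[i + 1][0] if i + 1 < len(obs) else now
            dur = max(end - ts, 0)
            weighted += price * dur
            total += dur
        return weighted // total if total else None

    @staticmethod
    def deviation_bps(a, b):
        return abs(a - b) * 10_000 // b

    def check(self, now, spot, reference):
        """Return (accepted, price, reason). `reference` is an independent second
        source such as a push-based feed; settlement uses the TWAP, never raw spot."""
        if not self.obs or now - self.obs[-1][0] > self.max_staleness_s:
            return False, None, "stale: no fresh observation"
        avg = self.twap(now)
        if not avg:
            return False, None, "no TWAP history"
        if self.deviation_bps(spot, avg) > self.max_deviation_bps:
            return False, None, "spot deviates from TWAP beyond threshold"
        if self.deviation_bps(avg, reference) > self.max_deviation_bps:
            return False, None, "TWAP and reference feed disagree"
        return True, avg, "ok"


def oracle_demo():
    guard = PriceGuard()
    for t in range(0, 600, 60):                  # ten minutes of a stable $1.00 pool
        guard.record(t, SCALE)
    spike = 140 * SCALE // 100                   # one-block manipulation to $1.40
    guard.record(600, spike)
    return {
        "twap_at_spike": guard.twap(600),
        "spike": guard.check(600, spike, SCALE),
        "normal": guard.check(600, 1005 * SCALE // 1000, SCALE),   # $1.005 spot
        "stale": guard.check(2000, SCALE, SCALE),                  # no data for 23 min
    }


if __name__ == "__main__":
    print(oracle_demo())
```

A TWAP alone is not manipulation-proof; an attacker who can hold a pool off-price for several blocks will drag it along, which is why the guard also requires agreement with an independent reference and why the right response to disagreement is to pause settlement, not to pick one side. The "stale" branch matters just as much: a feed that stops updating is the Avalanche-style failure, and it should stop the strategy rather than let the last good price ride.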
10. Business Logic Violations in Vault Accounting
OWASP SC02:2026 is the second-ranked risk, and the kind that routinely escapes a standard audit. Every check looks fine on its own; the flaw is in how the vault, the ledger, and the yield strategy interact. This is what cost Stream Finance $93 million in 2025, one of the largest DeFi losses of the year, and shortly afterwards Abracadabra lost $12.9 million through borrowing logic in CauldronV4.
In a neobank vault that means letting users withdraw more than they deposited, paying out more rewards than were earned, and reporting solvency when the backing value is not there. Static analysis and fuzzers miss these because they examine individual functions rather than the economics of the whole system. Catching them needs tests written against the intended flow of funds.
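What such a test looks like, as an added example that is not Stream Finance's, Abracadabra's or any vault's real code: a vault whose ledger records deposits minus withdrawals and never reconciles against the strategy it invests in, beside a share-based vault whose claims are always a slice of what the strategy actually holds. The invariant under test, that the sum of user claims never exceeds strategy holdings, spans two components and cannot be seen by a static analyzer looking at either. The strategy model and all amounts are constructed.

```python
"""Added example, not any protocol's code: a solvency invariant that spans
the vault ledger and the external yield strategy, checked against a naive
ledger vault and a share-based vault. Amounts are constructed."""


class Strategy:
    """Stand-in for the external yield strategy the vault deposits into."""
    def __init__(self):
        self.holdings = 0

    def invest(self, amount):
        self.holdings += amount

    def divest(self, amount):
        paid = min(amount, self.holdings)   # it can only return what it really has
        self.holdings -= paid
        return paid

    def apply_pnl_pct(self, pct):
        self.holdings = self.holdings * (100 + pct) // 100


class LedgerVault:
    """Tracks balances as deposits minus withdrawals and never reconciles them
    against the strategy, so it keeps reporting full balances after a loss."""
    def __init__(self, strategy):
        self.strategy = strategy
        self.balances = {}

    def deposit(self, user, amount):
        self.balances[user] = self.balances.get(user, 0) + amount
        self.strategy.invest(amount)

    def balance_of(self, user):
        return self.balances.get(user, 0)

    def withdraw_all(self, user):
        return self.strategy.divest(self.balances.pop(user, 0))

    def claims(self):
        return sum(self.balances.values())


class ShareVault:
    """Issues shares; each claim is a pro-rata, rounded-down slice of current
    holdings, so the sum of claims can never exceed what the strategy holds."""
    def __init__(self, strategy):
        self.strategy = strategy
        self.shares = {}
        self.total_shares = 0

    def deposit(self, user, amount):
        h = self.strategy.holdings
        minted = amount if self.total_shares == 0 else amount * self.total_shares // h
        self.shares[user] = self.shares.get(user, 0) + minted
        self.total_shares += minted
        self.strategy.invest(amount)

    def balance_of(self, user):
        if self.total_shares == 0:
            return 0
        return self.shares.get(user, 0) * self.strategy.holdings // self.total_shares

    def withdraw_all(self, user):
        amount = self.balance_of(user)
        self.total_shares -= self.shares.pop(user, 0)
        return self.strategy.divest(amount)

    def claims(self):
        return sum(self.balance_of(u) for u in self.shares)


def run_scenario(vault_cls):
    """Two depositors, a 10% strategy loss, then the first depositor exits.
    Checks the cross-component invariant claims <= holdings at each step."""
    strat = Strategy()
    vault = vault_cls(strat)
    vault.deposit("alice", 600)
    vault.deposit("bob", 400)
    strat.apply_pnl_pct(-10)                        # holdings: 1000 -> 900
    claims_exceed = vault.claims() > strat.holdings
    alice_paid = vault.withdraw_all("alice")       # first out, paid in full?
    bob_claim = vault.balance_of("bob")
    return {
        "claims_exceed_holdings": claims_exceed,
        "alice_paid": alice_paid,
        "bob_claim": bob_claim,
        "bob_shortfall": max(0, bob_claim - strat.holdings),
    }


if __name__ == "__main__":
    print("ledger:", run_scenario(LedgerVault))
    print("shares:", run_scenario(ShareVault))
```

In the ledger vault every function is individually correct, and a fuzzer that only calls `deposit` and `withdraw_all` never sees a revert; the bug only appears once the strategy's P&L is part of the model, and it shows up as the first withdrawer being paid in full while the last is left holding a claim the vault cannot honour. That is the shape of a "shows solvent while under water" failure, and the test has to drive both components to find it.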
11. Internal Backend Accounting Exploits
Card authorization, crypto liquidation, and fiat settlement each run on separate systems with different timelines. Where those steps are not atomic, the inconsistencies are exploitable.
Revolut had a backend sequencing flaw that let about $20 million in unauthorized transactions through. The pattern: a user authorizes a card transaction, then liquidates the same balance before the authorization settles, and repeats it with parallel API requests.
For crypto neobanks, just-in-time funding creates exactly this window. If the balance check and the conversion are not atomic, a user can clear multiple authorizations against the same balance before the bank moves funds from reserves to cover any of them. No on-chain check will ever catch this vulnerability; it lives entirely in the backend.
Across all 11 surfaces the pattern repeats: the audit looked only at the contract, access was never revoked, and a third party had far more reach than anyone had mapped.
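The race described above, reproduced as an added example (not Revolut's or any neobank's code) against an in-memory SQLite database: a check-then-debit authorization where a second request slips in between the read and the write, next to a single-statement conditional debit that closes the window. The user, balances and amounts are constructed, and the interleaving is driven deterministically rather than with threads so the outcome is reproducible.

```python
"""Added example, not any neobank's code: the check-then-debit race in
just-in-time card funding, reproduced against SQLite, beside the
single-statement conditional debit that closes it. Balances are constructed."""

import sqlite3


def make_db(user, available):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE balances(user TEXT PRIMARY KEY, available INTEGER NOT NULL)")
    con.execute("CREATE TABLE auths(id INTEGER PRIMARY KEY, user TEXT, amount INTEGER)")
    con.execute("INSERT INTO balances VALUES (?, ?)", (user, available))
    con.commit()
    return con


def authorize_nonatomic(con, user, amount, interleave=None):
    """Vulnerable: the balance read and the debit are separate steps.
    `interleave` stands in for a second request running between them."""
    (available,) = con.execute(
        "SELECT available FROM balances WHERE user = ?", (user,)).fetchone()
    if available < amount:
        return False
    if interleave is not None:
        interleave()                      # the parallel request lands here
    con.execute("UPDATE balances SET available = available - ? WHERE user = ?",
                (amount, user))
    con.execute("INSERT INTO auths(user, amount) VALUES (?, ?)", (user, amount))
    con.commit()
    return True


def authorize_atomic(con, user, amount):
    """Hardened: the debit is conditional inside one statement, so of two
    concurrent requests only one can consume the same funds."""
    cur = con.execute(
        "UPDATE balances SET available = available - ? "
        "WHERE user = ? AND available >= ?",
        (amount, user, amount))
    if cur.rowcount != 1:
        con.rollback()
        return False
    con.execute("INSERT INTO auths(user, amount) VALUES (?, ?)", (user, amount))
    con.commit()
    return True


def state(con, user):
    """(available balance, number of approved authorizations)."""
    (available,) = con.execute(
        "SELECT available FROM balances WHERE user = ?", (user,)).fetchone()
    (count,) = con.execute(
        "SELECT COUNT(*) FROM auths WHERE user = ?", (user,)).fetchone()
    return available, count


def race_demo():
    """Two 80-unit authorizations against a 100-unit balance, 'in parallel'."""
    con = make_db("u1", 100)
    # Request B runs after request A has read the balance but before A debits it.
    b_result = []
    authorize_nonatomic(con, "u1", 80,
                        interleave=lambda: b_result.append(authorize_nonatomic(con, "u1", 80)))
    nonatomic = state(con, "u1")

    con2 = make_db("u1", 100)
    authorize_atomic(con2, "u1", 80)
    second_accepted = authorize_atomic(con2, "u1", 80)
    atomic = state(con2, "u1")
    return {"nonatomic": nonatomic, "b_accepted": b_result[0],
            "atomic": atomic, "atomic_second_accepted": second_accepted}


if __name__ == "__main__":
    print(race_demo())
```

The conditional `UPDATE ... WHERE available >= ?` is the whole fix: the database evaluates the predicate under its own locking, so the second writer sees the first one's debit (in PostgreSQL under READ COMMITTED the blocked writer re-checks the WHERE clause once the first commits; `SELECT ... FOR UPDATE` is the equivalent when the conversion step must happen in between). A `CHECK (available >= 0)` constraint on the column is the defence in depth that turns any remaining race into a failed transaction instead of a negative balance.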

Crypto lost $2.54 billion in 2025; 2026 stands at $847 million so far. Some crypto neobanks raised $200 million in 90 days, yet almost none had a dedicated CISO.
The five tiers above the smart contract layer hold more user value and carry more operational risk, and none has a standardized security review. A crypto neobank's security plan has to cover custody infrastructure, every third-party connection from the mobile SDKs to the card processor, the onboarding pipeline, API authorization, and backend processes. It also has to be continuous, because the team holding the keys keeps changing.
An audit report is not security; it is where the process starts.

We were quoted in Decrypt after the Infini exploit since the failure wasn't new. We've spotted this issue many times before. Our methods are thorough, covering smart contract review, custody architecture assessment, API authorization testing, third-party dependency mapping, and ongoing access control governance.
It's not enough to just check if your contracts are right. The real questions are more like, do you still have keys you shouldn't? Which outside scripts can write to your signing flow? Has your KYC provider had their own audit? And does your JIT funding logic work atomically?
We're actively working on this security framework for neobanks. If you're building on-chain banking stuff, get in touch.
Crypto neobanks combine traditional finance, payment infrastructure, and decentralized systems, and inherit the risks of each. Incidents like Infini's come from poor governance, weak custody, and operational flaws, not usually from smart contract bugs. One audit does not cover it; security needs ongoing assessment across the whole system, from the mobile app to on-chain settlement. Staying resilient means a comprehensive security approach that adapts as products, teams, and threats change.
From day-zero risk mapping to exchange-ready audits — QuillAudits helps projects grow with confidence. Smart contracts, dApps, infrastructure, compliance — secured end-to-end.