
QuillAudits × Tria: Building a $12M Crypto Neobank That Doesn’t Compromise on Security

QuillAudits’ comprehensive security audit of Tria uncovered critical vulnerabilities across authentication, airdrop logic, and frontend layers, delivering targeted fixes to strengthen platform integrity and protect user interactions.


Headquarters: Central and South Asia

Chain: EVM


Before QuillAudits

  • Sensitive keys exposed in client bundle
  • No authentication on critical endpoints (claim manipulation possible)
  • No wallet signature verification
  • Claim page vulnerable → possible fund theft
  • OAuth not validated + quiz DoS attacks possible

After QuillAudits

  • Keys secured server-side and rotated
  • Strong authentication and validation enforced
  • Signature-based ownership verification added
  • Frame protection (CSP + X-Frame-Options) implemented
  • Proper validation and user binding enforced


Tria is a self-custodial digital finance platform built to make crypto usable in everyday life. It combines a consumer neobank with its interoperability engine, BestPath, enabling users to trade, earn, and spend assets seamlessly across multiple blockchains without dealing with wallets, gas fees, or complex setups. Overall, Tria focuses on turning digital assets from passive holdings into an active, accessible financial system.

From Risk to Resilience: Securing Tria

Tria is a self-custodial digital finance system designed to make crypto usable, programmable, and scalable. Its ecosystem combines multiple smart contracts to enable seamless asset management—where users can receive, store, stake, and spend tokens within a unified flow. The TriaStakingPool acts as a fixed-APR vault for time-based rewards, TriaSpend functions as an escrow-style wallet for controlled withdrawals, and TriaClaim enables secure token distribution via Merkle proofs with flexible routing into savings or spending. Supporting this system is the Tria Token, an ERC20-based asset built on OpenZeppelin standards with a fixed supply, ensuring reliability and consistency across the platform. Together, these components create a structured infrastructure that turns digital assets into an active financial layer rather than passive holdings.

Tria’s Journey Through Our Audit Process

  1. Client Onboarding & Scoping
    • Collected asset list, defined in-scope and out-of-scope targets, agreed on testing windows, and signed NDA, MSA, and Authorisation Letter before engagement began.
  2. Requirement Gathering
    • Completed a full-stack technical questionnaire and produced an architecture overview, API specs, and authentication flow diagram.
  3. Kickoff Meeting
    • Walked through all in-scope assets with client engineering, validated credentials across all role tiers, confirmed staging mirrors production, and ran a smoke test against key endpoints.
    • Established real-time communication channel, defined a critical severity escalation path, and locked the testing and delivery timeline.
  4. Reconnaissance & Threat Modelling
    • Conducted passive and active recon, including subdomain enumeration, port scanning, JS bundle analysis, and secret scanning.
    • Applied STRIDE threat modelling across all components, mapping DApp-specific attack vectors.
  5. Manual Security Testing
    • Tested authentication and authorization flaws — JWT attacks, SIWE bypass, RBAC escalation, and OAuth2 vulnerabilities.
    • Tested API abuse — IDOR, mass assignment, rate limit bypass, GraphQL attacks, and WebSocket hijacking.
    • Tested frontend vulnerabilities — XSS, malicious wallet injection, clickjacking, and missing SRI on CDN scripts.
    • Tested backend flaws — SSRF, signature replay, injection, deserialization, and SSTI/RCE.
    • Tested Web3-specific vectors — RPC key leakage from JS bundles, chain spoofing, ENS/oracle manipulation, and Subgraph abuse.
    • Tested infrastructure — secrets leakage, S3 misconfigurations, container security, and CI/CD pipeline vulnerabilities.
  6. Automated Scanning
    • Ran Nmap, Nessus, Burp Suite Pro, OWASP ZAP, GraphQL Cop, Arjun, ScoutSuite, Prowler, and Trivy for comprehensive vulnerability and misconfiguration coverage.
  7. Vulnerability Analysis & Exploitation
    • Deduplicated all findings, scored each using CVSS v3.1, developed proofs-of-concept, and classified them by severity with defined disclosure timelines.
  8. Reporting & Remediation
    • Drafted a full technical report with per-vulnerability detail, reproduction steps, remediation guidance, and a prioritised fix roadmap.
    • Reviewed client fixes, re-executed PoCs, and classified each finding as Fixed, Partially Fixed, or Open.
  9. Final Delivery
    • Delivered full technical report, executive summary, evidence archive, and Certificate of Audit — all transmitted encrypted via PGP.
    • Conducted a handover meeting with root cause walkthroughs and a 30-day post-engagement support window.

QuillAudits' Strategic Approach to Tria’s Security Audits

Our approach to auditing Tria combined a security-first mindset, comprehensive threat modelling, and rigorous testing methodologies. By leveraging both white-box and black-box testing techniques, we conducted an in-depth assessment of the system. Throughout the process, we maintained transparency and clear communication with the Tria team, ensuring a collaborative and thorough security review.

Comprehensive Audit Discoveries and Remediation Strategies

  • Medium Severity Issues (2): Moderate risks that could affect security if not addressed.
  • Low Severity Issues (1): Minor issues with limited impact, but recommended for improvement.
  • Informational Severity Issues (3): Observations and best-practice suggestions with minimal impact.

Here is a breakdown of the critical vulnerabilities in audit discoveries and remediation strategies:

Audit Findings:

Potential Gas-Griefing via Unbounded Deposit Storage

Description:

The deposit() function allows deposits to be made for an arbitrary _recipient, and user deposits are stored in an append-only array. Although deposits can be withdrawn, withdrawn entries are only zeroed out and not removed from storage, causing unbounded growth of the per-user deposits array over time. While the removal of maxDepositsPerUser eliminates the permanent lockout vector, a malicious actor can still intentionally create many minimum-value deposits for a victim address, inflating storage and increasing gas costs for the victim's withdrawal operations.

Emergency Withdraw is Blocked by Pause

Description:

The emergencyWithdraw function is intended as a safety hatch for users to retrieve their principal in case of critical issues. However, it includes the whenNotPaused modifier. If the admin detects a bug and pauses the contract to stop exploits, they inadvertently trap all honest users, preventing them from using the emergency exit.

Consider using Ownable2Step

Description:

The project intends to use Ownable2Step semantics (safe two-step ownership transfer), but currently inherits from Ownable, not Ownable2Step. This means the owner can instantly transfer ownership in one transaction, defeating the intended two-step security model documented in comments and project requirements. If the owner key is compromised or misused, privileged control can be reassigned instantly without the beneficiary’s acceptance.

Remediation Strategies:

Potential Gas-Griefing via Unbounded Deposit Storage

Implement storage cleanup or indexing (e.g., head/tail pointers) to skip withdrawn entries, so that the cost of a withdrawal no longer grows with the number of stale entries.

Emergency Withdraw is Blocked by Pause

Remove the whenNotPaused modifier from the emergencyWithdraw function. It should be callable even (and especially) when the contract is paused.

Consider using Ownable2Step

Replace Ownable with Ownable2Step to enforce a safer two-step ownership transfer process, in which the new owner must explicitly accept ownership before control moves.
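The following contract, added here as an illustration and not Tria's own code, shows all three remediations in one place: a head pointer with batched, slot-clearing withdrawals for the deposit queue, an emergencyWithdraw that deliberately omits whenNotPaused, and Ownable2Step in place of Ownable. It assumes OpenZeppelin Contracts v5 is installed and that any fixed-APR reward is pre-funded; the names HardenedVault, _drain and the constants are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the three remediations; not Tria's code. Assumes OpenZeppelin Contracts v5.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";

// Ownable2Step: control only moves once the nominee calls acceptOwnership(), so a mistyped
// or hijacked transferOwnership() is not instantly final. Plain Ownable is one-shot.
contract HardenedVault is Ownable2Step, Pausable {
    struct Deposit { uint256 amount; uint256 since; }
    uint256 public constant MIN_DEPOSIT = 0.01 ether;
    uint256 public constant APR_BPS = 500; // fixed 5% APR in basis points (rewards assumed pre-funded)
    mapping(address => Deposit[]) private _queue; // append-only per-user deposit entries
    mapping(address => uint256) private _head;    // index of the first entry not yet withdrawn
    constructor() Ownable(msg.sender) {}
    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }

    // Anyone may still fund a recipient, but a flood of minimum-value entries no longer makes
    // the victim's withdrawals unbounded: each call consumes at most maxEntries from the head.
    function deposit(address recipient) external payable whenNotPaused {
        require(msg.value >= MIN_DEPOSIT, "below minimum");
        _queue[recipient].push(Deposit(msg.value, block.timestamp));
    }
    // Normal exit: principal plus fixed-APR reward, only while not paused.
    function withdraw(uint256 maxEntries) external whenNotPaused { _drain(maxEntries, true); }

    // Emergency exit: principal only, and deliberately WITHOUT whenNotPaused,
    // so pausing to stop an exploit never traps honest users.
    function emergencyWithdraw(uint256 maxEntries) external { _drain(maxEntries, false); }

    function _drain(uint256 maxEntries, bool withReward) internal {
        Deposit[] storage q = _queue[msg.sender];
        uint256 i = _head[msg.sender];
        uint256 payout;
        for (; i < q.length && maxEntries > 0; --maxEntries) {
            Deposit memory d = q[i];
            payout += d.amount;
            if (withReward) payout += d.amount * APR_BPS * (block.timestamp - d.since) / (10_000 * 365 days);
            delete q[i]; ++i; // zero the slot (gas refund); the head pointer skips it from now on
        }
        _head[msg.sender] = i; // state updated before the external call (checks-effects-interactions)
        require(payout > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "transfer failed");
    }
}
```

A victim whose queue has been padded with many small entries can drain it in batches of a size they choose, and an admin pause stops new deposits and reward-bearing exits without blocking the emergency path.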

Conclusion

The audit uncovered critical weaknesses across authentication, wallet interactions, and claim logic, areas that sit directly on the path of user funds.

By addressing these issues, Tria eliminated multiple real-world attack vectors that could have led to unauthorized claims, account compromise, and fund loss. The fixes not only strengthened security but also restored the core guarantees of ownership and trust that Web3 systems rely on.

This engagement highlights a key reality: in Web3, even small gaps in validation or access control can turn into high-impact exploits. Proactively identifying and fixing these issues before production significantly reduced Tria’s risk surface and positioned the platform for a more secure launch.


All Rights Reserved. © 2026. QuillAudits - LLC