
Fystack Completes Apex Backend Infrastructure Audit with Adevar Labs

Phoebe Duong


Author

June 23, 2026

At Fystack, we've built Apex Backend as enterprise-ready infrastructure for institutions that move, store, and settle digital assets. Delivering on that promise means inviting independent scrutiny on a regular basis, not just once at launch.

Apex Backend is the layer that handles payment processing, wallet signing, API access, and the webhook connections that tie Fystack into your own systems. It's also the layer where a security gap would matter most, which is why we engaged Adevar Labs, a security firm built by veterans of Bitdefender, Quantstamp, and Chainproof, to put it through a comprehensive post-launch hardening review.

Independent Review, End to End

Adevar Labs' engagement wasn't a surface-level check. Their team reviewed authentication and session handling, checkout and payment flows, wallet signing and MPC message handling, webhook delivery, database configuration, and the CI/CD pipelines that ship code to production. The review ran in two stages: a full audit at a fixed starting point, followed by a dedicated fix review once Fystack's engineering team had remediated what was found, with Adevar Labs independently verifying each fix before signing off.

That two-stage structure matters. A vendor that only publishes "we got audited" tells you an audit happened. It doesn't tell you whether anything actually got fixed, or whether anyone checked.

What Was Audited?

  • Authentication, sessions, and API access control
  • Checkout and payment flows
  • Wallet signing and MPC message handling
  • Webhook delivery between Fystack and partner systems
  • Database, deployment, and CI/CD configuration

Key Results

| Risk Level | Found | Fixed | Acknowledged | Won't Fix |
|------------|-------|-------|--------------|-----------|
| Critical   | 1     | 1     | 0            | 0         |
| High       | 9     | 6     | 3            | 0         |
| Medium     | 29    | 10    | 13           | 6         |
| Low        | 23    | 0     | 23           | 0         |

The single Critical finding, a hardcoded production credential, was resolved and independently verified during the engagement. Most High severity findings were fixed the same way. The remaining items weren't waved away: each was reviewed and documented with its own specific reasoning, whether that's a control already in place elsewhere in production, a deliberate compatibility decision, or work that's planned but not yet shipped.

What Improved?

Stronger Protection for Sensitive Information

Critical credentials and security-sensitive configurations are now managed through a more secure process, reducing the risk of accidental exposure and minimizing configuration-related security issues across environments.

Better Security for Payments and Wallet Operations

The systems responsible for payment processing, transaction signing, and integrations with customer infrastructure have been further strengthened to improve security and reduce operational risk around digital asset workflows.

Improved Monitoring and Reliability

Monitoring and alerting capabilities have been expanded across critical infrastructure components, enabling earlier detection of potential issues, faster response times, and improved overall platform reliability.

Technical Notes

For readers interested in the underlying remediation work, notable improvements included:

  • Migrating production credentials and security-sensitive values to environment-based secret management
  • Enforcing fail-closed behavior when required security configurations are missing
  • Hardening webhook validation against DNS rebinding attacks
  • Strengthening cryptographic configuration and key derivation parameters
  • Aligning transaction signing workflows with RFC 8785 JSON Canonicalization standards
  • Restricting access to internal metrics endpoints
  • Expanding monitoring and alerting for payment processing, messaging infrastructure, and operational failures
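To illustrate the webhook hardening item above, here is an added example of the pattern that closes the DNS rebinding window: resolve the webhook host once at delivery time, check every returned address against non-public ranges, and pin the checked address for the connection instead of resolving again. This is example code written for this post, not Fystack's or Adevar Labs' code; the function names, the injectable `resolver` parameter, and the host names and addresses used in comments and tests are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse


def _is_forbidden(ip) -> bool:
    """Reject anything not globally routable: loopback, RFC 1918, link-local
    (including the 169.254.169.254 cloud metadata range), ULA, unspecified,
    IPv4-mapped IPv6 forms of the same, and multicast."""
    return (not ip.is_global) or ip.is_multicast


def resolve_all(host: str) -> list[str]:
    """Default resolver: every A/AAAA record for host via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def pin_webhook_target(url: str, resolver=resolve_all) -> tuple[str, str, int]:
    """Validate a webhook URL and return (host, pinned_ip, port).

    The caller must open the connection to pinned_ip while still sending the
    original host name for SNI and the Host header. Resolving a second time at
    connect time is the rebinding window: an attacker-controlled zone can answer
    with a public address for the check and an internal one a moment later.
    Every record is checked because the socket layer may pick any of them.
    """
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname or parts.username or parts.password:
        raise ValueError("webhook URL must be https with a bare hostname")
    host = parts.hostname
    port = parts.port or 443
    try:
        # A literal IP skips DNS entirely but still has to pass the range check.
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        candidates = resolver(host)
    if not candidates:
        raise ValueError(f"{host}: no addresses returned")
    for addr in candidates:
        if _is_forbidden(ipaddress.ip_address(addr)):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    # Deliver to the first validated address; it stays fixed for this delivery.
    return host, candidates[0], port


def is_safe_webhook_url(url: str, resolver=resolve_all) -> bool:
    """Boolean form for registration-time checks; delivery code uses pin_webhook_target."""
    try:
        pin_webhook_target(url, resolver)
        return True
    except ValueError:
        return False
```

Registration-time validation alone is not enough: the same check has to run on the address actually used for each delivery, which is why the pinned address is returned rather than discarded.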

The complete list of findings, remediation details, and verification results is available in the full audit report published by Adevar Labs.

Why We Are Publishing The Report

Plenty of companies in this space publish an audit badge and stop there. A badge confirms an audit took place. It says nothing about what was found, what got fixed, and what's still open.

We think customers evaluating custody infrastructure deserve better than a badge, especially when that infrastructure is self-hosted and runs inside your own environment rather than ours. You should be able to read the actual findings, the actual remediation work, and the actual remaining risk for yourself, not take our summary of it on faith.

That's why the full Apex Backend audit report from Adevar Labs is publicly available, in full.

Summary: https://github.com/AdevarLabs/audit-reports

Full report: https://docsend.com/view/ivwjqhdxq5epwcer
