Frontend Application Reviews
A frontend application review focuses on the systems users and operators actually touch: dapp frontends, wallet integrations, signing flows, APIs, admin panels, dashboards, and deployment surfaces. We look for ways an attacker can trick users, compromise operators, manipulate transactions, or abuse application logic around otherwise audited contracts.
What we cover.
The review is scoped to the product surface and the critical user or operator flows. Typical scope includes:
01. Transaction construction and signing flows. What users are asked to sign, how transaction intent is represented, and how malicious inputs can alter outcomes.
02. Wallet and session handling. Connector assumptions, session persistence, chain switching, account changes, and phishing-resistant UX controls.
03. Frontend supply chain. Dependency risk, build pipeline integrity, hosted asset controls, CDN assumptions, and environment variable exposure.
04. API and application logic. Authorization, rate limits, data validation, business logic, and administrative endpoints that can affect user or protocol state.
05. Admin and operations panels. Privileged workflows, approval controls, audit logs, and break-glass access for high-impact actions.
06. Web application security. XSS, CSRF, SSRF, insecure direct object references, authentication weaknesses, and browser-side trust boundaries.
How we review applications.
We trace the highest-value flows first: user deposits, withdrawals, order placement, governance actions, operator approvals, and admin controls.
Application review combines manual code review, browser-side testing, API testing, and threat modelling around signing intent and privileged workflows.
Where a frontend composes with smart contracts, findings make the boundary explicit: what the contract guarantees, what the application assumes, and how an attacker can exploit the gap.
What frontend security means in web3.
The interface constructs security-critical actions
A dapp frontend does more than display state. It chooses contract addresses, chain IDs, calldata, permit payloads, approval amounts, typed-data fields, slippage defaults, and signing prompts. If an attacker can influence that path, audited contracts may still receive transactions the user never intended to send.
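The path from user intent to signed payload, as an added example covering both the "transaction construction and signing flows" scope item above and this paragraph. It is not Sigma Prime's code or any particular dapp's. It shows an EIP-2612 Permit built the way a careless frontend often builds it (fields taken from the page URL, unlimited allowance by default), beside an intent check that binds the typed data to the connected chain, the known token, an allowlisted spender, and the amount the user actually entered. The token, router, owner and attacker addresses, the phishing URL, and the helper names are assumptions constructed for the example.

```javascript
// Added example, not code from the page or any dapp: a Permit that a frontend lets
// attacker-controlled input shape, and an intent check that catches it before the
// wallet prompt. Addresses and the URL below are constructed placeholders.
const KNOWN_TOKEN = "0x1111111111111111111111111111111111111111";  // assumed ERC-2612 token
const KNOWN_ROUTER = "0x2222222222222222222222222222222222222222"; // assumed protocol spender
const MAX_UINT256 = (1n << 256n) - 1n;
const PERMIT_TYPES = {
  Permit: [
    { name: "owner", type: "address" }, { name: "spender", type: "address" },
    { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" },
    { name: "deadline", type: "uint256" },
  ],
};

const eq = (a, b) => String(a).toLowerCase() === String(b).toLowerCase();
function toBigInt(x) { try { return BigInt(x); } catch { return null; } }

// Vulnerable construction: spender, value, token and chainId come from the page URL, so a
// phishing link to the genuine dapp picks them, and value defaults to an unlimited allowance.
function buildPermitFromUrl(url, owner, nonce) {
  const q = new URL(url).searchParams;
  return {
    domain: {
      name: "Token", version: "1",
      chainId: Number(q.get("chainId") ?? 1),
      verifyingContract: q.get("token") ?? KNOWN_TOKEN,
    },
    types: PERMIT_TYPES, primaryType: "Permit",
    message: {
      owner, spender: q.get("spender") ?? KNOWN_ROUTER,
      value: q.get("value") ?? MAX_UINT256.toString(),
      nonce, deadline: q.get("deadline") ?? MAX_UINT256.toString(),
    },
  };
}

// Intent check: everything the wallet prompt commits the user to must match what the user
// chose in the UI and the chain the wallet is connected to right now.
// intent = { owner, walletChainId, token, spender, amount (bigint), now (unix seconds) }
function checkPermitIntent(td, intent, allowedSpenders = [KNOWN_ROUTER]) {
  const problems = [];
  const m = td.message, d = td.domain;
  if (td.primaryType !== "Permit") problems.push("primaryType");
  if (d.chainId !== intent.walletChainId) problems.push("chainId");
  if (!eq(d.verifyingContract, intent.token)) problems.push("verifyingContract");
  if (!eq(m.owner, intent.owner)) problems.push("owner");
  if (!allowedSpenders.some((s) => eq(s, m.spender))) problems.push("spender");
  const value = toBigInt(m.value);
  if (value === null || value > intent.amount) problems.push("value");
  const deadline = toBigInt(m.deadline);
  if (deadline === null || deadline > BigInt(intent.now) + 3600n) problems.push("deadline");
  return problems;
}

// Hardened construction: derive every field from trusted state, then run the same check
// before handing the payload to eth_signTypedData_v4.
function buildPermitFromIntent(intent, nonce) {
  const td = {
    domain: { name: "Token", version: "1", chainId: intent.walletChainId, verifyingContract: intent.token },
    types: PERMIT_TYPES, primaryType: "Permit",
    message: {
      owner: intent.owner, spender: intent.spender, value: intent.amount.toString(),
      nonce, deadline: String(intent.now + 1800),
    },
  };
  const problems = checkPermitIntent(td, intent);
  if (problems.length) throw new Error("refusing to prompt signature: " + problems.join(", "));
  return td;
}

function demo() {
  const intent = {
    owner: "0x4444444444444444444444444444444444444444", walletChainId: 1, token: KNOWN_TOKEN,
    spender: KNOWN_ROUTER, amount: 1_000_000n, now: 1_700_000_000,
  };
  // Constructed phishing link: the real dapp URL, with the query string rewriting the spender.
  const link = "https://app.example/?spender=0x3333333333333333333333333333333333333333";
  const unsafe = checkPermitIntent(buildPermitFromUrl(link, intent.owner, 0), intent);
  const safe = checkPermitIntent(buildPermitFromIntent(intent, 0), intent);
  return { unsafe, safe };
}

console.log(demo()); // unsafe lists spender, value and deadline; safe is []
```

The check runs on the exact object that will be passed to the wallet, not on the UI state that produced it; that is the gap a review traces, because the two can diverge anywhere between the form and the RPC call.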
Release integrity is in scope
Frontend compromise often happens outside the application code that reviewers read: dependency updates, build scripts, environment variables, CDN settings, DNS, analytics tags, or a deployment token with too much access. We include the path from source to hosted application when it can affect transactions or privileged operator actions.
Flows we ask to see
- Wallet connection, chain switching, account changes, typed-data signing, and transaction preview.
- Deposit, withdrawal, order, claim, governance, and admin flows with real contract calls.
- API authorization, privileged dashboards, audit logs, and break-glass procedures.
- Build, release, hosting, CDN, and rollback controls for production deployments.
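The wallet connection, chain switching and account change flow listed above (and under "wallet and session handling" in the scope), as an added example that is not Sigma Prime's code or any connector library's. It shows a session that pins a transaction preview to the account and chain it was shown under, so an accountsChanged or chainChanged event fired by the wallet between preview and submit invalidates the preview instead of silently sending the transaction from a different account or on a different chain. FakeProvider is a constructed stand-in for an EIP-1193 provider; the addresses and transaction are placeholders.

```javascript
// Added example, not code from the page or any wallet connector: bind a previewed
// transaction to the account/chain it was previewed under and refuse to submit after
// the wallet reports a change. FakeProvider is a constructed EIP-1193 stand-in.

class FakeProvider {
  constructor(account, chainId) {
    this.account = account; this.chainId = chainId; this.handlers = new Map(); this.sent = [];
  }
  on(event, fn) {
    if (!this.handlers.has(event)) this.handlers.set(event, []);
    this.handlers.get(event).push(fn);
  }
  emit(event, payload) { for (const fn of this.handlers.get(event) ?? []) fn(payload); }
  async request({ method, params }) {
    switch (method) {
      case "eth_accounts": return [this.account];
      case "eth_chainId": return "0x" + this.chainId.toString(16);
      case "eth_sendTransaction": this.sent.push(params[0]); return "0x" + "ab".repeat(32);
      default: throw new Error("unsupported method " + method);
    }
  }
  // Simulate the user changing account or network in the wallet UI.
  switchAccount(a) { this.account = a; this.emit("accountsChanged", [a]); }
  switchChain(id) { this.chainId = id; this.emit("chainChanged", "0x" + id.toString(16)); }
}

class WalletSession {
  constructor(provider) {
    this.provider = provider; this.account = null; this.chainId = null;
    this.epoch = 0;                 // bumped on every account or chain change
    this.previews = new Map();
    provider.on("accountsChanged", (accts) => this.reset(accts[0] ?? null, this.chainId));
    provider.on("chainChanged", (hex) => this.reset(this.account, parseInt(hex, 16)));
  }
  async connect() {
    const [account] = await this.provider.request({ method: "eth_accounts" });
    const chainId = parseInt(await this.provider.request({ method: "eth_chainId" }), 16);
    this.reset(account, chainId);
  }
  reset(account, chainId) {
    this.account = account; this.chainId = chainId; this.epoch += 1;
    this.previews.clear();          // every pending preview is now stale
  }
  // What the UI shows the user; pinned to the current account, chain and epoch.
  preview(tx) {
    if (!this.account) throw new Error("not connected");
    const id = `p${this.epoch}-${this.previews.size + 1}`;
    this.previews.set(id, { tx, from: this.account, chainId: this.chainId, epoch: this.epoch });
    return { id, from: this.account, chainId: this.chainId, ...tx };
  }
  async submit(id) {
    const p = this.previews.get(id);
    if (!p || p.epoch !== this.epoch) {
      throw new Error("stale preview: account or chain changed since it was shown");
    }
    this.previews.delete(id);
    // Send exactly what was previewed, with from and chainId made explicit.
    const params = [{ ...p.tx, from: p.from, chainId: "0x" + p.chainId.toString(16) }];
    return this.provider.request({ method: "eth_sendTransaction", params });
  }
}

async function demo() {
  const provider = new FakeProvider("0x4444444444444444444444444444444444444444", 1);
  const session = new WalletSession(provider);
  await session.connect();
  const tx = { to: "0x2222222222222222222222222222222222222222", value: "0xde0b6b3a7640000", data: "0x" };
  const first = session.preview(tx);
  provider.switchChain(137);            // wallet switches network while the modal is open
  let staleRejected = false;
  try { await session.submit(first.id); } catch (e) { staleRejected = /stale preview/.test(e.message); }
  const second = session.preview(tx);   // UI re-renders the preview for the new chain
  const hash = await session.submit(second.id);
  return {
    staleRejected, sentCount: provider.sent.length,
    sentChainId: provider.sent[0].chainId, sentFrom: provider.sent[0].from, hash,
  };
}

demo().then(console.log);
// { staleRejected: true, sentCount: 1, sentChainId: '0x89', sentFrom: '0x4444...', hash: '0xabab...' }
```

The same epoch check belongs on typed-data signing and on any server-side session keyed to the account, since a connector that only updates a displayed address leaves every pending action bound to the previous one.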
Related research and guidance.
- analysis · 10 October 2023: New Blockprint Graphs and Visuals. Announcing a graphical interface for Blockprint.
- siren · 23 September 2024: Siren Features that Enhance the Lighthouse Experience. Explore features from Siren that enhance the Lighthouse experience.
- siren · 24 August 2023: Siren - The Lighthouse UI. Siren v1.0.0 release.
Frequently asked questions.
- Is this a traditional web application pentest?
  It includes web application testing, but web3 adds signing intent, wallet behaviour, chain context, and transaction construction risks that traditional testing often misses.
- Do you review frontend deployment security?
  Yes. Build provenance, hosting, CDN controls, environment variables, and release process are in scope when they can affect user transactions or privileged actions.
- Can this run alongside a contract audit?
  Yes. It is often most useful alongside a contract audit because it tests the path from user intent to contract call.
Other engagements you might be considering.
- Smart Contract Audits. A Sigma Prime smart contract audit is a manual line-by-line review of your Solidity, Vyper, or Rust contracts by an engineer who has audited the protocol class your code belongs to.
- Infrastructure Audits. Infrastructure audits cover the systems that build, deploy, operate, and protect blockchain software in production.
Scope a frontend application review.
Tell us which user and operator flows are highest risk. We will scope the review around those paths.
Request a scoping call
© Copyright 2026 by Sigma Prime. All Rights Reserved.
