RVA Wallet Audit
Scope
RVA Wallet has undergone an independent security assessment by CertiK, focusing on the mobile applications and backend API infrastructure.
Most recent assessment completed in Q4 2025 as part of RVA's security roadmap.
RVA commissioned CertiK to perform a dedicated penetration test of RVA Wallet as a non-custodial gateway to the RVA ecosystem. The objective was to subject the wallet to realistic attack scenarios and independent scrutiny, using industry-standard frameworks and tools, so that end-users and institutions can rely on a thoroughly tested platform.
The engagement combined formal verification, static analysis and deep manual review of both the backend API and mobile clients. CertiK's team focused on business logic, access control, cryptographic handling and operational controls, not just surface-level scans.
The audit focused on the operational components that power RVA Wallet in everyday use, covering the full surface area exposed to users.
| Component | What was tested | Key Focus Areas |
|---|---|---|
| RVA Wallet backend API (Production Environment) | Public/Auth endpoints, user mgmt, transactions | Access control, rate-limiting, encryption, HTTP config |
| iOS mobile application (Production Build) | Official store build | Local storage, key handling, device compromise checks |
| Android mobile application (Production Build) | Official store build | Keystore usage, root detection, secure network config |
| Background jobs (Notification Services) | Chain monitoring & alerts | Transaction status logic, spoofing protection |
CertiK's penetration test followed a structured methodology aligned with OWASP, NIST and the Penetration Testing Execution Standard (PTES).
The assessment included mapping the RVA Wallet application and API to identify exposed functionality, combined with automated tools and manual analysis. This approach ensures that the audit did not only look for theoretical issues, but also examined how multiple weaknesses could be chained together in practice.
* Identifying exposed functionality.
* Automated & manual testing.
* Chaining vulnerabilities.
* Remediation planning.
The audit identified a full spectrum of issues. RVA's priority has been to eliminate any pathway to privilege escalation or fund diversion.
| Severity | Coverage | Current Status |
|---|---|---|
| Critical | Access control & privilege boundaries | All resolved through code changes. |
| High | Sensitive workflows & key handling | Majority resolved; remaining tracked. |
| Medium | Info disclosure & config tuning | Most addressed; rest in hardening plan. |
| Low | Defense-in-depth hardening | Substantial portion resolved. |
| Informational | Configuration & naming | Used for future architectural decisions. |
* All critical and the majority of high-impact issues are resolved, with others tracked in governance.
Some external messaging and delivery systems (e.g., third-party OTP providers) were not fully active in the test environment. Associated flows were simulated to exercise logic without touching live external infrastructure.
The audit did not constitute a full review of all infrastructure, service providers, or end-user devices. It assessed the RVA Wallet backend and mobile applications as deployed, with reasonable constraints to avoid disrupting live services.
No audit can guarantee complete absence of vulnerabilities. This assessment is part of a broader security programme that includes continuous internal testing and monitoring.
RVA treats the CertiK assessment as a baseline, not an end point. The engineering and security teams have already implemented concrete improvements informed by the findings.
These improvements span from device integrity checks to network safeguards, ensuring that the wallet becomes more resilient with every update.
* Enhanced protection on compromised devices
* Stronger network connection safeguards
* Production-only debug and diagnostic settings
* Hardened error handling and responses
* Tuned session, token and rate-limiting controls
RVA Wallet is designed as a non-custodial, multi-platform wallet at the heart of the RVA ecosystem. By subjecting the codebase and operational behaviour to independent penetration testing by CertiK, RVA provides users and institutions with transparent evidence that security is engineered, tested and continually improved rather than assumed.
For anyone evaluating a crypto wallet, the audit scope matters as much as the audit badge. Combined with rigorous operational controls, this makes RVA Wallet a secure and efficient choice for managing digital assets on SmartChain, RVA Exchange and the wider Web3 environment.