Full name
Jan. 11th, 2022
◆
5 min read

When you help businesses raise capital and let people invest in bonds, funds, and digital equity, there is one thing you can never compromise on: security. Trust is the foundation of every investment platform — and trust has to be earned, tested, and proven again and again.
That's why we did something that might sound counterintuitive: we paid professional security experts to attack us.
In May 2026, Hacken — one of the world's leading blockchain security firms, trusted across the digital assets industry since 2017 — conducted an in-depth penetration test of the NYALA Internal API, the engine room behind our securities tokenization platform. Their mission: find weaknesses before anyone with bad intentions ever could.
The results are now public, and we couldn't be prouder to share them.
Think of the NYALA Internal API as the control center of our platform. It handles the most sensitive operations we run:
Token issuance — turning securities like corporate bonds, fund shares, and equities into digital assets on the blockchain
Wallet management — creating, securing, and recovering the digital wallets that hold investors' tokenized securities
Transaction processing — signing and executing blockchain transactions safely
Smart contract lifecycle management — deploying and managing the code that makes asset tokenization work
In other words: Hacken didn't test a side feature. They went straight for the heart of the system that powers every issuance, every capital raise, and every private placement on our platform.
Using internationally recognized standards — including the NIST SP 800-115 guide, the Penetration Testing Execution Standard (PTES), and the OWASP Testing Guide — Hacken's ethical hackers probed our defenses the same way a real attacker would.
Here's the headline, in plain language:
Hacken found no critical vulnerabilities and no high-risk vulnerabilities in the NYALA API.
Across the entire assessment, the auditors identified just five findings:
Severity Findings Status
Critical 0 —
High 0 —
Medium 1 ✅ Fixed
Low 1 ✅ Fixed
Observation 3 ✅ 2 Fixed, 1 Accepted after review
For a system that processes highly sensitive operations around digital securities, wallets, and blockchain infrastructure, this is an outstanding result. Most of the findings weren't security holes at all — they were observations: fine-tuning suggestions like making error messages even less informative to potential attackers.
We believe transparency builds trust, so here's a plain-English summary of what came up:
One medium finding related to how our testing environments are separated — a setup issue in the test environment that made one specific authorization check harder to verify, not a live vulnerability affecting client assets. Fixed.
One low finding about stricter server-side validation of key management configuration values. Fixed.
Three observations — minor polish items around error messages and validation order. Two were fixed; one (about intentionally generic error responses) was reviewed and formally accepted, as documented in the report.
And here's the part we're most proud of: our engineering team resolved the findings within days of receiving Hacken's preliminary report. By the time the final report was approved, four of the five findings were verified as fixed by Hacken's team.
No drawn-out remediation cycles. No lingering risks. Just a fast, focused response — the same speed and discipline we bring to every asset issuance on our platform.
Whether you're a crowdfunding platform helping SMEs access business funding, a developer exploring tokenized real estate, an asset manager looking into fund tokenization, or a startup planning an equity raise — you're trusting your issuance, and your investors' money, to technology.
Real-world asset (RWA) tokenization only works if the infrastructure underneath it is bulletproof. When securities are tokenized — whether corporate bonds, subordinated bonds, structured debt, or digital equity — the platform managing those blockchain securities becomes critical financial infrastructure. It deserves the same scrutiny as any bank system. Arguably more.
That's exactly why we don't just rely on our own internal checks. As the operator of a regulated crypto securities registry under Germany's Electronic Securities Act (eWpG), and as an ISO 27001 certified company supervised in Germany, independent verification is part of our DNA:
Regulated by design — our crypto securities registry operates under BaFin supervision
Certified security management — ISO 27001 compliant information security processes
Independently tested — external experts like Hacken regularly stress-test our systems
Over €160 million in digital assets already run on our platform, with more than 90 corporate bonds tokenized for leading investment platforms. Every one of those issuances — and every future one, from private market investments to secondary market trading — depends on infrastructure that has been challenged, tested, and hardened.
We'll be honest: no system on earth is 100% unhackable, and anyone who claims otherwise shouldn't be trusted with your assets. What separates serious financial infrastructure from the rest is a simple habit — invite scrutiny, act fast on what you learn, and publish the results.
This audit is one milestone in a continuous program. We will keep inviting the world's best security researchers to break our systems, because every test they run makes the platform safer for every issuer raising money and every investor participating in tokenized securities.
The full audit report is publicly available on Hacken's website. We encourage you to read it — transparency shouldn't require trust; it should create it.
Whether you want to launch a capital raise, tokenize bonds, funds, or equity, or plug tokenization into your existing fundraising platform — our team is happy to walk you through how it works, including the security architecture behind it.
👉 Book a free call with our experts or create your first project today.
NYALA Digital Asset AG operates a licensed crypto securities registry under the German Electronic Securities Act (eWpG). Learn more about our platform and the legal framework behind electronic securities.
Book a call with our expert.

