
Welcome back, Helios Banking

Latest scan finished 4 minutes ago across 7 connected repositories. Score is up 3 points from last week.

Score: A-, 87 of 100

Org-wide score · trailing 7 days

You're in the top 18% of fintechs your size.

Strong coverage on PCI-DSS, SOC 2, and MiCA. Two critical findings are blocking a higher grade — both have AI-generated patches ready to review.

Letter grade: A−
Numeric score: 87/100
Week-over-week: +3 pts
Repositories: 7 connected
Critical findings: 2 (−1 this week)
High findings: 5 (−2)
Frameworks covered: 12 / 33 (+2: DORA, MAS TRM)

Score · trailing 90 days: +11 pts
[Chart: org-wide score, Feb 4 to May 4; y-axis 60 to 90]

Top critical findings

CRITICAL P-103 Money idempotency · payments-api · transfer endpoint missing dedup
CRITICAL P-712 Refund authorization · htlc-bridge · refund() lacks msg.sender check
View all 26 findings →

Framework coverage

PCI-DSS v4.0: 92% controls passing (34 / 37)
SOC 2 (TSC 2017): 88% controls passing (52 / 59)
MiCA (EU 2024): 76% controls passing (13 / 17)
OWASP API Top 10 2023: 90% controls passing (9 / 10)

Repositories

7 repositories connected. Each ran its latest scan via the GitHub Action; click a repo for findings, history, and trend.

Repository · Language · Score · Critical · High · Last scan (30-day trend sparkline not reproduced)
payments-api (helios-banking/payments-api) · TypeScript · A− · 2 critical · 3 high · 4m ago
core-ledger (helios-banking/core-ledger) · Java · A · 0 critical · 1 high · 4m ago
htlc-bridge (helios-banking/htlc-bridge) · Solidity · B+ · 1 critical · 2 high · 4m ago
aml-screening (helios-banking/aml-screening) · Python · A− · 0 critical · 2 high · 5m ago
wallet-svc (helios-banking/wallet-svc) · Go · B · 1 critical · 3 high · 5m ago
customer-portal (helios-banking/customer-portal) · TypeScript · A · 0 critical · 1 high · 6m ago
analytics-batch (helios-banking/analytics-batch) · Python · B+ · 0 critical · 2 high · 6m ago

Findings

26 active findings across 7 repos. AI assessment + suggested patch shown for each. Mark as accepted-risk or false-positive — feedback flows back into the AI training set.

CRITICAL P-103 Money idempotency · payments-api · src/transfer.ts:142 · OWASP-API4 · PCI-DSS 6.5.5
src/transfer.ts:142: app.post('/transfer', async (req, res) => { const { amount, to } = req.body; ...
AI assessment confidence: 0.94 · real vulnerability
The /transfer endpoint accepts client-supplied amount and recipient with no idempotency key — a network retry or accidental double-click will execute the transfer twice. The fix is a server-side dedup window keyed on (caller_id, request_id, amount_hash) with a TTL ≥ the client retry budget.
- app.post('/transfer', async (req, res) => { + app.post('/transfer', requireIdempotencyKey, async (req, res) => { + const dedupHit = await redis.set(`dedup:${req.idempotencyKey}`, '1', 'EX', 300, 'NX'); + if (!dedupHit) return res.status(200).json(await getStoredResult(req.idempotencyKey)); const { amount, to } = req.body;
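Review bot: the dedup key in the `+` lines is `dedup:${req.idempotencyKey}` alone, while the assessment above calls for a key over (caller_id, request_id, amount_hash); as written, two callers that send the same key collide, and a retry that reuses the key with a different amount or recipient is silently answered with the stored result instead of being rejected. Also, on the NX miss the handler returns `getStoredResult(req.idempotencyKey)` immediately, but the first request may still be executing, so the stored result can be empty at that point; return a 409 (or wait for the result to be persisted) and scope the key to the caller plus a hash of the request body.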
CRITICAL P-712 Refund / claim authorization missing · htlc-bridge · contracts/HTLCEscrow.sol:228 · OWASP-SC02 · CWE-284
contracts/HTLCEscrow.sol:228: function refund(bytes32 htlcId) external nonReentrant whenNotPaused { ...
AI assessment confidence: 0.91 · real vulnerability
refund() doesn't enforce that the caller is the original sender. Funds still go to the original sender, but anyone can grief the swap by triggering refunds before the legitimate counterparty claims. This breaks atomic-swap semantics. Pattern matches the digital_escrow SC-C1 finding — see P-712 for the canonical fix.
function refund(bytes32 htlcId) external nonReentrant whenNotPaused { HTLC storage htlc = htlcs[htlcId]; if (htlc.sender == address(0)) revert HTLCNotFound(); + if (msg.sender != htlc.sender) revert UnauthorizedRefund(); if (htlc.claimed) revert AlreadyClaimed();
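Review bot: the added `if (msg.sender != htlc.sender) revert UnauthorizedRefund();` is correctly placed after the HTLCNotFound guard (an unknown id still reverts as not-found rather than unauthorized), but the hunk stops at the AlreadyClaimed check and does not show the timelock-expiry condition; sender-only authorization does not stop the sender refunding before the counterparty's claim window closes, so confirm that check remains in the elided body, and add a test that a refund call from any address other than `htlc.sender` reverts with UnauthorizedRefund.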
HIGH P-308 Bridge replay protection · htlc-bridge · contracts/Relayer.sol:84 · CCSS:9.0:Level2
contracts/Relayer.sol:84: function relay(bytes calldata message, bytes calldata sig) external { ...
AI assessment confidence: 0.86 · real vulnerability
The relay() function accepts a signed cross-chain message but does not bind block.chainid into the signed payload. An attacker who captures a message on chain A can replay it on chain B at the same contract address. Wormhole lost $320M to a structurally similar bug in February 2022.
HIGH P-12 Balance validation · wallet-svc · internal/withdraw.go:67 · OWASP-API3
internal/withdraw.go:67: func (s *Service) Withdraw(ctx context.Context, accountID string, amount decimal.Decimal) error {
AI assessment confidence: 0.78 · needs review
Withdraw() reads balance and decrements without a SELECT FOR UPDATE or advisory lock. Under concurrent withdrawals from the same account, the balance check can succeed twice before either decrement persists. Add a row-level lock or atomic UPDATE-WHERE for safety.

Compliance

Framework-control rollups across all 7 repos. Click any framework for the per-control breakdown and a one-click evidence bundle for your auditor.

Frameworks evaluated: 12 (+2 this quarter)
Total controls: 241 across all frameworks
Passing: 214 (+11)
Evidence bundles ready: 8 (+3)

Frameworks

PCI-DSS v4.0 · Card payments: 34 / 37
SOC 2 (TSC 2017) · Trust Services Criteria: 52 / 59
ISO 27001:2022 · InfoSec management: 78 / 91
MiCA (EU 2024) · EU crypto-asset: 13 / 17
DORA (EU 2025) · Digital operational resilience: 22 / 27
NIST CSF 2.0 · Govern · Identify · Protect: 20 / 22

Settings

Organization, team, billing, license, API tokens, notifications, data export.

Organization

Organization name: Shown on branded reports.
Logo: SVG or PNG, displayed on PDF cover pages and the customer portal. Current: helios-banking.svg (140 × 36 px) · uploaded 2026-04-12
Primary color: Used as the accent color on branded PDFs.
Plan: Current billing plan. Change at any time; pro-rated to today. Enterprise · 24 seats · $29,999/yr · renews 2027-04-12
Region: Where Preston-Check stores your scan history. Cannot be changed without re-issuing licenses.