Bedrock vulnerability disclosure and actions

Bedrock vulnerability

A few hours ago, the Dedaub team discovered a smart contract vulnerability in a number of uniBTC vault smart contracts in the Bedrock project. We disclosed the issue to the Bedrock account on Twitter and soon thereafter (after no response in 20 mins) to SEAL 911 for immediate investigation and action.

A SEAL 911 war room, under the guidance of @pcaversaccio, was created and we frantically tried for two hours to reach Bedrock developers. At that time, blackhats exploited the vulnerability for a $1.8m loss. However, given that this was an infinite-mint vulnerability on the uniBTC token, it is perhaps fair to assess that the damage was contained. Most of the potential losses were averted by pausing third party protocols exposed to the at-risk funds, including Pendle and Corn. Notably, Pendle had over $30M of liquidity on the Corn network for the vulnerable asset. On Ethereum, the market cap of uniBTC was $75M, which an infinite mint renders worthless, and the asset was deployed in (at least) 8 networks.

Root Cause

The root cause of this vulnerability is a mismatched calculation of the exchange rate between Ethereum and Bitcoin, in one path of the minting logic. In turn, this allows anyone who deposits Ethereum to the vulnerable smart contract vault to mint uniBTC in equal amounts. (Up until the vulnerability, uniBTC could exit to Wrapped Bitcoin at 1-1 rates.) Since the price of Ethereum is many times lower than the price of BTC, this creates an instant profit for any attacker exploiting any of these vaults. The vulnerable vault contract was a permissioned minter for uniBTC, so infinite amounts could be minted. The only adjustment made during this minting function is appropriate scaling in the number decimals of the assets.

In order to appreciate the gravity of this issue, we can illustrate this directly on the following code, straight from the vulnerable uniBTC vault smart contract (the implementation behind the proxy for the Vault):

function mint() external payable {
    require(!paused[NATIVE_BTC], "SYS002");
    // Dedaub: adjust decimals and mint equal amount
    _mint(msg.sender, msg.value); 
}

Once the issue is exploited, the next step of a potential attacker would be to make use of this ill-gotten token on a number of other DeFi protocols, such as decentralized exchanges like Uniswap.

Reporting the issue to Bedrock and exploitation

As soon as our team had the issue, we contacted Bedrock on Twitter and entered a war room on SEAL 911.

Initial X.com exchange (time in UTC+2).

Unfortunately, even though we found the issue in the smart contract several hours before, by the time the team responded, the vulnerability had been exploited. The vulnerability could be discovered via shallow means (e.g., fuzzing bots) and the smart contract had only been deployed for under two days.

Timeline prior to exploit:

UTC 16:00 – issue discovered by Dedaub team and confirmed through simulation

UTC 16:27 – issue reported to Bedrock team

UTC 16:41 – war room on seal created on telegram

UTC 18:28 – First exploit transaction on Ethereum

The exploiter(s) subsequently minted large amounts of uniBTC and swapped them on a number of Uniswap and other AMM pools, stealing around $2M in funds directly. Note that the market cap of uniBTC on the Ethereum mainnet is $75M, which is the real potential loss for an infinite mint vulnerability.

Notably, the vulnerable contract was deployed on (at least) 8 different chains. We are aware of Ethereum, Binance, Arbitrum, Optimism, Mantle, Mode, BOB, and ZetaChain.

Averting Larger Losses

In addition to a number of pools on Uniswap (and Pancakeswap on Binance), the largest holder of uniBTC was Pendle. Luckily through war room actions, the Pendle team disabled the uniBTC token on their platform. With the main exit liquidity gone, the Bedrock team reacted some hours later (with the main devs in a 2-5am timezone) to also pause the relevant vaults. 

This article will be updated with more detail and context on the discovery (which happened as part of a challenge task during our company retreat) in the next days.

Dedaub coordinated the Secureum RACE-32

Smart contracts are the underpinning of blockchain technology, and they present unique security challenges. To address this, platforms like Secureum have emerged, focusing on training researchers and developers to navigate and mitigate security risks, and we at Dedaub decided we wanted to partner Secureum in this mission.

Why we support the Secureum RACE

We decided to be part of the Secureum RACE because we believe hands-on challenges are the best way to learn. Security isn’t something you can fully grasp from reading papers or attending lectures—you need to get your hands dirty, confront real-world vulnerabilities, and think like an attacker.

The security of smart contracts is challenging due to the inability to modify the code once it goes live. This makes it extremely difficult to fix bugs or vulnerabilities. It’s even more complex, because contracts frequently interact with other contracts and different platforms, which adds even more complexity and multiplies the risk factor.

Secureum platform empowers researchers and developers to help improve their technical skills for what is needed in the challenge to secure Web3 technologies. 

As the designer of RACE-32, we have the privilege of observing Web3 researchers and developers navigate complex security issues that mirror real-world vulnerabilities in Ethereum smart contracts. This allows us to witness firsthand and see how they apply their knowledge to devise creative and effective solutions.

As well as this, we see how researchers and developers grow in their ability to identify risks and exploit weaknesses, both of which are critical  for the security of the Web3 ecosystem.

Why the RACEs are important 

The Secureum RACE aims to create a community of researchers and developers who think critically about security. It’s an opportunity to expand their skills and immerse themselves in the world of Web3 security.

By addressing actual vulnerabilities in smart contracts, participants acquire necessary technical knowledge and develop the mindset to safeguard decentralized applications in real-world scenarios. 

“RACEs are hands-on, immersive, and, frankly, a bit relentless—just like the threats we’re up against.” Yannis Smaragdakis, Dedaub Co-funder 

Designing the RACE-32

We wanted much more than your standard easily graded competition, so we created the Secureum RACE 32 to be an educational challenge. Our main aim, therefore, was to encourage participants to delve deeply into complex smart contract security issues. With this in mind, The RACE is designed to create an experience that participants can refer to for a long time rather than single out the top performers based on scores.

Even though the time constraint made it challenging to understand the depth of the questions thoroughly, we stressed that the competition aims at learning and gaining insights. We urged participants not to feel disheartened if their scores hadn’t met their own high expectations. Instead, we praised some participants for putting together the solutions, pointing out that this would make the RACE a valuable educational resource beyond just the competition.

This focus on education shows Dedaub’s commitment to helping the smart contract developer community grow. This is the backbone of Dedaub’s mantra as our co-founders both have strong academic backgrounds and always value teaching and sharing knowledge. With this in mind, one of the company’s core values is to empower the next generation by educating and supporting future blockchain security experts and help them reach their full potential. 

With challenges like Secureum RACE 32, we create real-world learning opportunities that give researchers and developers practical skills and deeper understanding. Our aim is to help them succeed in the Web3 space.

What is Secureum?

Secureum is a portmanteau of “Security” and “Ethereum” and their focus is safeguarding the Ethereum ecosystem through expert training and challenges. It’s an extensive educational platform that focuses on Ethereum smart contract security, providing a variety of resources and training programs. These include:

Secureum RACEs: Interactive quizzes that assess participants’ understanding of smart contract vulnerabilities. These quizzes are part of Secureum’s efforts to enhance practical security skills.

Community and Events: Secureum hosts events like TrustX to advance the Ethereum security ecosystem.

In summary, Secureum is committed to educating and preparing individuals for roles in Ethereum security through structured learning and practical challenges. Learn more 

Security Researcher

About Dedaub

Dedaub helps secure some of the world’s leading blockchain protocols. Dedaub combines high-end security, blockchain, and program analysis research and a real-world attacker mentality to reduce risk and fortify code.

The Dedaub team has a strong research background and seeks to both understand existing blockchain protocols as well as to expand knowledge on program analysis and blockchain infrastructure. Our security research team is composed of experts in program analysis, compilers, cryptography, mathematics and finance with a keen eye for applying research and developing custom tools to enhance our capabilities. As an application security engineer, you will be part of a skilled team that reviews code running on programmable blockchains, most notably on Ethereum. 

Responsibilities:

– Reviewing complex, high-assurance smart contract code.
– Advise our clients to make informed decisions about risk to their systems. 
– Provide value to our clients through your expertise and experience to assist the team in helping then solve hard security problems.
– Apply your engineering skills to build custom tools to rapidly assess, explore, or secure the code that we work with.
– Continually enhance your skills by engaging in personal and professional development opportunities.

Skills Sought

– Experience with low-level software, either as an engineer or security researcher.
– Background in computer science or math to read relevant academic research.
– Background in or prior regular use of programming language theory a plus.
– Mathematical aptitude, able to understand mathematical models for financial instruments.
– Familiarity with lean development, Github, and modern software engineering practices.
– Proficiency in one or more programming languages (we use Solidity, Python, Datalog, C++ and Go).
– Strong debugging skills and/or experience with reverse engineering.
– Ability to communicate well, orally and in writing, and to participate in deep technical discussions.
– Self-motivation and ability to drive new projects.
– Motivation to learn new technologies.

Benefits

– Internationally competitive salary
– End-of-year bonuses based on company, team, and personal performance
– Remote & flexible working arrangements
– Research Opportunities
– Personal equipment of your choice

Audits

Dedaub’s Terms of Service (the “Agreement”) are a legal agreement between You as the Client and Dedaub Ltd. (“Dedaub”, “We”, “Us” and “Our”), a private limited liability company registered under the Laws of Malta with company number C99606, collectively referred to as Parties. By using our services, You agree to be bound by these Terms of Service and all terms incorporated by reference.

There are important terms provided below including your indemnification responsibilities, our limitation of liability and warranty disclaimers, and your agreement to arbitrate disputes. Please take the time to read these terms of service carefully. You can always contact us at legal@dedaub.com if you have any questions.

  1. Service Summary: An “Audit” is a careful inspection of your project’s code by expert human inspectors, aided by Dedaub’s proprietary analysis tools, off-the-shelf tools, and other techniques in accordance with state-of-the-art practices. The findings of this exercise will be detailed in an audit report. This report will rank issues as “Critical”, “High Severity”, “Medium Severity”, “Low Severity”, and “Advisory Suggestions”.

  2. Project Preparation: Prior to an audit you shall provide Dedaub with succinct, but sufficient, documentation about the project to be audited. You shall make sure that the project compiles and is operational by the time an audit begins, and maintain timely communication throughout the audit period.

  3. Access to Dedaub Security Suite: The project’s code will be uploaded to the Dedaub Security Suite to run initial vulnerability discovery, and Dedaub will grant 30-day free access to the platform up to 5 email addresses of the Client personnel involved in the audit negotiation and audit code review.
  4. Transparency: Dedaub reserves the right to publish the Audit report on Dedaub’s website or other repository. Likewise, you reserve the right to publish it, in full, without making any modifications to it. However, should you want us to not publish the report, let us know within 24 hours of delivering it to you and we will accommodate your request.

  5. Scope of an Audit: The scope of the auditing shall be specifically security considerations, not functional correctness. Therefore, the auditing will be aimed at detecting the potential for malicious use of the contracts, and on cryptoeconomic considerations (e.g., price manipulation or forced unprofitable exchanges), and not on ensuring functionality and correctness of business logic (e.g., numeric calculations specific to the business domain), unless specific properties of numerical correctness are specified up front as being required of Dedaub. Throughout the validity of this Agreement, the Parties shall be free to agree on the provision of additional services by Dedaub and on the relative terms and conditions.

  6. Assumption of Risk: You warrant to fully understand: (a) that there are inherent risks associated with blockchain-based software systems, and that (b) additional risks to the Services and blockchain-based technologies may be present as a result of advances in code-cracking or technical advances, such as novel flaws identified in cryptography. You acknowledge that these risks could result in the loss or theft of crypto tokens or property.

  7. Indemnification: You shall defend, indemnify, and hold harmless Dedaub (and each of our officers, directors, members, employees, agents and affiliates) from any claims, damages, proceedings, costs and expenses resulting from any breach of any representations, warranties, covenants or agreements of the Client in this Agreement or at law

  8. Limitations:
    1. Audits and other services provided by Dedaub are not a warranty on the security and/or functionality of the systems audited and you assume any and all risks and losses.

    2. Dedaub will not be liable to you (whether under the law of contact, the law of tort or otherwise) in relation to the service provided:
      1. for any direct, indirect, special or consequential loss; or

      2. for any business losses, loss of revenue, income, profits or anticipated savings, loss of contracts or business relationships, loss of reputation or goodwill, or loss of cryptocurrency/tokens/NFTs or data or any other loss, or any other damages in general.

      3. These limitations of liability apply even if you have been expressly advised of the potential loss.

    3. In any event, Dedaub’s total maximum aggregate liability under this Agreement, shall not exceed the audit fees.

  9. Use of Marks: Each Party agrees that the other Party and/or its affiliates are the sole owners of their respective Marks. “Marks” means the trade names, trademarks, service marks, logos or other commercial symbols of a Party hereto or any of its affiliates. Notwithstanding the aforementioned, both Parties are granted a non-exclusive, revocable, non-transferable, and limited right to use and display the other Party’s Marks for the specific purpose of marketing and promotion directly associated with the services and obligations outlined within this Agreement. Any use of the other Party’s Marks must be in accordance with the specifications and guidelines provided by the owning Party and must not harm or diminish the value of the Marks.

  10. Relationship of the Parties: Nothing contained in this Agreement shall be interpreted or construed to create a partnership, agency, single employer, joint employer or any other type of employment relationship between the parties hereto, or to impose liability attributable to such relationship upon either party. Neither party will have any right, power or authority to enter into any agreement on behalf of, to incur any obligation or liability of, or to otherwise bind the other party.

  11. Non-solicitation: During the entire term of service, and for a period of two years after termination of any relationship between the Parties, the Parties agree to not, either directly or indirectly, recruit, solicit, or induce, or attempt to recruit, solicit, or induce, any of the other Parties’ employees, partners, contractors or collaborators to work for or with the other party in any respect, or to in any manner render services to such other Party.

  12. Prices: Prices and fees include all taxes levied by Malta but exclude taxes levied in your jurisdiction. For cryptocurrency payments (if any), the value of any cryptocurrency for the purposes of payment fulfillment will be the value in USD at NYSE closing time (4 PM EST/EDT) on the day prior to the due date (as provided at https://messari.io/) on the issued invoice.

  13. Severability: If any of the provisions or portions thereof of this Agreement are found to be invalid under the applicable law, then, that provision notwithstanding, this Agreement shall remain in full force and effect and any such provision or portion thereof shall be deemed omitted.

  14. Survival: Rights and obligations under this Agreement which by their nature are intended to survive termination, including without limitation the indemnification and liability limitations provisions set forth in this Agreement, shall remain in full effect after termination or expiration of the Agreement.

  15. Governing Law and Arbitration: This Agreement is governed by and construed in accordance with the laws of Malta. Any dispute, controversy or claim arising out of or in relation to this Agreement, including the validity, invalidity, breach or termination thereof, shall be finally settled by arbitration in accordance with the provisions of Part IV (“Domestic Arbitration”) of the Arbitration Act (Chapter 387 of the Laws of Malta) and the Arbitration Rules made thereunder, as in force on the date of commencement of the relevant dispute.

Terms of Service – App

Dedaub’s Terms of Service (the “Agreement”) are a legal agreement between You as the Client and Dedaub Ltd. (“Dedaub”, “We”, “Us” and “Our”), a private limited liability company registered under the Laws of Malta with company number C99606. By using our services, you agree to be bound by these terms of service and all terms incorporated by reference.

Dedaub provides a subscription software (the “Service“) over supported EVM-based blockchain protocols. The Service combines static application security testing (SAST), theorem proving techniques, realtime blockchain monitoring, and fuzzing.

Prior to giving You access to some features of the Service, Dedaub may ask You for cryptographic proof that You are a member of a Protocol’s development team, and that your Protocol (the “Protocol”) is not an unmodified fork of another well-known Protocol.

The security analyses provided through the Service are designed to find security weaknesses in Smart Contracts. Some of these analyses may detect potential for malicious use of the contracts, for instance, potential cryptoeconomic weaknesses (e.g., price manipulation or forced unprofitable exchanges). The Service, however, does not ensure the correctness of the business logic.

There are important terms provided below including your indemnification responsibilities, our limitation of liability and warranty disclaimers, and your agreement to arbitrate disputes. Please take the time to read these terms of service carefully. You can always contact Us at legal@dedaub.com if you have any questions.

  1. Service:
    1. We agree to grant You an unlimited, worldwide and non-exclusive right to use the Service, subject to limitations of the pricing tier you have subscribed to.
    2. You agree to use the service solely and exclusively in terms of the present Agreement and shall ensure that such Service is not used by any other third party.

    3. You agree not to transfer, share or assign your right to use and access the Services and will not tolerate or permit any third party from accessing or using the Services.

    4. You agree to not share or distribute in any manner, in whole or in part, any content forming part of the Service.

    5. You agree not to alter or attempt to alter or do anything that may potentially alter the software which is in any manner related to the Service.

  2. Consideration:
    1. By way of consideration for the Service, You shall pay Dedaub the sum indicated within the relevant pricing plan at the applicable service tier. Such sum is exclusive of Taxes imposed by your jurisdiction if due, and this sum shall be settled on a quarterly basis and in advance, to be reckoned from the start of your service. Payments are due without the need of a request to be made by Dedaub.
    2. In the event that the present Agreement is renewed, the same terms shall apply, provided, however, that on a yearly basis, We shall have a right, saving any other Agreement as may be reached with Dedaub, to increase the price due for the service. In the event that We would be exercising this right to increase the price, then We shall give notice in writing of such increase thirty (30) days before the commencement of the billing period on which such increase would become first applicable.
    3. If you move to a higher tier of a paid plan, the change will take effect immediately and we will charge You for the additional fees associated with the new paid plan on a pro-rata basis. If You move to a lower tier of a paid plan, the fee change will take effect in the next billing cycle. You acknowledge that You will not receive a refund for the then-current billing cycle if You move to a lower tier of a paid plan, or to a non-payment subscription plan.
    4. In the event that You do not pay any amount due upon the day when the same falls due, automatically interest shall be chargeable, ipso jure, on any balance due from the relative payment at the highest rate permissible by law.
    5. You agree that in the event that You would need to carry out any works, upgrade any of your systems, alter your hardware, software or other infrastructure in order for You to be able to receive the Service, or to continue to receive the Service, any related costs shall be solely and exclusively incurred by You. You shall have no right to request and compensation, redress, reimbursement or discount from Dedaub, even in the event that the need for such expense is brought about by a change on our part.
  3. Continued Service:
    1. We shall use all reasonable efforts in order to ensure that availability of the Service in terms of this Agreement is maintained throughout the whole term of this Agreement, provided, however, that You recognize and accept that we are not in any manner promising or guaranteeing availability at all times. Among other things, service may be interrupted, directly or indirectly, due to the following and in such cases, interruption shall not be deemed to constitute a breach on our part:
      1. Any failure or fault on any system or infrastructure on which we rely on, in providing the Service;
      2. Any failure or fault of any system upon which You rely on in making use of the Service;
      3. Any breach of this Agreement, whether direct or indirect, on your part;
      4. Any event of force majeure;
      5. Any scheduled maintenance which may be necessary.
    2. Provided, however, that in the event that You are, at any point in default of payment of any amount due in terms of this Agreement to Dedaub, and we have also given You notice requesting payment to be effected within fifteen (15) days from such notice being given, then the we may, upon the lapse of such fifteen (15) day period suspend the provision of service without any right of recourse or any right to damages. Any such suspension shall be without prejudice to our right to collect any amounts due to it in terms of this Agreement.
    3. We shall have the right to interrupt services for the purpose of maintenance of our systems, provided that where practicable we shall give You reasonable prior notice thereof.
  4. Intellectual Property: Any intellectual property rights in any manner connected or related to the Service shall remain our sole and exclusive property and nothing in this Agreement shall be construed in any manner as assigning or transferring any such rights to You.
  5. Data Use and Processing:
    1. You are granting Dedaub the widest and broadest right to make use of any of your data as may be required in the provision of the Service, in the execution of the Our obligations and exercise of Our rights in terms of this Agreement and in terms of the law.
    2. You confirm and warrant that any data You make available to Dedaub does not infringe any rights of third parties, including intellectual property and other proprietary rights.
    3. You agree that such obligations shall survive any expiration or early termination of the present Agreement.
  6. Accuracy and Legality: It is your sole responsibility to ensure that all information or data provided to Dedaub is accurate, legitimate and conforms to all applicable legal requirements. Dedaub shall in no event assume any responsibility for any inaccuracies in the information or data provided by You if it infringes any laws and regulations, including but not limited to, intellectual property regulations. In this regard, you shall fully indemnify and hold the Dedaub harmless against all claims or demands (including legal and other professional fees and expenses) which We may suffer arising from or in connection with any inaccuracies or infringement in information or data provided.
  7. Data Protection: We shall comply with all Applicable Laws when carrying out this Agreement, in particular:
    1. We shall keep your personal data logically separated from personal data processed on behalf of any third party;
    2. We will entrust only persons (whether natural or legal) with the Processing under this Agreement who maintain confidentiality and have been informed of any special data protection requirements relevant to their work;
    3. We shall cooperate, on request, with the relevant data protection supervisory authority in the performance of its tasks;
    4. We shall undertake reasonable efforts to support you if you are subject to inspection by the supervisory authority, an administrative or summary offense or criminal procedure, a liability claim by a data subject or by a Third Party or any other claim in connection with this Agreement;
    5. We shall periodically monitor the internal processes and the technical and organizational measures to ensure that processing of personal data is in accordance with the requirements of applicable law and the protection of the rights of the data subject.
  8. Authority to Enter Agreement: Each Party warrants and declares that it has the right and authority to enter into the present Agreement.
  9. Assumption of Risk: You fully understand: (a) that there are inherent risks associated with blockchain-based software systems, and that (b) additional risks to the Services and blockchain-based technologies may be present as a result of advances in code-cracking or technical advances, such as novel flaws identified in cryptography. You acknowledge that these risks could result in the loss or theft of crypto tokens or property.
  10. Acceptable Use: When accessing or using the Services, You agree that You will not violate any law, contract, intellectual property or other third-party right or commit a tort, and that You are solely responsible for your conduct while using our Services. Without limiting the generality of the foregoing, You agree that You will not:
    1. Use our Services to exploit or harm in any way third party protocols;

    2. Cause any damage to Dedaub, our infrastructure, our software or our other clients;

    3. Use any robot, spider, crawler, scraper or other automated means or interface not provided by us to access our Services or to extract data;

    4. Use or attempt to use another user’s account without authorization;

    5. Access or use the Services for the benefit of one of Our direct competitors or access the Services for the purpose of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purposes;

    6. Encourage or induce any third party to engage in any of the activities prohibited under this Section.

  11. Indemnification: You shall defend, indemnify, and hold Us harmless (and each of Our officers, directors, members, employees, agents and affiliates) from any claims, damages, proceedings, costs and expenses resulting from any of your breaches of any representations, warranties, covenants or Agreements with Us.

  12. Limitations:
    1. The Service does not provide a warranty on the security and/or functionality of the systems and You assume any risks and losses, and You declare not to hold Dedaub liable to any degree for any loss of whatever nature, irrespective of the services which may have been provided by Dedaub.

    2. Dedaub will not be liable to You (whether under the law of contact, the law of tort or otherwise) in relation to the service provided:
      1. for any direct, indirect, special or consequential loss; or

      2. for any business losses, loss of revenue, income, profits or anticipated savings, loss of contracts or business relationships, loss of reputation or goodwill, or loss of cryptocurrency/tokens/NFTs or data or any other loss, or any other damages in general.

      3. These limitations of liability apply even if You have been expressly advised of the potential loss.

    3. Dedaub and any of its directors, officers, employees and contractors, will not be liable to You except by reason of acts constituting bad faith of Dedaub or willful misconduct or reckless disregard of our duties. The Parties hereto recognize and accept that the effectiveness of the Services are not guaranteed or warranted by Dedaub in any respect whatsoever.

    4. In any event, Dedaub’s total maximum aggregate liability under this Agreement shall not exceed the fees You paid to Dedaub over the last 12 months.

  13. Relationship of the Parties: Nothing contained in this Agreement shall be interpreted or construed to create a partnership, agency, single employer, joint employer or any other type of employment relationship between the parties hereto, or to impose liability attributable to such relationship upon either party. Neither party will have any right, power or authority to enter into any agreement on behalf of, to incur any obligation or liability of, or to otherwise bind the other party.

  14. Updates to The Agreement: We periodically update the terms of this Agreement. If You have an active Dedaub account, we will notify You of updates via an email or a notification on the Dedaub platform. Unless the notice states otherwise, the updated terms of this Agreement will become effective and binding on the next business day after it is posted.

  15. Subcontracting: We may sub-contract, in whole or in part, any of our obligations in terms of this Agreement to third parties.

  16. Severability: If any of the provisions or portions thereof of this Agreement are found to be invalid under the applicable law, then, that provision notwithstanding, this Agreement shall remain in full force and effect and any such provision or portion thereof shall be deemed omitted.

  17. Survival: Rights and obligations under this Agreement which by their nature are intended to survive termination, including without limitation the indemnification and liability limitations provisions set forth in this Agreement, shall remain in full effect after termination or expiration of the Agreement.

  18. Governing Law and Arbitration: This Agreement is governed by and construed in accordance with the laws of Malta. The parties agree that any dispute or claim arising out of or in connection with this Agreement or its subject-matter shall be subject to the exclusive jurisdiction of the Malta Arbitration Center in accordance with the Arbitration Act (Cap. 387 of the Laws of Malta) and the arbitration rules of the Malta Arbitration Center in force at the time of the dispute. Dedaub shall retain the right, at its option and for its exclusive benefit, to institute proceedings regarding or relating to Your use of the Service in the courts of law of the country in which You reside.

  19. Waiver of Jury Trial: You and Dedaub waive their rights (if applicable) to a trial by jury relating to all claims and causes of action (including counterclaims) related to or arising out of this Agreement. This waiver shall also apply to any subsequent amendments or modifications to this Agreement.

  20. No Class Actions: All claims between the parties, including parent companies and subsidiaries, related to this Agreement will be litigated individually and You will not consolidate or seek class treatment for any claim with respect to the Services.

Non-Disclosure Agreement

Dedaub has a very balanced Mutual Non-Disclosure Agreement (MNDA). We sign MNDAs with potential and current users/customers and suppliers as needed free of charge. In doing so we commit to safeguarding their confidential information as laid down in the provisions of the MNDA. In return we seek the same commitment via this mutual agreement.

You can review and digitally sign a copy of our Mutual Non-Disclosure Agreement. Once you sign the agreement, you will receive a fully executed downloadable copy via email.

Sign Dedaub MNDA

Privacy Policy

We will NEVER sell Your Personal Data to Third Parties.

Dedaub will only share or disclose Personal Data as described in this Privacy Policy.

This Privacy Policy applies to Personal Data processed by Dedaub Ltd. (“Dedaub”, “We”, “Us” and “Our”) when You visit dedaub.com in addition to any sub-pages that are integrated within it (the “Site”); and/or make use of Dedaub’s Software.

This Privacy Policy explains what Personal Data We collect through Our Site and Software, how and why We collect it, how We use and disclose the Personal Data We collect and information on how to exercise privacy rights over this Personal Data.

We may revise this Privacy Policy from time to time but We will never do so in a manner that compromises Our commitment to respect the privacy of individuals. The most current version of this Privacy Policy governs Our practices for collecting, processing, and disclosing Personal Data. We will provide notice via email to Our Customers and on this page of any material modifications to this Privacy Policy. Continued use of Our Site and/or Software and/or Services following the effective date of any modifications will constitute acceptance of the modified Agreement (this includes Our Terms of Service and this Privacy Policy).

All capitalized terms in this Privacy Policy shall have the same meaning as defined in the Terms of Service and in the Applicable Law.

This rest of this policy applies to Personal Data Dedaub collects from visitors to Our Site (dedaub.com) or any of Our sub-sites, software, or sub-domains (e.g. app.dedaub.com, etc.).

Any Personal Data provided by a visitor to Our Site will be used only as described in this Privacy Policy

Usage Data

When someone visits the Dedaub Site, We may store the name of their internet service provider, the website they visited Us from, the parts of Our Site they visit, the date and duration of the visit, and information from the device (e.g. device type, operating system, screen resolution, language, country You are located in, and web browser type) used during their visit. We process this usage Data to facilitate access to Our Site (e.g. to adjust Our Site to the devices that are used).

We temporarily store IP addresses of visitors to Our Site for associated performance metrics (i.e. data related to how well Our Software performs on Our Site) and to monitor and track application errors. We will never access these IP addresses without any operational or security need. We automatically delete these IP addresses within thirty (30) calendar days. The legal basis for this data processing is Article 6(1)(f) GDPR.

We also process usage Data in an aggregated or de-identified form for statistical purposes and to improve Our Site.

Cookies

Cookies are small data files transferred onto computers or devices. Dedaub uses cookies to process information including standard internet log information and details of the visitor’s behavioral patterns upon visiting Our Site. This is done to:

  • operate Our Site;
  • provide visitors to Our Site with a better experience by providing Us with insights on how visitors use Our Site; and
  • for marketing purposes.

For more info about the cookies We make use of, please visit Our Cookie Information Page.

Contact with Us via email

Visitors to Our Site have the opportunity to contact Us to ask Us questions, for example via the contact form, where We ask for contact information (e.g. name, email address etc.). We use this data solely in connection with answering the queries We receive.

If a visitor to Our Site receives emails from Us, We may use certain analytics tools, to capture data such as when the email is opened or when any links or banners in the email have been clicked. This data helps Us to gauge the effectiveness of Our communications and marketing campaigns.

The legal basis for this processing is Article 6(1)(f) GDPR.

Access and Disclosure to Third Parties

We use a select number of trusted external service providers for certain technical data analysis, processing and/or storage offerings (e.g., IT and related services). These Third Party service providers are carefully selected and meet high data protection and security standards. We only share Data with them that is required for the services offered and We contractually bind them to keep any information We share with them as confidential and to process Personal Data only according to Our instructions. The legal basis for such processing would be Article 6(1)(f) GDPR.

In addition to services providers, other categories of Third Parties may include:

  • Vendors/public institutions. To the extent that this is necessary in order to make use of certain services requiring special expertise (such as legal, accounting or auditing services) We may share Personal Data with vendors of such services or public institutions that offer them (e.g. courts). The legal basis of this data processing is Article 6(1)(f) GDPR.
  • Disclosure in the Event of Merger, Sale, or Other Asset Transfers. If We are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, then Data may be sold or transferred as part of such a transaction, as permitted by law and/or contract. The legal basis for such processing would be Article 6(1)(f) GDPR.

Other than the cases mentioned above, We will only transfer Personal Data to Third Parties without express consent in accordance with Article 6(1)(a) GDPR or if We are obliged to do so by statutory law or by instruction from a public authority or court as outlined in Our Terms of Service.

Communication Purposes

We may occasionally send notification emails about updates to Our product, legal documents, customer support or for marketing purposes. To the extent required by Applicable Law, We will only send such messages if We have obtained consent in accordance with Article 6(1)(a) GDPR. In all other cases, the legal basis of this data processing is Article 6(1)(f) GDPR.

Except for cases where We are required to do so by law (e.g. notification of a data breach), recipients of Our communication shall have the opportunity to unsubscribe from receiving these messages free of charge. We process requests to be placed on do-not-contact lists as required by Applicable Law.

Marketing Purposes

We occasionally use Personal Data given to Us by Dedaub’s Customers, Users and/or visitors to Our Site to target advertisements to potential new Customers that appear to have shared interests or similar demographics. The legal basis of this data processing is Article 6(1)(f) GDPR.

We do this by sharing Personal Data with Third Party marketing platforms that have high privacy and confidentiality standards and which have gone through a legal and security review by Dedaub. This ensures that these Third Parties cannot do anything with the Personal Data We provide them other than use it for the express purpose of providing Us with the marketing services We contract them for.

This Personal Data is only shared with these Third Parties through secure and encrypted means. If You wish to opt out of this processing activity, please contact Us at legal@dedaub.com with the subject line “Opt-Out of Marketing”.

Compliance and Protection

We may use Personal Data to (legal basis for the respective processing in parentheses):

  • protect Our, Our Customers’/Users’, visitors’ to Our Site or Third Parties’ rights, privacy, safety or property including by making and defending legal claims (Article 6(1)(b), (c) or (f) GDPR);
  • audit Our internal processes for compliance with legal and contractual requirements and internal policies (Article 6(1)(f) GDPR);
  • enforce Our Terms of Service (Article 6(1)(b) or (f) GDPR);
  • protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft (Article 6(1)(f) GDPR); and
  • comply with the Applicable Law, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities (Article 6(1)(c) or (f) GDPR).

Benchmarking

Dedaub reserves the right to use and retain Data in a de-identified and/or aggregated form to improve Our Site and/or Software and for statistical and benchmarking purposes, including enabling comparisons within the same industry to enhance the insights collected through Our Site and Software. Benchmarks look at all collected metrics and compare them to others of the same nature. These de-identified and/or aggregated benchmarks may be published and shared publicly within Our Software or in the form of other content We publish which may show a summary of results for a certain category or question type.

No Data which can individually identify Our Customers or their end-users will ever be shown in this statistical or benchmark data.

The legal basis for aggregating/anonymizing this Personal Data is Article 6(1)(f) GDPR.

Intra-group sharing of User and visitor Data

In the course of our normal operations, Dedaub may share Data (e.g. name and contact details) of Users of Dedaub accounts and visitors of Our Site (dedaub.com) with other entities in our group.

The purpose of sharing this Data is to pursue synergies in sales strategies. The legal basis of this Data processing is Article 6(1)(f) GDPR.

The use of any Personal Data for marketing purposes is subject to the prior consent of the data subject, i.e. the natural person to whom the communication shall be sent. You may withdraw Your consent at any time with future effect. The legal basis for this data processing is Your consent in accordance with Article 6(1)(a) GDPR.

If You would like more information in this regard or would like to exercise Your rights as described in this Privacy Policy, please contact Us through our Contact Details.

Other Purposes with Your Consent

In some cases, We may ask You for consent to collect, use or share Personal Data for other purposes. For example, We may ask You for consent to send marketing emails where required by law or to post testimonials or endorsements. In such cases, there will always be the ability to deny or revoke consent if desired. The legal basis for the data processing is under Article 6(1)(a) GDPR.

Duration of Processing

Unless a different timeframe has been specifically stated in this Privacy Policy or in Our Pricing Page, Personal Data will be retained for as long as is necessary for the purpose(s) for which We originally collected it or to provide Our Software, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, and enforce Our Agreement. We may also retain information as required by Applicable Law.

International Transfers of Personal Data

In most cases, Personal Data We collect is stored in the EU. However, in some limited cases, customer information may be accessed from, or other Personal Data (e.g., email) may be transferred, outside of the EU. These countries may have different data protection laws. Dedaub endeavors to ensure appropriate safeguards are in place requiring that Personal Data will remain protected. Dedaub has concluded Standard Contractual Clauses with entities who We share Personal Data with outside of the EU.

Children’s Information

Dedaub’s Software and Services are not directed to children under 13 (or other age as required by local law), and We do not knowingly collect Personal Data from children. If you learn that your child has provided Us with Personal Data without your consent, you may contact Us through Our Contact Details below. If We learn that We have collected a child’s Personal Data in violation of Applicable Law, We will promptly take steps to investigate this, delete such information and terminate the child’s account. We will also make sure to have preventive measures in place for this not to happen again in the future.

Rights over Personal Data

If You’re a visitor to Our Site or a Customer and/or User of Our Software and We have collected Personal Data about You, You have a right to access and to be informed about what Personal Data is processed by Dedaub, a right to rectification/correction, erasure/anonymization and restriction of processing (subject to certain exceptions and other requirements prescribed by law). You also have the right to receive from Dedaub a structured, common and machine-readable format of Personal Data You provided Us.

When You have provided consent, You may withdraw it at any time, without affecting the lawfulness of the processing that was carried out prior to withdrawing it. Whenever You withdraw consent, You acknowledge and accept that this may have a negative influence on the quality of Our Site and/or Software. Please be aware that when You withdraw consent, We may delete the Personal Data previously processed on the basis of Your consent and will not be allowed to keep it further which will mean that it cannot be accessed, downloaded or otherwise secured by You.

In addition, You have the right to lodge a complaint with Your respective data protection authority.

To protect Your privacy, We take steps to verify Your identity before fulfilling Your request. We can only identify You via Your email address and We can only adhere to Your request and provide information if We have Personal Data about You through You having made contact with Us directly and/or You are using Our Site and/or Software.

Sign-in using an external external identity provider

If you sign-in using external identity providers like Google, we will collect and store your email, user id as well as first and last name (if they are provided). This data is necessary for using our applications and is not shared with any third party unless specific consent is given by the user

If You are located in California…

This section only applies to Our processing of Personal Data as a “business” under the California Consumer Privacy Act (CCPA).

The CCPA provides California residents with the right to know what Categories of Personal Data Dedaub has collected about them and whether Dedaub disclosed that Personal Data for a business purpose (e.g. to a service provider) in the preceding 12 months.

If You are a California resident and would like to exercise any of Your rights under the CCPA, please contact Us at legal@dedaub.com. We will process Your request in accordance with the Applicable Laws.

Sales of Personal Information Under the CCPA. For purposes of the CCPA, Dedaub does not “sell” Personal Data, nor do We have actual knowledge of any “sale” of Personal Data of minors under 16 years of age.

Non-Discrimination. California residents will have the right to exercise the rights conferred to them by the CCPA.

Authorized Agent. Only You, or someone legally authorized to act on Your behalf, may make a verifiable consumer request under the CCPA. If applicable, You may also make a verifiable consumer request on behalf of Your minor child. To designate an authorized agent, please contact Us at legal@dedaub.com.

Verification. To protect Your privacy, We will take steps to verify Your identity before fulfilling any consumer request under the CCPA. When You make a request, We will ask You to provide sufficient information that allows Us to reasonably verify You are the person We collected Personal Data about or an authorized representative, which may include Your email address.

If You are located in Brazil…

This section only applies to Our processing of Personal Data under the Brazilian Lei Geral de Proteção de Dados (LGPD).

In addition to the rights described above, You also have the right to:

  • access Your Personal Data processed by Dedaub;
  • unless restricted by law, request information about the public and private entities with which We have shared Your Personal Data;
  • oppose to the processing carried out; and/or
  • receive information about the possibility of not providing Your consent and the consequences of such denial.

If You are a Brazilian resident or were in Brazil when Your Personal Data was collected and would like to exercise any of Your rights under the LGPD, please contact Us at legal@dedaub.com. We will process Your request in accordance with the Applicable Laws.

Information about Dedaub

Dedaub is a company headquartered in the European Union (EU) that provides security auditing services and software which keeps Our Customers’s projects safe from Hackers.

Contact Details

Dedaub Ltd., Malta Life Sciences Park, San Gwann, SGN3000, Malta

Other Forms

The W-8BEN-E form is a document provided by a foreign entity to the United States Internal Revenue Service (IRS) to confirm its status as a non-resident alien or foreign entity for purposes of U.S. income tax withholding and reporting.

W-8BEN-E for Dedaub Ltd

Terms of Service – API

Dedaub’s Terms of Service (the “Agreement”) form a legal agreement between you, the client (“You” or “Your”), and Dedaub Ltd. (“Dedaub”, “We”, “Us”, and “Our”), a private limited liability company registered under the laws of Malta with company number C99606. By using Our services, you agree to be bound by these terms of service and all terms incorporated by reference.

These terms contain important clauses including your indemnification responsibilities, our limitation of liability and warranty disclaimers, and your agreement to arbitrate disputes. Please read these terms of service carefully. Should you have any questions, you can always contact Us at legal@dedaub.com.

  1. Usage Terms
    1. Acceptance of Terms. By accessing or using Our API Services, You agree to be bound by these terms and conditions and all terms incorporated by reference. These terms apply to your access to and use of all Our websites, API Services, associated software, and any information or content appearing therein.

    2. Modification of Terms. We may modify these Terms at any time by posting updated Terms on Our website. It is your responsibility to review these Terms periodically for changes. By continuing to use the API Services after such changes are posted, You agree to be bound by the revised Terms. We will notify you of any material changes to these terms; continued use after such notice will constitute acceptance of the modified terms.

  2. License and Restrictions
    1. Grant of License. Dedaub grants You a limited, non-exclusive, non-transferable, and revocable license to use the API Services to develop, test, or support software applications, websites, or services for software integration with your applications. This license is contingent upon your adherence to these Terms.

    2. Restrictions. You agree not to:
      1. Copy, modify, or reverse engineer Our API Services or content.

      2. Use Our API Services for any illegal or unauthorized purpose.

      3. Transmit any worms, viruses, or any code of a destructive nature.

      4. Breach or attempt to breach any security measures We implement.

      5. Use our API Content to create any software service, product, or solution that directly competes with any of our services.

      6. Manipulate, sell, trade, rent, loan, lease, license, or otherwise provide our API Content or access to our service for commercial purposes unless expressly authorized by us.

      7. Send automated requests to the API in a manner that exceeds reasonable usage limits as determined by us, or which could disrupt service levels.

      8. Engage in any data mining, scraping, or similar data gathering or extraction methods from our website or API, without our prior written permission.

  3. Payments and Billing
    1. Fees. You agree to pay all fees associated with Your subscription and use of Our API Services. We may modify subscription fees with prior notice, and You have the option to terminate Your subscription if you do not agree with the changes.

    2. Billing. Payments are charged on a subscription basis and are non-refundable. You are responsible for all charges, taxes, and bank fees related to the transactions. Subscription cancellations must occur before the next billing cycle to avoid further charges.

  4. Intellectual Property
    1. Ownership. All rights, title, and interest in the API Services and all content provided through the API Services are and will remain the exclusive property of Dedaub and its licensors. No transfer of ownership or rights is implied by these Terms.

    2. Use of Content. Any use of Dedaub’s content other than as specifically authorized herein, without the prior written permission of Dedaub, is strictly prohibited and will terminate the license granted herein.

  5. Legal Compliance and Prohibited Activities.
    1. You agree to use the API Services in compliance with all applicable laws and regulations and not to use the API Services for any activities that could result in criminal or civil liability. Prohibited activities include, but are not limited to:
      1. Illegal activities, including but not limited to fraud, money laundering, or the promotion of illegal transactions.

      2. Actions that infringe on the intellectual property or other rights of others.

  6. Disclaimers and Limitation of Liability
    1. Dedaub provides the API Services on an “as is” and “as available” basis. We do not warrant that the API Services will be uninterrupted or error-free. In no event will Dedaub be liable for any indirect, punitive, or consequential damages arising out of or related to this agreement.

  7. Termination and Suspension. Dedaub may suspend or terminate your access to the API Services if you violate these Terms or engage in any activity that may cause legal liability or disrupt others’ use of the API Services.

  8. General Provisions
    1. Severability. If any provision of these Terms is deemed invalid or unenforceable, that provision will be enforced to the maximum extent permissible, and the other provisions of these Terms will remain in effect.

    2. Governing Law. These Terms are governed by the laws of Malta without regard to its conflict of law principles.

    3. Arbitration. The parties agree that any dispute or claim arising out of or in connection with this Agreement or its subject-matter shall be subject to the exclusive jurisdiction of the Malta Arbitration Center in accordance with the Arbitration Act (Cap. 387 of the Laws of Malta) and the arbitration rules of the Malta Arbitration Center in force at the time of the dispute.

    4. Waiver of Jury Trial. You agree to waive your rights (if applicable) to a trial by jury relating to all claims and causes of action (including counterclaims) related to or arising out of this Agreement. This waiver shall also apply to any subsequent amendments or modifications to this Agreement.

    5. No Class Actions. All claims between the parties, including parent companies and subsidiaries, related to this Agreement will be litigated individually and You will not consolidate or seek class treatment for any claim with respect to the Services.

Dedaub Security Suite Trial | How-to

Are you ready to explore the advanced tools of the Dedaub Security Suite? Whether you’re an individual developer, a team, or an enterprise, Dedaub offers tailored solutions to suit your needs. Here’s how to create an account and start your free trial today.

Step 1: Create Your Free Account

To get started, sign up for your free user account: Create Your Account Here

Simply enter your details or use the GitHub integration for a quick setup. Once registered, log in to explore the platform.

Dedaub Security Suite Trial

Step 2: Start Your Free Trial

Once logged in, follow these steps to activate your trial:

  1. Choose Your Plan:
    • Individual Trial: Ideal for single developers, free for 30 days, then $99/month.
    • Team Trial: Great for small teams, 30 days free, then $990/month.
    • Enterprise: Contact sales for a customized plan to access full monitoring capabilities.
  2. Activate Your Trial:
    Navigate to the pricing page and select your preferred plan.
    • For Individual or Team trials, provide your payment information on Stripe to initiate the trial.
    • Enterprise users can schedule a meeting to customize their solution.
Dedaub Security Suite Trial

Step 3: Dive Into the Dedaub Security Suite

Once your trial is live, unlock the full potential of the Dedaub Security Suite with these cutting-edge tools:

  • Decompilation
    Uncover the logic behind contracts without public source code or ABI, including high-value MEV bots. View contracts in a Solidity-like format, extract their ABI, explore functions, or perform bytecode decompilation on demand.
    Open Decompiler
  • Monitoring and Alerting
    Keep an eye on on-chain activity with customizable agents written in a powerful SQL-based language. These agents detect and react to blockchain events in real-time, leveraging time-series analysis and just-in-time data decoding for unmatched efficiency.
    Open Monitoring
  • Static Analysis and Formal Verification
    Secure your contracts by identifying vulnerabilities with advanced tools. From formal verification to statistical learning and static analysis, check every possible contract state and execution path to ensure robust security.
    Filter Contracts
  • Transaction Simulation
    Test the outcome of transactions using real Mainnet data before executing on-chain. Whether through write-contracts or MetaMask using the Dedaub Snap, simulate confidently to prevent costly mistakes.
  • Open Transaction 

Start Dedaub Security Suite Trial and Secure Your Blockchain Projects Today

Don’t wait—unlock the potential of Dedaub’s powerful tools. Create your free account and begin your trial today.