Common Solidity Security Vulnerabilities


Understanding and Mitigating Solidity Security Vulnerabilities

Solidity security vulnerabilities are a critical concern for developers building smart contracts on Ethereum and other EVM-compatible platforms. Solidity is the primary language for writing these contracts, and it enables developers to build decentralized applications (DApps) that automate complex processes. However, the immutability and decentralized nature of blockchains make vulnerabilities in smart contracts especially serious: a single flaw can result in the loss of millions of dollars in cryptocurrency, as numerous high-profile hacks have demonstrated.

This guide looks at the most common Solidity security vulnerabilities.

Access Control Failures

One of the most common Solidity security vulnerabilities is failing to protect sensitive external functions with an access control modifier. A contract usually has some privileged functionality that should only be callable by its owner, for instance to configure some of its parameters. Leaving such a function unprotected by a modifier such as onlyOwner can have disastrous consequences, because any attacker can then modify the core behavior of the smart contract.

Unchecked External Calls

Unchecked external calls can introduce significant Solidity security vulnerabilities.

Developers should control which contracts their application interacts with. Trusting arbitrary contracts and handing control to them means accepting that malicious contracts could interact with your application, which can lead to unintended behavior or even attacks.

In general, developers should interact only with trusted contracts. If the set of contracts is not known in advance, the application should include a mechanism that lets the contract owner whitelist contracts on demand.
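Added example, not code from the original post: the unprotected setter and arbitrary-call pattern described in the two sections above, beside a hardened version that uses an onlyOwner modifier and an owner-managed whitelist of callable contracts. The contract and function names are assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Vulnerable: the configuration setter has no access control, and the
/// contract hands control to whatever target address the caller names.
contract ConfigUnprotected {
    address public feeRecipient;

    function setFeeRecipient(address recipient) external {
        feeRecipient = recipient; // anyone can redirect fees
    }

    function forward(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data); // arbitrary, caller-chosen contract
        require(ok, "call failed");
        return ret;
    }
}

/// Hardened: privileged configuration is restricted with onlyOwner, and
/// external calls are limited to an owner-maintained whitelist of contracts.
contract ConfigProtected {
    address public owner;
    address public feeRecipient;
    mapping(address => bool) public whitelisted;

    event TargetWhitelisted(address indexed target, bool allowed);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    error NotOwner();
    error TargetNotWhitelisted(address target);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    function setFeeRecipient(address recipient) external onlyOwner {
        require(recipient != address(0), "zero recipient");
        feeRecipient = recipient;
    }

    /// The owner decides on demand which contracts the application may hand control to.
    function setWhitelisted(address target, bool allowed) external onlyOwner {
        require(target.code.length > 0, "target is not a contract");
        whitelisted[target] = allowed;
        emit TargetWhitelisted(target, allowed);
    }

    /// Only whitelisted contracts can ever receive control from this contract.
    function forward(address target, bytes calldata data) external returns (bytes memory) {
        if (!whitelisted[target]) revert TargetNotWhitelisted(target);
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```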

Reentrancy Attacks

Reentrancy is a notorious Solidity security vulnerability in which an external contract hijacks the control flow of the target contract. It can occur when one of the smart contract’s external functions temporarily transfers control to another contract before it has finished executing its own state-modifying code.

If the other contract is malicious, it can call the external function again while the original call is still suspended at the point where control was transferred, so the code preceding that point runs a second time before the first invocation has completed. This is called a re-entry, and it can allow an attacker to change the state of the contract in an undesirable manner.

Developers can prevent this kind of attack by using the checks-effects-interactions pattern, which ensures that all state changes are completed before control is transferred to an external contract. Any re-entry attempt then behaves as a fresh call that never interacts with a partially executed computation.

Integer Overflow/Underflow

Solidity uses fixed-size integer types for its calculations, and exceeding a type’s maximum or minimum value results in an overflow or underflow. From version 0.8.0 onwards, Solidity reverts automatically when this happens, which can lead to unexpected reverts in your smart contracts. Inside an unchecked block, on the other hand, integer variables wrap around silently; this leads to unexpected behavior unless there is a particular reason why overflow and underflow cannot occur there.
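Added example, not from the original post: checked and unchecked arithmetic side by side, including an unchecked subtraction that wraps into a huge balance and the loop-counter case where unchecked is justified because the bound rules overflow out. Contract and function names are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Demonstrates checked vs unchecked arithmetic in Solidity >= 0.8.0.
contract ArithmeticDemo {
    mapping(address => uint256) public balances;

    /// Checked: reverts with Panic(0x11) if the sum does not fit in uint256.
    function checkedAdd(uint256 a, uint256 b) external pure returns (uint256) {
        return a + b;
    }

    /// Unchecked: wraps around silently, e.g. type(uint256).max + 1 == 0.
    function wrappingAdd(uint256 a, uint256 b) external pure returns (uint256) {
        unchecked { return a + b; }
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    /// Unsafe use of unchecked: with amount > balance the subtraction wraps,
    /// so a debit that should fail instead credits an enormous balance.
    function unsafeDebit(uint256 amount) external {
        unchecked { balances[msg.sender] -= amount; }
    }

    /// Safe: the explicit check is the reason underflow cannot occur, so the
    /// unchecked block only saves gas and never changes the result.
    function safeDebit(uint256 amount) external {
        uint256 bal = balances[msg.sender];
        require(bal >= amount, "insufficient balance");
        unchecked { balances[msg.sender] = bal - amount; }
    }

    /// Typical legitimate use: i < xs.length guarantees ++i cannot overflow,
    /// while the running total stays checked so it reverts rather than wraps.
    function sum(uint256[] calldata xs) external pure returns (uint256 total) {
        for (uint256 i = 0; i < xs.length; ) {
            total += xs[i];
            unchecked { ++i; }
        }
    }
}
```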

Out-of-Gas Situations

Ethereum sets gas limits on transactions to prevent infinite loops and resource exhaustion. Smart contract developers must know these limits and gracefully handle out-of-gas situations.

For example, a resource-intensive loop can cause a transaction to fail due to hitting the gas limit, which may result in a frustrating user experience.

Sometimes this situation can also be turned into a denial-of-service (DoS) attack, in which an attacker arbitrarily extends the length of the loop, effectively disabling the functionality.

An example of this scenario is a function that loops over all registered users and sends each of them some funds. An attacker could lengthen this loop by registering many bogus accounts with the system.

In general, it is preferable to avoid nested loops and to adopt a pull system, in which individual users request an operation, rather than a push system that performs the operation for all users.
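Added example (not the post’s own code): the registered-users payout described above written as a push loop, beside a pull design that keeps every operation O(1), so the loop an attacker could lengthen no longer exists. Contract and function names are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Push pattern: one unbounded loop pays every registered user. Registration
/// is open, so the array can be grown until distribute() no longer fits in a block.
contract RewardsPush {
    address[] public users;
    mapping(address => bool) public registered;
    address public immutable owner;

    constructor() { owner = msg.sender; }

    function register() external {
        require(!registered[msg.sender], "already registered");
        registered[msg.sender] = true;
        users.push(msg.sender);
    }

    function distribute() external payable {
        require(msg.sender == owner, "not owner");
        require(users.length > 0, "no users");
        uint256 share = msg.value / users.length;
        for (uint256 i = 0; i < users.length; i++) {
            // Gas grows with every registration, and one failing recipient
            // reverts the whole payout for everyone.
            (bool ok, ) = users[i].call{value: share}("");
            require(ok, "transfer failed");
        }
    }
}

/// Pull pattern: distribute() only bumps a cumulative per-user accumulator,
/// and each user withdraws their own share with a fixed amount of work.
contract RewardsPull {
    uint256 public userCount;
    uint256 public cumulativePerUser;                // total ever distributed per registered user
    mapping(address => bool) public registered;
    mapping(address => uint256) public claimedUpTo;  // cumulativePerUser at the user's last claim
    address public immutable owner;

    event Withdrawn(address indexed user, uint256 amount);

    constructor() { owner = msg.sender; }

    function register() external {
        require(!registered[msg.sender], "already registered");
        registered[msg.sender] = true;
        claimedUpTo[msg.sender] = cumulativePerUser; // not entitled to earlier distributions
        userCount++;
    }

    /// O(1) regardless of how many users are registered: nothing for an
    /// attacker to grow. Division dust stays in the contract.
    function distribute() external payable {
        require(msg.sender == owner, "not owner");
        require(userCount > 0, "no users");
        cumulativePerUser += msg.value / userCount;
    }

    /// Each user pays the gas for their own withdrawal; a failing recipient
    /// blocks only itself.
    function withdraw() external {
        require(registered[msg.sender], "not registered");
        uint256 amount = cumulativePerUser - claimedUpTo[msg.sender];
        require(amount > 0, "nothing owed");
        claimedUpTo[msg.sender] = cumulativePerUser; // effect before interaction
        emit Withdrawn(msg.sender, amount);
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```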

Oracle Staleness and Manipulation

Some contracts interact with oracles, which make off-chain data, such as a Chainlink price feed, available on the blockchain. When interacting with oracles, developers should perform basic sanity checks on the provided data, and it is essential to have a backup plan in case the oracle fails.

For instance, contracts should always check that the data is not stale, by verifying that the timestamp of the last data point is not further in the past than a specified threshold. They should also check that the data is not an anomalous value such as zero or a negative number. In these cases, the contract should fall back to a sensible default or pause the application until the feed starts reporting correct data again.

To avoid some of the issues mentioned above, developers should use only high-quality oracles. Some sources, such as pricing data read from an automated market maker (AMM), cannot be relied upon because their values may be manipulated, and such manipulation then ripples into your application as well.
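Added example, not code from the original post: a consumer of a Chainlink-style price feed that applies the staleness and zero/negative checks described above, offers both the "sensible default" and the "pause" responses, and is restricted to a single configured feed. The AggregatorV3Interface subset mirrors Chainlink’s real signatures; the feed address, maximum age and contract names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Subset of Chainlink's AggregatorV3Interface (same signatures as the real one).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Reads a price feed and refuses to act on stale or anomalous data.
contract PriceConsumer {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxAge; // seconds after which a price counts as stale
    address public immutable owner;
    bool public paused;

    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error InvalidPrice(int256 answer);
    error FeedPaused();

    constructor(address feedAddress, uint256 maxAgeSeconds) {
        require(feedAddress != address(0) && maxAgeSeconds > 0, "bad config");
        feed = AggregatorV3Interface(feedAddress);
        maxAge = maxAgeSeconds;
        owner = msg.sender;
    }

    /// Returns the latest trusted price in the feed's own decimals, or reverts.
    /// Reverting is the "pause until the feed recovers" strategy; callers that
    /// prefer a sensible default can use getPriceOrDefault instead.
    function getPrice() public view returns (uint256 price, uint8 dec) {
        if (paused) revert FeedPaused();
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice(answer); // zero or negative is anomalous
        if (updatedAt == 0 || updatedAt > block.timestamp || block.timestamp - updatedAt > maxAge) {
            revert StalePrice(updatedAt, maxAge);
        }
        return (uint256(answer), feed.decimals());
    }

    /// Same checks, but falls back to a caller-supplied default instead of
    /// reverting; the second return value tells the caller which one it got.
    function getPriceOrDefault(uint256 fallbackPrice) external view returns (uint256, bool fresh) {
        try this.getPrice() returns (uint256 p, uint8) {
            return (p, true);
        } catch {
            return (fallbackPrice, false);
        }
    }

    /// Circuit breaker for when the feed is known to be misbehaving.
    function setPaused(bool p) external {
        require(msg.sender == owner, "not owner");
        paused = p;
    }
}
```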

Conclusion: Solidity Security Vulnerabilities

Solidity is a powerful language, but it’s easy to make mistakes that lead to severe vulnerabilities. These are only a small sample of the many vulnerabilities that can damage a smart contract. Therefore, before going live on mainnet, it’s essential to audit your code.

You can also use tools like the Dedaub Security Suite to catch issues early. This tool helps you find and fix vulnerabilities in your smart contracts, giving you confidence in your code before deployment. Create your free account today at app.dedaub.com

SEAL 911: A Few Lessons from the Frontlines

Today, I’d like to share my personal experience as a member of SEAL 911, the emergency hotline that assists Web3 projects in protecting their assets in case of hacks or malicious attacks.

I’ve been part of SEAL 911 since October 2023, and I have witnessed:

  • Numerous vulnerability disclosures.
  • War rooms set up to prevent the exploitation of live vulnerabilities or to help protocols that were actively being exploited.
  • Many cases where individuals’ funds were stolen through investment scams, phishing attacks, or even drainer malware.

I had the opportunity to see many of the industry’s top security experts in action and gain useful insights.

Aside from addressing code vulnerabilities, SEAL 911 can also provide significant assistance in the area of on-chain forensics. Although this requires considerable time and effort, members of SEAL have been able to track the movement of stolen funds and provide victims with helpful information to report to law enforcement authorities. By effectively coordinating with authorities, the victim can often freeze stolen funds and even identify the perpetrators of the malicious activities.

With the increase in cryptocurrency capitalization, bad actors will continue attempting to steal funds from users by exploiting code vulnerabilities, stealing users’ wallet information, or even tricking users into sending the funds themselves. This poses a threat to the security of DeFi. As we have seen repeatedly, the most vulnerable group is non-tech-savvy regular users, so it is important to spread good operational security (op-sec) practices and fundamental cryptocurrency knowledge to the public.

What is Security Alliance (SEAL)

Security Alliance (SEAL), established with the support of blockchain innovators, has rapidly become a key asset of Web3 security. Before its public debut on February 14, 2024, SEAL connected users, developers, and experts to offer free Web3 simulation exercises.

SEAL’s goal is to improve the security of the blockchain and cryptocurrency ecosystem by supporting security researchers and removing barriers that could prevent them from taking immediate action to safeguard protocols. The initial members include the security teams at Paradigm, a16z crypto, and Dedaub, who have played a key role in significant recovery efforts. SEAL’s programs include rapid response, legal assistance, and developer security training.

The Security Alliance (SEAL) offers several initiatives to enhance security. These include SEAL 911, a 24/7 emergency response hotline, and SEAL Wargames team exercises designed to identify and address vulnerabilities. Additionally, the Whitehat Safe Harbor Agreement provides legal protection for white-hat hackers participating in fund rescues, and the Legal Defense Fund supports researchers dealing with legal challenges. SEAL operates as a US 501(c)(3) nonprofit organization with the mission to protect the decentralized internet. For more information, please visit the Security Alliance.

What is SEAL 911?

SEAL 911 is a 24/7 emergency hotline for incident response, vulnerability disclosures, and other security issues in blockchain and crypto. It provides immediate assistance to address security threats quickly, ensuring expert help is available to mitigate risks and prevent damage.

  • Collaborative Defense: Working quickly with platform teams to temporarily pause contracts that have been hacked, when applicable.
  • Evolving Threats: Growing sophistication in cyberattacks requiring advanced strategies.
  • Rapid Response: Speed and coordination prevent losses and restore confidence.

What Are the SEAL Wargames?

SEAL conducts SEAL Wargames and red team exercises to help developers prepare for security incidents. These simulated attacks help identify weaknesses and improve defense strategies. Many developers have never experienced the high-intensity environment of a security incident before. It can be challenging to stay focused and productive when every second could potentially mean millions of additional dollars lost to attackers. The SEAL Chaos Team provides projects with the resources and training to respond to the worst-case scenarios.

Each wargame consists of two phases:

1. A tabletop exercise in which the Chaos Team presents hypothetical attack scenarios to project developers and notes potential weaknesses.

2. A simulated attack in which the Chaos Team exploits a vulnerability on a test network and challenges the project developers to set up an incident war room, triage the exploit, and remediate the situation.

Yannis Smaragdakis and I from the Dedaub security research team are currently active members of SEAL 911.

Conclusion

As a member of SEAL 911, I have seen firsthand how critical our role is in securing the Web3 ecosystem. The collaborative efforts and rapid response capabilities we’ve developed are essential in combating the evolving threats in the crypto space. Working with some of the brightest minds in the field has been invaluable, and I’m proud to contribute to a safer, more resilient blockchain community.

Key Updates and New Features in Dedaub Security Suite

Dedaub Security Suite is renowned for its powerful EVM bytecode decompiler, which users have hailed as the best in the industry. Just as a quick sample of how much it’s appreciated, one testimonial reads, “I love the Dedaub decompiler—No other tool even comes close to what Dedaub has created.” The Dedaub Security Suite is a collection of web3 security technology tools, with the decompiler being the most popular in the community. In this blog post, we share our suite’s latest milestones, new features, and platform improvements.

Enhanced EVM bytecode Decompiler Insights

Our decompiler now extracts additional information about high-level storage and memory structures, such as mappings, arrays, and structs. This enhancement provides deeper insights into your contract’s storage and memory, enabling a more thorough analysis and understanding of on-chain bytecode.

Expanding Our Chain Support

We’re proud to announce the recent addition of Binance (@BNBCHAIN), Blast (@blast-l2), and Polygon (@0xPolygon) to our Dedaub Security Suite, which now fully supports eight major EVM chains.

Our ongoing expansion aims to provide a comprehensive security technology solution for all EVM-compatible ecosystems, ensuring your projects remain secure across multiple platforms.

Advanced Pre-Deployment Analysis

Our platform now includes enhanced analysis capabilities, particularly for pre-deployment “Projects.” This feature enables precise fuzzing of undeployed contracts, which significantly improves our static analysis engine.

These improvements drastically reduce analysis timeouts without compromising precision and completeness, ensuring faster and more accurate results.

On-Demand Analysis with GPT Integration

Dedaub Security Suite now offers on-demand analysis of project contracts using GPT technology. Leveraging advanced GPT prompts, our platform provides detailed insights that complement our traditional static analyses. This feature helps uncover hidden issues and suggests improvements, presenting findings succinctly with inline code snippets for easy inspection.

Customizable On-Chain Transaction Monitoring

Our customizable blockchain monitoring solution uses an enhanced PostgreSQL database to detect on-chain activity, schedule periodic executions, and create custom alerts. For instance, you can set up a monitoring agent to identify large fund transfers to or from a yield farming vault.

Create Your Free Account and Access the Dedaub Decompiler

Sticking to our mission, “… to ensure the integrity of the blockchain ecosystem by transforming complex smart contracts into clear, secure, and reliable systems,” Dedaub is committed to contributing to web3 security by offering the entire community free access to our advanced technology. Create your free account today and access the powerful Dedaub decompiler.

Security Researcher

About Dedaub

Dedaub helps secure some of the world’s leading blockchain protocols. Dedaub combines high-end security, blockchain, and program analysis research and a real-world attacker mentality to reduce risk and fortify code.

The Dedaub team has a strong research background and seeks both to understand existing blockchain protocols and to expand knowledge on program analysis and blockchain infrastructure. Our security research team is composed of experts in program analysis, compilers, cryptography, mathematics and finance with a keen eye for applying research and developing custom tools to enhance our capabilities. As an application security engineer, you will be part of a skilled team that reviews code running on programmable blockchains, most notably on Ethereum.

Responsibilities:

– Review complex, high-assurance smart contract code.
– Advise our clients so they can make informed decisions about risk to their systems.
– Provide value to our clients through your expertise and experience, assisting the team in helping them solve hard security problems.
– Apply your engineering skills to build custom tools to rapidly assess, explore, or secure the code that we work with.
– Continually enhance your skills by engaging in personal and professional development opportunities.

Skills Sought

– Experience with low-level software, either as an engineer or security researcher.
– Background in computer science or math to read relevant academic research.
– Background in or prior regular use of programming language theory a plus.
– Mathematical aptitude, able to understand mathematical models for financial instruments.
– Familiarity with lean development, GitHub, and modern software engineering practices.
– Proficiency in one or more programming languages (we use Solidity, Python, Datalog, C++ and Go).
– Strong debugging skills and/or experience with reverse engineering.
– Ability to communicate well, orally and in writing, and to participate in deep technical discussions.
– Self-motivation and ability to drive new projects.
– Motivation to learn new technologies.

Benefits

– Internationally competitive salary
– End-of-year bonuses based on company, team, and personal performance
– Remote & flexible working arrangements
– Research Opportunities
– Personal equipment of your choice

Audits

Dedaub’s Terms of Service (the “Agreement”) are a legal agreement between You as the Client and Dedaub Ltd. (“Dedaub”, “We”, “Us” and “Our”), a private limited liability company registered under the Laws of Malta with company number C99606, collectively referred to as Parties. By using our services, You agree to be bound by these Terms of Service and all terms incorporated by reference.

There are important terms provided below including your indemnification responsibilities, our limitation of liability and warranty disclaimers, and your agreement to arbitrate disputes. Please take the time to read these terms of service carefully. You can always contact us at legal@dedaub.com if you have any questions.

  1. Service Summary: An “Audit” is a careful inspection of your project’s code by expert human inspectors, aided by Dedaub’s proprietary analysis tools, off-the-shelf tools, and other techniques in accordance with state-of-the-art practices. The findings of this exercise will be detailed in an audit report. This report will rank issues as “Critical”, “High Severity”, “Medium Severity”, “Low Severity”, and “Advisory Suggestions”.

  2. Project Preparation: Prior to an audit you shall provide Dedaub with succinct, but sufficient, documentation about the project to be audited. You shall make sure that the project compiles and is operational by the time an audit begins, and maintain timely communication throughout the audit period.

  3. Access to Dedaub Security Suite: The project’s code will be uploaded to the Dedaub Security Suite to run initial vulnerability discovery, and Dedaub will grant 30-day free access to the platform up to 5 email addresses of the Client personnel involved in the audit negotiation and audit code review.
  4. Transparency: Dedaub reserves the right to publish the Audit report on Dedaub’s website or other repository. Likewise, you reserve the right to publish it, in full, without making any modifications to it. However, should you want us to not publish the report, let us know within 24 hours of delivering it to you and we will accommodate your request.

  5. Scope of an Audit: The scope of the auditing shall be specifically security considerations, not functional correctness. Therefore, the auditing will be aimed at detecting the potential for malicious use of the contracts, and on cryptoeconomic considerations (e.g., price manipulation or forced unprofitable exchanges), and not on ensuring functionality and correctness of business logic (e.g., numeric calculations specific to the business domain), unless specific properties of numerical correctness are specified up front as being required of Dedaub. Throughout the validity of this Agreement, the Parties shall be free to agree on the provision of additional services by Dedaub and on the relative terms and conditions.

  6. Assumption of Risk: You warrant to fully understand: (a) that there are inherent risks associated with blockchain-based software systems, and that (b) additional risks to the Services and blockchain-based technologies may be present as a result of advances in code-cracking or technical advances, such as novel flaws identified in cryptography. You acknowledge that these risks could result in the loss or theft of crypto tokens or property.

  7. Indemnification: You shall defend, indemnify, and hold harmless Dedaub (and each of our officers, directors, members, employees, agents and affiliates) from any claims, damages, proceedings, costs and expenses resulting from any breach of any representations, warranties, covenants or agreements of the Client in this Agreement or at law.

  8. Limitations:
    1. Audits and other services provided by Dedaub are not a warranty on the security and/or functionality of the systems audited and you assume any and all risks and losses.

    2. Dedaub will not be liable to you (whether under the law of contract, the law of tort or otherwise) in relation to the service provided:
      1. for any direct, indirect, special or consequential loss; or

      2. for any business losses, loss of revenue, income, profits or anticipated savings, loss of contracts or business relationships, loss of reputation or goodwill, or loss of cryptocurrency/tokens/NFTs or data or any other loss, or any other damages in general.

      3. These limitations of liability apply even if you have been expressly advised of the potential loss.

    3. In any event, Dedaub’s total maximum aggregate liability under this Agreement, shall not exceed the audit fees.

  9. Use of Marks: Each Party agrees that the other Party and/or its affiliates are the sole owners of their respective Marks. “Marks” means the trade names, trademarks, service marks, logos or other commercial symbols of a Party hereto or any of its affiliates. Notwithstanding the aforementioned, both Parties are granted a non-exclusive, revocable, non-transferable, and limited right to use and display the other Party’s Marks for the specific purpose of marketing and promotion directly associated with the services and obligations outlined within this Agreement. Any use of the other Party’s Marks must be in accordance with the specifications and guidelines provided by the owning Party and must not harm or diminish the value of the Marks.

  10. Relationship of the Parties: Nothing contained in this Agreement shall be interpreted or construed to create a partnership, agency, single employer, joint employer or any other type of employment relationship between the parties hereto, or to impose liability attributable to such relationship upon either party. Neither party will have any right, power or authority to enter into any agreement on behalf of, to incur any obligation or liability of, or to otherwise bind the other party.

  11. Non-solicitation: During the entire term of service, and for a period of two years after termination of any relationship between the Parties, the Parties agree to not, either directly or indirectly, recruit, solicit, or induce, or attempt to recruit, solicit, or induce, any of the other Parties’ employees, partners, contractors or collaborators to work for or with the other party in any respect, or to in any manner render services to such other Party.

  12. Prices: Prices and fees include all taxes levied by Malta but exclude taxes levied in your jurisdiction. For cryptocurrency payments (if any), the value of any cryptocurrency for the purposes of payment fulfillment will be the value in USD at NYSE closing time (4 PM EST/EDT) on the day prior to the due date (as provided at https://messari.io/) on the issued invoice.

  13. Severability: If any of the provisions or portions thereof of this Agreement are found to be invalid under the applicable law, then, that provision notwithstanding, this Agreement shall remain in full force and effect and any such provision or portion thereof shall be deemed omitted.

  14. Survival: Rights and obligations under this Agreement which by their nature are intended to survive termination, including without limitation the indemnification and liability limitations provisions set forth in this Agreement, shall remain in full effect after termination or expiration of the Agreement.

  15. Governing Law and Arbitration: This Agreement is governed by and construed in accordance with the laws of Malta. Any dispute, controversy or claim arising out of or in relation to this Agreement, including the validity, invalidity, breach or termination thereof, shall be finally settled by arbitration in accordance with the provisions of Part IV (“Domestic Arbitration”) of the Arbitration Act (Chapter 387 of the Laws of Malta) and the Arbitration Rules made thereunder, as in force on the date of commencement of the relevant dispute.

Terms of Service – App

Dedaub’s Terms of Service (the “Agreement”) are a legal agreement between You as the Client and Dedaub Ltd. (“Dedaub”, “We”, “Us” and “Our”), a private limited liability company registered under the Laws of Malta with company number C99606. By using our services, you agree to be bound by these terms of service and all terms incorporated by reference.

Dedaub provides a subscription software (the “Service”) over supported EVM-based blockchain protocols. The Service combines static application security testing (SAST), theorem proving techniques, realtime blockchain monitoring, and fuzzing.

Prior to giving You access to some features of the Service, Dedaub may ask You for cryptographic proof that You are a member of a Protocol’s development team, and that your Protocol (the “Protocol”) is not an unmodified fork of another well-known Protocol.

The security analyses provided through the Service are designed to find security weaknesses in Smart Contracts. Some of these analyses may detect potential for malicious use of the contracts, for instance, potential cryptoeconomic weaknesses (e.g., price manipulation or forced unprofitable exchanges). The Service, however, does not ensure the correctness of the business logic.

There are important terms provided below including your indemnification responsibilities, our limitation of liability and warranty disclaimers, and your agreement to arbitrate disputes. Please take the time to read these terms of service carefully. You can always contact Us at legal@dedaub.com if you have any questions.

  1. Service:
    1. We agree to grant You an unlimited, worldwide and non-exclusive right to use the Service, subject to limitations of the pricing tier you have subscribed to.
    2. You agree to use the service solely and exclusively in terms of the present Agreement and shall ensure that such Service is not used by any other third party.

    3. You agree not to transfer, share or assign your right to use and access the Services and will not tolerate or permit any third party from accessing or using the Services.

    4. You agree to not share or distribute in any manner, in whole or in part, any content forming part of the Service.

    5. You agree not to alter or attempt to alter or do anything that may potentially alter the software which is in any manner related to the Service.

  2. Consideration:
    1. By way of consideration for the Service, You shall pay Dedaub the sum indicated within the relevant pricing plan at the applicable service tier. Such sum is exclusive of Taxes imposed by your jurisdiction if due, and this sum shall be settled on a quarterly basis and in advance, to be reckoned from the start of your service. Payments are due without the need of a request to be made by Dedaub.
    2. In the event that the present Agreement is renewed, the same terms shall apply, provided, however, that on a yearly basis, We shall have a right, saving any other Agreement as may be reached with Dedaub, to increase the price due for the service. In the event that We would be exercising this right to increase the price, then We shall give notice in writing of such increase thirty (30) days before the commencement of the billing period on which such increase would become first applicable.
    3. If you move to a higher tier of a paid plan, the change will take effect immediately and we will charge You for the additional fees associated with the new paid plan on a pro-rata basis. If You move to a lower tier of a paid plan, the fee change will take effect in the next billing cycle. You acknowledge that You will not receive a refund for the then-current billing cycle if You move to a lower tier of a paid plan, or to a non-payment subscription plan.
    4. In the event that You do not pay any amount due upon the day when the same falls due, automatically interest shall be chargeable, ipso jure, on any balance due from the relative payment at the highest rate permissible by law.
    5. You agree that in the event that You would need to carry out any works, upgrade any of your systems, alter your hardware, software or other infrastructure in order for You to be able to receive the Service, or to continue to receive the Service, any related costs shall be solely and exclusively incurred by You. You shall have no right to request any compensation, redress, reimbursement or discount from Dedaub, even in the event that the need for such expense is brought about by a change on our part.
  3. Continued Service:
    1. We shall use all reasonable efforts in order to ensure that availability of the Service in terms of this Agreement is maintained throughout the whole term of this Agreement, provided, however, that You recognize and accept that we are not in any manner promising or guaranteeing availability at all times. Among other things, service may be interrupted, directly or indirectly, due to the following and in such cases, interruption shall not be deemed to constitute a breach on our part:
      1. Any failure or fault on any system or infrastructure on which we rely on, in providing the Service;
      2. Any failure or fault of any system upon which You rely on in making use of the Service;
      3. Any breach of this Agreement, whether direct or indirect, on your part;
      4. Any event of force majeure;
      5. Any scheduled maintenance which may be necessary.
    2. Provided, however, that in the event that You are, at any point, in default of payment of any amount due in terms of this Agreement to Dedaub, and we have also given You notice requesting payment to be effected within fifteen (15) days from such notice being given, then we may, upon the lapse of such fifteen (15) day period, suspend the provision of service without any right of recourse or any right to damages. Any such suspension shall be without prejudice to our right to collect any amounts due to us in terms of this Agreement.
    3. We shall have the right to interrupt services for the purpose of maintenance of our systems, provided that where practicable we shall give You reasonable prior notice thereof.
  4. Intellectual Property: Any intellectual property rights in any manner connected or related to the Service shall remain our sole and exclusive property and nothing in this Agreement shall be construed in any manner as assigning or transferring any such rights to You.
  5. Data Use and Processing:
    1. You are granting Dedaub the widest and broadest right to make use of any of your data as may be required in the provision of the Service, in the execution of Our obligations and exercise of Our rights in terms of this Agreement and in terms of the law.
    2. You confirm and warrant that any data You make available to Dedaub does not infringe any rights of third parties, including intellectual property and other proprietary rights.
    3. You agree that such obligations shall survive any expiration or early termination of the present Agreement.
  6. Accuracy and Legality: It is your sole responsibility to ensure that all information or data provided to Dedaub is accurate, legitimate and conforms to all applicable legal requirements. Dedaub shall in no event assume any responsibility for any inaccuracies in the information or data provided by You if it infringes any laws and regulations, including but not limited to, intellectual property regulations. In this regard, you shall fully indemnify and hold Dedaub harmless against all claims or demands (including legal and other professional fees and expenses) which We may suffer arising from or in connection with any inaccuracies or infringement in information or data provided.
  7. Data Protection: We shall comply with all Applicable Laws when carrying out this Agreement, in particular:
    1. We shall keep your personal data logically separated from personal data processed on behalf of any third party;
    2. We will entrust only persons (whether natural or legal) with the Processing under this Agreement who maintain confidentiality and have been informed of any special data protection requirements relevant to their work;
    3. We shall cooperate, on request, with the relevant data protection supervisory authority in the performance of its tasks;
    4. We shall undertake reasonable efforts to support you if you are subject to inspection by the supervisory authority, an administrative or summary offense or criminal procedure, a liability claim by a data subject or by a Third Party or any other claim in connection with this Agreement;
    5. We shall periodically monitor the internal processes and the technical and organizational measures to ensure that processing of personal data is in accordance with the requirements of applicable law and the protection of the rights of the data subject.
  8. Authority to Enter Agreement: Each Party warrants and declares that it has the right and authority to enter into the present Agreement.
  9. Assumption of Risk: You fully understand: (a) that there are inherent risks associated with blockchain-based software systems, and that (b) additional risks to the Services and blockchain-based technologies may be present as a result of advances in code-cracking or technical advances, such as novel flaws identified in cryptography. You acknowledge that these risks could result in the loss or theft of crypto tokens or property.
  10. Acceptable Use: When accessing or using the Services, You agree that You will not violate any law, contract, intellectual property or other third-party right or commit a tort, and that You are solely responsible for your conduct while using our Services. Without limiting the generality of the foregoing, You agree that You will not:
    1. Use our Services to exploit or harm in any way third party protocols;

    2. Cause any damage to Dedaub, our infrastructure, our software or our other clients;

    3. Use any robot, spider, crawler, scraper or other automated means or interface not provided by us to access our Services or to extract data;

    4. Use or attempt to use another user’s account without authorization;

    5. Access or use the Services for the benefit of one of Our direct competitors or access the Services for the purpose of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purposes;

    6. Encourage or induce any third party to engage in any of the activities prohibited under this Section.

  11. Indemnification: You shall defend, indemnify, and hold Us harmless (and each of Our officers, directors, members, employees, agents and affiliates) from any claims, damages, proceedings, costs and expenses resulting from any of your breaches of any representations, warranties, covenants or Agreements with Us.

  12. Limitations:
    1. The Service does not provide a warranty on the security and/or functionality of the systems and You assume any risks and losses, and You declare not to hold Dedaub liable to any degree for any loss of whatever nature, irrespective of the services which may have been provided by Dedaub.

    2. Dedaub will not be liable to You (whether under the law of contract, the law of tort or otherwise) in relation to the service provided:
      1. for any direct, indirect, special or consequential loss; or

      2. for any business losses, loss of revenue, income, profits or anticipated savings, loss of contracts or business relationships, loss of reputation or goodwill, or loss of cryptocurrency/tokens/NFTs or data or any other loss, or any other damages in general.

      3. These limitations of liability apply even if You have been expressly advised of the potential loss.

    3. Dedaub and any of its directors, officers, employees and contractors will not be liable to You except by reason of acts constituting bad faith of Dedaub or willful misconduct or reckless disregard of our duties. The Parties hereto recognize and accept that the effectiveness of the Services is not guaranteed or warranted by Dedaub in any respect whatsoever.

    4. In any event, Dedaub’s total maximum aggregate liability under this Agreement shall not exceed the fees You paid to Dedaub over the last 12 months.

  13. Relationship of the Parties: Nothing contained in this Agreement shall be interpreted or construed to create a partnership, agency, single employer, joint employer or any other type of employment relationship between the parties hereto, or to impose liability attributable to such relationship upon either party. Neither party will have any right, power or authority to enter into any agreement on behalf of, to incur any obligation or liability of, or to otherwise bind the other party.

  14. Updates to the Agreement: We periodically update the terms of this Agreement. If You have an active Dedaub account, we will notify You of updates via an email or a notification on the Dedaub platform. Unless the notice states otherwise, the updated terms of this Agreement will become effective and binding on the next business day after they are posted.

  15. Subcontracting: We may sub-contract, in whole or in part, any of our obligations in terms of this Agreement to third parties.

  16. Severability: If any of the provisions or portions thereof of this Agreement are found to be invalid under the applicable law, then, that provision notwithstanding, this Agreement shall remain in full force and effect and any such provision or portion thereof shall be deemed omitted.

  17. Survival: Rights and obligations under this Agreement which by their nature are intended to survive termination, including without limitation the indemnification and liability limitations provisions set forth in this Agreement, shall remain in full effect after termination or expiration of the Agreement.

  18. Governing Law and Arbitration: This Agreement is governed by and construed in accordance with the laws of Malta. The parties agree that any dispute or claim arising out of or in connection with this Agreement or its subject-matter shall be subject to the exclusive jurisdiction of the Malta Arbitration Center in accordance with the Arbitration Act (Cap. 387 of the Laws of Malta) and the arbitration rules of the Malta Arbitration Center in force at the time of the dispute. Dedaub shall retain the right, at its option and for its exclusive benefit, to institute proceedings regarding or relating to Your use of the Service in the courts of law of the country in which You reside.

  19. Waiver of Jury Trial: You and Dedaub each waive your rights (if applicable) to a trial by jury relating to all claims and causes of action (including counterclaims) related to or arising out of this Agreement. This waiver shall also apply to any subsequent amendments or modifications to this Agreement.

  20. No Class Actions: All claims between the parties, including parent companies and subsidiaries, related to this Agreement will be litigated individually and You will not consolidate or seek class treatment for any claim with respect to the Services.

Non-Disclosure Agreement

Dedaub has a balanced Mutual Non-Disclosure Agreement (MNDA). We sign MNDAs with potential and current users/customers and suppliers as needed, free of charge. In doing so we commit to safeguarding their confidential information as laid down in the provisions of the MNDA. In return we seek the same commitment via this mutual agreement.

You can review and digitally sign a copy of our Mutual Non-Disclosure Agreement. Once you sign the agreement, you will receive a fully executed downloadable copy via email.


Privacy Policy

We will NEVER sell Your Personal Data to Third Parties.

Dedaub will only share or disclose Personal Data as described in this Privacy Policy.

This Privacy Policy applies to Personal Data processed by Dedaub Ltd. (“Dedaub”, “We”, “Us” and “Our”) when You visit dedaub.com in addition to any sub-pages that are integrated within it (the “Site”); and/or make use of Dedaub’s Software.

This Privacy Policy explains what Personal Data We collect through Our Site and Software, how and why We collect it, how We use and disclose the Personal Data We collect and information on how to exercise privacy rights over this Personal Data.

We may revise this Privacy Policy from time to time but We will never do so in a manner that compromises Our commitment to respect the privacy of individuals. The most current version of this Privacy Policy governs Our practices for collecting, processing, and disclosing Personal Data. We will provide notice via email to Our Customers and on this page of any material modifications to this Privacy Policy. Continued use of Our Site and/or Software and/or Services following the effective date of any modifications will constitute acceptance of the modified Agreement (this includes Our Terms of Service and this Privacy Policy).

All capitalized terms in this Privacy Policy shall have the same meaning as defined in the Terms of Service and in the Applicable Law.

The rest of this policy applies to Personal Data Dedaub collects from visitors to Our Site (dedaub.com) or any of Our sub-sites, software, or sub-domains (e.g. app.dedaub.com).

Any Personal Data provided by a visitor to Our Site will be used only as described in this Privacy Policy.

Usage Data

When someone visits the Dedaub Site, We may store the name of their internet service provider, the website they visited Us from, the parts of Our Site they visit, the date and duration of the visit, and information from the device (e.g. device type, operating system, screen resolution, language, country You are located in, and web browser type) used during their visit. We process this usage Data to facilitate access to Our Site (e.g. to adjust Our Site to the devices that are used).

We temporarily store IP addresses of visitors to Our Site for associated performance metrics (i.e. data related to how well Our Software performs on Our Site) and to monitor and track application errors. We will not access these IP addresses without an operational or security need. We automatically delete these IP addresses within thirty (30) calendar days. The legal basis for this data processing is Article 6(1)(f) GDPR.

We also process usage Data in an aggregated or de-identified form for statistical purposes and to improve Our Site.

Cookies

Cookies are small data files transferred onto computers or devices. Dedaub uses cookies to process information including standard internet log information and details of the visitor’s behavioral patterns upon visiting Our Site. This is done to:

  • operate Our Site;
  • provide visitors to Our Site with a better experience by providing Us with insights on how visitors use Our Site; and
  • for marketing purposes.

For more info about the cookies We make use of, please visit Our Cookie Information Page.

Contact with Us via email

Visitors to Our Site have the opportunity to contact Us to ask Us questions, for example via the contact form, where We ask for contact information (e.g. name, email address etc.). We use this data solely in connection with answering the queries We receive.

If a visitor to Our Site receives emails from Us, We may use certain analytics tools, to capture data such as when the email is opened or when any links or banners in the email have been clicked. This data helps Us to gauge the effectiveness of Our communications and marketing campaigns.

The legal basis for this processing is Article 6(1)(f) GDPR.

Access and Disclosure to Third Parties

We use a select number of trusted external service providers for certain technical data analysis, processing and/or storage offerings (e.g., IT and related services). These Third Party service providers are carefully selected and meet high data protection and security standards. We only share Data with them that is required for the services offered and We contractually bind them to keep any information We share with them as confidential and to process Personal Data only according to Our instructions. The legal basis for such processing would be Article 6(1)(f) GDPR.

In addition to service providers, other categories of Third Parties may include:

  • Vendors/public institutions. To the extent that this is necessary in order to make use of certain services requiring special expertise (such as legal, accounting or auditing services) We may share Personal Data with vendors of such services or public institutions that offer them (e.g. courts). The legal basis of this data processing is Article 6(1)(f) GDPR.
  • Disclosure in the Event of Merger, Sale, or Other Asset Transfers. If We are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, then Data may be sold or transferred as part of such a transaction, as permitted by law and/or contract. The legal basis for such processing would be Article 6(1)(f) GDPR.

Other than the cases mentioned above, We will only transfer Personal Data to Third Parties without express consent in accordance with Article 6(1)(a) GDPR or if We are obliged to do so by statutory law or by instruction from a public authority or court as outlined in Our Terms of Service.

Communication Purposes

We may occasionally send notification emails about updates to Our product, legal documents, customer support or for marketing purposes. To the extent required by Applicable Law, We will only send such messages if We have obtained consent in accordance with Article 6(1)(a) GDPR. In all other cases, the legal basis of this data processing is Article 6(1)(f) GDPR.

Except for cases where We are required to do so by law (e.g. notification of a data breach), recipients of Our communication shall have the opportunity to unsubscribe from receiving these messages free of charge. We process requests to be placed on do-not-contact lists as required by Applicable Law.

Marketing Purposes

We occasionally use Personal Data given to Us by Dedaub’s Customers, Users and/or visitors to Our Site to target advertisements to potential new Customers that appear to have shared interests or similar demographics. The legal basis of this data processing is Article 6(1)(f) GDPR.

We do this by sharing Personal Data with Third Party marketing platforms that have high privacy and confidentiality standards and which have gone through a legal and security review by Dedaub. This ensures that these Third Parties cannot do anything with the Personal Data We provide them other than use it for the express purpose of providing Us with the marketing services We contract them for.

This Personal Data is only shared with these Third Parties through secure and encrypted means. If You wish to opt out of this processing activity, please contact Us at legal@dedaub.com with the subject line “Opt-Out of Marketing”.

Compliance and Protection

We may use Personal Data to (legal basis for the respective processing in parentheses):

  • protect Our, Our Customers’/Users’, visitors’ to Our Site or Third Parties’ rights, privacy, safety or property including by making and defending legal claims (Article 6(1)(b), (c) or (f) GDPR);
  • audit Our internal processes for compliance with legal and contractual requirements and internal policies (Article 6(1)(f) GDPR);
  • enforce Our Terms of Service (Article 6(1)(b) or (f) GDPR);
  • protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft (Article 6(1)(f) GDPR); and
  • comply with the Applicable Law, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities (Article 6(1)(c) or (f) GDPR).

Benchmarking

Dedaub reserves the right to use and retain Data in a de-identified and/or aggregated form to improve Our Site and/or Software and for statistical and benchmarking purposes, including enabling comparisons within the same industry to enhance the insights collected through Our Site and Software. Benchmarks look at all collected metrics and compare them to others of the same nature. These de-identified and/or aggregated benchmarks may be published and shared publicly within Our Software or in the form of other content We publish which may show a summary of results for a certain category or question type.

No Data which can individually identify Our Customers or their end-users will ever be shown in this statistical or benchmark data.

The legal basis for aggregating/anonymizing this Personal Data is Article 6(1)(f) GDPR.

Intra-group sharing of User and visitor Data

In the course of our normal operations, Dedaub may share Data (e.g. name and contact details) of Users of Dedaub accounts and visitors of Our Site (dedaub.com) with other entities in our group.

The purpose of sharing this Data is to pursue synergies in sales strategies. The legal basis of this Data processing is Article 6(1)(f) GDPR.

The use of any Personal Data for marketing purposes is subject to the prior consent of the data subject, i.e. the natural person to whom the communication shall be sent. You may withdraw Your consent at any time with future effect. The legal basis for this data processing is Your consent in accordance with Article 6(1)(a) GDPR.

If You would like more information in this regard or would like to exercise Your rights as described in this Privacy Policy, please contact Us through our Contact Details.

Other Purposes with Your Consent

In some cases, We may ask You for consent to collect, use or share Personal Data for other purposes. For example, We may ask You for consent to send marketing emails where required by law or to post testimonials or endorsements. In such cases, there will always be the ability to deny or revoke consent if desired. The legal basis for the data processing is under Article 6(1)(a) GDPR.

Duration of Processing

Unless a different timeframe has been specifically stated in this Privacy Policy or in Our Pricing Page, Personal Data will be retained for as long as is necessary for the purpose(s) for which We originally collected it or to provide Our Software, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, and enforce Our Agreement. We may also retain information as required by Applicable Law.

International Transfers of Personal Data

In most cases, Personal Data We collect is stored in the EU. However, in some limited cases, customer information may be accessed from, or other Personal Data (e.g., email) may be transferred, outside of the EU. These countries may have different data protection laws. Dedaub endeavors to ensure appropriate safeguards are in place requiring that Personal Data will remain protected. Dedaub has concluded Standard Contractual Clauses with entities who We share Personal Data with outside of the EU.

Children’s Information

Dedaub’s Software and Services are not directed to children under 13 (or other age as required by local law), and We do not knowingly collect Personal Data from children. If you learn that your child has provided Us with Personal Data without your consent, you may contact Us through Our Contact Details below. If We learn that We have collected a child’s Personal Data in violation of Applicable Law, We will promptly take steps to investigate this, delete such information and terminate the child’s account. We will also make sure to have preventive measures in place for this not to happen again in the future.

Rights over Personal Data

If You’re a visitor to Our Site or a Customer and/or User of Our Software and We have collected Personal Data about You, You have a right to access and to be informed about what Personal Data is processed by Dedaub, a right to rectification/correction, erasure/anonymization and restriction of processing (subject to certain exceptions and other requirements prescribed by law). You also have the right to receive from Dedaub a structured, common and machine-readable format of Personal Data You provided Us.

When You have provided consent, You may withdraw it at any time, without affecting the lawfulness of the processing that was carried out prior to withdrawing it. Whenever You withdraw consent, You acknowledge and accept that this may have a negative influence on the quality of Our Site and/or Software. Please be aware that when You withdraw consent, We may delete the Personal Data previously processed on the basis of Your consent and will not be allowed to keep it further which will mean that it cannot be accessed, downloaded or otherwise secured by You.

In addition, You have the right to lodge a complaint with Your respective data protection authority.

To protect Your privacy, We take steps to verify Your identity before fulfilling Your request. We can only identify You via Your email address and We can only adhere to Your request and provide information if We have Personal Data about You through You having made contact with Us directly and/or You are using Our Site and/or Software.

Sign-in using an external identity provider

If You sign in using an external identity provider such as Google, We will collect and store Your email address, user ID and first and last name (if they are provided). This data is necessary for using Our applications and is not shared with any Third Party unless You give specific consent.

If You are located in California…

This section only applies to Our processing of Personal Data as a “business” under the California Consumer Privacy Act (CCPA).

The CCPA provides California residents with the right to know what Categories of Personal Data Dedaub has collected about them and whether Dedaub disclosed that Personal Data for a business purpose (e.g. to a service provider) in the preceding 12 months.

If You are a California resident and would like to exercise any of Your rights under the CCPA, please contact Us at legal@dedaub.com. We will process Your request in accordance with the Applicable Laws.

Sales of Personal Information Under the CCPA. For purposes of the CCPA, Dedaub does not “sell” Personal Data, nor do We have actual knowledge of any “sale” of Personal Data of minors under 16 years of age.

Non-Discrimination. California residents will have the right to exercise the rights conferred to them by the CCPA.

Authorized Agent. Only You, or someone legally authorized to act on Your behalf, may make a verifiable consumer request under the CCPA. If applicable, You may also make a verifiable consumer request on behalf of Your minor child. To designate an authorized agent, please contact Us at legal@dedaub.com.

Verification. To protect Your privacy, We will take steps to verify Your identity before fulfilling any consumer request under the CCPA. When You make a request, We will ask You to provide sufficient information that allows Us to reasonably verify You are the person We collected Personal Data about or an authorized representative, which may include Your email address.

If You are located in Brazil…

This section only applies to Our processing of Personal Data under the Brazilian Lei Geral de Proteção de Dados (LGPD).

In addition to the rights described above, You also have the right to:

  • access Your Personal Data processed by Dedaub;
  • unless restricted by law, request information about the public and private entities with which We have shared Your Personal Data;
  • oppose to the processing carried out; and/or
  • receive information about the possibility of not providing Your consent and the consequences of such denial.

If You are a Brazilian resident or were in Brazil when Your Personal Data was collected and would like to exercise any of Your rights under the LGPD, please contact Us at legal@dedaub.com. We will process Your request in accordance with the Applicable Laws.

Information about Dedaub

Dedaub is a company headquartered in the European Union (EU) that provides security auditing services and software which keeps Our Customers' projects safe from hackers.

Contact Details

Dedaub Ltd., Malta Life Sciences Park, San Gwann, SGN3000, Malta

Other Forms

The W-8BEN-E form is a document provided by a foreign entity to the United States Internal Revenue Service (IRS) to confirm its status as a non-resident alien or foreign entity for purposes of U.S. income tax withholding and reporting.

W-8BEN-E for Dedaub Ltd

Terms of Service – API

Dedaub’s Terms of Service (the “Agreement”) form a legal agreement between you, the client (“You” or “Your”), and Dedaub Ltd. (“Dedaub”, “We”, “Us”, and “Our”), a private limited liability company registered under the laws of Malta with company number C99606. By using Our services, you agree to be bound by these terms of service and all terms incorporated by reference.

These terms contain important clauses including your indemnification responsibilities, our limitation of liability and warranty disclaimers, and your agreement to arbitrate disputes. Please read these terms of service carefully. Should you have any questions, you can always contact Us at legal@dedaub.com.

  1. Usage Terms
    1. Acceptance of Terms. By accessing or using Our API Services, You agree to be bound by these terms and conditions and all terms incorporated by reference. These terms apply to your access to and use of all Our websites, API Services, associated software, and any information or content appearing therein.

    2. Modification of Terms. We may modify these Terms at any time by posting updated Terms on Our website. It is your responsibility to review these Terms periodically for changes. By continuing to use the API Services after such changes are posted, You agree to be bound by the revised Terms. We will notify you of any material changes to these terms; continued use after such notice will constitute acceptance of the modified terms.

  2. License and Restrictions
    1. Grant of License. Dedaub grants You a limited, non-exclusive, non-transferable, and revocable license to use the API Services to develop, test, or support software applications, websites, or services for software integration with your applications. This license is contingent upon your adherence to these Terms.

    2. Restrictions. You agree not to:
      1. Copy, modify, or reverse engineer Our API Services or content.

      2. Use Our API Services for any illegal or unauthorized purpose.

      3. Transmit any worms, viruses, or any code of a destructive nature.

      4. Breach or attempt to breach any security measures We implement.

      5. Use our API Content to create any software service, product, or solution that directly competes with any of our services.

      6. Manipulate, sell, trade, rent, loan, lease, license, or otherwise provide our API Content or access to our service for commercial purposes unless expressly authorized by us.

      7. Send automated requests to the API in a manner that exceeds reasonable usage limits as determined by us, or which could disrupt service levels.

      8. Engage in any data mining, scraping, or similar data gathering or extraction methods from our website or API, without our prior written permission.

  3. Payments and Billing
    1. Fees. You agree to pay all fees associated with Your subscription and use of Our API Services. We may modify subscription fees with prior notice, and You have the option to terminate Your subscription if you do not agree with the changes.

    2. Billing. Payments are charged on a subscription basis and are non-refundable. You are responsible for all charges, taxes, and bank fees related to the transactions. Subscription cancellations must occur before the next billing cycle to avoid further charges.

  4. Intellectual Property
    1. Ownership. All rights, title, and interest in the API Services and all content provided through the API Services are and will remain the exclusive property of Dedaub and its licensors. No transfer of ownership or rights is implied by these Terms.

    2. Use of Content. Any use of Dedaub’s content other than as specifically authorized herein, without the prior written permission of Dedaub, is strictly prohibited and will terminate the license granted herein.

  5. Legal Compliance and Prohibited Activities
    1. You agree to use the API Services in compliance with all applicable laws and regulations and not to use the API Services for any activities that could result in criminal or civil liability. Prohibited activities include, but are not limited to:
      1. Illegal activities, including but not limited to fraud, money laundering, or the promotion of illegal transactions.

      2. Actions that infringe on the intellectual property or other rights of others.

  6. Disclaimers and Limitation of Liability
    1. Dedaub provides the API Services on an “as is” and “as available” basis. We do not warrant that the API Services will be uninterrupted or error-free. In no event will Dedaub be liable for any indirect, punitive, or consequential damages arising out of or related to this agreement.

  7. Termination and Suspension. Dedaub may suspend or terminate your access to the API Services if you violate these Terms or engage in any activity that may cause legal liability or disrupt others’ use of the API Services.

  8. General Provisions
    1. Severability. If any provision of these Terms is deemed invalid or unenforceable, that provision will be enforced to the maximum extent permissible, and the other provisions of these Terms will remain in effect.

    2. Governing Law. These Terms are governed by the laws of Malta without regard to its conflict of law principles.

    3. Arbitration. The parties agree that any dispute or claim arising out of or in connection with this Agreement or its subject-matter shall be subject to the exclusive jurisdiction of the Malta Arbitration Center in accordance with the Arbitration Act (Cap. 387 of the Laws of Malta) and the arbitration rules of the Malta Arbitration Center in force at the time of the dispute.

    4. Waiver of Jury Trial. You agree to waive your rights (if applicable) to a trial by jury relating to all claims and causes of action (including counterclaims) related to or arising out of this Agreement. This waiver shall also apply to any subsequent amendments or modifications to this Agreement.

    5. No Class Actions. All claims between the parties, including parent companies and subsidiaries, related to this Agreement will be litigated individually and You will not consolidate or seek class treatment for any claim with respect to the Services.