Skip to main content
Sign in
Hegic(old contract)1 decision on this page

Audit log

Every state-changing event for Hegic(old contract): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1publishby system:backfill
    2026-05-30 04:47:58Z
    Score: ?? (no score change)
    anchoranchored
    chain
    mainnet-betaslot 423,086,648
    sig
    67r97bHGWBKg…NdaYLQpSexplorer ↗
    hash
    CQYKWPf1agZ5…niJRcBNAsha256 → base58
    verifying row…full verify ↗
    canonical bytes (6338 B) ▸
    {"actor":"system:backfill","investigation_id":"3b227011-2bd9-49ce-9be5-460c4f785902","kind":"publish","page_slug":"hegicold-contract","published_at":"2026-05-30T04:47:58.841Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Hegic(old contract)","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://iq.wiki/wiki/hegic","type":"other","url":""},{"credibility":3,"name":"https://medium.com/hegic/announcing-hegic-token-liquidity-mining-utilization-rewards-and-staking-d1dd6605f2cd","type":"other","url":""},{"credibility":3,"name":"https://decrypt.co/35038/hegics-molly-wintermute-im-paying-a-high-price-for-the-mainnet-first-approach-to-building","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://decrypt.co/26725/hegic-backpedals-on-typo-claim","type":"other","url":""},{"credibility":3,"name":"https://cryptobriefing.com/defi-bug-freezes-30000-ether-forever/","type":"other","url":""},{"credibility":3,"name":"https://cryptonews.net/news/security/314071/","type":"other","url":""},{"credibility":3,"name":"https://davidgerard.co.uk/blockchain/2020/04/26/the-dforce-and-hegic-defi-exploits-and-why-smart-contracts-are-bad/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://kermankohli.substack.com/p/hegic-vs-trail-of-bits-and-the-issue","type":"other","url":""},{"credibility":3,"name":"https://decrypt.co/26725/hegic-backpedals-on-typo-claim","type":"other","url":""},{"credibility":3,"name":"https://www.publish0x.com/interestingcrypto/hegic-case-48-dollars-000-cents-typo-or-why-dofi-protocols-n-xejoomg","type":"other","url":""},{"credibility":3,"name":"https://davidgerard.co.uk/blockchain/2020/04/26/the-dforce-and-hegic-defi-exploits-and-why-smart-contracts-are-bad/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://blog.verichains.io/p/hegic-options-protocol-how-a-deprecated","type":"other","url":""},{"credibility":3,"name":"https://x.com/HegicOptions/status/1896933787923345470","type":"other","url":""},{"credibility":3,"name":"https://www.nominis.io/insights/crypto-security-incidents-march-2025","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://decrypt.co/35038/hegics-molly-wintermute-im-paying-a-high-price-for-the-mainnet-first-approach-to-building","type":"other","url":""},{"credibility":3,"name":"https://golden.com/wiki/Molly_Wintermute-REPY4D8","type":"other","url":""},{"credibility":3,"name":"https://github.com/hegic/old-contracts","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://decrypt.co/26725/hegic-backpedals-on-typo-claim","type":"other","url":""},{"credibility":3,"name":"https://blog.verichains.io/p/hegic-options-protocol-how-a-deprecated","type":"other","url":""},{"credibility":3,"name":"https://cryptobriefing.com/defi-bug-freezes-30000-ether-forever/","type":"other","url":""},{"credibility":3,"name":"https://x.com/HegicOptions/status/1896933787923345470","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://cryptobriefing.com/defi-bug-freezes-30000-ether-forever/","type":"other","url":""},{"credibility":3,"name":"https://decrypt.co/26725/hegic-backpedals-on-typo-claim","type":"other","url":""}]}],"sources_used":[],"summary":"Hegic is an anonymous-founded, Ethereum-based decentralized options trading protocol originally launched in April 2020. The original (v1) smart contract suffered a critical code defect within hours of mainnet deployment that permanently locked user funds, compounded by misrepresentation of the pre-launch security review. A separate deprecated contract from January 2022 was additionally exploited in February 2025, draining approximately $80,000 in WBTC. While affected users were reimbursed out of team funds in both incidents, the underlying contracts remain permanently compromised.","timeline":[{"date":"2020-02-20","event":"Hegic protocol announced on EthResearch forum by anonymous developer Molly Wintermute.","source":""},{"date":"2020-04-01","event":"Trail of Bits conducts a 3-day code review of Hegic, identifying 10 critical flaws and recommending delayed deployment.","source":""},{"date":"2020-04-23","event":"Hegic v1 deployed to Ethereum mainnet despite Trail of Bits warnings; only a subset of identified critical flaws were patched.","source":""},{"date":"2020-04-24","event":"Critical bug discovered: a missing 's' in the function identifier 'OptionIDs' (should be 'OptionsIDs') permanently locks approximately $28,000–$48,000 in user ETH and DAI. Protocol taken offline.","source":""},{"date":"2020-04-26","event":"Hegic issues public apology retracting the 'typo' characterization and acknowledging a bug. Trail of Bits CEO Dan Guido publicly states the error would have been caught by basic unit testing and that Hegic misrepresented their code review as an 'audit.'","source":""},{"date":"2020-05-01","event":"New corrected Hegic contract deployed to mainnet. Affected users reimbursed 100% from Wintermute's personal and contributor funds.","source":""},{"date":"2020-09-09","event":"HEGIC governance token launched on Ethereum via bonding curve.","source":""},{"date":"2020-10-01","event":"Hegic v888 beta mainnet launched, supporting ETH and WBTC call and put options with staking and liquidity mining.","source":""},{"date":"2022-01-04","event":"Hegic deploys a WBTC Puts Pool contract (later described as a test/staging contract). The deployer address sends 1.1 WBTC to the contract; the contract is never formally decommissioned.","source":""},{"date":"2022-10-01","event":"Hegic deploys its current architecture, superseding prior contract versions.","source":""},{"date":"2025-02-23","event":"Attacker exploits the deprecated January 2022 WBTC Puts Pool contract via the `withdrawWithoutHedge` function, draining 1.1 WBTC (~$80,000). Incident flagged by BlockSec.","source":""},{"date":"2025-02-28","event":"Hegic publishes security report via Discord; confirms current architecture unaffected; announces bug bounty program.","source":""}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 1ed27126-7117-47e1-a8ed-9e8f9eff5673
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.