Skip to main content
Sign in
← avoid.net

Verify a decision

Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.

How verification works

  1. We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
  2. We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
  3. You compare three values. Database hash, your independently-recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>

Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.

Decision
publish · Hegic(old contract)
View on Solana ↗
Sequence
#1
Score
Cluster
mainnet-beta
Slot
423086648
Off-chain at
2026-05-30T04:47:58.933Z
Anchored at
Block time

Independent verification

1. Database (off-chain)
CQYKWPf1agZ5pz59wg5LZAgYS5AgwMapWNmmniJRcBNA
2. Recomputed (your browser)
computing…
3. On-chain (Solana memo)
fetching…
Canonical bytes hashed (6338 chars)
{"actor":"system:backfill","investigation_id":"3b227011-2bd9-49ce-9be5-460c4f785902","kind":"publish","page_slug":"hegicold-contract","published_at":"2026-05-30T04:47:58.841Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Hegic(old contract)","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://iq.wiki/wiki/hegic","type":"other","url":""},{"credibility":3,"name":"https://medium.com/hegic/announcing-hegic-token-liquidity-mining-utilization-rewards-and-staking-d1dd6605f2cd","type":"other","url":""},{"credibility":3,"name":"https://decrypt.co/35038/hegics-molly-wintermute-im-paying-a-high-price-for-the-mainnet-first-approach-to-building","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://decrypt.co/26725/hegic-backpedals-on-typo-claim","type":"other","url":""},{"credibility":3,"name":"https://cryptobriefing.com/defi-bug-freezes-30000-ether-forever/","type":"other","url":""},{"credibility":3,"name":"https://cryptonews.net/news/security/314071/","type":"other","url":""},{"credibility":3,"name":"https://davidgerard.co.uk/blockchain/2020/04/26/the-dforce-and-hegic-defi-exploits-and-why-smart-contracts-are-bad/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://kermankohli.substack.com/p/hegic-vs-trail-of-bits-and-the-issue","type":"other","url":""},{"credibility":3,"name":"https://decrypt.co/26725/hegic-backpedals-on-typo-claim","type":"other","url":""},{"credibility":3,"name":"https://www.publish0x.com/interestingcrypto/hegic-case-48-dollars-000-cents-typo-or-why-dofi-protocols-n-xejoomg","type":"other","url":""},{"credibility":3,"name":"https://davidgerard.co.uk/blockchain/2020/04/26/the-dforce-and-hegic-defi-exploits-and-why-smart-contracts-are-bad/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://blog.verichains.io/p/hegic-options-protocol-how-a-deprecated","type":"other","url":""},{"credibility":3,"name":"https://x.com/HegicOptions/status/1896933787923345470","type":"other","url":""},{"credibility":3,"name":"https://www.nominis.io/insights/crypto-security-incidents-march-2025","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://decrypt.co/35038/hegics-molly-wintermute-im-paying-a-high-price-for-the-mainnet-first-approach-to-building","type":"other","url":""},{"credibility":3,"name":"https://golden.com/wiki/Molly_Wintermute-REPY4D8","type":"other","url":""},{"credibility":3,"name":"https://github.com/hegic/old-contracts","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://decrypt.co/26725/hegic-backpedals-on-typo-claim","type":"other","url":""},{"credibility":3,"name":"https://blog.verichains.io/p/hegic-options-protocol-how-a-deprecated","type":"other","url":""},{"credibility":3,"name":"https://cryptobriefing.com/defi-bug-freezes-30000-ether-forever/","type":"other","url":""},{"credibility":3,"name":"https://x.com/HegicOptions/status/1896933787923345470","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://cryptobriefing.com/defi-bug-freezes-30000-ether-forever/","type":"other","url":""},{"credibility":3,"name":"https://decrypt.co/26725/hegic-backpedals-on-typo-claim","type":"other","url":""}]}],"sources_used":[],"summary":"Hegic is an anonymous-founded, Ethereum-based decentralized options trading protocol originally launched in April 2020. The original (v1) smart contract suffered a critical code defect within hours of mainnet deployment that permanently locked user funds, compounded by misrepresentation of the pre-launch security review. A separate deprecated contract from January 2022 was additionally exploited in February 2025, draining approximately $80,000 in WBTC. While affected users were reimbursed out of team funds in both incidents, the underlying contracts remain permanently compromised.","timeline":[{"date":"2020-02-20","event":"Hegic protocol announced on EthResearch forum by anonymous developer Molly Wintermute.","source":""},{"date":"2020-04-01","event":"Trail of Bits conducts a 3-day code review of Hegic, identifying 10 critical flaws and recommending delayed deployment.","source":""},{"date":"2020-04-23","event":"Hegic v1 deployed to Ethereum mainnet despite Trail of Bits warnings; only a subset of identified critical flaws were patched.","source":""},{"date":"2020-04-24","event":"Critical bug discovered: a missing 's' in the function identifier 'OptionIDs' (should be 'OptionsIDs') permanently locks approximately $28,000–$48,000 in user ETH and DAI. Protocol taken offline.","source":""},{"date":"2020-04-26","event":"Hegic issues public apology retracting the 'typo' characterization and acknowledging a bug. Trail of Bits CEO Dan Guido publicly states the error would have been caught by basic unit testing and that Hegic misrepresented their code review as an 'audit.'","source":""},{"date":"2020-05-01","event":"New corrected Hegic contract deployed to mainnet. Affected users reimbursed 100% from Wintermute's personal and contributor funds.","source":""},{"date":"2020-09-09","event":"HEGIC governance token launched on Ethereum via bonding curve.","source":""},{"date":"2020-10-01","event":"Hegic v888 beta mainnet launched, supporting ETH and WBTC call and put options with staking and liquidity mining.","source":""},{"date":"2022-01-04","event":"Hegic deploys a WBTC Puts Pool contract (later described as a test/staging contract). The deployer address sends 1.1 WBTC to the contract; the contract is never formally decommissioned.","source":""},{"date":"2022-10-01","event":"Hegic deploys its current architecture, superseding prior contract versions.","source":""},{"date":"2025-02-23","event":"Attacker exploits the deprecated January 2022 WBTC Puts Pool contract via the `withdrawWithoutHedge` function, draining 1.1 WBTC (~$80,000). Incident flagged by BlockSec.","source":""},{"date":"2025-02-28","event":"Hegic publishes security report via Discord; confirms current architecture unaffected; announces bug bounty program.","source":""}]},"v":1}