Octane Security
@octane_security
Followers
5K
Following
774
Media
100
Statuses
308
Find critical bugs in your code on every PR. One-click install. Save time and money on security.
San Francisco
Joined July 2023
Arbitrum's $10M audit program is a big step in the right direction, but it leaves critical gaps unresolved. Our proposal tackles those issues and expands access to security coverage across the entire Arbitrum ecosystem, raising the baseline for everyone https://t.co/l6wQS7FSGO
forum.arbitrum.foundation
Protecting 100 Arbitrum Projects for the Cost of One Audit
Call To Action: Arbitrum's groundbreaking $10M audit program represents the largest security initiative in DAO history, providing crucial...
3
11
48
Had a great chat with @wyatt_khos on @CastleIslandVC's On the Brink podcast. Cybersecurity is at an inflection, and we go into detail here on the defensive use of AI, CI/CD-based checks, budgeting, and how nation-state adversaries are leveraging LLMs for exploits. Link below:
podcasts.apple.com
Podcast Episode · On The Brink with Castle Island · 11/03/2025 · 39m
0
9
26
Takeaways and final checklist:
✅ Admin: multisig plus timelock for every upgrade path
✅ Initialization: initialize on deploy, lock logic with `_disableInitializers()`
✅ Storage: append-only, never reorder or change existing variables
✅ Initializers: call all parents once,
0
0
3
That’s a lot of rules! Make CI enforce them. Your pipeline should block upgrades or deployments that violate these controls. Verify initializers are correctly set and then disabled, detect storage layout incompatibilities, and scan diffs for unsafe opcodes and patterns.
1
0
3
7️⃣Beacon shared risk. With a Beacon proxy, one upgrade affects every attached proxy. The Beacon admin effectively has root-level control. Protect it with a multisig plus timelock and treat it with the same care as a core contract.
1
0
3
6️⃣UUPS safety: Restrict `authorizeUpgrade`. Require the new impl to implement ERC-1822 correctly (`proxiableUUID`). Forbid arbitrary `delegatecall` and only allow immutable, audited targets.
1
0
3
5️⃣Selector collisions (transparent proxies): Avoid implementing `admin()`, `implementation()`, `changeAdmin()`, `upgradeTo()` in the logic. Collisions won’t let an attacker upgrade, but they stop the admin from calling same-named impl functions via the proxy.
1
0
3
4️⃣Initializer bugs. Pitfalls here include missing parent initializers in multiple inheritance, allowing the same initializer to run twice, and unsafe external calls during init. ☑️Use OpenZeppelin’s `initializer` and versioned `reinitializer(n)` to guarantee one-time execution
1
0
3
3️⃣Storage layout collisions. Reordering variables, changing types, or introducing new stateful base contracts shifts storage slots and corrupts state. Use an append-only storage pattern. Don’t reorder or change existing variables, only add new ones at the end. Verify layout
1
0
3
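An added example for rule 3️⃣ and the "detect storage layout incompatibilities" CI point, not code from the thread or from Octane: a Python check that compares the storage layout of the deployed implementation with that of the candidate. The input shape mirrors what `solc --storage-layout` emits (a `storage` list with label/slot/offset/type and a `types` map with each type's label and `numberOfBytes`); the three layouts below are constructed by hand, and the `__gap` naming convention is an assumption taken from OpenZeppelin's upgradeable contracts. The rules enforced are the ones in the post: existing variables keep slot, offset and type; a reserved gap may only shrink inside its previous slots; anything new may only occupy bytes the deployed contract never used. The OpenZeppelin Upgrades plugin performs this validation against the compiler output; this is the same idea in a few dozen lines.

```python
"""Storage-layout compatibility check for an upgrade (added example, not the
thread author's code). Layouts are hand-built here; in CI load the JSON that
`solc --storage-layout` produced for the deployed and candidate contracts."""

# Assumption: a subset of solc's `types` map, enough for the constructed layouts.
TYPES = {
    "t_address": {"label": "address", "numberOfBytes": "20"},
    "t_bool": {"label": "bool", "numberOfBytes": "1"},
    "t_uint8": {"label": "uint8", "numberOfBytes": "1"},
    "t_uint256": {"label": "uint256", "numberOfBytes": "32"},
    "t_mapping(t_address,t_uint256)": {"label": "mapping(address => uint256)", "numberOfBytes": "32"},
    "t_array(t_uint256)47_storage": {"label": "uint256[47]", "numberOfBytes": "1504"},
    "t_array(t_uint256)46_storage": {"label": "uint256[46]", "numberOfBytes": "1472"},
}


def layout(rows):
    """Build a solc-style layout dict from (label, slot, offset, type-id) rows."""
    return {"storage": [{"label": l, "slot": str(s), "offset": o, "type": t} for l, s, o, t in rows],
            "types": TYPES}


DEPLOYED = layout([
    ("owner", 0, 0, "t_address"), ("paused", 0, 20, "t_bool"),
    ("totalSupply", 1, 0, "t_uint256"), ("balances", 2, 0, "t_mapping(t_address,t_uint256)"),
    ("__gap", 3, 0, "t_array(t_uint256)47_storage"),
])
# Correct upgrade: `fee` takes the first gap slot and the gap shrinks by one.
CANDIDATE_OK = layout([
    ("owner", 0, 0, "t_address"), ("paused", 0, 20, "t_bool"),
    ("totalSupply", 1, 0, "t_uint256"), ("balances", 2, 0, "t_mapping(t_address,t_uint256)"),
    ("fee", 3, 0, "t_uint256"), ("__gap", 4, 0, "t_array(t_uint256)46_storage"),
])
# Broken upgrade: `fee` inserted before totalSupply shifts everything down a slot.
CANDIDATE_BAD = layout([
    ("owner", 0, 0, "t_address"), ("paused", 0, 20, "t_bool"),
    ("fee", 1, 0, "t_uint256"), ("totalSupply", 2, 0, "t_uint256"),
    ("balances", 3, 0, "t_mapping(t_address,t_uint256)"),
    ("__gap", 4, 0, "t_array(t_uint256)47_storage"),
])


def _is_gap(label):
    return label.lower().endswith("gap")      # assumption: OpenZeppelin's `__gap` convention


def _ranges(lay):
    """Map each variable to the half-open byte range [start, end) it occupies."""
    out = {}
    for v in lay["storage"]:
        start = int(v["slot"]) * 32 + v["offset"]
        out[v["label"]] = (start, start + int(lay["types"][v["type"]]["numberOfBytes"]))
    return out


def check_layout(old, new):
    """Return a list of human-readable incompatibilities; empty means safe to upgrade."""
    errors = []
    old_vars = {v["label"]: v for v in old["storage"]}
    new_vars = {v["label"]: v for v in new["storage"]}
    old_r, new_r = _ranges(old), _ranges(new)
    occupied = []                               # bytes the new code must not repurpose
    for label, ov in old_vars.items():
        nv, ot = new_vars.get(label), old["types"][ov["type"]]
        if _is_gap(label):
            if nv is None:
                continue                        # gap fully consumed: all its bytes are free
            nt = new["types"][nv["type"]]
            (os_, oe), (ns, ne) = old_r[label], new_r[label]
            if ns < os_ or ne > oe or nt["label"].split("[")[0] != ot["label"].split("[")[0]:
                errors.append(f"{label}: gap may only shrink inside its previous slots "
                              f"({ot['label']}@{ov['slot']} -> {nt['label']}@{nv['slot']})")
            occupied.append((ns, ne))
            continue
        occupied.append(old_r[label])
        if nv is None:
            errors.append(f"{label}: removed; slot {ov['slot']} would be reinterpreted")
        elif (ov["slot"], ov["offset"]) != (nv["slot"], nv["offset"]):
            errors.append(f"{label}: moved from slot {ov['slot']}+{ov['offset']} "
                          f"to slot {nv['slot']}+{nv['offset']}")
        else:
            nt = new["types"][nv["type"]]
            if (ot["label"], ot["numberOfBytes"]) != (nt["label"], nt["numberOfBytes"]):
                errors.append(f"{label}: type changed from {ot['label']} to {nt['label']}")
    for label in new_vars:
        if label in old_vars:
            continue
        s, e = new_r[label]
        if any(s < oe and os_ < e for os_, oe in occupied):
            errors.append(f"{label}: added on top of storage the deployed contract uses (bytes {s}-{e})")
    return errors


if __name__ == "__main__":
    print("ok:", check_layout(DEPLOYED, CANDIDATE_OK))
    print("bad:", *check_layout(DEPLOYED, CANDIDATE_BAD), sep="\n  ")
```

Types are compared by their human label and byte size rather than by solc's type id, because ids for structs and arrays embed AST ids that change between compilations even when the layout does not. Renaming a variable still shows up as a removal plus an addition, which is the conservative outcome: a rename that is really a repurposing is exactly the bug this check exists to catch.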
2️⃣Uninitialized implementation or proxy. If the proxy or logic contract isn’t initialized and locked, an attacker can initialize and take ownership. Always initialize on deploy and call `_disableInitializers()` on the logic. To avoid a Parity-style takeover, ensure all
openzeppelin.com
Today, we witnessed the second largest hack, in terms of ETH stolen, in the history of the Ethereum network. As of 12:19 pm UTC, the attacker’s account had drained 153,037 ETH from three high-profile...
1
0
3
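An added example for rules 2️⃣ and 4️⃣ and the "verify initializers are correctly set and then disabled" CI point, not code from the thread or from Octane: a source-level lint in Python that checks a logic contract for a constructor calling `_disableInitializers()`, an `initialize` function guarded by `initializer` or `reinitializer(n)`, and a call to each upgradeable parent's `__X_init`. It is a regex and brace-matching heuristic, not a Solidity parser, and it assumes OpenZeppelin's naming conventions (`Upgradeable` suffix on parents, `__Name_init` or `__NameUpgradeable_init` initializers). The two Solidity sources are constructed for the demo: the first has the defects the posts describe, the second is the hardened form.

```python
"""Initializer lint for upgradeable logic contracts (added example, not the
thread author's code). Heuristic, regex-based; assumes OpenZeppelin naming."""
import re

# Constructed sample: no constructor lock, unguarded initialize(), two parent
# initializers never called. A fresh logic contract like this can be
# initialized by anyone, and initialize() can be re-run after deployment.
VULNERABLE_SRC = """
contract Vault is Initializable, OwnableUpgradeable, ReentrancyGuardUpgradeable, UUPSUpgradeable {
    address public token;
    function initialize(address token_) public {
        __Ownable_init(msg.sender);
        token = token_;
    }
    function _authorizeUpgrade(address) internal override onlyOwner {}
}
"""

# Constructed sample: hardened form of the same contract.
HARDENED_SRC = """
contract Vault is Initializable, OwnableUpgradeable, ReentrancyGuardUpgradeable, UUPSUpgradeable {
    address public token;
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() { _disableInitializers(); }
    function initialize(address token_) public initializer {
        __Ownable_init(msg.sender);
        __ReentrancyGuard_init();
        __UUPSUpgradeable_init();
        token = token_;
    }
    function _authorizeUpgrade(address) internal override onlyOwner {}
}
"""


def _block(src, start):
    """Text between the first '{' at or after `start` and its matching '}'."""
    i = src.index("{", start)
    depth = 0
    for j in range(i, len(src)):
        if src[j] == "{":
            depth += 1
        elif src[j] == "}":
            depth -= 1
            if depth == 0:
                return src[i + 1:j]
    raise ValueError("unbalanced braces")


def check_initializers(src):
    """Return a list of findings; an empty list means every rule checked passed."""
    findings = []
    # Rule 2: the logic contract must lock its own initializers in the constructor.
    ctor = re.search(r"\bconstructor\s*\(", src)
    if ctor is None or "_disableInitializers()" not in _block(src, ctor.end()):
        findings.append("logic contract does not call _disableInitializers() in a constructor")
    # Rule 4: initialize() must be guarded so it cannot run twice.
    init = re.search(r"\bfunction\s+initialize\s*\(", src)
    if init is None:
        findings.append("no initialize() function found")
        return findings
    header = src[init.start():src.index("{", init.start())]
    if not re.search(r"\b(initializer|reinitializer\s*\()", header):
        findings.append("initialize() lacks the initializer/reinitializer modifier")
    body = _block(src, init.end())
    # Rule 4: every upgradeable parent must have its initializer called.
    bases = re.search(r"\bcontract\s+\w+\s+is\s+([^{]+)\{", src)
    for base in (re.findall(r"\w+", bases.group(1)) if bases else []):
        if not base.endswith("Upgradeable"):
            continue                      # Initializable and interfaces have no __init
        short = base[:-len("Upgradeable")]
        if f"__{base}_init(" not in body and f"__{short}_init(" not in body:
            findings.append(f"initialize() never calls the {base} initializer")
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(name, check_initializers(src) or "clean")
```

This catches the three failure modes the posts name but not all of them: it does not see initializers that run in a parent's `__init` chain, and it cannot tell whether an external call inside `initialize` is safe. Treat a non-empty result as a hard CI failure and an empty one as "nothing obvious", then let the deployment script confirm on-chain that `initialize` was called in the same transaction as the proxy deployment.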
1️⃣Admin key risk. If a single EOA can upgrade a critical contract, that key effectively controls your protocol. Treat upgrade authority like treasury keys. Use a multisig (e.g. @safe) for admin and a timelock so the community has time to react before upgrades execute.
1
0
4
What are the 7 biggest risks of upgradeable contracts that all developers should know? 🚨 Let’s break each of them down 👇
2
1
9
Congratulations to the second cohort of the $USDC Grant Program! The future of stablecoin innovation needs a strong foundation and @BuildOnCircle demonstrates that with their programs – reach out today for your free scan from Octane's automated security intelligence engine.
We’re thrilled to launch the second cohort of the USDC Grant Program in 2025! Here are the incredible projects that we’re excited to be a part of: @droplinked
@encifherio
@HurupayApp
@kantin_hq
@locker_money
@lympid_official
@orbitalpay
@paymonei
@perpflow
@SivoDefi
@mysorbetxyz
1
3
18
So, who won the bet? We’d like to think we’re all winners here. Covenant got the highest standard of security for their contracts, and we got a great new partner 🤝 Check out the full case study: https://t.co/ei3lLvS05u
octane.security
Covenant integrated Octane’s AI security to detect complex cross-contract vulnerabilities and accelerate secure development.
0
0
10
🛑 Unrestricted external calls via `multicall` (Severity: Critical) After a later manual audit, Covenant ran Octane again to review code changes before sending them back to the auditor. Octane uncovered a critical flaw in the way Covenant.sol custodies base tokens and accrued
2
3
18
🛑 Authorization gap on `onBehalfOf` in redeem/swap (Severity: Critical) It didn’t take long for Octane to deliver. On the very first scan, Octane flagged a critical vulnerability that could have led to direct user losses.
2
0
8
.@giovignone and @ahampt0n made a bet: If Octane could find a critical or high-severity vulnerability in previously-audited code, @covenantFi would choose us as their trusted pre-deployment security partner. Here's how it all played out…
6
3
27
Super impressed with the findings delivered by @octane_security. Octane's AI code analyzer caught many of the bugs our manual auditors did, and even flagged a couple they didn't. Built secure on @Plasma.
Octane found all the bugs @246_club's manual auditors did, and a couple they didn't. On-demand automated security intelligence is faster + an order of magnitude cheaper.
3
5
26
Octane found all the bugs @246_club's manual auditors did, and a couple they didn't. On-demand automated security intelligence is faster + an order of magnitude cheaper.
2
5
28
We weren't joking about redefining blockchain security. Octane's automated intelligence now helps secure over $186B of onchain value. Join the industry leaders strengthening their operations with Octane's holistic security analysis.
1
8
42