Themis is now a verified security vendor on @HackenProof Marketplace!
This means projects looking for smart contract audits and DeFi governance security can find us directly through one of Web3's most trusted platforms 🤝
🔗 Learn more: https://t.co/COq9igEv4x
Themis Scan gave Aztec Connect a control-plane score of 100. However, the protocol was drained for roughly 2.1 million dollars on June 14. Does that mean Themis got it wrong?
Spoiler alert: No. The score was right. Funds left through the proving layer, which on-chain analysis alone cannot see into.
Let's take a dive into the on-chain analysis.
The contract had been immutable since the 2024 sunset. No upgrade key, authority renounced. This is confirmed on-chain.
We then traced how a contract with no live operator lost everything:
The attacker made 14 processRollup calls. Each carried a SNARK proof. The contract's original, never-modified verifier checked all 14 and returned valid, with the real precompiles running. No upgrade, no setVerifier, no admin call, no approval drain. Around 909 ETH and six tokens left through the rollup's own withdrawal path, gated by nothing but a valid proof. The contract did exactly what it was built to do, for the attacker.
The problem most likely sits in the proving system. Our on-chain trace cannot prove why the proofs were forgeable; that would need the off-chain circuit and proving-key analysis, and those are not public.
We are building a public index so users know how risky a protocol is before they interact with it.
91 protocols are indexed; any protocol you scan (free) will be indexed too.
https://t.co/Ff7uyst5BF
Yesterday (June 9), we found another example of governance risk, the "elephant in the room".
The $TOP governance had direct mint authority, no timelock, and a token supply small enough for an attacker to take control.
Humanity Protocol says the incident involved compromised private keys.
But the harder question is: what could those keys do?
I ran the referenced BNB Chain $H proxy through our control-plane scanner.
It surfaced:
• upgradeable proxy
• proxy admin controlled by direct EOA
• no timelock detected
• upgrade path outside governance
• one upgrade executed by 0x6Aa2...53bB
This does not reconstruct the exploit or prove intent.
It shows the authority surface.
A key compromise is bad.
A key with proxy-admin power can become protocol compromise.
Contract logic is one layer. The authority graph is part of the attack surface.
Small update to the free Themis scanner.
You no longer need the exact contract address.
Search by protocol name, pick a candidate, and Themis traces the upgrade authority chain: proxy, admin, timelock, multisig, governance path, and bypass risks.
Who can change this protocol after it ships?
https://t.co/b7XpvraYKs
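The first hop of the authority chain described here (proxy, admin, and whether that admin is a bare key), as an added example and not Themis code: it reads the standard EIP-1967 implementation and admin slots and classifies who can upgrade. The storage and code lookups are injected callables so it runs offline against a constructed fixture; binding them to eth_getStorageAt and eth_getCode on an RPC node, and the follow-up trace into a ProxyAdmin, multisig or timelock, are assumed and left outside the snippet.

```python
from collections import namedtuple
from typing import Callable

# EIP-1967 slots: keccak256("eip1967.proxy.<implementation|admin>") - 1.
IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103
ZERO = "0x" + "00" * 20
ControlPlane = namedtuple("ControlPlane", "implementation admin finding")

def slot_to_address(word: bytes) -> str:
    return "0x" + word[-20:].hex()  # the address sits in the low 20 bytes of the word

def assess_proxy(proxy: str, get_storage: Callable[[str, int], bytes],
                 get_code: Callable[[str], bytes]) -> ControlPlane:
    """Classify who can swap the implementation behind an EIP-1967 proxy."""
    impl = slot_to_address(get_storage(proxy, IMPL_SLOT))
    admin = slot_to_address(get_storage(proxy, ADMIN_SLOT))
    if impl == ZERO:
        finding = "no EIP-1967 implementation slot: not this proxy pattern"
    elif admin == ZERO:
        finding = ("admin slot empty: authority renounced, or UUPS with upgrade "
                   "logic inside the implementation; confirm which")
    elif len(get_code(admin)) == 0:
        finding = "admin is an EOA: one key can upgrade, no timelock possible"
    else:
        finding = "admin is a contract: trace its owner (ProxyAdmin, multisig, timelock)"
    return ControlPlane(impl, admin, finding)

# Constructed fixture standing in for eth_getStorageAt / eth_getCode on an RPC node.
def _word(addr: str) -> bytes:
    return bytes.fromhex(addr[2:]).rjust(32, b"\0")

IMPL, EOA_ADMIN, CONTRACT_ADMIN = ("0x" + b * 20 for b in ("11", "aa", "bb"))
PROXY_EOA, PROXY_RENOUNCED, PROXY_CONTRACT = ("0x" + b * 20 for b in ("01", "02", "03"))
STORAGE = {
    (PROXY_EOA, IMPL_SLOT): _word(IMPL), (PROXY_EOA, ADMIN_SLOT): _word(EOA_ADMIN),
    (PROXY_RENOUNCED, IMPL_SLOT): _word(IMPL),  # admin slot deliberately left at zero
    (PROXY_CONTRACT, IMPL_SLOT): _word(IMPL), (PROXY_CONTRACT, ADMIN_SLOT): _word(CONTRACT_ADMIN),
}
CODE = {CONTRACT_ADMIN: bytes.fromhex("6080604052")}  # any non-empty bytecode marks a contract

def fixture_storage(addr: str, slot: int) -> bytes:
    return STORAGE.get((addr, slot), b"\0" * 32)

def fixture_code(addr: str) -> bytes:
    return CODE.get(addr, b"")

FINDINGS = {p: assess_proxy(p, fixture_storage, fixture_code).finding
            for p in (PROXY_EOA, PROXY_RENOUNCED, PROXY_CONTRACT)}
```

An EOA in the admin slot is the "proxy admin controlled by direct EOA, no timelock" finding in one read; a contract there only means the trace has to continue one hop further.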
Most DeFi risk isn't code. It's governance.
The code passes the audit but the control plane is where funds walk out. That's why we built Themis 🛡️
Free. No signup. 5 chains.
30+ major DeFi protocols already mapped.
Try now 👇
https://t.co/COq9igEv4x