Investigation #3 17 RED FLAGS

Orbis EXPOSED

777 advertised, only 69 actually minted (8.9%). Total volume: 0.08 SOL. All unrevealed. Anonymous team. Whitelabel marketplace. Built by GOTM Labz. Promoted by Puffsterz insiders. Orbis wallet buying NFTs from Puffsterz wash traders. 2-second timing gap proves same operator.

Key figures:
- Total volume: 0.08 SOL
- Minted: 69 of 777 (8.9%)
- Holders: 43
- Total trades: 2 (both wash)
- Verified on Magic Eden: 0%
- Red flags: 17
- Timing gap: 2s
- Team members disclosed: 0
Active Investigation — Evolving & Updating Daily. Some details may not be fully 100% accurate as new evidence emerges. We provide links, proof, and sources for all claims made. We implore anyone to refute any findings with evidence — do your own analysis. This investigation is conducted for the protection of the Solana community.

The Smoking Gun

Orbis (@OrbisOnSOL) launched 777 PFP kittens on Solana on April 7, 2026. The collection uses a burn-to-evolve mechanic (burn 3 commons → rare, burn 3 rares → legendary). It was promoted as a legitimate project.
It's not. Orbis is a whitelabel marketplace template from GOTM Labz — the same infrastructure provider that powers Puffsterz, the Florida smoke shop running youth-targeted NFTs with 320 wash trading wallets and 92% fake volume.
The connection isn't speculation. It is established through 2-second transaction timing between wallets, shared custom Solana programs, shared fee-paying wallets, coordinated insider promotion, and an inner circle of 3 people who cross-promote everything.
THE THREAD: Swiss (Puffsterz CTO) promoted Orbis as "ALPHA." Daze (25K followers, @puffsterznfts in bio) was the first account to shill Orbis — minutes after its first tweet. Rico (@moon_blaze_) built the infrastructure. GOTM DAO lists Puffsterz and VibeTribe as official partners. The same fee-paying wallets service both ecosystems. A rare custom program (LUCK57) is used exclusively by Puffsterz and Orbis wallets. It's all one operation.
THE BOTTOM LINE

You trust an anonymous team to build a marketplace and handle your wallet connections? Their paid Helius RPC API key is publicly exposed through an unauthenticated endpoint — anyone can call it and use their infrastructure for free. That is basic security negligence from a team asking you to connect your wallet.

Their wallet adapter is custom unaudited code — NOT the standard @solana/wallet-adapter that most dApps use. 2,091 lines shared across 130+ projects. We found no drain patterns in our review, but you are trusting unaudited code from anonymous developers every time you connect. Hardware wallet auth sends real transactions on-chain instead of just signing messages — an unusual pattern most legitimate projects avoid.

Their Terms of Service are governed by UAE law with disputes in Dubai courts. No legal entity named anywhere. No email. No physical address. Contact only through Discord. They can modify terms at any time with no notice. You have zero practical legal recourse if something goes wrong.

Some of their security gaps — report-only CSP, no SRI hashes — are common across Solana dApps. But when those gaps exist alongside anonymous developers, no audit, UAE jurisdiction, and a leaked API key, the picture is clear: this team does not take security seriously, which means they do not take your funds and safety seriously.

Note: All findings are from a passive audit of publicly accessible endpoints and source code. We have not exploited any of these findings and API keys are partially redacted — publishing full credentials is not our job or our goal here. Our goal is to expose the scams, the rugs, and the incompetence so you — the market, the users, the ecosystem — have the information you need to decide whether to support these projects with your wallets and your money. Do your own research. We just made it easier.

17 Red Flags

1. Anonymous team — zero names, zero doxxed individuals, no company registration
2. NOT verified on Magic Eden — legitimate projects always verify
3. NO social links on Magic Eden listing — no Twitter, Discord, or website linked
4. All 777 NFTs "Unrevealed" — holders received placeholder images, not actual art
5. primarySaleHappened = false — NFTs bypassed the normal public minting process
6. 0.08 SOL total volume — from just 2 trades, both wash trades of the same NFT
7. Dual-side wallet Hw9p21DZ... — bought at 0.01 SOL, immediately resold at 0.07 SOL
8. 100% royalties to a single wallet: 4fPCDZby... — all revenue to one address
9. Whitelabel site — orbisonsol.io is a GOTM Labz marketplace template with zero project info
10. Insider promotion — Daze is a GotmLabz website testimonial promoting Orbis without disclosure
11. $ORBIS on Pump.fun — a token at 5sJvLj5P...pump exists on the memecoin launcher
12. Coinbase-funded — orbis.sol funded with 42 SOL traced back to a Coinbase hot wallet
13. @orbisonsol follows only 1 account — deliberately anonymous, 5 total tweets
14. Listings at 38x floor — 5 SOL listings vs 0.13 SOL floor suggests manipulation
15. No sitemap, no .well-known — rushed deployment, minimal infrastructure
16. Burn mechanic on unrevealed art — promising evolution for NFTs that don't even have artwork yet
17. Connected to proven fraud — same network as Puffsterz (320 wash wallets, 92% fake volume)

The Connection to Puffsterz

THE INNER CIRCLE — 3 People Connect Everything

Swiss — C.T.O. of Puffsterz/VibeTribe
Promoted Orbis: "M.A.P. just got an update. @OrbisOnSOL is ALPHA"
Promoted GAINZ: "Where's the @GAINZNFTs fam at??" with $GOTM tag
Tagged Rico in GAINZ Spaces. Thanked Daze for NFT gifts.

Daze — 25K followers / First Orbis shill
Bio includes @puffsterznfts AND @GAINZNFTs.
First to promote Orbis: "If only @OrbisOnSOL existed. Oh wait, it does."
BASC team leader (took over after rug pull). GotmLabz testimonial.

Rico — GOTM Labz founder
Bio: "Founder @GotmLabz web3 solutions & @GAINZNFTs"
Built burn2mint used by Orbis. Brands as "GOTM Labz Ltd" on products but NOT registered in UK Companies House. Actual legal entity unidentified.
Posted "Appreciation post for Puffsterz founder" (Feb 2025). Hosts BASC staking for Daze.
Team wallet: rPZHrBoqsLi6gcTJ7Z6Un4UBA24C3m4VvcBdYEhADn9 (gotm_team.sol)
EVIDENCE TWEETS
1. Swiss (March 29, 2026): "M.A.P. just got an update. @OrbisOnSOL is ALPHA"
2. Daze (March 9, 2026): "If only @OrbisOnSOL existed. Oh wait, it does. See you there. Follow, Screenshot, Reply, Drop Wallet." — posted minutes after Orbis's first tweet
3. Daze (March 9, 2026): Quote-tweeted Orbis "Orb Initiating" video with eyes emojis
4. Savage (March 10, 2026): "Just another day holding @GAINZNFTs. R U following @OrbisOnSOL yet?"
5. Swiss (Dec 27, 2024): "S/O to @dak_daze for such a generous gift. Consider them off the market for good"
6. Swiss (Feb 1, 2025): "Where's the @GAINZNFTs fam at??" with $GOTM hashtag + mint link
7. Swiss (Feb 15, 2025): Tagged @moon_blaze_ (Rico) directly in GAINZ NFTs Spaces promotion
EVIDENCE IMAGES — Tweet Screenshots & NFT Data
- Screenshot: Swiss promoting Orbis as ALPHA — "M.A.P. just got an update. @OrbisOnSOL is ALPHA" (March 29, 2026, verifiable on X)
- Screenshot: Daze's first Orbis shill with insider language — "If only @OrbisOnSOL existed. Oh wait, it does." (March 9, 2026, verifiable on X)
- Screenshot: Savage linking GAINZ NFTs to Orbis — "Just another day holding @GAINZNFTs. R U following @OrbisOnSOL yet?" (March 10, 2026, verifiable on X)
- Screenshot: Swiss thanks Daze for NFT gift — "S/O to @dak_daze for such a generous gift" (Dec 27, 2024, verifiable on X)
- Screenshot: Swiss promotes GAINZ NFTs with the $GOTM hashtag — same ecosystem (Feb 1, 2025, verifiable on X)
- Image: Orbis NFT "Unrevealed" placeholder — all 69 minted Orbis NFTs look like this (from the Irys gateway; viewable on Magic Eden)
ON-CHAIN PROOF — Same Operator
2-SECOND TIMING GAP: On April 6, 2026 at ~19:20 UTC, puffsterz.sol transferred 5,000 P4L tokens while orbisonsol.sol simultaneously placed a bid on Magic Eden. Two seconds apart. Same person, two browser tabs.
LUCK57 CUSTOM PROGRAM: A deployed, upgradeable Solana program (LUCK57mxzZiRGF2PdHAY79P6tZ8Apsi381tKvBrTdqk) used by BOTH vibetribe.sol (8 times) and orbisonsol.sol (4 times). No other wallets use it. Upgrade authority: 9GWPeu3cBfkGSEit6HMaAFKswoirxqgMqykMh7RVH2Bb — whoever controls this wallet deployed the infrastructure connecting both ecosystems.
SHARED FEE PAYERS: Wallets 8HvfGdKrgy5i... and CCyYKtnsnkkk... pay transaction fees for vibetribe.sol AND are counterparties to orbisonsol.sol. The same infrastructure services both ecosystems.
MIHSO INTERMEDIARY: Wallet Mihso7kXXNPb7GUZ71H7MedYrpW88MTQFdLKrtAnDvj has 27 interactions with puffsterz.sol and 61 with orbisonsol.sol — a bridge wallet receiving SOL from the shared fee payers.
12 TIMING CORRELATIONS: Transactions within 60 seconds across ecosystems, in 3 distinct clusters (April 6, March 30, April 3). Consistent with one person switching between wallets.
26 SHARED COUNTERPARTIES: Addresses that interact with both Puffsterz and Orbis wallets.
32 SHARED NFT COLLECTIONS between ecosystems. 14 shared creator addresses. 25 shared update authorities (verified on-chain). Haxz collection: Cheeple holds 8, orbisonsol.sol holds 14.
MONEY FLOW — Traced On-Chain
COINBASE → orbis.sol: Coinbase hot wallet (H8sMJSCQ...) → CUWRztRZ... (105.97 SOL) → orbis.sol (42 SOL). Funded from a US-regulated exchange.
MONEY HUB (FCgCM7Gv...): This single wallet connects ALL key actors: sent 4.675 SOL to the creator funder (D8rzGfnv...), sent 0.07 SOL to the wash trader (Hw9p21DZ...), and paid royalties to the creator. One wallet touching the funder, the wash trader, and royalties.
CREATOR → COLLECTION PDA: The Orbis creator wallet (4fPCDZ...) directly sent SOL to the collection address (8PrkxMSK...) on March 26, 2026. Proves same-person control.
WASH TRADER LOOPS: Hw9p21DZ... has circular self-dealing with satellite wallets (HEvUQnEx..., 7TfstQKi...) — funds loop back to the wash trader. Classic Sybil pattern.
UNDERPRICING: Seller minted 3 Orbis at 0.1 SOL each, sold to wash trader at 0.01 SOL (90% loss). Wash trader resold to money hub at 0.07 SOL (7x markup). Artificial volume creation.

Collection Analysis

Field | Value
Name | Orbis — 777 evolving kittens on Solana
Supply | 777
Actually Minted | 69 of 777 (8.9%) — collection largely abandoned
Holders | 43 unique (top 10 control 50.7%)
Floor Price | 0.13 SOL
All-Time Volume | 0.08 SOL (2 trades)
Listed | 13 NFTs (3 at 5 SOL each)
Launch Date | April 7, 2026
NFT Standard | Metaplex Core (MplCoreCollection) — newer standard, no traditional creator arrays
Status | All "Unrevealed" — placeholder images only
ME Verified | NO
Social Links (ME) | NONE
Mechanic | Burn 3 commons → rare. Burn 3 rares → legendary. 46 special 1/1s
Royalties | 5% — 100% to a single creator wallet
KEY WALLET ADDRESSES

GOTM Labz — The Infrastructure

GOTM Labz (gotmlabz.io) is a Solana infrastructure provider founded by "Rico" (@moon_blaze_, Discord: rico4208). It provides NFT launchpads, staking, burn2mint, trait swaps, and airdrops for 130+ Solana projects.
UNREGISTERED ENTITY: GOTM Labz brands itself as "GOTM Labz Ltd" on nftlaunch.app, nftstake.app, and shift3.app — but "GOTM Labz Ltd" does NOT exist in UK Companies House. No matching registration found in any searched jurisdiction. Using "Ltd" without actual registration is deceptive. The pseudonymous founder "Rico" operates financial infrastructure for 130+ projects with no verifiable legal entity behind it.
GOTM DAO Partner Projects
Puffsterz, VibeTribe, THC Labz, MOSC, MOB, SoDead, DKV
CLOSED-LOOP TOKEN ECONOMY
$GOTM is paired with: $P4L (Puffsterz), $BASC, $Empire, $LDZ (Lunar Dollz), $GP (Graphite), $PbP, $Bonk, SOL, USDC — plus gotmSOL liquid staking token. 11 interlocking pairs. Total 24h volume: ~$750. Value circulates among affiliated projects without external market validation. $GOTM contract: AAqZ6CEC...eJU5

Persons of Interest

"Swiss" @SWISS_SOL
C.T.O. — Puffsterz / VibeTribe / Orbis Promoter
Bio: "C.T.O. || @VibeTribe_NFT > @puffsterznfts > @PuffsterzInk > @P4L_Puffsterz"
1,706 followers. DC area. Swiss heritage. Built Puffsterz staking UI.
Promoted Orbis as "ALPHA." Promoted GAINZ + $GOTM. Tagged Rico in Spaces. Thanked Daze for gifts.
Real name: unknown.
"Daze" @dak_daze
CEO of BASC / 25K Followers / First Orbis Shill / Northern California
Photo: Self-posted on Sept 18, 2023 — "Grand Rising From The Redwoods" — Northern California redwood forests. Source tweet
Born: ~February 19, 1996 (turned 29 in 2025 — "Turn 29 Todaze. More Life.")
Location: Pacific Northwest / Northern California (redwoods area)
Self-describes as: "Entrepreneur" (X bio). "I derugged a derivative with 100 SOL. Don't compare me to other founders."
Bio includes @puffsterznfts AND @GAINZNFTs. 25,085 followers. 47,856 tweets.
Wallet (dakdaze.sol): 5Ym11... — holds 30+ Puffsterz, 15+ GAINZ, 10+ VibeTribe, 50+ XElementia, 100+ BASC. 1000+ total NFTs.
First to promote Orbis — insider language, minutes after first tweet.
CEO of BASC — took over after original team rug pulled (March 2022). BASC started as unauthorized BAYC derivative with stolen art. GotmLabz website testimonial. Runs 146+ giveaway follower farm.
BASC "Meet the Team" page is images-only — no searchable text. 3 of 6 listed team members (BeTheBender, Crypto Home Schooler, jameskobe) have zero documented contributions beyond the initial recovery. Possible padding or alt accounts.
Wife: @MRS_DAZE (Lei Daze) — Bio: "Artist | Energetic Healer | Wife". Calls @dak_daze "my love" in public tweet (Aug 18, 2024).
Name "Austin" reported by a former associate who worked directly with Daze on SolarDex (now @omega_netw0rk — also rugged). Not independently verified through public records.
"Rico" @moon_blaze_
GOTM Labz Founder / Built Orbis Infrastructure
Bio: "Founder @GotmLabz web3 solutions & @GAINZNFTs". 2,895 followers. Account since 2012.
Wallet (moonblaze.sol): w2ekw... — holds 100+ GAINZ, 30+ Puffsterz, 30+ VibeTribe, 15+ GOTM DAO (incl. GOTM #1). 1000+ total NFTs.
Built burn2mint for Orbis. "GOTM Labz Ltd" NOT in UK Companies House. Unconfirmed lead: G Labz LLC (TX) — similar name, unverified connection.
Real name: unknown. Discord: rico4208.
Karim M. Adhami (@SiNftGod)
Puffsterz LLC President / VibeTribe Co-Founder
@SiNftGod bio: "Founder of @puffsterznfts || CEO of @letzvape".
President, Puffsterz Smoke Shop LLC (FL). Former used car salesman (Winter Park Auto Mall).
Also: Blockchain Florida LLC. VibeTribe co-founder with Swiss.
The legal entity behind the network. CorporationWiki.

Wash Trading Evidence

ORBIS — Only 2 Trades Ever (Both Wash)
# | NFT | Buyer | Seller | Price | Source
1 | 9LbWK2K... | Hw9p21DZ... | 9PWP3WVn... | 0.01 SOL | Tensor
2 | 9LbWK2K... (SAME) | FCgCM7Gv... | Hw9p21DZ... | 0.07 SOL | Tensor
Wallet Hw9p21DZ... appears on BOTH sides — bought at 0.01 SOL, immediately resold at 0.07 SOL (7x markup, ~40 minutes apart). Classic wash trade to inflate apparent volume.
The entire 0.08 SOL "all-time volume" comes from these two wash trades of the same NFT. 100% of all sales involved dual-side wallets.
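The dual-side check behind the table above can be run over any trade log. The following is an added example written for this page, not tooling from the investigation: it flags wallets that appear as both buyer and seller, finds same-NFT quick flips by one wallet, and measures what share of reported volume those wallets touch. The trade records are constructed to mirror the two Orbis sales (truncated addresses, 40-minute gap as stated above); the timestamp field is an assumption, since the table carries none.

```javascript
// Constructed sample mirroring the two Orbis trades above. `ts` is seconds and
// is an assumption for the example; the page only says "~40 minutes apart".
const SAMPLE_TRADES = [
  { nft: '9LbWK2K', buyer: 'Hw9p21DZ', seller: '9PWP3WVn', priceSol: 0.01, ts: 0 },
  { nft: '9LbWK2K', buyer: 'FCgCM7Gv', seller: 'Hw9p21DZ', priceSol: 0.07, ts: 40 * 60 },
];

// Wallets that occur on both the buy side and the sell side anywhere in the log.
function findDualSideWallets(trades) {
  const buyers = new Set(trades.map((t) => t.buyer));
  const sellers = new Set(trades.map((t) => t.seller));
  return [...buyers].filter((w) => sellers.has(w)).sort();
}

// Quick flips: the same wallet buys an NFT and resells that same NFT within
// `windowSec`. Returns one record per flip with the markup multiple.
function findQuickFlips(trades, windowSec = 24 * 3600) {
  const flips = [];
  for (const buy of trades) {
    for (const sell of trades) {
      const sameNft = sell.nft === buy.nft && sell.seller === buy.buyer;
      if (sameNft && sell.ts > buy.ts && sell.ts - buy.ts <= windowSec) {
        flips.push({
          nft: buy.nft,
          wallet: buy.buyer,
          boughtAt: buy.priceSol,
          soldAt: sell.priceSol,
          markup: sell.priceSol / buy.priceSol,
          secondsHeld: sell.ts - buy.ts,
        });
      }
    }
  }
  return flips;
}

// Fraction of total volume where the buyer or the seller is a dual-side wallet.
function washVolumeShare(trades) {
  const dual = new Set(findDualSideWallets(trades));
  const total = trades.reduce((s, t) => s + t.priceSol, 0);
  const suspect = trades
    .filter((t) => dual.has(t.buyer) || dual.has(t.seller))
    .reduce((s, t) => s + t.priceSol, 0);
  return total === 0 ? 0 : suspect / total;
}

// Stand-alone run over the constructed sample.
console.log(findDualSideWallets(SAMPLE_TRADES), findQuickFlips(SAMPLE_TRADES), washVolumeShare(SAMPLE_TRADES));
```

On the constructed sample the only dual-side wallet is Hw9p21DZ, the flip record shows a 7x markup held for 40 minutes, and the wash share is 100% of volume, which is the same conclusion the table reaches by hand. On a real export the same three functions scale to thousands of rows; the quadratic flip scan is fine at that size but should be indexed by NFT for larger logs.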
MARKETPLACE LINK TO PUFFSTERZ WASH TRADER
orbisonsol.sol purchased an NFT listed by 2ZCQ18 (top Puffsterz wash trader) via marketplace escrow on March 30, 2026. Payment: 0.489 SOL through escrow → 0.457 SOL to 2ZCQ18QjibZZCPfcCesdZ1y2WMmZKd5rKZLyc2sjYGir. The Orbis wallet is buying from the same wash traders that operate in the Puffsterz ecosystem.
SYBIL MINTING + ABANDONED COLLECTION
Only 101 of 777 NFTs minted. Creator retains 38 (37.6%). 43 unique holders. Top 10 control 50.7%.
Sybil evidence: Common funder F7p3dFrj... funded at least 2 different buyer wallets. Seller 9PWP3WVn... both minted AND funded another holder — circular self-buying. Multiple buyer wallets hold ONLY Orbis NFTs (nothing else) — purpose-built sybil accounts to fake demand.
PUFFSTERZ ECOSYSTEM — For Comparison
The connected Puffsterz ecosystem has 320 dual-side wallets controlling 92% of all volume (6,865 SOL / 2,703 trades). SNS domain resolution proved team wallets ARE wash wallets: vibetribe.sol = #1, niftynick.sol = #2, puffsterz.sol = active trader. See the full Puffsterz report.

All Sources & Verification

Every finding can be independently verified. Click any link.
12,000+ on-chain transactions analyzed. 7 evidence tweets verified. 6 wallet addresses traced. 17 red flags documented. All findings independently verifiable.

Security Audit — orbisonsol.io

TECH STACK & INFRASTRUCTURE
Component | Details
Framework | Vanilla JavaScript — no React, Vue, or Next.js. All hand-authored IIFEs. No bundler (no Webpack, Vite, Rollup).
CSS | Custom design system with CSS custom properties. No Tailwind, Bootstrap, or framework.
Hosting | Vercel — US-East (iad1, Ashburn VA). Static files + serverless API functions.
Solana Library | @solana/web3.js v1.98.0 from unpkg.com CDN (no SRI hash)
Wallet Adapter | Custom GOTM Labz Multi-Wallet Adapter v2.1 — NOT standard @solana/wallet-adapter. 2,091 lines. Unaudited.
Backend | Vercel serverless functions. Firebase backend (gotm-labz-4fe07). 10 API endpoints discovered.
RPC Provider | Helius (mainnet) — key leaked via unauthenticated endpoint
Auth System | Custom HMAC token (not standard JWT). Challenge-response with signMessage. Stored in localStorage.
Fonts | Google Fonts — Inter (400-800)
Analytics | None — no Google Analytics, Mixpanel, Segment, Hotjar, Clarity, or any tracking
Cache Strategy | Manual query string versioning (?v=6.6) — no build pipeline, no content hashing
External CDNs | unpkg.com (web3.js), esm.sh (Buffer polyfill), Google Fonts, plugin.jup.ag (Jupiter swap)
Explorers | Orb/Helius (default), Solscan, Solana Explorer, SolanaFM
DeFi Integration | Jupiter Aggregator (swap widget), GeckoTerminal (charts), Cloudflare Stream (video)
Domain Resolution | Bonfida SNS for .sol domains
Domain | orbisonsol.io → www.orbisonsol.io (307 redirect). Less than 2 weeks old at audit.
Legal | ToS governed by UAE/Dubai law. Entity: unnamed ("the Platform"). Copyright: "GOTM Labz Ltd."
Notable: No build pipeline — all JS is hand-authored with manual cache-busting version strings. No analytics at all (unusual for any business). Custom auth token format instead of industry-standard JWT. The entire frontend is vanilla JS without a framework — while not inherently insecure, it means no ecosystem of security patches, no automated dependency updates, and no community-audited code paths. Everything is bespoke, which means every vulnerability is their own.
API ENDPOINTS DISCOVERED (10 total)
Endpoint | Auth? | Purpose
/api/get-rpc-url | NO | Returns paid Helius RPC key to anyone
/api/sol-price | NO | SOL/USD price + 24h change
/api/marketplace | NO | Full collection database (44KB)
/api/mp-gate-public | NO | Maintenance/beta status + whitelist check
/api/stream | NO | Live stream/viewer data
/api/marketplace-votes | NO | Community voting data
/api/auth | Partial | Wallet challenge-response auth (POST only, validates input)
/api/admin-settings | Partial | Admin ops need auth, beta wallet submission does not
/api/marketplace-submit | Partial | Collection submissions (weak validation)
/api/csp-report | NO | CSP violation reports (POST)
6 of 10 endpoints require zero authentication. Method enforcement is properly implemented (405 on wrong HTTP method). No hidden endpoints found at common paths (/api/users, /api/wallets, /api/config all return 404). Admin getSettings properly returns 401.
SECURITY HEADERS
Header | Value | Assessment
Strict-Transport-Security | max-age=63072000; includeSubDomains; preload | Good
X-Frame-Options | SAMEORIGIN | Good
X-Content-Type-Options | nosniff | Good
Referrer-Policy | strict-origin-when-cross-origin | Good
Content-Security-Policy | frame-ancestors 'self'; base-uri 'self'; object-src 'none' | Partial
Content-Security-Policy-Report-Only | script-src unsafe-inline + 5 CDN domains | Not enforced
Permissions-Policy | camera=(self), microphone=(self), geolocation=() | Good
X-Powered-By | Not present | Good
Basic security headers are properly set. The main gap is the CSP — the enforced policy only covers framing and forms. Script protection is in report-only mode (monitoring but not blocking). This is common across Solana dApps but notable for a project handling wallet connections.
VERIFIED FINDINGS
Helius RPC API Key Publicly Exposed
/api/get-rpc-url returns a Helius mainnet RPC key (cc5a****-****-****-****-********33af) to any caller with no auth. Verified live April 9, 2026. Key partially redacted — we are not publishing the full key but anyone can call this endpoint right now and get it. This is a paid resource exposed to the public. Not a direct fund theft vector, but demonstrates basic security negligence from a team asking users to connect wallets. We have not exploited any of these findings. This is a passive audit of publicly accessible endpoints only.
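The defensive alternative to an endpoint that hands out the provider URL is a server-side proxy that keeps the key in an environment secret and forwards only an allow-listed set of read-only JSON-RPC methods. The code below is an added example written for this page; it is not GOTM Labz code. The provider URL and key are placeholders, the method allow-list is a choice for the example, and the upstream call is injected as `forward(url, payload)` so the handler runs offline.

```javascript
// Placeholder for a secret that would normally come from process.env on the server.
const RPC_UPSTREAM = 'https://example-rpc-provider.invalid/?api-key=PLACEHOLDER_SECRET_KEY';

// Pattern A, the one the audit describes: any caller learns the key.
function leakyGetRpcUrlHandler() {
  return { status: 200, body: { rpcUrl: RPC_UPSTREAM } };
}

// Pattern B: a proxy. Only these read-only methods are forwarded; anything
// that moves funds or is expensive is refused before it reaches the provider.
const ALLOWED_METHODS = new Set([
  'getBalance', 'getAccountInfo', 'getLatestBlockhash', 'getTokenAccountsByOwner',
]);
const MAX_BODY_BYTES = 8 * 1024;

// `req` is { method, body }; `forward(url, payload)` performs the upstream call
// and returns the provider's JSON-RPC reply (injected so this runs offline).
function rpcProxyHandler(req, forward) {
  if (req.method !== 'POST') return { status: 405, body: { error: 'method not allowed' } };
  const raw = typeof req.body === 'string' ? req.body : JSON.stringify(req.body ?? null);
  if (Buffer.byteLength(raw) > MAX_BODY_BYTES) return { status: 413, body: { error: 'payload too large' } };
  let payload;
  try {
    payload = JSON.parse(raw);
  } catch {
    return { status: 400, body: { error: 'invalid JSON' } };
  }
  if (!payload || payload.jsonrpc !== '2.0' || typeof payload.method !== 'string') {
    return { status: 400, body: { error: 'malformed JSON-RPC envelope' } };
  }
  if (!ALLOWED_METHODS.has(payload.method)) {
    return { status: 403, body: { error: `method not allowed: ${payload.method}` } };
  }
  // Rebuild the envelope from known fields so extra client keys never reach upstream.
  const upstream = forward(RPC_UPSTREAM, {
    jsonrpc: '2.0', id: payload.id, method: payload.method, params: payload.params ?? [],
  });
  // Only the JSON-RPC result goes back; never the upstream URL or headers.
  return {
    status: 200,
    body: { jsonrpc: '2.0', id: payload.id, result: upstream.result ?? null, error: upstream.error ?? undefined },
  };
}

// Audit-style check: does a response body carry the provider key anywhere?
function responseLeaksKey(resp) {
  return JSON.stringify(resp.body).includes('api-key=');
}
```

Run against the leaky handler, `responseLeaksKey` is true on the first call; run against the proxy, it stays false for every outcome, and a `sendTransaction` request is refused with 403 before any upstream call is made. In a real deployment the proxy still needs per-client rate limiting, since the provider bills the operator for whatever it forwards.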
VERIFIED: Custom Unaudited Wallet Adapter (Real Trust Issue)
GOTM Labz Multi-Wallet Adapter v2.1 — 2,091 lines of custom code, NOT the standard @solana/wallet-adapter used by most dApps. Shared across 130+ GOTM projects. Hardware wallet auth path sends real 0-lamport transactions on-chain (most auth flows only sign messages). No public audit. No drain patterns found in our review — but users are trusting unaudited custom code from an anonymous team with their wallet connections.
VERIFIED: UAE/Dubai Jurisdiction — No Named Entity
Terms of Service governed by UAE law, disputes in Dubai courts. No legal entity named anywhere — only "the Platform and its operators." Contact only through Discord. NFTs held in custodial escrow. Platform can modify terms unilaterally. International users have no practical legal recourse. This is the most significant trust issue for any user considering connecting a wallet.
NOTABLE: CSP Report-Only + No SRI Hashes
Content-Security-Policy is in report-only mode (monitoring, not enforcing). External scripts from unpkg.com and esm.sh loaded without subresource integrity hashes. For context: many Solana dApps have these same gaps — this is common across the ecosystem, not unique to Orbis. But for a project asking users to connect wallets to custom code from anonymous developers, every missing security layer matters more.
VERIFIED: Auth Challenge Nonce Reuse — Replay Risk
Three separate requestChallenge requests for the same wallet returned the identical nonce and timestamp every time. The server caches challenges instead of generating fresh single-use nonces. If a signed challenge is intercepted (network sniffing, compromised CDN, log exposure), it could be replayed to authenticate as the victim. Likely a serverless optimization for Vercel cold starts — but it weakens the challenge-response anti-replay protection that the well-structured challenge format was designed to provide.
VERIFIED: Weak Collection Submission Controls
The collection submission has several gaps: Twitter OAuth starts server-side (/api/oauth-twitter) but the final submission sends twitterVerified: true as a client-set boolean — if the server trusts this without re-validating, verification is bypassable. Submissions also accept verificationMethod: 'none' and wallets default to 'anonymous' if not connected. Legacy collections bypass address validation with a 'legacy:' prefix. Combined: the submission pipeline has multiple points where validation could be skipped.
NOTABLE: Admin Page Structure Visible
/admin returns "Admin Dashboard | GOTM Labz" HTML with login form (requires username + password + authenticator code). The admin functionality IS auth-protected — the login form is visible but actual admin actions require credentials. Sloppy (should redirect unauthenticated users) but not exploitable.
HONEST SEVERITY ASSESSMENT
Finding | Type | Severity
UAE jurisdiction, no legal entity, no recourse | Trust | HIGH
Custom unaudited wallet adapter (130+ projects) | Trust | HIGH
Helius RPC API key exposed publicly | Negligence | MEDIUM
No SRI on external scripts | Best practice gap | MEDIUM
CSP report-only (not enforcing) | Best practice gap | MEDIUM
Hardware wallet auth sends real transactions | Unusual pattern | MEDIUM
Collection submission sends client-set twitterVerified boolean | Weak validation | MEDIUM
Anonymous/unverified submissions accepted + legacy bypass | Weak validation | MEDIUM
Auth challenge nonce reused (not single-use) — replay risk | Protocol weakness | MEDIUM
Wallet session cache reusable across account switches | Logic bug | LOW
Admin HTML served without redirect | Sloppy | LOW
Console.log debug statements in production | Code quality | LOW
Passive audit only — no exploitation. All findings verified from publicly accessible endpoints and source code. April 9, 2026. No wallet drain patterns found in code review. Credentials partially redacted. Our goal is not to hack — it's to inform the ecosystem so users can make educated decisions about who they trust with their wallets.