Investigation #3: 17 Red Flags

Orbis EXPOSED

777 advertised, only 69 actually minted (8.9%). Total volume: 0.08 SOL. All unrevealed. Anonymous team. Whitelabel marketplace. Built by GOTM Labz. Promoted by Puffsterz insiders. Orbis wallet buying NFTs from Puffsterz wash traders. 2-second timing gap proves same operator.

  • 0.08 SOL total volume
  • 69/777 actually minted (8.9%)
  • 2 total trades (both wash)
  • 43 holders
  • 0% verified (ME)
  • 17 red flags
  • 2s timing gap
  • 0 team disclosed
Active Investigation — Evolving & Updating Daily. Some details may not be fully 100% accurate as new evidence emerges. We provide links, proof, and sources for all claims made. We implore anyone to refute any findings with evidence — do your own analysis. This investigation is conducted for the protection of the Solana community.

The Smoking Gun

Orbis (@OrbisOnSOL) launched 777 PFP kittens on Solana on April 7, 2026. The collection uses a burn-to-evolve mechanic (burn 3 commons → rare, burn 3 rares → legendary). It was promoted as a legitimate project.
It's not. Orbis is a whitelabel marketplace template from GOTM Labz — the same infrastructure provider that powers Puffsterz, the Florida smoke shop running youth-targeted NFTs with 320 wash trading wallets and 92% fake volume.
The connection isn't speculation. It's proved through 2-second transaction timing between wallets, shared custom Solana programs, shared fee-paying wallets, coordinated insider promotion, and an inner circle of 3 people who cross-promote everything.
THE THREAD: Swiss (Puffsterz CTO) promoted Orbis as "ALPHA." Daze (25K followers, @puffsterznfts in bio) was the first account to shill Orbis — minutes after its first tweet. Rico (@moon_blaze_) built the infrastructure. GOTM DAO lists Puffsterz and VibeTribe as official partners. The same fee-paying wallets service both ecosystems. A rare custom program (LUCK57) is used exclusively by Puffsterz and Orbis wallets. It's all one operation.
ORBIS MARKETPLACE — WHAT'S ACTUALLY LISTED (Live API Pull, April 16, 2026)
We pulled Orbis's own /api/marketplace endpoint (action=getCollections) directly. The result: 63 collections listed — and every single one belongs to or is being used by the same network. Raw API response archived here. The split is:
  • 3 admin-sourced — pushed in manually by the Orbis/GOTM team: gotm-labz, gainz, puffsterz. The literal core of this investigation.
  • 30 "submission"-sourced — community submissions, but the community submitting is the same network amplifier pool (Fuddy Dogs, MidEvils, MNK3YS, ZMB3YS, Donk, Haxz, LP Dollz, MOB, Stoned Apes, Nuked Apes, Solnautz, VINCENIA, iconito, Goofy Giraffes, D1srupt0rs, B & H Club, Capolavoro Family DAO, Rilegato Family DAO, SOLdiers of the $OATH, SOLdier's of the $Empire, Don's of the $Empire, The Northlanders, Solarians, The Pandarianz, Blubbie Badges, Owltopia, and more). None of these submitted themselves to Magic Eden or Tensor first — they chose the network's whitelabel.
  • 30 "discovered"-sourced — a mix of deeper network projects (BASC, Abducted BASC, BASC OG PASS, BASC x Senshi, Vibe Tribe, sodead, Sensei, THC Labz, XElementia, Rafflors, MAGApixel, DEVILS, Geeks, Frens Factory, Cyber Frogs, Dead King Society, Dead King Society Nobles, Caporegime Del $Empire, Wegenettes, Planet Kaiju, ENCHANTED MINERS, Big Cats, Abducted BASC) plus a handful of blue-chip legitimate collections scraped in without consent (Okay Bears, DeGods, Galactic Geckos, SolPunks, Meegos, Blocksmith Labs, sharx by sharky.fi, Bored Ape Solana Club) used as decoys to give Orbis the optical weight of a real marketplace. The legitimate projects were never asked.
Read that again: zero collections on Orbis chose Orbis organically as an independent marketplace. Every listing is either (a) the network's own project, (b) a network buddy submitting from inside the GOTM DAO / raid pool, or (c) a well-known Solana collection pulled in by Orbis without permission to dress the shop window. There is no fourth category. There is no outside, independent project that found Orbis on its own merits and listed with it.
Only THREE collections are "admin"-sourced (manually pushed in by the Orbis/GOTM team): gotm-labz, gainz, puffsterz — the exact three collections at the core of this investigation. The marketplace operators promoted only their own network's projects; every other collection was either user-submitted or scraped from public data.
The homepage "Featured" slot is weaponized: Of 5 featured collections, 3 are network projects: BASC, MOB (only 15 lifetime sales / 4.02 SOL volume), ENCHANTED MINERS (13 sales / 1.42 SOL volume). No organic marketplace would feature collections with <5 SOL lifetime volume. Okay Bears and DeGods are the other two featured — blue-chip legitimacy props. BASC is flagged source=discovered but featured=true — a hand-picked elevation, not an organic ranking.
The network collections listed on Orbis (sample): BASC, BASC OG PASS, Abducted BASC, BASC x Senshi, Puffsterz, Vibe Tribe, GAINZ, GOTM Labz, THC Labz | The Growerz, MOB, sodead, Sensei, Donk, Haxz, MidEvils, XElementia, LP Dollz, Rafflors, ZMB3YS, MNK3YS, Nuked Apes, Stoned Apes, iconito, VINCENIA, Solnautz, D1srupt0rs, Fuddy Dogs, SOLdiers of the $OATH, SOLdier's of the $Empire, Don's of the $Empire, Caporegime Del $Empire, Capolavoro Family DAO, Rilegato Family DAO, Dead King Society, Dead King Society Nobles, The Northlanders, Goofy Giraffes, ENCHANTED MINERS, The Pandarianz, Wegenettes, B & H Club, Owltopia, Blubbie Badges. The same tagging, retweeting, and follow pattern runs through every one of these on X — same amplifier pool, same giveaway raiders, same GOTM DAO sponsorship language, same "Grand Rising" writing style. It's one network laundering volume across 40+ tickers.
The marketplace cannot actually trade. Every individual collection page (orbisonsol.io/marketplace/bascv2, /marketplace/puffsterz, /marketplace/okay-bears, /marketplace/degods — all of them) returns HTTP 503 "Pushing Updates — We're rolling out improvements. The marketplace will be back shortly." The index renders a list of 63 collections; the actual trading UI is permanently "maintenance." Users get directed here from GOTM Labz's site, see legitimate collections in the grid, and never get past the landing.
No collection pays for a premium "orbs" tier. All 63 collections sit on orbsTier: "default". The monetization mechanism Orbis advertises is functionally dead — zero paying customers.
100% GOTM Labz code under the hood: The wallet adapter is literally labeled "GOTM Labz - Multi-Wallet Adapter (v2.1 - iframe bridge)". Authentication uses gotm_auth_token. The wallet object is window.GOTMWallet. Images served from img.gotmlabz.io. CSS uses gotm-wallet-styles. This is not an independent marketplace — it's a GOTM Labz whitelabel with Orbis branding.
Misleading "Partners" section: The GOTM Labz website lists Orbis as a "Partner" alongside Jupiter, Phantom, Solana, Metaplex, Ledger, and Helius — major platforms with billions in TVL. GOTM's own whitelabel is presented as a peer to these legitimate entities with no evidence any of them consented to the association.
GO LOOK YOURSELF — SAME PFPS, SAME AMPLIFIERS, SAME NETWORK
Don't take our word. Take 5 minutes and click through these accounts.
Open any three of the network project accounts below and scroll their replies and quote-tweets. Then open @BoredApeSolClub and @puffsterznfts and scroll their replies. You will see the same handles, the same ape / smoking-skull / GM-emoji PFPs, the same "Grand Rising" and "Ape Strong Together" replies, and the same giveaway-raid shape on every single post. One pool of accounts services all 40+ collections.
Project accounts on Orbis you can compare side-by-side:
@OrbisOnSOL (Orbis marketplace)
@GotmLabz (GOTM Labz)
@BoredApeSolClub (BASC)
@puffsterznfts (Puffsterz)
@VibeTribe_NFT (Vibe Tribe)
@GAINZNFTs (GAINZ)
@XElementia (XElementia)
@dak_daze (operator)
@GooseTheBAYC (dak_daze alt)
@SWISS_SOL (Puffsterz CTO)
@moon_blaze_ (Rico — infra)
@BASC_SuitsDAO
@BASC_ZombieDAO
@RoboXDao
@SolDonkeyverse
Amplifier pool — these exact accounts appear under Orbis, Puffsterz, BASC, GAINZ, Vibe Tribe, and GOTM posts:
@Adammcg20 — GAINZ mod + GOTM DAO team + SolDonkeyverse co-founder (triple-role insider)
@Noba_Sol — paid raider (publicly said he got 3,000 $GOTM for raiding GAINZ holders)
@Omerta_SOL — GOTM partner, wallet controlling 55% of Puffsterz listings also trades Omerta
@SolanaSensei — $GOTM allocation recipient
@pArtySHIP1202 — holds BASC + GAINZ, shows up on every raid
@NikkoNikko_BZC — "Congrats Brother Dak" cheerleader
@lyyonss8 — confirmed coordinated amplifier
@DralcorSol — confirmed coordinated amplifier
@Solana_Pure — 95% giveaway tweets, professional raid service
@AGNI_X_TRIBE, @AKASHA_X_TRIBE, @APAS_X_TRIBE, @BHUMI_X_TRIBE, @VAYU_X_TRIBE — 5 tribal accounts ALL created within 53 minutes on Feb 24, 2025
Visual tells to look for: the same ape-in-a-helmet / ape-with-3D-glasses / smoke-skull / GM-palm-tree / pixel-ape PFPs keep recycling. When you see an account with <2,000 followers, a BASC or Puffsterz PFP, a bio full of project tickers ($GOTM, $GAINZ, $PUFF, $DAZE), and nothing but giveaway replies and "GM fam 💜💙" tweets — you're looking at the same amplifier pool hitting a different collection. Cross-check the handle: the odds it also replied under @BoredApeSolClub or @puffsterznfts within the last week are near 100%.
Paid-raid proof: @Noba_Sol posted — "JUST RAIDED A BUNCH OF @GAINZNFTs HOLDERS AND WOKE UP TO 3K $GOTM SITTING PRETTY IN MY WALLET. No farming, no grinding... literally just raiding the fam and the team blessed us." The "engagement" on every collection listed above is not organic — it is paid in $GOTM tokens.
Take the 5 minutes. Open two tabs. Compare the replies on any Orbis-listed collection's last five promotional tweets against BASC's and Puffsterz's. The handles overlap, the PFPs overlap, the copy-paste "Let's GOOO fam 🦍💜" replies overlap. It's one operation, 40+ fronts.
ON-CHAIN PROOF — SHARED UPDATE AUTHORITIES PROVE SAME OPERATOR (Helius getAssetBatch, April 16, 2026)
We ran the full 63 collection addresses through Helius's getAssetBatch API to read on-chain update authority and creator lists for each collection. Raw per-collection audit saved here. The results prove direct operator control, not coincidence.
Cluster #1 — One wallet controls the 5 "$Empire / Family DAO" collections
Update authority xbWUT2Z3DWUrc4f65keHjntdtXiD7ov8d4Wj11yuBh8 (Solscan) signs for all five:
  • Caporegime Del $Empire: BzJea2jNqDByBjg99ZaopGYKngK5DnnvuYM1NtkhXmw4 (source=discovered, 462 sales)
  • Capolavoro Family DAO: 7MVyhppK4z3ciuyNbdoMcDYv1pyX2tF3C2gUGtvbW8yX (source=submission)
  • Don's of the $Empire: 8YQ5o3H2V2wncJXdQhYquyeaHvFs6Y1kUuXdNVHaMnyc (source=submission)
  • SOLdier's of the $Empire: 4VJ9JV5Do8aF4p2SB76a2jQWqxfQwyMd3sttRjVNx3gT (source=submission)
  • Rilegato Family DAO: 2VdBsMiCP4uWKwKbjFGgTcrKyr3cKFBVgdq4iD6k6ec3 (source=submission)
Two additional creator wallets — 9sVBzX6K4sWVHveUpWQB1gCuynev33reuNu44b4bndHY and 7fbTFdE6LUN2jEGBsLhEZkdRi5bXiqPWLBUtTNwJW5fU — are listed as creators on all 5. The "community submissions" are the operator's own wallet, just wearing different project hats.
Cluster #2 — One wallet controls the 3 BASC-branded collections
Update authority BasC5At2AGkUi2ApemqAgmfPUUSRP76VjWi9Jek8uLrZ (Solscan) signs for:
  • Bored Ape Solana Club (the original, OG): aLs8rXD8NoYwgnCFzBofsGdwaocePAkzT1UFX1WmwaR
  • Abducted BASC: CSdUNzJQvRG8Lr5Xdx9ym79VQNfxPpQ54sMVvz4yRjs3
  • BASC x Senshi: EXuwbsmQ39esUJGegGW2bDaPKd5EYs481yMCrchXSCzS
Cluster #3 — dak_daze's BASC V2 authority also signs BASC OG PASS
Update authority Fqg9mbiNAFD8jGzMztjJuSN2twoMUP8nvFmg1wCsCZWG (Solscan) signs for:
  • BASC (V2, dak_daze's rebrand): 8kYjcqW5kd77RS6twFKMXbP59bGUfC1sC3uvGkBRS6T9 (also featured on the Orbis homepage)
  • BASC OG PASS: CXDsaxc7yqUbwb6zKb9vGScFVZA89DLBsG7pK9JHTD9c (1,414 sales, 3,639 SOL cycled)
Cluster #4 — MNK3YS and ZMB3YS share a creator
Creator AvJh8APTTpDKhWprQ8Y2dbcoxT9RmSwchvQroajZNmyt (Solscan) is listed on both MNK3YS and ZMB3YS — both use the identical numeric-E stylization in their name. Submitted separately, same operator.
The pattern is consistent: collections labeled "submission" (user-submitted) and "discovered" (scraped) share update authorities on-chain. Under Solana's metadata program (Metaplex Token Metadata), the update authority is the wallet that signed to create the collection and remains the sole party that can mutate its metadata. That wallet signing for five different "community DAOs" is not community — it is one operator running five fronts.
Plain-English summary: The Orbis operator (GOTM Labz) submitted their own five-collection cluster as "community submissions," then listed them on the marketplace they built. The five "$Empire" collections were never independent projects — they are one wallet's product line laundered through the Orbis submission form.
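The clustering this section does by hand (collections tagged "submission" or "discovered" that share an update authority or creator) can be automated from the same DAS data. The following is an added example, not the investigation's own tooling or any GOTM/Orbis code; the records imitate the authorities/creators arrays of Helius DAS getAssetBatch responses, and every address, collection name and source label in the sample is constructed.

```python
"""Cluster NFT collections that share on-chain control (update authority or
verified creator). Added example for this write-up, not code from the
investigation or from GOTM/Orbis. Records imitate the ``authorities`` and
``creators`` arrays of Helius DAS getAssetBatch; every address, name and
source label below is constructed."""
from collections import defaultdict

INDEPENDENT_LABELS = ("submission", "discovered")  # marketplace source tags


class DisjointSet:  # minimal union-find keyed by collection id
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def control_addresses(asset, verified_creators_only=True):
    """Addresses that evidence control of a collection. Update authorities
    always count; creators count only when ``verified`` is set, because the
    update authority can write any address into an unverified creator slot
    without that wallet signing, so an unverified creator is a claim, not proof."""
    addrs = {a["address"] for a in asset.get("authorities", [])}
    for c in asset.get("creators", []):
        if c.get("verified") or not verified_creators_only:
            addrs.add(c["address"])
    return addrs


def shared_control_clusters(assets, min_size=2, verified_creators_only=True):
    """Group collections that share any control address. Returns clusters,
    largest first, each with its members, the linking addresses (shared by at
    least two members) and the members whose source label says 'independent'."""
    by_id = {a["id"]: a for a in assets}
    holders = defaultdict(list)  # address -> ids of collections exposing it
    for a in assets:
        for addr in control_addresses(a, verified_creators_only):
            holders[addr].append(a["id"])

    ds = DisjointSet()
    for ids in holders.values():
        for other in ids[1:]:
            ds.union(ids[0], other)

    groups = defaultdict(list)
    for cid in by_id:
        groups[ds.find(cid)].append(cid)

    clusters = []
    for members in groups.values():
        if len(members) < min_size:
            continue
        members = sorted(members)
        member_set = set(members)
        clusters.append({
            "collections": members,
            "links": sorted(addr for addr, ids in holders.items()
                            if len(member_set.intersection(ids)) >= 2),
            "labelled_independent": [c for c in members
                                     if by_id[c].get("source") in INDEPENDENT_LABELS],
        })
    clusters.sort(key=lambda c: (-len(c["collections"]), c["collections"]))
    return clusters


def _asset(cid, source, authority, creators):
    """Build a DAS-shaped record from compact constructed values."""
    return {"id": cid, "source": source,
            "authorities": [{"address": authority, "scopes": ["full"]}],
            "creators": [{"address": a, "share": s, "verified": v}
                         for a, s, v in creators]}


# Constructed sample: three "independent" listings share one update authority
# (plus chained creators); two more share only a creator; Indie-F lists the
# first authority as an UNVERIFIED creator and must not be linked by default.
SAMPLE_ASSETS = [
    _asset("FamilyDAO-A", "submission", "UpdAuth_ONE", [("Creator_X", 100, True)]),
    _asset("FamilyDAO-B", "submission", "UpdAuth_ONE",
           [("Creator_X", 50, True), ("Creator_Y", 50, True)]),
    _asset("Empire-C", "discovered", "UpdAuth_ONE", [("Creator_Y", 100, True)]),
    _asset("Apes-D", "submission", "UpdAuth_TWO", [("Creator_Z", 100, True)]),
    _asset("Apes-E", "discovered", "UpdAuth_THREE", [("Creator_Z", 100, True)]),
    _asset("Indie-F", "submission", "UpdAuth_FOUR", [("UpdAuth_ONE", 100, False)]),
]

if __name__ == "__main__":
    for c in shared_control_clusters(SAMPLE_ASSETS):
        print(len(c["collections"]), "linked via", c["links"], "->", c["collections"])
```

Passing verified_creators_only=False pulls Indie-F into the first cluster through its unverified creator slot, which is exactly the false positive the default guards against.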
ON-CHAIN EVIDENCE VAULT — IDENTITY, HOLDINGS, AND WASH-TRADE BURSTS
Stoned Apes authority starts with "PUFFgn" — literal vanity-prefix link to Puffsterz
The Stoned Apes collection update authority is PUFFgnKKhQ23vp8uSPwdzrUhEr7WpLmjM85NB1FQgpb (Solscan) — the wallet is a "PUFF" vanity address (addresses starting with "PUFFgn" are hand-generated by brute force, costing hours of compute — nobody does this by accident). The same wallet holds an "Anyside stonedapes" NFT confirming direct operation. It also heavily holds the AlphaLabs collection (6 of first 15 assets) — another linked project. This is the on-chain signature that ties Stoned Apes directly to the Puffsterz operator.
GAINZ authority holds BASC x Senshi NFTs
The GAINZ update-and-creator wallet BZeN8afPfZNt33FiLmyVvzYm9xhzHtgXjaEJzZ2A8tru (Solscan) holds only 11 NFTs total — but two of them are BASC x Senshi #1111 and BASC x Senshi #725. An operator's tiny operational wallet holding BASC x Senshi proves GAINZ and BASC x Senshi share the same hand.
$Empire cluster wallet holds "$Empire Bonds Series GOTM1" — direct GOTM linkage
The Empire authority xbWUT2Z3DWUrc4f65keHjntdtXiD7ov8d4Wj11yuBh8 (Solscan) holds 33 assets. Among them: "$Empire Bonds Series GOTM1", "$Empire Bonds Series BA2," "$Empire Bonds Series LDZ2," "MFI.EXPERT PASS," plus "Caporegime Del $Empire" itself (self-holding the collection it controls). The "GOTM1" bond series is a direct naming tie to GOTM Labz. It is not a coincidence — the same wallet that runs 5 "independent" Empire DAOs issues bonds explicitly branded as GOTM.
Second Empire creator wallet holds Capolavoro + Northlanders + Empire Bonds — cluster extends beyond 5 collections
Creator 7fbTFdE6LUN2jEGBsLhEZkdRi5bXiqPWLBUtTNwJW5fU (Solscan — 10.09 SOL, 1,023 NFTs) holds Capolavoro #121, NORTHLAND #661 (The Northlanders, also on Orbis), $Empire City Bond Series AC #278 & AD #236, Drifter #1090, Pixel GMers #14151. The Empire creator wallet also holds one of the Orbis-listed "independent" collections — The Northlanders is also in the Empire cluster, bringing it to at least 6 collections under one operator.
DEVILS authority self-holds 18% of DEVILS supply (487/2666)
DEVILS update authority HvzG2L2tsDebzw4mUiUaajLsioo9T8LAw97gNV1z4Fta (Solscan) holds 487 assets, almost every one a "DEVIL #XXX" NFT — that is 487 of 2,666 total supply (18.3% held by the operator). Legitimate collections don't have the project owner hoarding nearly a fifth of supply — it's wash-trade ammunition.
DEVILS counterparty wallet holds MidEvil #2036 — links DEVILS to MidEvils
DEVILS authority's second-largest counterparty Fc6PmKWH8rt8fcJMxFmjP5WFZcuv9ZnwSymxVvLJo6b1 (Solscan) holds 936 NFTs — mostly DEVIL #XXX along with MidEvil #2036. DEVILS and MidEvils are on the same network; MidEvils' 13,708 SOL "volumeAll" on Orbis is Magic Eden historical bleed-through, not organic Orbis activity.
dakdaze.sol holds NFTs from at least 7 Orbis-listed collections
Wallet 5Ym11hxchmmCLrzE6SUCed2X524EStXbAysnzenR2yGP (Solscan, a.k.a. dakdaze.sol / goosethebayc.sol) holds 1,804 NFTs, including: Bored Ape Solana Club #2236, Haxz #2533, GAINZ #1943, BASC #7655, Vibe Tribe #302, The Vincenia #2393, BASC #2537, Okay Bear #2319, Okay Bear #7425, Degen Trash Panda, Hermans, Portal Beast. Dak_daze himself holds pieces of every major network collection — and of one of the "independent submission" ones (The Vincenia).
Blubbie Badges is a fake "collection" — 1 wallet holds 100% of supply
Blubbie Badges has 44 total supply and ONE wallet owns all 44: 8BFhY6tqrDT8u6nJwnEZsznjkmP9PWENuugYHBvpKHN (Solscan). It was listed on Orbis as a "community submission." It has zero sales, zero traders. It's a placeholder pushed onto the marketplace to pad the collection count.
Caught red-handed: SOLdier's of the $Empire — 10 wash trades in 178 seconds (2026-04-14 22:24-22:27 UTC)
The Empire authority xbWUT2Z3... executed 10 consecutive CoreExecuteSaleV2 / BuyV2 transactions through Magic Eden v2 into the SOLdier's of the $Empire collection over 178 seconds. Three sample signatures:
SOLdier's of the $Empire has salesAll=14 total — meaning ~71% of its lifetime sales are this 178-second self-buying burst.
Caught red-handed: MNK3YS / ZMB3YS — 11 ME MMM pool fills in 11 minutes (2026-04-16 08:05-08:16 UTC)
Creator AvJh8APTTpDKhWprQ8Y2dbcoxT9RmSwchvQroajZNmyt (Solscan) ran 11 rapid SolMplCoreFulfillBuy ME MMM operations today (April 16, 2026) between 08:05 and 08:16 UTC — a pre-market-open wash burst to spike the day's volume numbers. Both MNK3YS and ZMB3YS had previousFloorPrice7d=0 meaning they were both newly activated within the last week.
Single wallet top-holds both Rilegato AND Capolavoro
Wallet GpLGmd7Hy7o2mvrXXnNXjV8jBGfCTLLVPYdrENYakiCG (Solscan) owns 105/888 (11.82%) of Rilegato Family DAO AND 34/444 (7.66%) of Capolavoro Family DAO — same wallet, two different "Family DAO" collections, both in the Empire cluster. The "community" is one wallet.
Severe holder consolidation on multiple collections
  • Geeks: top holder DTc5gaAs... owns 267/1000 (26.7%)
  • Mutants On Sol Crew: top holder Ekv3uGPg... owns 223/1000 (22.3%)
  • Loud Lords: top holder EAScdS5d... owns 210/1000 (21.0%) — AND 34 of the collection's 35 lifetime sales occurred in the last 24 hours (pump in progress)
  • SOLdier's of the $Empire: top holder 4Fo8qRnC... owns 106/1000 (10.6%)
Orbis has no on-chain sale program — verified April 16, 2026 across 8 sample collections
We pulled recent transaction signatures via Helius DAS for sample NFTs in 8 Orbis-listed collections (BASC, BASC OG PASS, Puffsterz, GAINZ, GOTM LABZ, MidEvils, sodead, MNK3YS), then decoded each transaction to read the actual on-chain program IDs called. Result: 100% of sale transactions routed through Magic Eden or Tensor — zero through any Orbis-owned program.
Per-collection sample (recent ME-routed sales counted):
Programs detected: M2mx93ekt1fmXSVkTrUL9xVFHkmME8HTUi5Cyc5aF7K (Magic Eden v2), mmm3XBJg5gk8XJxEKBvdgptZz6SgK4tXvn36sodowMc (Magic Eden MMM Pool), CMZYPASGWeTz7RNGHaRJfCq2XQ5pYK6nDvVQxzkH51zb (Magic Eden v1 legacy), TSWAPaqyCSx2KABk68Shruf4rp7CxcNi8hAsbdwmHbN (Tensor). Zero Orbis-owned programs called in any sample tx.
Raw verification data: orbis-uses-magic-eden-verified.json. Re-runnable by anyone with a Helius / public RPC key.
Implication: the "volumeAll" / "salesAll" stats shown on orbisonsol.io are Magic Eden's historical numbers, scraped and re-displayed as if Orbis were the venue. Example: MidEvils reports 13,708 SOL volumeAll on Orbis — but its top holder is the ME escrow 1BWutmTv... with 50 parked listings, and every actual MidEvils sale this week routed through Magic Eden. Orbis is a display layer over Magic Eden's data.
GOTM Labz publishes its own customer list — naming the "independent" collections as its own
The GOTM Labz documentation site at wp.gotmlabz.io/llms-full.txt explicitly lists these projects as GOTM customers: GAINZ, MOB, XELEMENTIA, BASC, PUFFSTERZ, RAFFLORS, THC LABZ, VIBE TRIBE, KUPS, VTOPIA, FRENS. Not a rumor or a third-party allegation — this is GOTM's own published doc naming the collections they staff. Every one of those is listed on Orbis. Several are submitted as "community" projects. The marketplace operator pretends its customers are independent.
52% of Orbis collection logos are hosted on GOTM Labz's own Firebase Storage bucket
Of the 63 Orbis collections, 33 serve their marketplace logo from storage.googleapis.com/gotm-labz-4fe07.firebasestorage.app/marketplace/... — GOTM Labz's private Firebase project. Including BASC, BASC OG PASS, Abducted BASC, BASC x Senshi, Puffsterz, GAINZ, GOTM LABZ, MNK3YS, ZMB3YS, Rafflors, sodead, Stoned Apes, Nuked Apes, MOB, Caporegime Del $Empire, Don's of the $Empire, Dead King Society, Dead King Society Nobles, XElementia, Cyber Frogs, Vibe Tribe, Donk, DeGods, Okay Bears, and more. A marketplace that's genuinely independent pulls asset URLs from the project's own CDN — not from its own private storage. This proves GOTM Labz hand-uploaded the artwork for over half its "marketplace" collections.
Cluster #5 — One creator wallet (GLDEt...) controls the entire BASC brand
Creator wallet GLDEtDiEmpPGBksEbxsu8Ljr9UaDgC3QUk5xnkN7N7WA (Solscan) is the 100%-share creator on Bored Ape Solana Club, BASC OG PASS, and Abducted BASC — and a 50%-share creator on BASC x Senshi. One wallet, the entire BASC-branded product line. "Abducted BASC" and "BASC x Senshi" were pitched as independent partnership collections — they are in-house.
Vibe Tribe's own bio admits it's under Puffsterz
@VibeTribe_NFT's X bio literally reads "under the @puffsterznfts umbrella". Not implied — stated outright. Vibe Tribe is pitched on Orbis as an independent project under source=discovered. Its own bio says it is a Puffsterz sub-project.
14 Orbis collections are direct BAYC-template derivatives with ≥4 shared trait categories
Sampled via Helius DAS (1 asset per collection): BASC, BASC x Senshi, Abducted BASC, MNK3YS, ZMB3YS, Owltopia, Stoned Apes, DEVILS, GAINZ, THC Labz, sodead, Wegenettes, The Pandarianz, Fuddy Dogs all use the same BAYC trait template (Background / Fur / Eyes / Mouth / Clothes / Hat / Earring) and the same shoulders-up portrait composition. MNK3YS and ZMB3YS are visibly the same generator with reskinned layers. Stoned Apes and Nuked Apes re-use the same ape body template with different skins. It's one art pipeline fanning out into 14 "different" projects.
Empire cluster visual identity matches authority cluster
The 5 Empire/Family DAO collections that share on-chain authority xbWUT2Z3... also share a single art pipeline: Caporegime, Capolavoro, Don's, SOLdier's, Rilegato all use the trait template Skins / Family / Outfit / Head / Eyes / Mouth / Background with identical line weights, identical shirt/collar drawing, and identical eye geometry. Many sampled images share Last-Modified: 2026-04-16 21:03-21:04 UTC — produced in the same batch.
Notable: one Binance hot wallet keeps appearing in the intermediate funder chains
Four-hop funder traces on the 18 suspect collection authorities surfaced the same Binance hot wallet — 2ojv9BAiHUrvsm9gxDe7fJSzbNZSJcxZvf8dqmWGHG8S — as an intermediate funder in multiple traces, including: Dead King Society auth (hop 5), DKS Nobles auth (hop 5), Okay Bears creator (hop 3), Cyber Frogs auth (hop 5), Planet Kaiju creator (hop 3). The same wallet was the destination of the ~999.99 SOL laundering chain from the 2022 BASC rug (documented separately: BoredDragon rug wallet HzfMfjCce... → intermediary C1YXc9hw... → this Binance deposit).
Important caveat: Binance hot wallets serve millions of users. One hot wallet appearing across unrelated traces is consistent with "lots of people cash out via Binance" and does not by itself prove these projects share an operator. It does narrow the KYC-subpoena target: the 2022 BASC rug exit deposit of ~1,000 SOL to this wallet on March 23, 2022 is a specific, identifiable transaction that would be unambiguous to trace with exchange records.
Orbis lists legitimate Solana collections without their consent
Orbis's source=discovered flag is marketplace code for "scraped via data aggregator, not submitted by the project." The discovered set includes blue-chip Solana collections — Okay Bears, DeGods, GGSG: Galactic Geckos, SolPunks, Cyber Frogs, Meegos, Blocksmith Labs, sharx by sharky.fi, Planet Kaiju, Bored Ape Solana Club (original), Frens Factory, MidEvils, sodead, Dead King Society, Rafflors — alongside the network's own product line. A fair marketplace lets projects opt in. Orbis's "inventory" is padded with real collections that never agreed to be there, to make the marketplace look full while the operator's own cluster runs the wash trades in the adjacent rows.
Raw on-chain data files (JSON, fetched via Helius getAssetBatch / getSignaturesForAddress / getAssetsByOwner):
THE BOTTOM LINE

You trust an anonymous team to build a marketplace and handle your wallet connections? Their paid Helius RPC API key is publicly exposed through an unauthenticated endpoint — anyone can call it and use their infrastructure for free. That is basic security negligence from a team asking you to connect your wallet.

Their wallet adapter is custom unaudited code — NOT the standard @solana/wallet-adapter that most dApps use. 2,091 lines shared across 130+ projects. We found no drain patterns in our review, but you are trusting unaudited code from anonymous developers every time you connect. Hardware wallet auth sends real transactions on-chain instead of just signing messages — an unusual pattern most legitimate projects avoid.

Their Terms of Service are governed by UAE law with disputes in Dubai courts. No legal entity named anywhere. No email. No physical address. Contact only through Discord. They can modify terms at any time with no notice. You have zero practical legal recourse if something goes wrong.

Some of their security gaps — report-only CSP, no SRI hashes — are common across Solana dApps. But when those gaps exist alongside anonymous developers, no audit, UAE jurisdiction, and a leaked API key, the picture is clear: this team does not take security seriously, which means they do not take your funds and safety seriously.

Note: All findings are from a passive audit of publicly accessible endpoints and source code. We have not exploited any of these findings and API keys are partially redacted — publishing full credentials is not our job or our goal here. Our goal is to expose the scams, the rugs, and the incompetence so you — the market, the users, the ecosystem — have the information you need to decide whether to support these projects with your wallets and your money. Do your own research. We just made it easier.

17 Red Flags

1. Anonymous team — zero names, zero doxxed individuals, no company registration
2. NOT verified on Magic Eden — legitimate projects always verify
3. NO social links on Magic Eden listing — no Twitter, Discord, or website linked
4. All 777 NFTs "Unrevealed" — holders received placeholder images, not actual art
5. primarySaleHappened = false — NFTs bypassed normal public minting process
6. 0.08 SOL total volume — from just 2 trades, both wash trades of the same NFT
7. Dual-side wallet Hw9p21DZ... bought at 0.01 SOL, immediately resold at 0.07 SOL
8. 100% royalties to single wallet: 4fPCDZby... — all revenue to one address
9. Whitelabel site — orbisonsol.io is a GOTM Labz marketplace template with zero project info
10. Insider promotion — Daze is a GotmLabz website testimonial promoting Orbis without disclosure
11. $ORBIS on Pump.fun — a token at 5sJvLj5P...pump exists on memecoin launcher
12. Coinbase-funded — orbis.sol funded with 42 SOL traced back to Coinbase hot wallet
13. @orbisonsol follows only 1 account — deliberately anonymous, 5 total tweets
14. Listings at 38x floor — 5 SOL listings vs 0.13 SOL floor suggests manipulation
15. No sitemap, no .well-known — rushed deployment, minimal infrastructure
16. Burn mechanic on unrevealed art — promising evolution for NFTs that don't even have artwork yet
17. Connected to proven fraud — same network as Puffsterz (320 wash wallets, 92% fake volume)

The Connection to Puffsterz

THE INNER CIRCLE — 3 People Connect Everything
Swiss (@SWISS_SOL): C.T.O. of Puffsterz/VibeTribe
  • Promoted Orbis: "M.A.P. just got an update. @OrbisOnSOL is ALPHA"
  • Promoted GAINZ: "Where's the @GAINZNFTs fam at??" with $GOTM tag
  • Tagged Rico in GAINZ Spaces. Thanked Daze for NFT gifts.
Daze (@dak_daze): 25K followers / First Orbis shill
  • Bio includes @puffsterznfts AND @GAINZNFTs.
  • First to promote Orbis: "If only @OrbisOnSOL existed. Oh wait, it does."
  • BASC team leader (took over after rug pull). GotmLabz testimonial.
Rico (@moon_blaze_): GOTM Labz founder
  • Bio: "Founder @GotmLabz web3 solutions & @GAINZNFTs"
  • Built burn2mint used by Orbis. Brands as "GOTM Labz Ltd" on products but NOT registered in UK Companies House. Actual legal entity unidentified.
  • Posted "Appreciation post for Puffsterz founder" (Feb 2025). Hosts BASC staking for Daze.
  • Team wallet: rPZHrBoqsLi6gcTJ7Z6Un4UBA24C3m4VvcBdYEhADn9 (gotm_team.sol)
EVIDENCE TWEETS
1. Swiss (March 29, 2026): "M.A.P. just got an update. @OrbisOnSOL is ALPHA"
2. Daze (March 9, 2026): "If only @OrbisOnSOL existed. Oh wait, it does. See you there. Follow, Screenshot, Reply, Drop Wallet." — posted minutes after Orbis's first tweet
3. Daze (March 9, 2026): Quote-tweeted Orbis "Orb Initiating" video with eyes emojis
4. Savage (March 10, 2026): "Just another day holding @GAINZNFTs. R U following @OrbisOnSOL yet?"
5. Swiss (Dec 27, 2024): "S/O to @dak_daze for such a generous gift. Consider them off the market for good"
6. Swiss (Feb 1, 2025): "Where's the @GAINZNFTs fam at??" with $GOTM hashtag + mint link
7. Swiss (Feb 15, 2025): Tagged @moon_blaze_ (Rico) directly in GAINZ NFTs Spaces promotion
EVIDENCE IMAGES — Tweet Screenshots & NFT Data
[Screenshot] Swiss promoting Orbis as ALPHA. Swiss: "M.A.P. just got an update. @OrbisOnSOL is ALPHA" (X, March 29, 2026)
[Screenshot] Daze first Orbis shill with insider language. Daze: "If only @OrbisOnSOL existed. Oh wait, it does." (X, March 9, 2026)
[Screenshot] Savage linking GAINZ NFTs to Orbis. Savage: "Just another day holding @GAINZNFTs. R U following @OrbisOnSOL yet?" (X, March 10, 2026)
[Screenshot] Swiss thanks Daze for NFT gift. Swiss: "S/O to @dak_daze for such a generous gift" (X, Dec 27, 2024)
[Screenshot] Swiss promotes GAINZ NFTs with GOTM hashtag. Swiss promotes GAINZ + $GOTM — same ecosystem (X, Feb 1, 2025)
[Image] Orbis NFT unrevealed placeholder. All 69 minted Orbis NFTs look like this — "Unrevealed" placeholder (from the Irys gateway; also visible on Magic Eden)
ON-CHAIN PROOF — Same Operator
2-SECOND TIMING GAP: On April 6, 2026 at ~19:20 UTC, puffsterz.sol transferred 5,000 P4L tokens while orbisonsol.sol simultaneously placed a bid on Magic Eden. Two seconds apart. Same person, two browser tabs.
LUCK57 CUSTOM PROGRAM: A deployed, upgradeable Solana program (LUCK57mxzZiRGF2PdHAY79P6tZ8Apsi381tKvBrTdqk) used by BOTH vibetribe.sol (8 times) and orbisonsol.sol (4 times). No other wallets use it. Upgrade authority: 9GWPeu3cBfkGSEit6HMaAFKswoirxqgMqykMh7RVH2Bb — whoever controls this wallet deployed the infrastructure connecting both ecosystems.
SHARED FEE PAYERS: Wallets 8HvfGdKrgy5i... and CCyYKtnsnkkk... pay transaction fees for vibetribe.sol AND are counterparties to orbisonsol.sol. The same infrastructure services both ecosystems.
MIHSO INTERMEDIARY: Wallet Mihso7kXXNPb7GUZ71H7MedYrpW88MTQFdLKrtAnDvj has 27 interactions with puffsterz.sol and 61 with orbisonsol.sol — a bridge wallet receiving SOL from the shared fee payers.
12 TIMING CORRELATIONS: Transactions within 60 seconds across ecosystems, in 3 distinct clusters (April 6, March 30, April 3). Consistent with one person switching between wallets.
26 SHARED COUNTERPARTIES: Addresses that interact with both Puffsterz and Orbis wallets.
32 SHARED NFT COLLECTIONS between ecosystems. 14 shared creator addresses. 25 shared update authorities (verified on-chain). Haxz collection: Cheeple holds 8, orbisonsol.sol holds 14.
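The two timing heuristics this page relies on, the self-buy bursts in the evidence vault (10 buys by the collection authority in 178 seconds, ~71% of lifetime sales) and the cross-ecosystem correlations above (transactions 2 seconds and under 60 seconds apart), both reduce to sliding windows over block times. The code below is an added example, not the investigation's own scripts; the event records imitate what decoding getSignaturesForAddress / getTransaction output yields (blockTime, fee payer, collection), and every signature, wallet, timestamp and ecosystem label is constructed.

```python
"""Timing heuristics over marketplace activity: self-buy bursts by one wallet
and near-simultaneous transactions from wallets in different ecosystems.
Added example, not the investigation's own scripts. Events imitate decoded
getSignaturesForAddress / getTransaction output (blockTime, fee payer,
collection); every signature, wallet, timestamp and label is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SaleEvent:
    sig: str         # transaction signature (placeholder)
    ts: int          # blockTime, unix seconds
    signer: str      # fee payer / buyer wallet
    collection: str
    ecosystem: str   # analyst's label for the wallet group the signer belongs to


def self_buy_bursts(events, window_s=180, min_count=5, lifetime_sales=None):
    """Runs of >= min_count purchases by one wallet in one collection inside
    window_s seconds. With lifetime_sales (collection -> salesAll) the share of
    the collection's lifetime sales that the burst alone accounts for is added."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.signer, e.collection)].append(e)
    bursts = []
    for (signer, collection), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        i = 0
        while i < len(evs):
            j = i  # extend the window as far as it reaches from evs[i]
            while j + 1 < len(evs) and evs[j + 1].ts - evs[i].ts <= window_s:
                j += 1
            run = evs[i:j + 1]
            if len(run) < min_count:
                i += 1
                continue
            burst = {"signer": signer, "collection": collection, "count": len(run),
                     "span_s": run[-1].ts - run[0].ts, "sigs": [e.sig for e in run]}
            total = (lifetime_sales or {}).get(collection)
            if total:
                burst["share_of_lifetime_pct"] = round(100 * len(run) / total, 1)
            bursts.append(burst)
            i = j + 1
    return bursts


def cross_wallet_correlations(events, window_s=60):
    """Pairs of transactions from different ecosystems landing within window_s
    seconds, smallest gap first. One coincidence on a busy chain is noise; the
    signal is the same two wallet groups coinciding repeatedly across days."""
    evs = sorted(events, key=lambda e: e.ts)
    pairs = []
    for i, a in enumerate(evs):
        for b in evs[i + 1:]:
            gap = b.ts - a.ts
            if gap > window_s:
                break  # sorted, so nothing later can be closer to a
            if a.ecosystem != b.ecosystem:
                pairs.append({"gap_s": gap, "first": a.sig, "second": b.sig})
    pairs.sort(key=lambda p: p["gap_s"])
    return pairs


T0 = 1_700_000_000  # constructed base time
SAMPLE_EVENTS = [
    # six buys by the collection's own authority wallet inside 170 seconds
    *[SaleEvent(f"burst{i}", T0 + t, "AuthW", "SoldiersX", "orbis")
      for i, t in enumerate([0, 10, 40, 75, 120, 170])],
    # two more buys by the same wallet days apart: not a burst
    SaleEvent("late1", T0 + 200_000, "AuthW", "SoldiersX", "orbis"),
    SaleEvent("late2", T0 + 400_000, "AuthW", "SoldiersX", "orbis"),
    # cross-ecosystem activity: 2 s and 50 s gaps count, 100 s does not,
    # and two same-ecosystem wallets 10 s apart are ignored
    SaleEvent("p1", T0 + 2_000, "PuffW", "PuffCol", "puffsterz"),
    SaleEvent("o1", T0 + 2_002, "OrbW", "OrbCol", "orbis"),
    SaleEvent("p2", T0 + 5_000, "PuffW", "PuffCol", "puffsterz"),
    SaleEvent("o2", T0 + 5_050, "OrbW", "OrbCol", "orbis"),
    SaleEvent("p4", T0 + 7_000, "PuffW", "PuffCol", "puffsterz"),
    SaleEvent("p5", T0 + 7_010, "PuffW2", "PuffCol", "puffsterz"),
    SaleEvent("p3", T0 + 9_000, "PuffW", "PuffCol", "puffsterz"),
    SaleEvent("o3", T0 + 9_100, "OrbW", "OrbCol", "orbis"),
]
LIFETIME_SALES = {"SoldiersX": 8}  # constructed salesAll for the collection

if __name__ == "__main__":
    for b in self_buy_bursts(SAMPLE_EVENTS, lifetime_sales=LIFETIME_SALES):
        print(f"{b['signer']} bought {b['count']} {b['collection']} in "
              f"{b['span_s']}s = {b.get('share_of_lifetime_pct')}% of lifetime sales")
    for p in cross_wallet_correlations(SAMPLE_EVENTS):
        print(f"{p['first']} / {p['second']}: {p['gap_s']}s apart")
```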
MONEY FLOW — Traced On-Chain
COINBASE → orbis.sol: Coinbase hot wallet (H8sMJSCQ...) → CUWRztRZ... (105.97 SOL) → orbis.sol (42 SOL). Funded from a US-regulated exchange.
MONEY HUB (FCgCM7Gv...): This single wallet connects ALL key actors: sent 4.675 SOL to the creator funder (D8rzGfnv...), sent 0.07 SOL to the wash trader (Hw9p21DZ...), and paid royalties to the creator. One wallet touching the funder, the wash trader, and royalties.
CREATOR → COLLECTION PDA: The Orbis creator wallet (4fPCDZ...) directly sent SOL to the collection address (8PrkxMSK...) on March 26, 2026. Proves same-person control.
WASH TRADER LOOPS: Hw9p21DZ... has circular self-dealing with satellite wallets (HEvUQnEx..., 7TfstQKi...) — funds loop back to the wash trader. Classic Sybil pattern.
UNDERPRICING: Seller minted 3 Orbis at 0.1 SOL each, sold to wash trader at 0.01 SOL (90% loss). Wash trader resold to money hub at 0.07 SOL (7x markup). Artificial volume creation.

Collection Analysis

Field | Value
Name | Orbis — 777 evolving kittens on Solana
Supply | 777
Actually Minted | 69 of 777 (8.9%) — collection largely abandoned
Holders | 43 unique (top 10 control 50.7%)
Floor Price | 0.13 SOL
All-Time Volume | 0.08 SOL (2 trades)
Listed | 13 NFTs (3 at 5 SOL each)
Launch Date | April 7, 2026
NFT Standard | Metaplex Core (MplCoreCollection) — newer standard, no traditional creator arrays
Status | All "Unrevealed" — placeholder images only
ME Verified | NO
Social Links (ME) | NONE
Mechanic | Burn 3 commons → rare. Burn 3 rares → legendary. 46 special 1/1s
Royalties | 5% — 100% to single creator wallet
KEY WALLET ADDRESSES

GOTM Labz — The Infrastructure

GOTM Labz (gotmlabz.io) is a Solana infrastructure provider founded by "Rico" (@moon_blaze_, Discord: rico4208). It provides NFT launchpads, staking, burn2mint, trait swaps, and airdrops for 130+ Solana projects.
UNREGISTERED ENTITY: GOTM Labz brands itself as "GOTM Labz Ltd" on nftlaunch.app, nftstake.app, and shift3.app — but "GOTM Labz Ltd" does NOT exist in UK Companies House. No matching registration found in any searched jurisdiction. Using "Ltd" without actual registration is deceptive. The pseudonymous founder "Rico" operates financial infrastructure for 130+ projects with no verifiable legal entity behind it.
GOTM DAO Partner Projects
Puffsterz VibeTribe THC Labz MOSC MOB SoDead DKV
CLOSED-LOOP TOKEN ECONOMY
$GOTM is paired with: $P4L (Puffsterz), $BASC, $Empire, $LDZ (Lunar Dollz), $GP (Graphite), $PbP, $Bonk, SOL, USDC — plus gotmSOL liquid staking token. 11 interlocking pairs. Total 24h volume: ~$750. Value circulates among affiliated projects without external market validation. $GOTM contract: AAqZ6CEC...eJU5

Persons of Interest

"Swiss" @SWISS_SOL
C.T.O. — Puffsterz / VibeTribe / Orbis Promoter
Bio: "C.T.O. || @VibeTribe_NFT > @puffsterznfts > @PuffsterzInk > @P4L_Puffsterz"
1,706 followers. DC area. Swiss heritage. Built Puffsterz staking UI.
Promoted Orbis as "ALPHA." Promoted GAINZ + $GOTM. Tagged Rico in Spaces. Thanked Daze for gifts.
Real name: unknown.
Daze (@dak_daze) — self-posted photo from Northern California redwoods, Sept 2023
"Daze" @dak_daze
CEO of BASC / 25K Followers / First Orbis Shill / Northern California
Photo: Self-posted on Sept 18, 2023 — "Grand Rising From The Redwoods" — Northern California redwood forests. Source tweet
Born: ~February 19, 1996 (turned 29 in 2025 — "Turn 29 Todaze. More Life.")
Location: Pacific Northwest / Northern California (redwoods area)
Self-describes as: "Entrepreneur" (X bio). "I derugged a derivative with 100 SOL. Don't compare me to other founders."
Bio includes @puffsterznfts AND @GAINZNFTs. 25,085 followers. 47,856 tweets.
Wallet (dakdaze.sol): 5Ym11... — holds 30+ Puffsterz, 15+ GAINZ, 10+ VibeTribe, 50+ XElementia, 100+ BASC. 1000+ total NFTs.
First to promote Orbis — insider language, minutes after first tweet.
CEO of BASC — took over after original team rug pulled (March 2022). BASC started as unauthorized BAYC derivative with stolen art. GotmLabz website testimonial. Runs 146+ giveaway follower farm.
BASC "Meet the Team" page is images-only — no searchable text. 3 of 6 listed team members (BeTheBender, Crypto Home Schooler, jameskobe) have zero documented contributions beyond the initial recovery. Possible padding or alt accounts.
Wife: @MRS_DAZE (Lei Daze) — Bio: "Artist | Energetic Healer | Wife". Calls @dak_daze "my love" in public tweet (Aug 18, 2024).
Name "Austin" reported by a former associate who worked directly with Daze on SolarDex (now @omega_netw0rk — also rugged). Not independently verified through public records.
"Rico" @moon_blaze_
GOTM Labz Founder / Built Orbis Infrastructure
Bio: "Founder @GotmLabz web3 solutions & @GAINZNFTs". 2,895 followers. Account since 2012.
Wallet (moonblaze.sol): w2ekw... — holds 100+ GAINZ, 30+ Puffsterz, 30+ VibeTribe, 15+ GOTM DAO (incl. GOTM #1). 1000+ total NFTs.
Built burn2mint for Orbis. "GOTM Labz Ltd" NOT in UK Companies House. Unconfirmed lead: G Labz LLC (TX) — similar name, unverified connection.
Real name: unknown. Discord: rico4208.
Karim M. Adhami (@SiNftGod)
Puffsterz LLC President / VibeTribe Co-Founder
@SiNftGod bio: "Founder of @puffsterznfts || CEO of @letzvape".
President, Puffsterz Smoke Shop LLC (FL). Former used car salesman (Winter Park Auto Mall).
Also: Blockchain Florida LLC. VibeTribe co-founder with Swiss.
The legal entity behind the network. CorporationWiki.

Wash Trading Evidence

ORBIS — Only 2 Trades Ever (Both Wash)
# | NFT | Buyer | Seller | Price | Source
1 | 9LbWK2K... | Hw9p21DZ... | 9PWP3WVn... | 0.01 SOL | Tensor
2 | 9LbWK2K... (SAME) | FCgCM7Gv... | Hw9p21DZ... | 0.07 SOL | Tensor
Wallet Hw9p21DZ... appears on BOTH sides — bought at 0.01 SOL, immediately resold at 0.07 SOL (7x markup, ~40 minutes apart). Classic wash trade to inflate apparent volume.
The entire 0.08 SOL "all-time volume" comes from these two wash trades of the same NFT. 100% of all sales involved dual-side wallets.
MARKETPLACE LINK TO PUFFSTERZ WASH TRADER
orbisonsol.sol purchased an NFT listed by 2ZCQ18 (top Puffsterz wash trader) via marketplace escrow on March 30, 2026. Payment: 0.489 SOL through escrow → 0.457 SOL to 2ZCQ18QjibZZCPfcCesdZ1y2WMmZKd5rKZLyc2sjYGir. The Orbis wallet is buying from the same wash traders that operate in the Puffsterz ecosystem.
SYBIL MINTING + ABANDONED COLLECTION
Only 101 of 777 NFTs minted. Creator retains 38 (37.6%). 43 unique holders. Top 10 control 50.7%.
Sybil evidence: Common funder F7p3dFrj... funded at least 2 different buyer wallets. Seller 9PWP3WVn... both minted AND funded another holder — circular self-buying. Multiple buyer wallets hold ONLY Orbis NFTs (nothing else) — purpose-built sybil accounts to fake demand.
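Both the dual-side trade pattern in the table above and the sybil funding pattern just described reduce to a few set operations over trade and transfer lists. The block below is an added example (not the investigation's own tooling and not project code) that computes them over a small dataset: the two trades mirror the table above, while the third trade and the funding transfers are constructed and labelled HYPO so the ratios are not read as on-chain facts.

```javascript
// Added example (not the investigation's or the project's code): wash-trade
// and sybil-funding checks over a small trade/funding dataset. Prices are
// kept in lamports (integers) to avoid floating-point drift.

const TRADES = [
  // The two Orbis trades from the table above.
  { nft: '9LbWK2K...', buyer: 'Hw9p21DZ...', seller: '9PWP3WVn...', lamports: 10_000_000, ts: 0 },
  { nft: '9LbWK2K...', buyer: 'FCgCM7Gv...', seller: 'Hw9p21DZ...', lamports: 70_000_000, ts: 40 * 60 },
  // Constructed (HYPO) arm's-length trade so the wash share is not trivially 100%.
  { nft: 'HYPO-nft-2', buyer: 'HYPO-holder-A', seller: 'HYPO-holder-B', lamports: 200_000_000, ts: 5 * 86400 },
];

// Constructed (HYPO) SOL transfers that funded buyer wallets.
const FUNDING = [
  { from: 'F7p3dFrj...', to: 'HYPO-buyer-1' },
  { from: 'F7p3dFrj...', to: 'HYPO-buyer-2' },
  { from: '9PWP3WVn...', to: 'HYPO-buyer-3' },
  { from: 'HYPO-exchange-hot-wallet', to: 'HYPO-holder-A' },
];

// Wallets that appear as a buyer in one trade and a seller in another.
function dualSideWallets(trades) {
  const buyers = new Set(trades.map(t => t.buyer));
  const sellers = new Set(trades.map(t => t.seller));
  return [...buyers].filter(w => sellers.has(w)).sort();
}

// Same wallet buys an NFT and resells the same NFT within maxGapSec.
function quickFlips(trades, maxGapSec = 3600) {
  const flips = [];
  for (const buy of trades) {
    for (const sell of trades) {
      const sameNftSameWallet = sell.seller === buy.buyer && sell.nft === buy.nft;
      if (sameNftSameWallet && sell.ts > buy.ts && sell.ts - buy.ts <= maxGapSec) {
        flips.push({ wallet: buy.buyer, nft: buy.nft, gapSec: sell.ts - buy.ts, markup: sell.lamports / buy.lamports });
      }
    }
  }
  return flips;
}

// Share of total volume that touches a dual-side wallet on either side.
function washReport(trades) {
  const dual = new Set(dualSideWallets(trades));
  const total = trades.reduce((sum, t) => sum + t.lamports, 0);
  const wash = trades
    .filter(t => dual.has(t.buyer) || dual.has(t.seller))
    .reduce((sum, t) => sum + t.lamports, 0);
  return { dualSideWallets: [...dual], washLamports: wash, totalLamports: total,
           washShare: total ? wash / total : 0, flips: quickFlips(trades) };
}

// Funders that seeded several distinct wallets (common-funder sybil signal).
function commonFunders(funding, minRecipients = 2) {
  const byFunder = new Map();
  for (const f of funding) {
    if (!byFunder.has(f.from)) byFunder.set(f.from, new Set());
    byFunder.get(f.from).add(f.to);
  }
  return [...byFunder]
    .filter(([, tos]) => tos.size >= minRecipients)
    .map(([from, tos]) => ({ from, recipients: [...tos] }));
}

// Sellers who also fund other wallets: the "minted AND funded a holder" loop.
function sellersWhoFundBuyers(trades, funding) {
  const sellers = new Set(trades.map(t => t.seller));
  return [...new Set(funding.filter(f => sellers.has(f.from)).map(f => f.from))];
}
```

None of these signals is conclusive alone (legitimate flippers also appear on both sides of trades), which is why the report stacks them: same NFT, a 40-minute flip, a resale below mint price, and a common funder behind the buyers.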
PUFFSTERZ ECOSYSTEM — For Comparison
The connected Puffsterz ecosystem has 320 dual-side wallets controlling 92% of all volume (6,865 SOL / 2,703 trades). SNS domain resolution proved team wallets ARE wash wallets: vibetribe.sol = #1, niftynick.sol = #2, puffsterz.sol = active trader. Full Puffsterz report →

All Sources & Verification

Every finding can be independently verified. Click any link.
12,000+ on-chain transactions analyzed. 7 evidence tweets verified. 6 wallet addresses traced. 17 red flags documented. All findings independently verifiable.

Security Audit — orbisonsol.io

TECH STACK & INFRASTRUCTURE
Component | Details
Framework | Vanilla JavaScript — no React, Vue, or Next.js. All hand-authored IIFEs. No bundler (no Webpack, Vite, Rollup).
CSS | Custom design system with CSS custom properties. No Tailwind, Bootstrap, or framework.
Hosting | Vercel — US-East (iad1, Ashburn VA). Static files + serverless API functions.
Solana Library | @solana/web3.js v1.98.0 from unpkg.com CDN (no SRI hash)
Wallet Adapter | Custom GOTM Labz Multi-Wallet Adapter v2.1 — NOT standard @solana/wallet-adapter. 2,091 lines. Unaudited.
Backend | Vercel serverless functions. Firebase backend (gotm-labz-4fe07). 10 API endpoints discovered.
RPC Provider | Helius (mainnet) — key leaked via unauthenticated endpoint
Auth System | Custom HMAC token (not standard JWT). Challenge-response with signMessage. Stored in localStorage.
Fonts | Google Fonts — Inter (400-800)
Analytics | None — no Google Analytics, Mixpanel, Segment, Hotjar, Clarity, or any tracking
Cache Strategy | Manual query string versioning (?v=6.6) — no build pipeline, no content hashing
External CDNs | unpkg.com (web3.js), esm.sh (Buffer polyfill), Google Fonts, plugin.jup.ag (Jupiter swap)
Explorers | Orb/Helius (default), Solscan, Solana Explorer, SolanaFM
DeFi Integration | Jupiter Aggregator (swap widget), GeckoTerminal (charts), Cloudflare Stream (video)
Domain Resolution | Bonfida SNS for .sol domains
Domain | orbisonsol.io → www.orbisonsol.io (307 redirect). Less than 2 weeks old at audit.
Legal | ToS governed by UAE/Dubai law. Entity: unnamed ("the Platform"). Copyright: "GOTM Labz Ltd."
Notable: No build pipeline — all JS is hand-authored with manual cache-busting version strings. No analytics at all (unusual for any business). Custom auth token format instead of industry-standard JWT. The entire frontend is vanilla JS without a framework — while not inherently insecure, it means no ecosystem of security patches, no automated dependency updates, and no community-audited code paths. Everything is bespoke, which means every vulnerability is their own.
API ENDPOINTS DISCOVERED (10 total)
Endpoint | Auth? | Purpose
/api/get-rpc-url | NO | Returns paid Helius RPC key to anyone
/api/sol-price | NO | SOL/USD price + 24h change
/api/marketplace | NO | Full collection database (44KB)
/api/mp-gate-public | NO | Maintenance/beta status + whitelist check
/api/stream | NO | Live stream/viewer data
/api/marketplace-votes | NO | Community voting data
/api/auth | Partial | Wallet challenge-response auth (POST only, validates input)
/api/admin-settings | Partial | Admin ops need auth, beta wallet submission does not
/api/marketplace-submit | Partial | Collection submissions (weak validation)
/api/csp-report | NO | CSP violation reports (POST)
6 of 10 endpoints require zero authentication. Method enforcement is properly implemented (405 on wrong HTTP method). No hidden endpoints found at common paths (/api/users, /api/wallets, /api/config all return 404). Admin getSettings properly returns 401.
SECURITY HEADERS
Header | Value | Assessment
Strict-Transport-Security | max-age=63072000; includeSubDomains; preload | Good
X-Frame-Options | SAMEORIGIN | Good
X-Content-Type-Options | nosniff | Good
Referrer-Policy | strict-origin-when-cross-origin | Good
Content-Security-Policy | frame-ancestors 'self'; base-uri 'self'; object-src 'none' | Partial
CSP-Report-Only | script-src unsafe-inline + 5 CDN domains | Not enforced
Permissions-Policy | camera=(self), microphone=(self), geolocation=() | Good
X-Powered-By | Not present | Good
Basic security headers are properly set. The main gap is the CSP — the enforced policy only covers framing and forms. Script protection is in report-only mode (monitoring but not blocking). This is common across Solana dApps but notable for a project handling wallet connections.
VERIFIED FINDINGS
Helius RPC API Key Publicly Exposed
/api/get-rpc-url returns a Helius mainnet RPC key (cc5a****-****-****-****-********33af) to any caller with no auth. Verified live April 9, 2026. Key partially redacted — we are not publishing the full key but anyone can call this endpoint right now and get it. This is a paid resource exposed to the public. Not a direct fund theft vector, but demonstrates basic security negligence from a team asking users to connect wallets. We have not exploited any of these findings. This is a passive audit of publicly accessible endpoints only.
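The standard remedy for this class of exposure is to keep the provider key on the server and forward JSON-RPC calls through a serverless function with a method allowlist. The block below is an added example written for this page, not the project's code: it targets Vercel's Node `(req, res)` function shape, reads the key from an environment variable assumed to be named HELIUS_API_KEY, and uses the `?api-key=` upstream URL form from Helius's documentation (confirm against the provider's current docs before use). The method allowlist is an assumption to be tailored to what the front end actually calls.

```javascript
// Added example (not the project's own code): proxy Solana JSON-RPC through a
// serverless function so the Helius key never reaches the browser. Assumed
// env var: HELIUS_API_KEY. Assumed allowlist: trim to the front end's needs.

const ALLOWED_METHODS = new Set([
  'getBalance', 'getAccountInfo', 'getLatestBlockhash',
  'getSignatureStatuses', 'getTokenAccountsByOwner', 'sendTransaction',
]);
const MAX_BODY_BYTES = 64 * 1024;

// Pure decision step: returns either an error for the client or the upstream
// request to make. Kept free of I/O so it can be unit-tested directly.
function planRpcProxy(rawBody, env) {
  if (!env.HELIUS_API_KEY) return { error: { status: 500, message: 'RPC key not configured' } };
  if (typeof rawBody !== 'string' || Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { error: { status: 413, message: 'request body too large' } };
  }
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch { return { error: { status: 400, message: 'invalid JSON' } }; }
  const calls = Array.isArray(parsed) ? parsed : [parsed]; // JSON-RPC batches are arrays
  for (const call of calls) {
    if (!call || call.jsonrpc !== '2.0' || typeof call.method !== 'string') {
      return { error: { status: 400, message: 'malformed JSON-RPC request' } };
    }
    if (!ALLOWED_METHODS.has(call.method)) {
      return { error: { status: 403, message: `method not allowed: ${call.method}` } };
    }
  }
  const url = `https://mainnet.helius-rpc.com/?api-key=${encodeURIComponent(env.HELIUS_API_KEY)}`;
  return { upstream: { url, body: JSON.stringify(parsed) } };
}

// Handler in Vercel's (req, res) shape; export it as the function file's
// default export in a real deployment. Relies on the global fetch of Node 18+.
async function handler(req, res) {
  if (req.method !== 'POST') {
    res.setHeader('Allow', 'POST');
    return res.status(405).end();
  }
  const raw = typeof req.body === 'string' ? req.body : JSON.stringify(req.body);
  const plan = planRpcProxy(raw, process.env);
  if (plan.error) return res.status(plan.error.status).json({ error: plan.error.message });
  const upstream = await fetch(plan.upstream.url, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: plan.upstream.body,
  });
  res.setHeader('content-type', 'application/json');
  // Only the RPC response body is relayed; the key stays server-side.
  return res.status(upstream.status).send(await upstream.text());
}
```

Rate limiting per client and a per-request size cap belong in front of this handler as well; otherwise the proxy simply moves the abuse of the paid quota from direct key use to the endpoint itself.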
VERIFIED: Custom Unaudited Wallet Adapter (Real Trust Issue)
GOTM Labz Multi-Wallet Adapter v2.1 — 2,091 lines of custom code, NOT the standard @solana/wallet-adapter used by most dApps. Shared across 130+ GOTM projects. Hardware wallet auth path sends real 0-lamport transactions on-chain (most auth flows only sign messages). No public audit. No drain patterns found in our review — but users are trusting unaudited custom code from an anonymous team with their wallet connections.
VERIFIED: UAE/Dubai Jurisdiction — No Named Entity
Terms of Service governed by UAE law, disputes in Dubai courts. No legal entity named anywhere — only "the Platform and its operators." Contact only through Discord. NFTs held in custodial escrow. Platform can modify terms unilaterally. International users have no practical legal recourse. This is the most significant trust issue for any user considering connecting a wallet.
NOTABLE: CSP Report-Only + No SRI Hashes
Content-Security-Policy is in report-only mode (monitoring, not enforcing). External scripts from unpkg.com and esm.sh loaded without subresource integrity hashes. For context: many Solana dApps have these same gaps — this is common across the ecosystem, not unique to Orbis. But for a project asking users to connect wallets to custom code from anonymous developers, every missing security layer matters more.
VERIFIED: Auth Challenge Nonce Reuse — Replay Risk
Three separate requestChallenge requests for the same wallet returned the identical nonce and timestamp every time. The server caches challenges instead of generating fresh single-use nonces. If a signed challenge is intercepted (network sniffing, compromised CDN, log exposure), it could be replayed to authenticate as the victim. Likely a serverless optimization for Vercel cold starts — but it weakens the challenge-response anti-replay protection that the well-structured challenge format was designed to provide.
VERIFIED: Weak Collection Submission Controls
The collection submission has several gaps: Twitter OAuth starts server-side (/api/oauth-twitter) but the final submission sends twitterVerified: true as a client-set boolean — if the server trusts this without re-validating, verification is bypassable. Submissions also accept verificationMethod: 'none' and wallets default to 'anonymous' if not connected. Legacy collections bypass address validation with a 'legacy:' prefix. Combined: the submission pipeline has multiple points where validation could be skipped.
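Each gap listed above closes the same way: the server recomputes every trust decision from its own records and rejects anything it cannot verify. The block below is an added example written for this page, not the project's endpoint: the field names (address, twitterHandle, twitterVerified, verificationMethod) follow the findings above, while the session object, the set of server-recorded OAuth verifications and the accepted verification methods are assumptions.

```javascript
// Added example (not the project's own code): server-side validation for a
// collection submission. The client's twitterVerified flag is never read;
// identity comes from the session; addresses must parse with no prefix bypass.

const SOLANA_ADDRESS = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/; // base58, 32-44 chars
const ALLOWED_METHODS = ['twitter']; // assumption: the one verification path shown here

function validateSubmission(body, ctx) {
  const errors = [];

  // Identity comes from the authenticated session, never from the body and
  // never from a default such as 'anonymous'.
  const wallet = ctx.session ? ctx.session.wallet : null;
  if (!wallet) errors.push('wallet: an authenticated wallet session is required');

  // Every address must parse; a "legacy:" prefix simply fails the regex.
  if (typeof body.address !== 'string' || !SOLANA_ADDRESS.test(body.address)) {
    errors.push('address: must be a base58 Solana address');
  }

  // Trust flags are recomputed from server-side OAuth records (ctx.oauthVerifiedHandles,
  // an assumed Set of handles whose OAuth flow completed on the server).
  const handle = typeof body.twitterHandle === 'string' ? body.twitterHandle.toLowerCase() : null;
  const twitterVerified = handle !== null && ctx.oauthVerifiedHandles.has(handle);

  if (!ALLOWED_METHODS.includes(body.verificationMethod)) {
    errors.push(`verificationMethod: '${body.verificationMethod}' is not accepted`);
  } else if (body.verificationMethod === 'twitter' && !twitterVerified) {
    errors.push('verificationMethod: twitter handle has no completed OAuth verification');
  }

  if (errors.length) return { ok: false, errors, record: null };
  return {
    ok: true,
    errors,
    record: { wallet, address: body.address, twitterHandle: handle, twitterVerified, verificationMethod: body.verificationMethod },
  };
}

// Constructed cases, one per bypass the audit describes.
function runCases() {
  const ctx = { session: { wallet: 'HYPO-session-wallet' }, oauthVerifiedHandles: new Set(['orbisonsol']) };
  const noSession = { session: null, oauthVerifiedHandles: ctx.oauthVerifiedHandles };
  const addr = '1'.repeat(32); // syntactically valid placeholder address
  return {
    honest:     validateSubmission({ address: addr, twitterHandle: 'OrbisOnSOL', verificationMethod: 'twitter' }, ctx),
    clientFlag: validateSubmission({ address: addr, twitterHandle: 'NotVerified', twitterVerified: true, verificationMethod: 'twitter' }, ctx),
    methodNone: validateSubmission({ address: addr, twitterHandle: 'OrbisOnSOL', verificationMethod: 'none' }, ctx),
    anonymous:  validateSubmission({ address: addr, twitterHandle: 'OrbisOnSOL', verificationMethod: 'twitter' }, noSession),
    legacy:     validateSubmission({ address: 'legacy:' + addr, twitterHandle: 'OrbisOnSOL', verificationMethod: 'twitter' }, ctx),
  };
}
```

The pattern to carry over is that the stored record is built from values the server derived, so a submission that sets twitterVerified: true in the request body has no effect on what is persisted.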
NOTABLE: Admin Page Structure Visible
/admin returns "Admin Dashboard | GOTM Labz" HTML with login form (requires username + password + authenticator code). The admin functionality IS auth-protected — the login form is visible but actual admin actions require credentials. Sloppy (should redirect unauthenticated users) but not exploitable.
HONEST SEVERITY ASSESSMENT
Finding | Type | Severity
UAE jurisdiction, no legal entity, no recourse | Trust | HIGH
Custom unaudited wallet adapter (130+ projects) | Trust | HIGH
Helius RPC API key exposed publicly | Negligence | MEDIUM
No SRI on external scripts | Best practice gap | MEDIUM
CSP report-only (not enforcing) | Best practice gap | MEDIUM
Hardware wallet auth sends real transactions | Unusual pattern | MEDIUM
Collection submission sends client-set twitterVerified boolean | Weak validation | MEDIUM
Anonymous/unverified submissions accepted + legacy bypass | Weak validation | MEDIUM
Auth challenge nonce reused (not single-use) — replay risk | Protocol weakness | MEDIUM
Wallet session cache reusable across account switches | Logic bug | LOW
Admin HTML served without redirect | Sloppy | LOW
Console.log debug statements in production | Code quality | LOW
Passive audit only — no exploitation. All findings verified from publicly accessible endpoints and source code. April 9, 2026. No wallet drain patterns found in code review. Credentials partially redacted. Our goal is not to hack — it's to inform the ecosystem so users can make educated decisions about who they trust with their wallets.