A modern DeFi protocol is more than its source code. It's the code plus the deployed configuration, the governance path, and the live on-chain state — and depositors trust all four to match what the team's public materials say. Dual Condition measures the gap.
Parallax is our framework for catching promise-vs-deployment gaps systematically — across code, configuration, governance, and live on-chain state.
An audit confirms the source code behaves the way its comments and specification say it should. We test the next layer: whether the deployed system — code plus configuration plus governance plus live on-chain state — actually behaves the way depositors, integrators, and the team's public materials assume it does. Four substrates, all read live against the deployed system at the verification block.
The source compiled and audited under the protocol's name is what's running at the deployed address.
Deployed bytecode diverges from the audited source. Forked architectures inherit the parent's code but not its operating assumptions. The audit scoped a parent contract and a downstream consumer integration was left out of scope. Custom modifications to a forked codebase weren't re-reviewed.
The deployed parameters — thresholds, delays, role assignments, oracle wiring — match what the protocol's public materials describe.
Multisig thresholds drift across chains at the same nominal address. Governance Timelocks run shorter delays than the documentation states. Oracle feeds wired without staleness validation on a composite component. Fallback feeds built into the code but never activated on production deployment.
The path from proposal to parameter change matches the trust model the team has described to depositors.
Curator-controlled vaults marketed as having a 3–7 day timelock that on-chain run at 0 seconds. EOAs holding upgrade authority over contracts described as 'governance-controlled'. Cross-chain governance topologies where one chain's signer set is materially weaker than the others. Hypernative or guardian pauses asymmetric across chains.
The deployed system's current state — balances, role holders, queued proposals, validator sets — reflects the operating posture the team describes.
Withdrawer roles held by EOAs the docs don't mention. Custody addresses moving funds against the documented flow. Proxy admins controlled by single keys the documentation says are timelocked. Validator quorums sized below the upstream architecture's documented operating baseline.
When deployment matches promise, that's the engagement's outcome — a structural-soundness verdict the team can hand to depositors and investors. When deployment drifts, the gap is described, reproduced against deployed state at a recorded block height, and triage-classified so the team's response can be targeted: a code patch, a configuration change, or a governance hardening.
PhD in geography from Technical University of Dresden, 2012, with research focus on land-use planning algorithms — systematic detection of structural conflicts in multi-stakeholder spatial configurations. Applies the same analytic discipline to deployed smart-contract systems: identifying structural deficits where deployed configuration drifts from documented design intent. Parallax's cross-protocol pattern catalogue is a direct intellectual descendant of that earlier algorithm work — the same pattern-recognition methodology applied to a different substrate.
Bring us in when any of these match your protocol's stage:
Before your token launch, before your investor narrative locks. We verify that what you'll claim at TGE matches what's actually deployed — code, configuration, governance, on-chain state. The window between mainnet and TGE is when the gap is widest and the discovery cost is lowest.
Same Safe / signer set / governance contract deployed across chains, where a single-key compromise translates one-to-one into multi-chain blast radius.
Audits prove the source code; we verify the deployed configuration matches what depositors and integrators have been told to assume.
Multi-component price feeds where a single component lacks staleness validation, deviation bounds, or freshness checks.
Forks inherit the architecture but not always the operating assumptions. We verify the deployed parameters against the upstream's load-bearing baseline.
Confirm a finding's structural soundness before submitting to a competitive bounty program. Reduces wasted submissions; sharpens the disclosure brief.
The ledger format is intentional. Findings that are still under coordinated-disclosure are listed at the surface and class level; specific target identities and reproduction details are withheld until resolution, explicit permission, or independent public remediation.
| Band | Surface | Finding | Status |
|---|---|---|---|
| High | Lending vault family | Composite-oracle freshness validation gap on rate-provider component. | Submitted through official channel. Public details withheld pending resolution. |
| High | DeFi lending market | Recurrent Chainlink-staleness misconfiguration pattern across multiple lending markets. | Escalated to project under coordinated disclosure. Bounty tier assigned. |
| Medium | Cross-chain bridge | Admin-control concentration on the upgrade path at multi-million TVL. | Bilateral disclosure. Public target details withheld. |
| Medium | L1-style lock-and-mint bridge | Validator quorum sized below the upstream architecture's documented operating assumption; configuration not surfaced to depositors. | Reframed and disclosed as configuration transparency. Withheld pending team response. |
| Config | Multichain DeFi vault | Signer-set or threshold drift across chains at the same nominal address. | Disclosed as configuration transparency issue. |
| Config | Cross-chain credit protocol | Identical multisig keysets deployed across three chains; single-key compromise translates one-to-one into multi-chain blast radius. | Disclosed as configuration transparency issue. |
| Config | Lending and bridge protocols (multiple) | No execution timelock between governance approval and parameter change; below depositor-facing baseline. | Cross-protocol pattern under coordinated disclosure. |
| Clean | RWA infrastructure | Deep review against the established framework; all four candidate HIGH-severity findings debunked at verification. | Retained as calibration counter-example. |
| Clean | Yield-token derivatives | Cross-protocol pattern check identified protective design (max-with-prior bound) that materially changed impact analysis. | Retained as calibration counter-example. |
Three anonymized worked examples from the active corpus. Protocol identities, contract addresses, and bilateral conversation specifics are withheld; finding shape, verification approach, and outcome class are described in enough detail that the reader can evaluate the substance.
An emergency-recovery admin function protected one accounted balance with a strict guard but applied no analogous check to a parallel balance handled in the same path. The asymmetry meant the unprotected balance could be moved out under admin authority, leaving a phantom accounting state that would inflate the vault's reported total assets and break NAV integrity. Small-scope architectural oversight — common in vault families where multiple accounted balances accumulate over deployment history without coordinated review.
Reproduction via a Foundry test on a mainnet fork at the verification block. Independent on-chain reads of the role assignment and the protected vs unprotected balance accounting confirmed the asymmetry was live deployed state, not a source-level artifact.
Bilateral disclosure direct to the team's leadership. Engagement initiated; pending team-side verification through their internal review path before final settlement.
Source-level audits routinely miss findings of this shape because the asymmetry is in the deployed function's local logic between two storage variables that both look protected at a glance. Cross-protocol pattern attention surfaces it in one read.
A governance Timelock contract was deployed at the same CREATE2 address across multiple chains, presenting one identity to depositors. The protocol's public materials described the Timelock as providing a uniform depositor-protection delay across the full deployment. On a subset of chains, the deployed delay was materially shorter than on the others. The drift was undocumented across the protocol's depositor-facing surfaces. Depositors on the affected chains had a fraction of the assumed exit window before a governance change could take effect.
Per-chain on-chain reads of the Timelock's minimum-delay configuration, anchored to a specific verification block. Public-narrative cross-check across multiple depositor-facing surfaces confirmed the documentation gap.
Bilateral disclosure to the security team. Team confirmed the configuration mismatch is real and expanded the data point we had originally surfaced. Out-of-scope by their bug-bounty program rules (centralization-class excluded from paid scope). Anonymized methodology case study published as corpus contribution; team aware of the publication path through the bilateral exchange.
Formal audits scope source code, not deployed per-chain configuration. Bug-bounty programs routinely exclude centralization-class findings from paid scope. Cross-chain configuration drift falls into the exact gap between those two — undisclosed to depositors who assume a uniform governance posture because the contract address is the same on every chain.
Across the working pattern catalogue, the same Safe contract deployed at the same CREATE2 address on multiple chains is one of the highest-recurrence structural shapes. Two failure modes recur: identical-signer-set key reuse (a single threshold-passing event compromises every chain in one operation) and per-chain threshold or signer-set drift (the depositor-facing identity is the same but the actual security posture diverges between chains). The pattern is independent of protocol category — it surfaces in lending, bridges, vault families, and curator surfaces alike.
Per-chain `getOwners()` and `getThreshold()` reads, cross-chain diffing for parity. Signer-set classification independent of role-assignment claims in deployment-record files (live `hasRole` against the deployed contract is canonical; deployment-record JSON is treated as historical only).
Multiple bilateral disclosures across the corpus; case-study patterns published anonymized once each thread closes. Direct industry feedback that the live-state cross-chain probe surfaces real, previously-undocumented findings that source-level audit did not scope.
The methodology's per-chain live-state discipline is the load-bearing piece. Reading from deployment-record artifacts or single-chain documentation produces a false sense of uniformity. Treating each chain as an independent deployed-configuration surface surfaces drift that the depositor-facing narrative hides.
Reports follow a consistent structure designed to be read by an engineering lead and acted on the same day. Below is the section layout. Full samples available under NDA on request.
One paragraph: scope, findings count by severity, single-line top recommendation.
In-scope contracts and exclusions; deployed addresses; chain IDs; block heights at verification.
One row per finding — severity, surface, finding class (exploit / config / admin-discipline), disclosure status.
Description, reproduction (cast / foundry / on-chain trace), impact analysis, recommended mitigation, file:line citations.
What was checked, how — including the live-state probes and the cross-protocol catalogue checks each finding ran through.
Per Parallax tiered window — coordinated disclosure timeline per finding class, channel selection rationale, public-publication trigger date.
Full sample reports under NDA — request via info@dualcondition.com.
Trust is the deliverable.
Engagement reports stay with the team that commissioned them. Under NDA on request, not published, not shared with competitors.
When we surface a finding independently of an engagement, we route through the protocol's official bug-bounty program where one exists, bilaterally otherwise. Public material on this site never includes unresolved exploit detail.
Each engagement verifies that what's deployed matches what depositors are told. Five engagement types, quoted per scope — pre-audit recon through full structural review and post-incident reconstruction. Monthly retainer available for ongoing coverage.
Pre-audit recon or post-deploy sanity check on a single protocol. Deliverable: 1-page verdict letter (PASS / PASS-WITH-NOTES / STRUCTURAL-DEFICIT-FOUND), governance topology map, entry-points classification by access level, invariant inventory, and triage-classified observations. Designed for teams pre-audit or post-deploy who want a focused structural read without the full audit-firm overhead.
Live on-chain probe across all deployed instances plus cross-chain Safe / signer / threshold parity verification. Adds a multi-chain configuration map, drift report, and depositor-narrative reconciliation. Especially relevant for multichain deployments and protocols forking an upstream architecture.
Full structural review combining code-level vulnerability hunt (parallel specialist agents), configuration audit, governance topology, audit-scope verification, and live on-chain reproduction. Includes Foundry PoC for every Critical / High finding, file:line-cited remediation guide, and a post-fix re-scan within 30 days at no additional fee. Designed for protocols pre-mainnet, post-significant-upgrade, or pre-major-TVL milestone.
Foundry PoC and remediation recommendation for a specific finding the team needs validated before disclosure or bounty submission. Includes deterministic fork-based reproduction, severity classification on the Immunefi v2.3 scale, and an optional bounty-submission package.
Independent reconstruction separating the load-bearing claim from incidental contributing factors. For protocols whose internal incident-response writeup needs an outside read or whose public post-mortem needs adversarial review before publication.
Ongoing coverage: rotating monthly scans on focus areas your team selects, priority routing on cross-protocol findings affecting your architecture, emergency disclosure routing, and verification of every team-claimed fix.
Each engagement is quoted per scope. Inquiries: info@dualcondition.com.
We focus on discrete research engagements rather than continuous monitoring or runtime-defense products. Reports prioritize verified, actionable findings over volume, and separate exploit-class vulnerabilities from configuration concerns and admin-discipline observations.
Engagements, disclosure, or general inquiries:
We reply to substantive inquiries within two business days.