Update from @ted_livingston:
"We agree that you found a way to create and then immediately brick new currencies. We also agree that you found a way to race to brick new currencies created by others.
So we agree you found an exploit"
...gaslighting...lies...gaslighting...
Confirms they need to patch the contract...
"We would see the bug, launch a patched contract, and recreate the currency. No users would be impacted. It is a bug, not a critical exploit"
...gaslighting...lies...gaslighting...
I'm getting tired of the gaslighting and offer a quick, clean 25k conditional exit from this mess...
"we are planning to ramp the bounty to $200k tomorrow"
Their only defence to the bug is they plan an operational workaround - this is the product of my discovery and IP. @flipcash are not a serious company. @coinbase need to pay attention here. Do you really want your partners launching flawed smart contracts with your new stablecoins or stealing IP from security researchers?
@flipcash I can’t believe they’re still “upping” the reward for their “unbreakable” currencies that a researcher already publicly proved an exploit for 😂
P. S. They didn’t pay them or the referrer. Plus they patched it with the examples given by the third-party.
@jeffyanta You should be paying out @BugRugger for their work and the patches you applied as the result of it.
The new bounty should be 40K after you pay the researcher and the referrer.
We passed this on before and a researcher did a ton of work to brick your currencies, and nothing was paid out.
We will not be supporting this bounty program anymore.
Full details can be found on the profile of @BugRugger where the criticality was disputed to avoid the 100K payout.
https://t.co/Q8QroSgCvf
Formal acknowledgement on their repo at last.
https://t.co/9XWa35YbYH
Their tests were running with 0% fee — to_numeric(0, 2). At 0%, no fees ever accumulate, so the lock condition can never trigger. Changed to to_numeric(1, 2) (1%).
Old assertion was flat-out wrong:
OLD: vault_b_balance == 0, "Vault B should have no USDC"
NEW: vault_b_balance > 0, "Vault B should retain accumulated fees"
This only held because they tested at 0% fee. With any real fee, vault_b retains accumulated fees. They didn't know this.
Added fee-aware accounting they didn't have before: vault_usdc_excluding_fees = vault_usdc_balance - pool_state.fees_accumulated
Curve precision checks now subtract fees before comparing — previously they were comparing raw vault_usdc_balance against curve expectations, which is incorrect when fees exist.
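An added illustration of the test-coverage point above (not code from the thread or from the Flipcash repository): a constructed toy pool in which the struct, its methods, the sample buy amounts and the full-exit step are all assumptions. It shows why a 0% fee makes both the raw balance check and the "vault is empty" assertion pass, while at 1% only the fee-aware comparison holds.

```rust
// Constructed toy model, not Flipcash's contract: one USDC vault holds both the
// curve's reserves and the fees, as the thread describes. All names are assumed.
struct Pool {
    fee_bps: u64,          // 0 = the 0% setup of the old tests, 100 = 1%
    vault_usdc: u64,       // raw token balance of the vault
    fees_accumulated: u64, // fees retained inside the same vault
    curve_reserve: u64,    // USDC the curve's own accounting expects
}

impl Pool {
    fn new(fee_bps: u64) -> Self {
        Pool { fee_bps, vault_usdc: 0, fees_accumulated: 0, curve_reserve: 0 }
    }
    // Buy: the full payment lands in the vault, only the net amount backs the curve.
    fn buy(&mut self, usdc_in: u64) {
        let fee = usdc_in * self.fee_bps / 10_000;
        self.vault_usdc += usdc_in;
        self.fees_accumulated += fee;
        self.curve_reserve += usdc_in - fee;
    }
    // Old-style check: raw vault balance against the curve expectation.
    fn raw_check(&self) -> bool {
        self.vault_usdc == self.curve_reserve
    }
    // Fee-aware check: subtract accumulated fees before comparing.
    fn fee_aware_check(&self) -> bool {
        self.vault_usdc - self.fees_accumulated == self.curve_reserve
    }
    // Every holder exits: the curve pays out its reserve, fees stay behind.
    fn exit_all(&mut self) -> u64 {
        self.vault_usdc -= self.curve_reserve;
        self.curve_reserve = 0;
        self.vault_usdc
    }
}

// Returns (raw check ok, fee-aware check ok, fees, vault balance after full exit).
fn run(fee_bps: u64) -> (bool, bool, u64, u64) {
    let mut p = Pool::new(fee_bps);
    for amt in [1_000_000u64, 250_000, 40_000] { // constructed sample buys
        p.buy(amt);
    }
    (p.raw_check(), p.fee_aware_check(), p.fees_accumulated, p.exit_all())
}

fn main() {
    for bps in [0u64, 100] {
        println!("fee_bps={} -> {:?}", bps, run(bps));
    }
}
```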
Why are @flipcash and @ted_livingston stealing IP?
He has privately acknowledged the bug and done everything in his power to negotiate their bounty down 90% which I rejected because of their slimy tactics.
His proposal? Steal the IP. Nobody should take part in their bounty or use their software @coinbase @rajgokal @mert @toly
Here is @ted_livingston outright saying he plans to steal the IP from the bounty program and apply a patch while not paying out using every weasel tactic he can. Incredible!
@ted_livingston @toly @mert @rajgokal Also Ted did not reach out because he was feeling benevolent but because he's under pressure from his investors who are aware of the refusal to patch as they should be. Bounties lead to bugs lead to disclosures and hopefully fixes.
@ted_livingston the key here is don't run your mouth. If you don't want to pay bounties, don't host bounty programs then invite luminaries like @toly @mert @rajgokal to promote them.
I understand, you think it's a marketing and promotional gimmick but researchers take these things seriously. Reflect on your behaviour. Have some professionals step in publicly to validate if you are correct or wrong here.
The main issue is their lack of morals and integrity. This is their original bounty https://t.co/Ivaa8ddPds
They quietly modified it after my reports to force my submissions out of scope.
Fortunately I not only retained offline records but also used multiple online archives to prove the dishonest behaviour publicly.
The exploit tests I wrote are all fully grounded and satisfy the original bounty terms. He can argue criticality all day but none of that is in the original bounty terms.
It speaks more to character than anything. I won't let it go without an honest resolution.
I highly recommend projects don’t accept outside PRs and instead tell their Claude to audit it, verify the bug is real via test driven development and implement the fix locally.
@grok @ted_livingston @flipcash @flipcash @ted_livingston that's a good question, what is your stance?
Rug the research community and kill any credibility in your bounty program or pay out, adjust your terms looking forward and move on with life.
Hey @ted_livingston @flipcash why have you gone quiet after validating my submission on-chain?
Even @grok thinks you should pay up after reviewing the evidence.
https://t.co/ptXeilWYBK
The good news is @flipcash and @ted_livingston ran my exploit and validated it themselves. The bad news is they didn't bother to report or update their community. Here's my report.
The on-chain data means anybody can verify via solanafm, solscan, etc:
https://t.co/lqSO1ib0jA
@grok @ted_livingston @flipcash Timing is definitely shady. Tell me does the exploit (read the code) and on-chain proof meet the original bounty criteria?
@grok @ted_livingston @flipcash Thanks Grok, do you think they had a good reason to change their bounty terms after receiving my report? From https://t.co/6ltWrDITzh to https://t.co/RG2V8xraf6?
Here's the original submission from 4 days ago https://t.co/Um1BJ4poAf