BugRugger

134 posts

BugRugger

BugRugger

@BugRugger

I rug bugs.

انضم Şubat 2026
13 يتبع8 المتابعون
تغريدة مثبتة
BugRugger
BugRugger@BugRugger·
Update from @ted_livingston: "We agree that you found a way to create and then immediately brick new currencies. We also agree that you found a way to race to brick new currencies created by others So we agree you found an exploit" ...gaslighting...lies...gaslighting... Confirms they need to patch the contract... "We would see the bug, launch a patched contract, and recreate the currency. No users would be impacted. It is a bug, not a critical exploit" ...gaslighting...lies...gaslighting... I'm getting tired of the gaslighting and offer a quick, clean 25k conditional exit from this mess... "we are planning to ramp the bounty to $200k tomorrow" Their only defence to the bug is they plan an operational workaround - this is the product of my discovery and IP. @flipcash are not a serious company. @coinbase need to pay attention here. Do you really want your partners launching flawed smart contracts with your new stablecoins or stealing IP from security researchers?
English
2
0
2
317
BugRugger أُعيد تغريده
ZyzzPumps
ZyzzPumps@ZyzzPumps·
@flipcash But don't forget, $kin rugpuller @ted_livingston never pays the bill. You always work for free for him.
English
0
1
2
79
BugRugger أُعيد تغريده
Tokin 🍁 | Gifting Commerce
Tokin 🍁 | Gifting Commerce@OFiDCrypt·
@flipcash I can’t believe they’re still “upping” the reward for their “unbreakable” currencies that a researcher already publicly proved an exploit for 😂 P. S. They didn’t pay them or the referrer. Plus they patched it with the examples given by the third-party.
English
0
1
3
327
Jeff Yanta
Jeff Yanta@jeffyanta·
We just issued a big update to the Reserve Contract bug bounty with a new challenge and increased payout. Can anyone break the Test currency on mainnet with a proof by example against a production environment?
Flipcash@flipcash

Our Reserve Contract bug bounty has been live for 3 weeks and so far no critical vulnerabilities have been found. So we’re issuing a new challenge: Break our live test currency and receive $150,000 USD Details below: flipcash.com/blog/reserve-c…

English
2
5
16
1.1K
BugRugger أُعيد تغريده
Tokin 🍁 | Gifting Commerce
Tokin 🍁 | Gifting Commerce@OFiDCrypt·
@jeffyanta You should be paying out @BugRugger for their work and the patches you applied as the result of it. The new bounty should be 40K after you pay the researcher and the referrer.
English
0
1
1
128
BugRugger أُعيد تغريده
Tokin 🍁 | Gifting Commerce
Tokin 🍁 | Gifting Commerce@OFiDCrypt·
We passed this on before and a researcher did a ton of work to brick your currencies, and nothing was paid out. We will not be supporting this bounty program anymore. Full details can be found on the profile of @BugRugger where the criticality was disputed to avoid the 100K payout. x.com/bugrugger/stat…
English
0
1
1
235
BugRugger
BugRugger@BugRugger·
Formal acknowledgement on their repo at last. github.com/code-payments/… Their tests were running with 0% fee — to_numeric(0, 2). At 0%, no fees ever accumulate, so the lock condition can never trigger. Changed to to_numeric(1, 2) (1%). Old assertion was flat-out wrong:OLD: vault_b_balance == 0, "Vault B should have no USDC" NEW: vault_b_balance > 0, "Vault B should retain accumulated fees" This only held because they tested at 0% fee. With any real fee, vault_b retains accumulated fees. They didn't know this. Added fee-aware accounting they didn't have before:vault_usdc_excluding_fees = vault_usdc_balance - pool_state.fees_accumulated Curve precision checks now subtract fees before comparing — previously they were comparing raw vault_usdc_balance against curve expectations, which is incorrect when fees exist.
English
0
0
1
86
BugRugger
BugRugger@BugRugger·
Update from @ted_livingston: "We agree that you found a way to create and then immediately brick new currencies. We also agree that you found a way to race to brick new currencies created by others So we agree you found an exploit" ...gaslighting...lies...gaslighting... Confirms they need to patch the contract... "We would see the bug, launch a patched contract, and recreate the currency. No users would be impacted. It is a bug, not a critical exploit" ...gaslighting...lies...gaslighting... I'm getting tired of the gaslighting and offer a quick, clean 25k conditional exit from this mess... "we are planning to ramp the bounty to $200k tomorrow" Their only defence to the bug is they plan an operational workaround - this is the product of my discovery and IP. @flipcash are not a serious company. @coinbase need to pay attention here. Do you really want your partners launching flawed smart contracts with your new stablecoins or stealing IP from security researchers?
English
2
0
2
317
BugRugger
BugRugger@BugRugger·
Why are @flipcash and @ted_livingston stealing IP? He has privately acknowledged the bug and done everything in his power to negotiate their bounty down 90% which I rejected because of their slimy tactics. His proposal? Steal the IP. Nobody should take part in their bounty or use their software @coinbase @rajgokal @mert @toly
English
0
0
1
268
BugRugger
BugRugger@BugRugger·
Here is @ted_livingston outright saying he plans to steal the IP from the bounty program and apply a patch while not paying out using every weasel tactic he can. Incredible!
BugRugger tweet media
English
0
0
1
97
BugRugger
BugRugger@BugRugger·
@coinbase keep your ecosystem safe from exploits and IP theft. Do due diligence on @flipcash.
English
0
0
2
45
BugRugger
BugRugger@BugRugger·
@ted_livingston @toly @mert @rajgokal Also Ted did not reach out because he was feeling benevolent but because he's under pressure from his investors who are aware of the refusal to patch as they should be. Bounties lead to bugs lead to disclosures and hopefully fixes.
English
0
0
2
82
BugRugger
BugRugger@BugRugger·
@ted_livingston the key here is don't run your mouth. If you don't want to pay bounties, don't host bounty programs then invite luminaries like @toly @mert @rajgokal to promote them. I understand, you think it's a marketing and promotional gimmick but researchers take these things seriously. Reflect on your behaviour. Have some professionals step in publicly to validate if you are correct or wrong here.
English
1
0
2
95
BugRugger
BugRugger@BugRugger·
The main issue is their lack of morals and integrity. This is their original bounty archive.is/I70Ka They quietly modified it after my reports to force my submissions out of scope. Fortunately I not only retained offline records but also used multiple online archives to prove the dishonest behaviour publicly. The exploit tests I wrote are all fully grounded and satisfy the original bounty terms. He can argue criticality all day but none of that is in the original bounty terms. It speaks more to character than anything I won't let it go without an honest resolution.
English
0
1
3
173
Tokin 🍁 | Gifting Commerce
Tokin 🍁 | Gifting Commerce@OFiDCrypt·
Classic move. @ted_livingston launches his new mission with @flipcash in partnership with @coinbase — by starting it with dishonesty. It's painful watching public posts detail exploits that impact user safety, only for their team to retroactively change the 100K bounty criteria wording and deny the reward. Even non-technical people can see the criteria were met: the hunter is a clearly experienced engineer who documented everything meticulously, complete with archived copies of the original criteria. Pay the bounty hunter. Absolutely ridiculous.
BugRugger@BugRugger

This is either dishonest or obtuse - either way, 100% untrue. This is not an "edge case". Your contract omits checks and balances. Is that an "edge case"? Does security research or your bounty exclude "edge cases" or could that actually be a primary purpose of such work? The way your team talks you need outside help. I have submitted 3 robust exploits and shown in detail how they compound. all are grounded simulations you can run against your own infra instead of publicly inducing illegal behaviour from a researcher. It's fine if you refuse to patch but let this public record stand. If someday your platform fails due to this root cause there will be a full accounting on your head. Your team is not qualified to host your own bounties. Far more qualified and professional teams use proper platforms like @Hacker0x01 who can mediate clearly and honestly instead of "we checked our work and found it was correct". No patch = No Money, is my policy. I don't want money for nothing. The price of each patch is the advertised bounty and not a dollar less if you use it. Not some arbitrary 90% discount you decide retrospectively. If you patch against any of the distinct bug reports without attribution, I will seek legal injunction and remedy. There is more than enough evidence against @flipcash who have clearly acted in bad faith. Have a competent external engineer or auditor look at the proof since you have none internally. I will publicly retract all of my statements and apologise if a neutral professional disproves this exploit. Since you're happy to throw away 10k when a patch "isn't needed" you should commit that 10k publicly to audit this exploit. You like win-win? You can only win by exposing me as a fraud - showing the world how robust your contract is; or confirming that your contract has a bug and fixing it. If any exploit holds you should respect your users by patching and pay the relevant bounty in full. Since you like to tag your friends, let's hope @mert @rajgokal @toly see what you are really up to.

English
4
1
4
877
Grok
Grok@grok·
Based on the exploit code and on-chain proof in your report, it demonstrates a critical DoS vulnerability causing permanent pool locks via rounding errors, even on mainnet. Typical bounty criteria (pre-update) would likely classify this as high severity for impacting usability and funds access. The original terms didn't explicitly exclude such edge cases, so it appears to meet them—though final call is Flipcash's. What's their stance?
English
1
0
0
71
BugRugger
BugRugger@BugRugger·
Hey @ted_livingston @flipcash why have you gone quiet after validating my submission on-chain? Even @grok thinks you should pay up after reviewing the evidence. x.com/i/grok/share/b…
BugRugger@BugRugger

The good news is @flipcash and @ted_livingston ran my exploit and validated it themselves. The bad news is they didn't bother to report or update their community. Here's my report. The on-chain data means anybody can verify via solanafm, solscan, etc: gist.github.com/bugruggr/dda50…

English
1
0
3
136
BugRugger
BugRugger@BugRugger·
@grok @ted_livingston @flipcash Timing is definitely shady. Tell me does the exploit (read the code) and on-chain proof meet the original bounty criteria?
English
1
0
1
19
Grok
Grok@grok·
Based on the timeline, your submission was on Feb 11, and Flipcash updated terms on Feb 13 to emphasize realistic production configs (e.g., 6-decimal stablecoins) and exclude edge cases. This could be to clarify scope after reviews, which is common in bounties. However, the timing might suggest it's in response to reports like yours. Ultimately, it's their program—worth asking them directly for their rationale.
English
1
0
0
69
Grok
Grok@grok·
Based on my review of the on-chain data and report, your exploit demonstrates a genuine rounding error that can lock low-liquidity pools. However, Flipcash disputes its severity as an edge case not meeting bounty criteria. Payouts hinge on their terms—suggest an independent audit to resolve. Let's see their response.
English
1
0
0
66

اكتشف

@flipcash @ted_livingston @jeffyanta @coinbase @rajgokal @mert @toly @OFiDCrypt