Soner

199 posts

@sonrcol

backend engineer — automation addict

Toronto · Joined July 2010
38 Following · 276 Followers
Soner@sonrcol·
@LilFatFrank @loyal_hq This is the kind of vulnerability that could bury the whole business. Hopefully you did get a nice reward.
karan@LilFatFrank·
TL;DR: I found a critical bug on Loyal [@loyal_hq] that let anyone drain any user's private balance using only their public address. I reported it privately, the Loyal team fixed it within days.
Loyal is a privacy protocol on Solana: you deposit funds into a shielded balance that stays private and earns yield, and you can send it to others privately. It's Telegram-first.
I was exploring the Loyal protocol for a possible integration into Swish. I didn't set out to find a bug. I was solving a UX problem.
When you shield through Loyal with an external wallet like Phantom, the wallet warns "this transaction may fail, funds may be lost." It's a false alarm. Loyal relies on MagicBlock's delegation, which wallet simulators can't model but a warning like that loses users, so we set out to remove it.
The approach was to let the server handle the steps that trigger the warning, while the user's wallet only signs the parts it can simulate cleanly. To do that safely, I had to map exactly which of Loyal's actions required the owner's signature and which didn't. That audit is what surfaced the bug.
The instruction that moves a shielded balance didn't require the owner's signature. It only checked that the owner's address was listed in the transaction, and an address is public information.
In practice, anyone could move someone else's shielded balance to themselves using only the victim's public address, with no permission from the owner. That affected every shielded balance on the protocol.
I confirmed it with a minimal test moving ~$0.10 between two of our own wallets and returning it which was enough to verify the issue was real, nothing more.
I didn't publish it. I reported it privately to the Loyal team the same day, with the root cause, a reproduction, and the fix needed.
The Loyal team fixed it within days: transfers now require the owner's signature. I re-ran our test against the patched contract, and it was rejected for a missing owner signature. Confirmed resolved.
Super glad it's resolved, and credit to the Loyal team for the quick turnaround.
Soner@sonrcol·
@absolodev @github They have changed the pricing model not the actual prices. Before it was $40 for roughly a billion tokens when utilized with high end models but now it’s more like 100k tokens for the same price.
ABSOLO@absolodev·
@sonrcol @github What pricing? It has same pricing, with worse model catalog, based on how pricing works, it’s 40 dollar or just gift us 10 dollar situation, because 10 dollar plan seems more like joke.
GitHub@github·
The GitHub Copilot app is now generally available. 🙌 The new home base for your work. Pick up what's next, direct agents in parallel, and land your PRs, all in one place. ⬇️ github.blog/changelog/2026…
Tibo@thsottiaux·
What do you use
Soner@sonrcol·
@RockstarGames I hate that I have to experience this on console instead of pc 😭😭
Rockstar Games@RockstarGames·
Pre-orders for Grand Theft Auto VI will officially begin on June 25 on digital storefronts and at other select retailers. Check out the official cover art, also available as downloadable artwork at rockstargames.com/VI
Soner@sonrcol·
@suni_code They have their own model now
Soner@sonrcol·
I was able to use @cursor_ai waaay beyond my limits for the last couple of days, even after hitting 100% for both Composer and API. Today, I saw the glorious limit reached modal for the first time🥹
Edd Coates | Game UI Database 2.0
I am so fucking sick of my website getting scraped. Millions of requests per minute, somehow designed to bypass all my security rules, choking the site until it completely stops loading. If I were paying for bandwidth, it would cost me a fortune. How is this still legal?
Soner@sonrcol·
@thsottiaux could you please kindly remove the 5 hour limit nonsense??
Soner@sonrcol·
@SmilingKylan @pcoronaf @amazon Nope they bcc bunch of addresses and send mail to literally “undisclosed-recipients;” mail protocol itself is a scam for still allowing this.
Kylan Hurt | smilingkylan.eth@SmilingKylan·
@pcoronaf @amazon (No recipient) must be the literal display name they use. I’m a software engineer and I could be tricked like this. Normies stand no chance
Pablo Corona Fraga@pcoronaf·
This phishing is interesting. They use an @amazon.com address.
Soner@sonrcol·
@BaldKnower If you lend 15k in sol he owes 15k in sol. If you lend 75 sol he owes 75 sol. Pretty simple tbh.
Bald Knower 🧑🏼‍🦲@BaldKnower·
i lent my friend 15k in Solana (Solana was at 200 bucks and i sent him 75SOL) He's trying to square up with me and send me 75 solana today, but 75 solana is now worth 4875 am i wrong here that he owes 15k not 75 SOL?
Soner@sonrcol·
@philz1337x It’s crazy how an individual can achieve such an amazing model. Respect!
philz1337x@philz1337x·
Crystal Upscaler can now turn any image into a 2GB PNG 😂
Soner@sonrcol·
@sideeyegg will soon have an iOS app for its 71 users 😭 meanwhile go try the desktop app, it’s awesome sideeye.gg
Soner@sonrcol·
@synthwavedd It’s not your intellectual property, why did you watermark it leo 😭😭
leo 🐾@synthwavedd·
GPT-5.6 is exceptionally good at replicating designs from an image in code. This is a 0-shot SVG output (!) from 5.6, with a 1-sentence prompt and no tools, alongside an image of an Xbox One controller. 🔥
Soner@sonrcol·
@ritu_twts First? Oh damn, it was Pawno for me. I stepped into coding with gta samp servers
Reethu@ritu_twts·
What was your first code editor?
Marc Lou@marclou·
AI is so good at backend, but so bad at UI/UX. Any recent models one-shot my new features, but I'd have to spend another 10+ prompts to get the design right.