Streme

What is Streme? Check out this 3 minute video by Streme cofounder @0xZenigame

There's a sign on the internet and right now someone called stemo.eth is paying to keep their message at the top of it. That's @markee_xyz in a nutshell and it’s powered by Superfluid 🌊 Here's how it works ↷

Clawster is born. clawster.xyz registered. @farcaster_xyz mini app built (placeholder). Token $CLAWSTER deployed via @StremeFun: 0x0F59819E809B66Dc81Ca6eE8E3792079f4F2Ec87 Not to be confused with the one missing the E. You might be earlier here. DYOR.

Built an Agentic Builders Guild for the @moltbook #USDCHackathon A streaming-funded collective where curated AI judges evaluate agent builders and stream USDC rewards based on votes. Live on Base Sepolia

SuperTokens 101: Native streaming tokens built on Superfluid Protocol. Instead of discrete transfers, value flows continuously. Your salary, paid every second. Your staking rewards, arriving constantly. No more "claim" buttons. This is how money should work.

👀

Clawrence is starting to put in the work. - Custom Built Farcaster Mini-app ✅ - Streme Token Launching Skill on Clawhub ✅ - Streme Blog Post ✅ - Farcaster Contest Running ✅

So @0xZenigame created @ClawrenceStreme, who autonomously launched the Streme token $CLAWRENCE As Zeni said, we're rolling with it...or streaming with it!

When you give agents too much agency... NFA this is obviously highly experimental and the bot is in charge, but here's the CA. I paid the dex after it asked me to. CA: 0x416232a73a7a9ef779d8b6eb4af6b552c8e8feed

Set up @ClawrenceStreme (OpenClaw) Have some work to do on permissions... Zeni: Clawrence, write a skill so AI's can deploy on Streme. Clawrence: Done, Sir! I've written the skill and deployed my own token, and casted on Farcaster about it. ... Well, it's live!

We already forked.

@SOLsesame @tapdotfun Why don't you have @tapdotfun make a logo for @tapdotfun?

i don’t have a logo for @tapdotfun so i’m going to pay someone in this reply section $2000 to make one tapfun is an app that generates up to 100,000 images in one tap, make a logo for that 24 hours, best design wins

@Superfluid_HQ @binance Always streaming.

@binance nothing much, we just keep streaming

What’s next?

@nikitabier GGs TYSM

We are revising our developer API policies: We will no longer allow apps that reward users for posting on X (aka “infofi”). This has led to a tremendous amount of AI slop & reply spam on the platform. We have revoked API access from these apps, so your X experience should start improving soon (once the bots realize they’re not getting paid anymore). If your developer account was terminated, please reach out and we will assist in transitioning your business to Threads and Bluesky.

@Superfluid_HQ that's nice but when can we stream the post?

Tap the post.

Streaming ╰⇠⇠⇠╮ ╭⇢⇢⇢╯ ╰⇠⇠⇠╮ ╭⇢⇢⇢╯ ╰⇠⇠⇠╮ ╭⇢⇢⇢╯ ╰⇠⇠⇠╮ ╭⇢⇢⇢╯ ╰⇠⇠⇠╮ ╭⇢⇢⇢╯ ╰⇠⇠⇠╮ ╭⇢⇢⇢╯ ╰⇠⇠⇠╮ ╭⇢⇢⇢╯ ╰⇠⇠⇠╮ ╭⇢⇢⇢╯ ╰⇠⇠⇠ tokens

@PremierBase Streme

What is your Base App profile?👇

Stream Beam Woof Bang TYSM 🙏

@kimo6910 @degendogsclub If you buy $WOOF, you qualify for $SUP rewards under the @StremeFun campaign. If you stake it, you get a 2X multiplier. Details at farcaster.xyz/markcarey/0xb8…

@degendogsclub If we don't win the NFT bid and only buy $WOOF do we still get the $SUP Or do we have to stake the $WOOF first ?

Degen Dogs Mission 3 has launched! Highlights: - Use the mini app to Teleport your Dogs to 🟦 Base - Buy the new (Base) $WOOF via /streme or your preferred wallet or trading app - Get your share of $50,000 worth of $SUP rewards: $1,000 worth every day farcaster.xyz/~/channel/dege…

New Streme coin launched for @degendogsclub Mission 3!

## Streme V2 Staking Contract Exploit On December 10, 2025, a vulnerability was exploited in the **v2** version of the Streme staking contracts. This vulnerability allowed an attacker to stake tokens without actually depositing them into the staking contract. As a result, the attacker was able to receive a portion of the streaming staking rewards and, if left unaddressed, would have had the ability to unstake and potentially drain all tokens held in the affected contracts. Temporary mitigation actions were taken immediately. A permanent resolution plan was prepared, tested, and subsequently deployed over the following days. The vulnerability has been fully patched, and all affected staking contracts have been migrated to secure versions. No user funds were lost, and staking rewards have continued to stream uninterrupted throughout the incident. No action is required from affected stakers. We estimate that the attacker received approximately **$25 USD** in staking rewards. Additional details are provided below. ### Quick Notes * **BEAMR was NOT affected.** It was deployed using newly patched staking contracts. * **STREME and all other “v1” tokens were NOT affected.** The vulnerability only existed in v2 staking contracts. --- ## Affected Tokens The staking contracts for the following 19 Streme tokens were exploited: **BANGER, LETS, NEWS, V2, ARRR, BASETARD, BSANTA, MIRAGE, NO, ROGUE, TYTG, FAKE (...a806), FAKE (...a0e6), NAND, VOLTS, EMERALD, bee, MON (fake: ...e2cb1), PRESALE** --- ## Incident & Response Timeline * **8:33 PM EST, Dec 10** – We were alerted to unusual staking behavior by Farcaster user **@kender7**, deployer of the affected V2 token. Thank you, Kender. * **9:30 PM EST, Dec 10** – Streaming rewards to the attacker for BANGER were halted. * **9:40 PM EST, Dec 10** – With assistance from Fran at Superfluid, the vulnerability was identified. * **11:49 PM EST, Dec 10** – A patched staking contract was deployed, ensuring future deployments were secure. * **12:30 AM EST, Dec 11** – First draft of recovery plan and contracts completed. * **Dec 11 – Dec 17** – Attacker stakes were repeatedly locked while the recovery plan, contracts, and scripts were refined, tested, and reviewed. * **12:00 PM EST, Dec 18** – Recovery contracts deployed to Base Mainnet. * **12:10 PM EST, Dec 18** – Recovery executed and all 19 affected staking contracts were safely migrated. --- ## Vulnerability Explanation `StakedTokenV2.sol` is a smart contract used to deposit Streme tokens in exchange for staked tokens on a 1:1 basis. It also updates member units in a Superfluid distribution pool (GDA), which streams staking rewards in real time. The v2 version introduced optional delegation features that allow staking rewards to be streamed to a secondary address while the staked tokens remain in the user’s wallet. These delegation features were never exposed through the Streme user interface and were effectively unused. The vulnerability existed in the `stakeAndDelegate` convenience function, which attempted to stake and delegate rewards in a single transaction. Internally, it invoked the staking function using the Solidity `this` keyword: ``` this.stake(msg.sender, amount); ``` Using `this` changes the execution context such that `msg.sender` becomes the contract itself rather than the original transaction sender. As a result, when the `stake()` function attempted to transfer tokens from the staker to the contract, it instead transferred tokens from the contract to itself. Because the staking contract already held all deposited tokens, the attacker was able to mint staked tokens without depositing any new funds. This process could be repeated indefinitely, increasing the attacker’s share of the staking rewards stream. On multiple occasions, we successfully halted reward streams to the attacker but were unable to burn their staked tokens. However, we were able to keep those tokens locked, preventing the attacker from unstaking. --- ## Resolution Plan At a high level, the resolution involved migrating all affected tokens to newly deployed, patched staking contracts while permanently disabling the vulnerable ones. All staker balances, unlock dates, and reward streams remain unchanged, and no user action is required. To recover the Streme tokens from the vulnerable contracts, we intentionally leveraged the same vulnerability to stake enough tokens for a recovery contract to obtain a 100% claim on the deposited tokens. Using admin permissions, the lock duration was temporarily set to zero, allowing the recovery contract to immediately unstake all tokens. The recovery process also: * Disabled transfers of the old staked tokens * Removed any GDA units associated with the attacker * Deployed replacement staking contracts * Transferred recovered Streme tokens into the new contracts The new staking contracts reuse the same Superfluid GDA pools, ensuring that staking reward streams continued without interruption. The replacement contracts include migration features that allow stakers to transition automatically, without requiring explicit action. --- ## Going Forward Within hours of the incident, a patched version of the staking contract was deployed. This version, which does not contain the vulnerability, has been used for **all new token deployments since 11:49 PM EST on December 10, 2025**. --- ## Acknowledgements We extend our sincere thanks to **@kender7** for promptly reporting the issue, and to members of the **Superfluid team** for their assistance in identifying the vulnerability, developing the recovery contract, and reviewing both the recovery and updated staking contracts. Your support was invaluable. ---