

Nico Gallardo
0/ Today, the Ethereum Foundation finalized the terms of a 10,000 ETH sale at an average price of $2,387 via OTC. For this sale, our OTC counterpart was @BitMNR.


Golem Foundation and Golem Factory are contributing a combined 1000 ETH from our treasuries to @aave's coordinated DeFi relief effort following the rsETH incident. We've been working closely with the Aave team this week in a supporting capacity. Our contribution will go toward restoring rsETH backing and enabling an orderly resolution for affected stakeholders. Glad to stand with @aave and the rest of the ecosystem responding here. DeFi United.






Last week, @ESultanik from @trailofbits reported to me an exploit in @revnets found by @AnthropicAI. All Revnet V5 funds were at risk. Sunday I attempted a whitehat rescue of the funds. I successfully pulled $140k of funds belonging to the @Artizen ART revnet and @markee_xyz MARKEE revnet. In the process, I lost ~25 mainnet ETH from the NANA @juiceboxETH, REV @revnets, and BAN @bannynet revnets... due to my negligence in executing the script. MEV got the best of my urgency in the heat of the moment, despite thinking I did all I could to be ready to go. All other non-revnet Juicebox projects are unaffected.

For the past three months, I have been working on an "AI hardened" version of Juicebox – a fork of V5 that has gone through the wringer of any and all AI, harness, any novel auditing concept I could get my hands on. This weekend's exploit took advantage of a nuance in the revnet loans code that I had caught and fixed at the beginning of this process, but I had not realized it put funds at risk until reported by TOB and Anthropic.

I'm grateful we managed to keep customers' funds safe, and regretful we'll have to start our own businesses over. I'm frustrated at myself for having left the exploit in the original code, and for failing to recover all of it despite the opportunity. I'm encouraged knowing I've already been working on the solution and won't be starting this AI risk assessment from 0... the downtime will be relatively short. But most of all I'm relieved that this AI security moment has come now, when funds at risk were relatively modest. I do not envy those with centi-million dollar protocols in production going into 2026. Despite doing all we could to get the Juicebox and Revnet V4/5 protocols audited over the past three years before deploy, the obsessive manual reviews and tests from ourselves and from top pros still missed what the latest AI crawlers have caught.

The other side of this diligence storm is sunny. This turbulence is a blessed precondition for open finance, one that will level up the quality of open source, enable anyone to run audits, and allow those of us who take responsibility over the integrity of these public tools to sleep better at night. We must get to the other side. As usual, I will continue running my businesses using my own tools that I do everything to derisk, and I will continue telling others that they probably shouldn't follow my lead – the tradeoffs are real and borne by users of the open source. But I've found there are folks like me who stubbornly prefer assuming this risk if the reward is the freedom, agency, and strong guarantees the tools offer in their ideal form, unlike the corporate landscape of law-fare, capture, and executive discretion. Reaching the ideal form is inevitable if we keep going at it. It is the holy grail. Open source, open accounting, and the open internet can and will outcompete everything, but damn the journey ain't easy.

On a practical note: V5 NANA, REV, and BAN holders will receive their V6 tokens as soon as the protocol is deployed, and we will restart revenue aggregation from there. MARKEE and ART holders will also receive their V6 tokens, and have their whitehat rescued funds added to their revnets to back the value of the tokens.

These next few weeks before we launch V6, we need all hands on deck pointing AIs at it and fishing for exploit opportunities, efficiency nudges, documentation clarification, and everything in between. JBX and REV rewards to those who report issues. All you have to do is pull up Claude Code, Codex, or your favorite LLM and run: "Clone github Bananapus/version-6 recursively, read AUDIT_INSTRUCTIONS.md, then walk me through my options for auditing this codebase. Ask me how deep I want to go, which subsystem interests me, and whether I have any specialization to add — then start."
