CryptoMikko

@mikkodev.eth

Security Incident Report – January 30, 2026

What Happened

Earlier today, a critical vulnerability was discovered in our /api/user/dust endpoint that allowed attackers to set arbitrary dust values without actually farming. The vulnerability was exploited by one user who claimed approximately 1.485 billion WLING tokens and subsequently dumped around 1.3 billion tokens on the market.

The Vulnerability

The dust saving API trusted values sent from the frontend without server-side validation. An attacker could simply send a POST request with any dust amount they wanted.

Example request:

await fetch("/api/user/dust", { body: '{"address":"0x...", "dust": 1500000000}', method: "POST" });

This allowed them to inflate their dust balance to billions, then claim it as real tokens through our legitimate claim system.

What We’ve Done

We have deployed comprehensive security fixes:

Dust values are now validated server-side against time-based earning limits
Earning rates are calculated server-side from pet and equipment data
Multiple other vulnerabilities patched (pet naming auth, PvP race conditions, lootbox exploits)
Claims are temporarily paused while we complete our security review

Current Status

Vulnerability: PATCHED
Token Claims: PAUSED
Mining / Playing: ACTIVE
Exploiter Identified: YES

The Exploiter

Farcaster: @0x0lazycode (FID: 1132996)
Wallet: 0x247116c752420ec7fe870d1549a1c2e8d44675c6

We are evaluating our options regarding the dumped tokens and will provide updates as we determine next steps.

Apology

We sincerely apologize to our community. The mass dump of approximately 1.3 billion tokens has significantly impacted the token price, and we understand the frustration this causes. This vulnerability should have been caught before launch, and we take full responsibility.

Next Steps

1. Complete security audit review
2. Re-enable claims once confirmed safe
3. Evaluate options for addressing the damage
4. Implement additional security measures such as rate limiting and monitoring

We will keep the community updated as we work through this situation.

– CryptoMikko
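The fix described in the report (server-side validation of dust against a time-based earning limit, with the rate derived from pet and equipment data) can be sketched as follows. This is an added example, not the project's code: the function names, rate tables, in-memory store and sample values are all hypothetical, and caller authentication is assumed to happen elsewhere.

```javascript
// Added example: names, rates and the in-memory store are hypothetical.
const PET_RATE = { common: 1, rare: 3 };      // dust per second (constructed)
const EQUIP_BONUS = { none: 0, pickaxe: 2 };  // dust per second (constructed)

// "Before": stores whatever amount the client sends, as the report describes.
function saveDustVulnerable(store, body) {
  const user = store.get(body.address);
  user.dust = body.dust;
  return { ok: true, dust: user.dust };
}

// Earning rate derived only from server-held pet and equipment data.
function earningRate(user) {
  return (PET_RATE[user.pet] ?? 0) + (EQUIP_BONUS[user.equipment] ?? 0);
}

// "After": the client value is a claim, checked against a time-based cap.
function saveDustValidated(store, body, nowMs) {
  const user = store.get(body.address);
  if (!user) return { ok: false, reason: "unknown address" };
  const claimed = body.dust;
  if (!Number.isSafeInteger(claimed) || claimed < 0) {
    return { ok: false, reason: "invalid dust value" };
  }
  // Most dust this account could hold now, given time since the last save.
  const elapsedSec = Math.max(0, Math.floor((nowMs - user.lastSavedMs) / 1000));
  const maxDust = user.dust + elapsedSec * earningRate(user);
  if (claimed > maxDust) {
    return { ok: false, reason: "exceeds earning limit", maxDust };
  }
  user.dust = claimed;
  user.lastSavedMs = nowMs;
  return { ok: true, dust: user.dust };
}

// Constructed sample: one account, 60 seconds after its last save.
function demo() {
  const mk = () => new Map([["0xabc",
    { dust: 100, pet: "rare", equipment: "pickaxe", lastSavedMs: 0 }]]);
  const forged = { address: "0xabc", dust: 1500000000 };
  const honest = { address: "0xabc", dust: 350 };
  return {
    vulnerable: saveDustVulnerable(mk(), forged),
    rejected: saveDustValidated(mk(), forged, 60000),
    accepted: saveDustValidated(mk(), honest, 60000),
  };
}
```

Rejected requests carry the computed cap, which gives the monitoring mentioned under Next Steps a value to log and alert on.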