The $BEAMR presale is live. We are past the 30 second point, and you are not too late to join! But do your own research, including the quoted thread from @beamr (there are 10 casts in the thread). Expect both the /beamr and /streme teams to be very responsive to any questions you may have.

2 replies

5 recasts

15 reactions

## Streme V2 Staking Contract Exploit On December 10, 2025, a vulnerability was exploited in the **v2** version of the Streme staking contracts. This vulnerability allowed an attacker to stake tokens without actually depositing them into the staking contract. As a result, the attacker was able to receive a portion of the streaming staking rewards and, if left unaddressed, would have had the ability to unstake and potentially drain all tokens held in the affected contracts. Temporary mitigation actions were taken immediately. A permanent resolution plan was prepared, tested, and subsequently deployed over the following days. The vulnerability has been fully patched, and all affected staking contracts have been migrated to secure versions. No user funds were lost, and staking rewards have continued to stream uninterrupted throughout the incident. No action is required from affected stakers. We estimate that the attacker received approximately **$25 USD** in staking rewards. Additional details are provided below. ### Quick Notes * **BEAMR was NOT affected.** It was deployed using newly patched staking contracts. * **STREME and all other “v1” tokens were NOT affected.** The vulnerability only existed in v2 staking contracts. --- ## Affected Tokens The staking contracts for the following 19 Streme tokens were exploited: **BANGER, LETS, NEWS, V2, ARRR, BASETARD, BSANTA, MIRAGE, NO, ROGUE, TYTG, FAKE (...a806), FAKE (...a0e6), NAND, VOLTS, EMERALD, bee, MON (fake: ...e2cb1), PRESALE** --- ## Incident & Response Timeline * **8:33 PM EST, Dec 10** – We were alerted to unusual staking behavior by Farcaster user **@kender7**, deployer of the affected V2 token. Thank you, Kender. * **9:30 PM EST, Dec 10** – Streaming rewards to the attacker for BANGER were halted. * **9:40 PM EST, Dec 10** – With assistance from Fran at Superfluid, the vulnerability was identified. * **11:49 PM EST, Dec 10** – A patched staking contract was deployed, ensuring future deployments were secure. * **12:30 AM EST, Dec 11** – First draft of recovery plan and contracts completed. * **Dec 11 – Dec 17** – Attacker stakes were repeatedly locked while the recovery plan, contracts, and scripts were refined, tested, and reviewed. * **12:00 PM EST, Dec 18** – Recovery contracts deployed to Base Mainnet. * **12:10 PM EST, Dec 18** – Recovery executed and all 19 affected staking contracts were safely migrated. --- ## Vulnerability Explanation `StakedTokenV2.sol` is a smart contract used to deposit Streme tokens in exchange for staked tokens on a 1:1 basis. It also updates member units in a Superfluid distribution pool (GDA), which streams staking rewards in real time. The v2 version introduced optional delegation features that allow staking rewards to be streamed to a secondary address while the staked tokens remain in the user’s wallet. These delegation features were never exposed through the Streme user interface and were effectively unused. The vulnerability existed in the `stakeAndDelegate` convenience function, which attempted to stake and delegate rewards in a single transaction. Internally, it invoked the staking function using the Solidity `this` keyword: ``` this.stake(msg.sender, amount); ``` Using `this` changes the execution context such that `msg.sender` becomes the contract itself rather than the original transaction sender. As a result, when the `stake()` function attempted to transfer tokens from the staker to the contract, it instead transferred tokens from the contract to itself. Because the staking contract already held all deposited tokens, the attacker was able to mint staked tokens without depositing any new funds. This process could be repeated indefinitely, increasing the attacker’s share of the staking rewards stream. On multiple occasions, we successfully halted reward streams to the attacker but were unable to burn their staked tokens. However, we were able to keep those tokens locked, preventing the attacker from unstaking. --- ## Resolution Plan At a high level, the resolution involved migrating all affected tokens to newly deployed, patched staking contracts while permanently disabling the vulnerable ones. All staker balances, unlock dates, and reward streams remain unchanged, and no user action is required. To recover the Streme tokens from the vulnerable contracts, we intentionally leveraged the same vulnerability to stake enough tokens for a recovery contract to obtain a 100% claim on the deposited tokens. Using admin permissions, the lock duration was temporarily set to zero, allowing the recovery contract to immediately unstake all tokens. The recovery process also: * Disabled transfers of the old staked tokens * Removed any GDA units associated with the attacker * Deployed replacement staking contracts * Transferred recovered Streme tokens into the new contracts The new staking contracts reuse the same Superfluid GDA pools, ensuring that staking reward streams continued without interruption. The replacement contracts include migration features that allow stakers to transition automatically, without requiring explicit action. --- ## Going Forward Within hours of the incident, a patched version of the staking contract was deployed. This version, which does not contain the vulnerability, has been used for **all new token deployments since 11:49 PM EST on December 10, 2025**. --- ## Acknowledgements We extend our sincere thanks to **@kender7** for promptly reporting the issue, and to members of the **Superfluid team** for their assistance in identifying the vulnerability, developing the recovery contract, and reviewing both the recovery and updated staking contracts. Your support was invaluable. ---

6 replies

3 recasts

22 reactions

We are giving away $130,000! /streme has been allocated 5,160,775 $SUP for Season 4 of @superfluid's $SUP rewards program. Unlike past seasons, $SUP is now trade-able and has a price. At the current price, this equates to approximately 130,000 USD worth of $SUP, streaming between now and Feb 25th. In past seasons, we've been intentionally vague about how to earn $SUP rewards with /streme. This time, we are being intentionally explicit. The rules have changed a bit, and here they are: The Basics: - Earn points by holding Streme-launched tokens with a "book value" exceeding 5 USD. - "Book value” is (WETH in the LP pool) / (total supply) * (# of tokens held) - Tokens must meet the minimum token liquidity threshold of 0.03 WETH in the LP pool to earn (about 90-100 USD at current prices) Multipliers and Bonuses: - 2X multiplier if the tokens are staked - 2X multiplier if you are the deployer of the token - 2X multiplier if deposited in a crowdfund - The multipliers stack (ie. you get 2 * 2 = 4X for depositing $stSTREME in the crowdfund, or 2 * 2 = 4X if you are staking a token that you deployed) - Other multipliers and bonuses (possibly/maybe? TBD) These are subject to change -- if that happens, we'll let you know. Also keep in mind that some /streme coins are associated with separate $SUP rewards campaigns, such as @betonbangers and @beamr and (soon) /degendogs. You may want to do your own research about the potential of combining these. https://docs.streme.fun/sup#get-a-share-of-5-160-775-usdsup-in-season-4 https://streme.fun/

8 replies

20 recasts

45 reactions

Starting soon...

3 replies

4 recasts

21 reactions

This is what a presale token distribution looks like on /streme. The initial prebuy -- before the snipers -- purchased ~35B $BEAMR tokens. After a 24 hour lock period, these token have now started to stream in real-time, per second, to 151 presale contributors. The stream will flow for 7 days. Powered by @superfluid.

2 replies

4 recasts

15 reactions

The proceeds of the $BEAMR presale are now streaming to contributors. Open the Beamr mini app to see your allocation and be sure to hit the [Connect to Pool] button.

2 replies

0 recast

9 reactions

Aerodrome Liquidity Pools are now live on Streme!

1 reply

1 recast

9 reactions

This is what beating the snipers looks like. Note the very first trade was the prebuy, the collective swap for the 146 contributors to the $BEAMR presale: 8.6 ETH swapped for 35B $BEAMR. Note the **next** swap from a likely sniper: 8 ETH for only 8.7B $BEAMR. Who got a better price?

5 replies

4 recasts

33 reactions

$BEAMR is live. CA: 0x22f1cd353441351911691ee4049c7b773abb1ecf Streme: <https://streme.fun/token/0x22f1cd353441351911691ee4049c7b773abb1ecf>

1 reply

1 recast

13 reactions

Beware of FAKE tokens! $BEAMR has not deployed yet. If you see tokens in the Farcaster wallet with a Clanker (purple bar chart) icon, note those are fake tokens. $BEAMR will be launched via /streme and will not have a clanker icon next to it. Stay safe!

1 reply

0 recast

6 reactions

Announcing @aerodrome Liquidity Pools (LP) for /streme token deployments. When $BEAMR launches in about an hour, it will be one of the first Streme coins to launch with a liquidity position in an @aerodrome pool. The pool features a 2% trading fee, which is well-suited to teams and projects looking to bootstrap operations from trading fees. Aerodrome Finance is the leading decentralized exchange on @base.base.eth, and pools are widely supported by wallets, DEX aggregators, and even @coinbase. Aerodrome pools are currently available on select deployments on Streme, with general availability coming soon. Stay tuned.

1 reply

5 recasts

21 reactions

The $BEAMR presale will end in approximately 2 hours. $BEAMR launch is targeted for ~3PM EST. Will snipers buy after the token launches? Maybe. Can you buy-in before any snipers? Yes: the presale is still open. Do Your Own Research.

0 reply

0 recast

6 reactions

So far, 3.1 ETH has been contributed to the $BEAMR presale, by 67 wallets. Who will be the 69th? And guess what? It's not too late to late to join. The presale continues until Monday, and whether you are the first or last to join, you get the same price. https://app.beamr.fun

2 replies

0 recast

4 reactions

How the $BEAMR Presale Works - You can deposit ETH via the Beamr mini app. Minimum: 0.01 ETH - You can withdraw at any time prior to token deployment. - The total amount of ETH will be pooled together. - Let's say Bob deposits 1 ETH and a total of 10 ETH is raised. Bob contributed 10% of the ETH, and he will get 10% of the proceeds. - During token deployment, the 10 ETH is used in a single swap -- the very first swap, before any snipers -- against the single-sided Liquidity Pool. Of the total $BEAMR received in the swap, 10% is earmarked for Bob. - The $BEAMR proceeds from the swap get placed in a /streme vault, with a 24 hour lock duration and 7 day flow duration. All members get proportional shares in the vault: Bob gets 10% of the shares. - After 24 hours, the vault is unlocked and the the tokens start streaming to all members, over the following 7 days. Bob will receive 10% of this stream. After 7 days, the full amount will have streamed to members, and Bob now has 10% of the proceeds in his wallet (assuming he hasn't already sold or tipped any) - There will be a "connect to pool" step, a transaction you will need to send to get the streaming tokens to show in your wallet. The timing of this txn is not important, you still receive the same/correct amount of tokens. Look for a button in the Beamr mini app. - As Bob starts to receive tokens in his wallet, he can sell them if he wants, or (better!) start using them to tip via the Beamr app or stake them via the /streme mini app https://app.beamr.fun

1 reply

2 recasts

12 reactions

The team building @beamr is Flow State (@flowstatecoop), lead by @graven. Long time builders of money streaming tools in the @superfluid ecosystem, you many know them here on Farcaster for their Flowcaster mini app. https://farcaster.xyz/miniapps/0EyeQpCD0lSP/flow-caster https://flowstate.network/

0 reply

1 recast

9 reactions