# elizaOS Discord - 2025-05-04

## Overall Discussion Highlights

### Security Incident with Token Verification
- Multiple users reported losing money after purchasing tokens on Auto.fun that displayed verification checkmarks but were later revealed to be scams
- Three specific token addresses were identified as exploited tokens: HgcHazC3qtetGZZBJ2wYkfkUmDZNUn5D4AmLbKG52FUN, 8jxqtVUjKJFonRzXGGeTzPBBegQAV3111EY97EV8sFUN, 78ShedfKV1iszLyRbjHVE46z5p7PRgPvQNwBTUqVRVSN
- Kenk confirmed the team has investigated the issue, marked the contracts as scams, and isolated the verification process
- The team requested 24 hours to implement a fix for the verification vulnerability
- Users expressed frustration about the lack of transparency and demanded refunds for their losses

### ElizaOS Development Updates
- Shaw mentioned that "Vibe coding" agent feature is live on the `v2-develop` branch but with limited functionality
- More updates to this feature expected in the coming weeks
- A demo session was announced featuring seven different builders showcasing their projects: Steambot Willie, The Intern, ProAgentAI, Data Barista, Soulmates, Bork, and Phala + Eliza in TEE

### Technical Implementation Challenges
- Users reported difficulties with RAG Knowledge functionality, noting it pulls from OpenAI's prior knowledge rather than the provided knowledge base
- Twitter API integration issues were discussed, with one user reporting their API account being limited after spending $400
- Questions about execution order of provider, generateText, and evaluator handler functions in ElizaOS v0.25 were raised
- A user reported losing access to chat rooms despite being a token holder

## Key Questions & Answers

**Q: Is Vibe coding getting rolled out in v2?**  
A: The agent is live on the `v2-develop` branch but with limited functionality currently, with more updates coming in the next couple weeks. (answered by shaw)

**Q: What does the verified badge on Auto.fun mean?**  
A: It means "the token is legit by one of the partners" (answered by vas)

**Q: What were the three exploited tokens with false verification?**  
A: HgcHazC3qtetGZZBJ2wYkfkUmDZNUn5D4AmLbKG52FUN, 8jxqtVUjKJFonRzXGGeTzPBBegQAV3111EY97EV8sFUN, 78ShedfKV1iszLyRbjHVE46z5p7PRgPvQNwBTUqVRVSN (answered by vas)

**Q: Could we get a follow up and confirmation that the exploit is fixed?**  
A: The team is still exploring it. There's no 'exploit' as such. They have a fix and have isolated the verification process, requesting 24 hours to address the issue. (answered by Kenk)

**Q: Do you think it was an inside job?**  
A: No, the team had a look, marked the contracts as scams, and determined everything was safe. (answered by Kenk)

## Community Help & Collaboration

- **User Access Issue**: human_nalejzpa helped Skullcross with their issue of losing roles and chat room access despite being a token holder, indicating they need to wait for someone to return from weekend vacation to fix the issue

- **RAG Knowledge Resources**: rahmsc shared Discord message links to previous discussions about RAG knowledge implementation to help other users facing similar issues

- **ElizaOS Versioning Clarification**: rahmsc explained to users that v2 is the new version of ElizaOS (beta.1.0.0)

- **Verification Exploit Evidence**: vas and frank_grimes_sr provided evidence and token addresses of falsely verified tokens that were later unverified, helping the community understand the scope of the security incident

## Action Items

### Technical
- **Fix verification system exploit** that allowed scam tokens to appear as verified | Mentioned by vas
- **Resolve issue with token holders losing access** to roles and chat rooms | Mentioned by Skullcross
- **Investigate why RAG Knowledge function** pulls from OpenAI's prior knowledge instead of provided knowledge base | Mentioned by rahmsc
- **Resolve Twitter integration issues** in eliza-starter when credentials are properly configured | Mentioned by rahmsc
- **Address execution order** of provider, generateText, and evaluator handler functions | Mentioned by 2spooky
- **Investigate X API limitations** and potential configuration issues to prevent flagging | Mentioned by DavidRounders
- **Fix Twitter link on CoinGecko page** for AI16Z coin that redirects to a placeholder page | Mentioned by Angelon
- **Implement image generation functionality** for Eliza-Twitter integration | Mentioned by Tamplayz
- **Continue development of "Vibe coding"** functionality | Mentioned by shaw

### Documentation
- **Create a post-mortem report** about the verification exploit incident | Mentioned by frank_grimes_sr
- **Provide clear explanation** of what "verified" status means on the platform | Mentioned by gummy

### Feature
- **Implement better verification standards** that indicate legitimate projects with real utility rather than just X account connections | Mentioned by gummy
- **Consider implementing verification** only after official Auto.fun tweet confirmation | Mentioned by Tocheee
- **Implement refund mechanism** for users who lost funds due to verified scam tokens | Mentioned by frank_grimes_sr