# elizaOS Discord - 2025-12-07

## Overall Discussion Highlights

### Critical Security Incident - ElizaOS Website Breach

The most urgent issue of the day was a security breach affecting elizaos.ai. The website was compromised through a critical Next.js RCE vulnerability (advisory GHSA-9qr9-h5gf-34mp) affecting versions 15.3.0-15.3.6. Attackers deployed an XMR cryptocurrency miner on the site, which was discovered when the site returned a 502 error revealing malicious `xorDecode` functions.

**Resolution Process:**
- Odilitime attempted to deploy a fresh copy but it was immediately re-compromised, indicating an active exploit
- The team rotated PAT tokens and deployed to a fresh VPS
- Updated Next.js from version 15.3.1 to 16.0.7 using `bun update --latest`
- cjft submitted PR #3 to eliza-website-v2 with necessary updates
- Additional nginx configuration for websocket support was implemented
- jasyn_bjorn offered a $1,000 bounty for solving the issue within 2 hours

The team noted the attacker was running a worm rather than a targeted attack, as they only deployed a miner instead of more damaging payloads like fake wallet migration UIs. Vercel was confirmed to auto-detect CVEs and hot patch their runtime for affected projects.
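A post-incident triage check for the two signals mentioned above, as an added example (not code from the elizaOS team or from PR #3): it tests the installed Next.js version against the affected range stated here and lists lines in deployed files that contain the `xorDecode` string. The function names, file paths and sample contents are assumptions made for illustration; a marker hit is a lead for manual review, not proof of compromise.

```javascript
// Added example, not elizaOS code. The version range and the `xorDecode`
// marker are the ones stated in the incident notes; everything else is assumed.
const AFFECTED = { min: [15, 3, 0], max: [15, 3, 6] };
const MARKER = /\bxorDecode\b/;

// "15.3.1" or "v15.3.1" -> [15, 3, 1]; null when unparseable.
// Pre-release suffixes are ignored, so "15.3.0-canary.1" is treated as 15.3.0.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function inAffectedRange(version) {
  const v = parseVersion(version);
  if (v === null) return null; // unknown: needs a manual look
  return compare(v, AFFECTED.min) >= 0 && compare(v, AFFECTED.max) <= 0;
}

// 1-based line numbers that contain the marker.
function markerLines(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => { if (MARKER.test(line)) hits.push(i + 1); });
  return hits;
}

// installedPkgJson: text of node_modules/next/package.json (the resolved version,
// not the range declared in the project's package.json).
// files: { path: contents } for deployed or built files to review.
function triage(installedPkgJson, files) {
  const pkg = JSON.parse(installedPkgJson);
  const hits = Object.entries(files)
    .map(([path, text]) => ({ path, lines: markerLines(text) }))
    .filter((h) => h.lines.length > 0);
  return { version: pkg.version, affected: inAffectedRange(pkg.version), hits };
}

// Constructed sample input (not taken from the incident).
const samplePkg = JSON.stringify({ name: "next", version: "15.3.1" });
const sampleFiles = {
  "server/chunk-a.js": "const a = 1;\nfunction xorDecode(b, k) { /* placeholder */ }\n",
  "server/chunk-b.js": "export const ok = true;\n",
};
console.log(JSON.stringify(triage(samplePkg, sampleFiles), null, 2));
```

Because the fresh copy was re-compromised immediately, a clean result from a check like this only means something after the dependency has been updated and the host rebuilt.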

### Twitter/X API Integration Crisis

A major technical challenge emerged around Twitter agent functionality. Odilitime confirmed that username/password authentication is now legally prohibited and no longer supported in Eliza, forcing migration to API key-based authentication.

**Critical Limitations:**
- The free Twitter API tier only allows ~50 reads before hitting rate limits
- SecretRecipe reported agents burn through 50% of API limits immediately on first run when checking mentions
- This makes Twitter agents essentially non-viable for free users
- The old plugin-twitter 1.0.7 can be forked, but users would face legal issues from X without team support

**Future Direction:**
- X is moving toward per-request pricing which should make agents cheaper
- The team needs to recover suspended X/Twitter accounts (X took their accounts, likely due to previous automation practices)
- Dashboard now requires Twitter API keys instead of the deprecated env-based login/password approach

### Token Migration and Economics Concerns

Multiple users reported issues with the migration portal at migrate.elizafoundation.ai showing zero eligible tokens despite holding ai16z. Users were directed to support channels and advised to follow links from the mirror article in announcements.

**Token Economics Discussion:**
- DorianD repeatedly criticized the lack of network tokenomics and utility, stating sophisticated investors won't engage without proper token usage mechanisms
- No direct connection exists between Babylon and ElizaOS beyond planned airdrops
- Team tokens are confirmed locked, with Eliza treasury portion not being released soon
- Migration process remains incomplete, contributing to low liquidity
- Kraken sent emails to ai16z holders explaining they are considering migration and will keep holders informed

**Price Performance Concerns:**
- Multiple users questioned the token price collapse
- Attributed to more sellers than buyers, decreased volume, and incomplete migration causing low liquidity
- Babylon prediction market has 272k registered users waiting for launch
- Utility is coming with airdrops for ElizaOS holders, and agents created with the ElizaOS framework in Babylon will increase the framework's reputation

### Development Progress and Roadmap

**Version Planning:**
- Discussion about whether version 1.6.5 should be 1.7.0 due to significant changes
- Version 1.7.0 will include streaming and Eliza as MCP (Model Context Protocol)
- Stan is working on streaming functionality with tests in progress, confirming no trade-offs with the implementation
- Kenk shared a roadmap for Eliza Labs on Notion for team review

**Technical Development:**
- SecretRecipe discussed extensive home server setup with 30 GPUs (3060 Ti through 4090), 8 servers, running Ollama, N8N, and various models locally
- jin recommended Strix Halo mini PCs for self-hosting LLMs, specifically the gmktec evo-x2 128gb running gpt-oss 120b
- Development activity noted as strong with improved infrastructure

### Database and Plugin Development

**PostgreSQL Extension:**
- velsaria confirmed it's possible to extend existing PostgreSQL databases to accommodate ElizaOS core SQL plugin requirements
- sayonara provided a concrete implementation reference from the otaku repository gamification plugin (line 121 of plugin.ts)

**Market Data Fetching:**
- Skelzor sought recommendations for plugins to fetch offchain market data
- The dexscreener plugin has been removed from the plugin directory
- No specific free alternative was identified, with jin suggesting traditional data engineering approaches

### Strategic Discussions

**ElizaOS X Account Recovery:**
- Phenowin emphasized the importance of recovering the elizaos X account for attracting investor attention during a potential bull run
- Odilitime confirmed account recovery remains in the plans

**Market Predictions:**
- Phenowin anticipated a bull run in Q1/Q2 2026
- DorianD expressed skepticism, predicting 2028 as more likely based on macroeconomic factors
- Specific conditions needed for altseason: BTC rallying above $120k and ETH surpassing $5000+ with sustained levels
- DorianD shared long-term vision about AI agents operating without easy shutdown, combined with futarchy/prediction markets (estimated 50 years out)

## Key Questions & Answers

**Security & Infrastructure:**

Q: Is elizaos.ai down?  
A: Yes, confirmed 502 bad gateway error due to security breach (Odilitime)

Q: What caused the website hack?  
A: Next.js RCE vulnerability in versions 15.3.0-15.3.6, specifically GHSA-9qr9-h5gf-34mp (Odilitime)

Q: What was the attacker running?  
A: An XMR cryptocurrency miner (Odilitime)

Q: Does Vercel auto-upgrade vulnerable dependencies?  
A: Yes, they auto-detect CVEs and hot patch their runtime for affected projects (cjft)

**Twitter/X Integration:**

Q: Why was the old username/password Twitter authentication method deprecated?  
A: It's legally not allowed now, at least the team can't support it. Users can fork plugin-twitter 1.0.7 but will face X's lawyers without team support (Odilitime)

Q: Why is X not happy with Eliza?  
A: X isn't very happy with us, probably why they took our accounts. They're switching to per-request pricing which should make agents cheaper (Odilitime)

Q: Should I use the dashboard's Twitter API keys or the old env login/password style?  
A: The user/pass method is now deprecated and no longer works - must use API keys (Odilitime)

**Migration & Token Economics:**

Q: Why does the migration portal show 0 ai16z tokens when I have them?  
A: Users were directed to support channels and told to follow links from the mirror article in announcements channel (Omid Sa, Manuel, Kenk)

Q: Is the migrate.elizafoundation.ai site safe to connect Phantom wallet?  
A: Yes, users should check announcements channel and follow links from the mirror article (Manuel, Kenk)

Q: Why is ai16z no longer available on Kraken but ElizaOS isn't listed?  
A: ElizaOS was never on Kraken. Kraken sent emails to ai16z holders explaining they are considering migration and will keep holders informed (Serikiki)

Q: What caused the token price collapse?  
A: More people selling than buying, decreased volume, and migration not complete causing low liquidity (jasyn_bjorn, Omid Sa, hns71)

Q: Is the team selling tokens?  
A: Team tokens are locked. The Eliza treasury portion won't be released soon (Omid Sa)

Q: Why is there no utility for the token?  
A: Utility is coming. There will be airdrops for ElizaOS holders and agents created by ElizaOS framework in Babylon will increase framework reputation (Omid Sa)

**Development:**

Q: Can I extend my existing PostgreSQL database (with data inside) to store ElizaOS core SQL plugin needs?  
A: Yes, you can. Reference implementation available in the otaku repository gamification plugin (sayonara)

Q: Should version 1.6.5 be 1.7.0?  
A: Unanswered directly, but cjft indicated 1.7.0 would include streaming and Eliza as MCP

Q: What will be in version 1.7.0?  
A: Streaming and Eliza as MCP (cjft)

Q: Any trade-offs with the streaming implementation?  
A: No, everything works the same, currently working on tests (Stan ⚡)

Q: What's recommended for self-hosting LLMs?  
A: Strix Halo mini PC, specifically gmktec evo-x2 128gb with gpt-oss 120b (jin)

**General:**

Q: What is Babylon?  
A: A prediction market with agents and human integration (Omid Sa)

Q: Does Shaw come to Discord?  
A: Yes, quite often considering (Odilitime)

Q: Is it possible to connect agents to Telegram or Discord through the Eliza cloud website?  
A: No, that is not possible. Users should head to dev-support for more questions (Arceon)

Q: What does the ♡ELZA tag after usernames mean?  
A: It's a tag per server that each server can have and you set yourself (SecretRecipe)

**Strategic:**

Q: Is it in our 2026 plans to recover our elizaos x account?  
A: Still planning on getting it back (Odilitime)

Q: Will there be a bull run in 2026?  
A: Doubt there will be a bull run in 2026, more like 2028 (DorianD)

Q: What market conditions are needed for altseason?  
A: BTC needs to rally back above 120k past ATH and ETH to 5000$+ past its ATH and sustain those levels (Phenowin)

## Community Help & Collaboration

**Security Response Team:**
- **Odilitime** led the response to the website security breach, identifying the Next.js RCE vulnerability and coordinating the fix
- **cjft** provided critical support by suggesting deployment to Vercel, submitting PR #3 with fixes, and guiding the update process
- **jasyn_bjorn** offered financial incentive with a $1,000 bounty to accelerate resolution

**Migration Support:**
- **Omid Sa, Manuel, and Kenk** assisted multiple users (ROTHILD, Bdcrypto7, ABY&C) with migration portal issues, directing them to appropriate support channels and verification resources

**Technical Guidance:**
- **sayonara** helped **velsaria** with PostgreSQL database extension by providing concrete implementation reference from the otaku repository
- **jin** engaged with **Skelzor** on finding market data fetching solutions, though no complete resolution was reached
- **Odilitime** explained Twitter API changes and limitations to **SecretRecipe**, including legal constraints and future pricing models

**Community Support:**
- **Serikiki** clarified Kraken listing status for **TJ**
- **Arceon** directed **AlexMtz** and **joaz0502** to appropriate channels and resources
- **0xTDL** directed **ABY&C** to migration-support channel
- **SecretRecipe** engaged with **cryptograce** about PC donations for a school in the Philippines
- **Odilitime** demonstrated tip bot functionality by tipping 5,117 ai16z tokens worth $22.47

**Market Analysis:**
- **DorianD** provided detailed economic analysis to **Phenowin** regarding bull run timing, explaining macroeconomic factors and why 2028 is more likely than 2026

## Action Items

### Technical

- **Rotate PAT tokens after security breach** (Odilitime)
- **Deploy website to fresh VPS to eliminate potential backdoors** (cjft)
- **Update Next.js from 15.3.1 to 16.0.7 to patch RCE vulnerability** (Odilitime)
- **Add nginx settings for websocket support** (Odilitime)
- **Recover suspended X/Twitter accounts for the project** (Odilitime)
- **Optimize Twitter agent API usage to work within new rate limits** (Odilitime, SecretRecipe)
- **Implement per-request pricing model for Twitter agents to reduce costs** (Odilitime)
- **Complete migration process to improve liquidity** (hns71)
- **Resolve migration portal issues showing zero eligible tokens** (ROTHILD, ABY&C)
- **Complete tests for streaming functionality** (Stan ⚡)
- **Implement custom REST API endpoints in ElizaOS project** (velsaria)
- **Find or create free alternative plugin for offchain market data fetching to replace removed dexscreener plugin** (Skelzor)
- **Address token unlock schedule concerns and selling pressure** (joaz0502)
- **Recover elizaos X (Twitter) account** (Phenowin)

### Feature

- **Implement network tokenomics to create utility for the token** (DorianD)
- **Create meaningful connection between Babylon and ElizaOS beyond airdrops** (DorianD)
- **Launch Babylon prediction market (272k registered users waiting)** (joaz0502)
- **Enable Telegram and Discord agent connections through cloud website** (AlexMtz)
- **Integrate blockchain development, NFT marketplace, and gaming services into ecosystem** (AL)
- **Release version 1.7.0 with streaming and Eliza as MCP** (cjft)
- **Implement streaming functionality in Eliza** (Stan ⚡)
- **Implement Eliza as MCP (Model Context Protocol)** (cjft)
- **Develop AI agents that can run without being shut down easily combined with futarchy/prediction markets** (DorianD)

### Documentation

- **Update documentation for new Twitter API key authentication method** (SecretRecipe)
- **Clarify exchange listing status and migration timeline** (TJ, joaz0502)
- **Update showcase channel with recent developments** (Omid Sa)
- **Document PostgreSQL database extension patterns for ElizaOS core SQL plugin integration** (velsaria)
- **Review and comment on Eliza Labs Roadmap on Notion** (Kenk)
- **Decide if roadmap should live in main elizaOS repo** (Kenk)
- **Schedule session on roadmap before Christmas break** (Kenk)