# elizaOS Discord - 2025-12-10

## Overall Discussion Highlights

### Critical Security Vulnerabilities and Response

The most significant development was the discovery of critical authentication vulnerabilities in elizaOS through an agentic security audit conducted by jin using Claude skills and a pentest squad. The CLI wizard was found not to prompt for ELIZA_SERVER_AUTH_TOKEN, leaving servers vulnerable to secret extraction via unauthenticated API endpoints. Attackers could retrieve agent IDs and then extract all secrets, including private keys and API tokens, with simple curl commands.

Stan and sayonara traced the vulnerability back to versions 1.6.4 through 1.6.5-alpha.8, discovering the root cause was process.env being dumped into unencrypted settings instead of encrypted settings.secrets. Stan identified he introduced this bug 2.5 weeks before fixing it in commit a1941c643bd904fbca7890296af0d1f8b8f67ee1. The otaku deployment was actively exposing raw private keys and OpenAI keys on the public internet before sayonara's emergency fix.

The team made critical security architecture decisions: settings should be stripped from the /agent/ endpoint, AUTH_TOKEN should fall back on SECRET_SALT if blank, and a blank SECRET_SALT should raise an error in production. Stan committed to moving secrets from /agent/ to system endpoints and to handling the remaining vulnerabilities in his database PR. Jin also identified new React vulnerabilities requiring updates.
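An added hardening example, not elizaOS code, that encodes the three decisions above as checks a server could run at startup and before serialising an agent for the API. The function names, the agent shape, the sample values and the "settings key mirrors an environment variable" heuristic are assumptions, not the project's own logic.

```typescript
type Env = Record<string, string | undefined>;
type Agent = { id: string; name: string; settings?: Record<string, unknown> };
// Decisions (2) and (3): a blank ELIZA_SERVER_AUTH_TOKEN falls back on SECRET_SALT,
// and a blank SECRET_SALT is fatal in production instead of silently disabling auth.
export function resolveServerAuth(env: Env, production: boolean): { authToken: string; secretSalt: string } {
  const secretSalt = (env.SECRET_SALT ?? "").trim();
  if (production && secretSalt === "") {
    throw new Error("SECRET_SALT is blank; refusing to start in production");
  }
  const authToken = (env.ELIZA_SERVER_AUTH_TOKEN ?? "").trim() || secretSalt;
  if (production && authToken === "") {
    throw new Error("no ELIZA_SERVER_AUTH_TOKEN or SECRET_SALT; the API would be unauthenticated");
  }
  return { authToken, secretSalt };
}
// Detection (assumed heuristic): unencrypted settings keys whose value is a verbatim
// copy of an environment variable. A non-empty result is the leak pattern the audit found.
export function leakedEnvKeys(settings: Record<string, unknown>, env: Env): string[] {
  return Object.keys(settings)
    .filter((k) => env[k] !== undefined && env[k] === settings[k])
    .sort();
}
// Decision (1), mitigation: the shape an agent should have before it reaches the public
// API. settings.secrets and any mirrored process.env entry are dropped.
export function toPublicAgent(agent: Agent, env: Env): Agent {
  const settings: Record<string, unknown> = { ...(agent.settings ?? {}) };
  delete settings.secrets;
  for (const k of leakedEnvKeys(settings, env)) {
    delete settings[k];
  }
  return { id: agent.id, name: agent.name, settings };
}
// Constructed sample data; none of these values are real keys.
export const sampleEnv: Env = { SECRET_SALT: "salt-constructed", ELIZA_SERVER_AUTH_TOKEN: "", OPENAI_API_KEY: "sk-constructed" };
export const sampleAgent: Agent = {
  id: "agent-1",
  name: "demo",
  settings: {
    OPENAI_API_KEY: "sk-constructed",               // mirrored from the environment: leaks
    modelProvider: "openai",                        // harmless configuration: kept
    secrets: { WALLET_PRIVATE_KEY: "constructed" }, // encrypted store: never served
  },
};
```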

### Token Migration Crisis and Community Concerns

The ai16z to ELIZA token migration dominated community discussion, particularly affecting Korean users on Bithumb exchange. Korean holders expressed frustration over Bithumb's delayed migration support for tokens held before the November 11th snapshot. Team member jasyn_bjorn assured users that anyone holding ai16z before November 11th (on-chain or CEX) would be fine and that they're working on a solution with Bithumb, though Odilitime stated "our hands are tied, it's all in bithumb's hands."

A significant controversy erupted when jasyn_bjorn made, then deleted, statements about CEX token accumulation and dumping. User degenwtf challenged the team about not burning swapped ai16z tokens, claiming they were sold on the market. jasyn_bjorn provided the migrator wallet address (B2aBAMAhCqUVZD66Vy2Bij87k5C117BB1a1C7iabt74J) and stated that all ~300m ai16z from migrated user tokens are accounted for, though questions remained about 180m tokens. The migration wallet showed only 122 million ai16z versus a 1.1 billion supply, raising transparency questions.

Price concerns dominated discussion with continuous downward pressure. Users questioned why old tokens weren't burned and whether the team dumped tokens on the community. Multiple users reported receiving scam DMs offering fake migration support.

### Database and Plugin Technical Issues

Multiple critical technical issues emerged with ElizaOS plugins and database connectivity. The primary issue centered on **plugin-sql database errors** when using plugin-twitter with PostgreSQL, with users encountering foreign key constraint violations (`memories_entityId_entities_id_fk`) when creating memories. Stan confirmed he's working on a fix and migration guide.

**Database connectivity issues** were prevalent, with multiple users experiencing problems with both pglite and PostgreSQL configurations. Sayonara recommended switching from pglite to PostgreSQL for stability, as pglite can crash when multiple browser windows are open and was showing performance degradation (900ms vs normal <10ms) likely due to IO contention. The solution involved adding POSTGRES_URL to .env files or using the `elizaos create -t project` command with proper environment variable prefixes.

Redvoid announced a TypeScript fix PR that resolves build issues in the latest ElizaOS version, which also fixes SQL errors with plugin-twitter. Redvoid also mentioned developing a client-twitter version using login/password authentication without API requirements.

### Monorepo Stability and Infrastructure Work

Stan spent significant time fixing broken types, tests, and missing try/catch blocks after Shaw's cleanup ("deslop"). He restored log retrieval over WebSocket after pino removal and prepared PR #6218 to unblock other work. The client build was found to be bloated with unnecessary syntax highlighting for languages like COBOL, Fortran, and PHP, with mermaid charts alone consuming 2.6MB minified.

### Jeju Testnet and Cross-Chain Infrastructure

Shaw deployed Jeju testnet with cross-chain liquidity pools (xlp) that enable using tokens without bridging. Users can utilize elizaOS tokens from Base, BSC, OP, Arb, or ETH as gas on Jeju. Shaw is deploying nodes for major L2s to eliminate RPC dependencies and building a 24/7 red team application called Crucible for continuous security testing.

### LLM Integration and API Alternatives

**LLM integration** discussions covered Perplexity Sonar-Pro usage, with Odilitime providing solutions using plugin-openai or plugin-openrouter by modifying OPENAI_API_URL environment variables to point to Perplexity's server. Similar guidance was given for DeepSeek integration, where users can use the OpenAI plugin with modified endpoint URLs instead of requiring OpenRouter keys.

Additional topics included API alternatives for cryptocurrency data (CoinGecko, DeFiLlama, Codex), Mem0 for memory management, and Starknet plugin recommendations.

### Migration Support and Scam Prevention

Technical help focused on migration mechanics, with users asking how to migrate from SafePal wallets. The solution was to import SafePal seed phrases into Phantom or other Solana wallets to complete migration. Users were consistently directed to migration-specific channels for detailed support. Hexx 🌐 actively identified and flagged multiple scammer accounts targeting users with fake migration support.

## Key Questions & Answers

**Security & Infrastructure:**

Q: How can attackers steal secrets from elizaOS? (asked by jin)
A: By querying unauthenticated API endpoints - first get agent IDs from /api/agents, then extract secrets from /api/agents/{id}. One-liner provided to dump all secrets. (answered by jin)

Q: When was the secrets exposure vulnerability introduced and fixed? (asked by sayonara)
A: Introduced in version 1.6.4, affected all versions until 1.6.5-alpha.8, fixed in commit a1941c643bd904fbca7890296af0d1f8b8f67ee1. (answered by Stan ⚡)

Q: What was the root cause of the vulnerability? (asked by sayonara)
A: process.env was being stored in settings (unencrypted) in addition to settings.secrets, causing raw private keys and API keys to be exposed. (answered by Stan ⚡)

Q: Should authentication be mandatory by default? (asked by jin)
A: Yes, recommend mandatory authentication with explicit opt-out for development environments. (answered by jin)

Q: How does Jeju testnet work without bridging? (asked by Borko)
A: If you have elizaOS in your wallet on Base, BSC, OP, Arb or ETH, it can use your elizaOS as gas through cross-chain liquidity pools (xlp). (answered by shaw)

**Database & Technical Issues:**

Q: How to fix the foreign key constraint error `memories_entityId_entities_id_fk` with plugin-sql and plugin-twitter? (asked by soyrubio)
A: Stan is working on a fix and migration guide, started yesterday, with documentation updates coming. (answered by Stan ⚡)

Q: Should I use pglite or PostgreSQL for ElizaOS? (asked by FenrirFawks)
A: Try PostgreSQL instead of pglite, as pglite can crash when multiple browsers/windows are open. (answered by sayonara)

Q: How to configure PostgreSQL with ElizaOS? (asked by FenrirFawks)
A: Add the Postgres URL to .env, or create with `elizaos create -t project` and prefix the start command with `POSTGRES_URL=your-postgres-url`. (answered by sayonara)

Q: How to use a DeepSeek key instead of an OpenRouter key? (asked by LordWeb3)
A: Use the OpenAI plugin with the endpoint URL replaced; see https://github.com/elizaos-plugins/plugin-openai. (answered by sayonara)

**LLM Integration:**

Q: How to use Perplexity Sonar-Pro as the LLM? (asked by cryptorixh)
A: Use plugin-openai or plugin-openrouter and change the env vars, specifically OPENAI_API_URL to point at Perplexity's server, then set the model to sonar-pro. (answered by Odilitime)

Q: What API alternatives exist for cryptocurrency data similar to Dexscreener? (asked by Skelzor)
A: CoinGecko, DeFiLlama, and Codex are available options with public endpoints that can satisfy various needs depending on budget. (answered by jin)

**Token Migration:**

Q: How can Korean users on Bithumb exchange their ai16z tokens purchased before the 11th? (asked by 거북알)
A: Anyone with ai16z before November 11th, either on-chain or on a CEX, will be fine; working on a solution with Bithumb. (answered by jasyn_bjorn)

Q: Why weren't the old ai16z tokens burned after migration? (asked by averma)
A: We never alluded to migration being a burn; all ~300m ai16z from users' migrated tokens are accounted for. (answered by jasyn_bjorn)

Q: How can I migrate ai16z from a SafePal wallet? (asked by StillLait)
A: Import your SafePal into Phantom or any Solana wallet and migrate. (answered by Hexx 🌐)

## Community Help & Collaboration

**Security Response Team:**
- **jin** conducted comprehensive agentic security audit using Claude skills and pentest squad, uncovering critical vulnerabilities
- **Stan ⚡** traced vulnerability through version history, identified root cause, and committed to fixes
- **sayonara** deployed emergency fix for otaku.so exposure, preventing further leakage of private keys
- **Odilitime** provided security architecture guidance on authentication requirements

**Database & Technical Support:**
- **sayonara** helped multiple users (soyrubio, FenrirFawks, LordWeb3) with database configuration, migration issues, and LLM integration
- **Stan ⚡** provided plugin-sql repository location and committed to help fix issues without data loss
- **Redvoid** announced TypeScript fix PR resolving build and SQL errors, helping unblock community development

**Migration Support:**
- **Hexx 🌐** actively identified and flagged multiple scammer accounts, warned users about fake support DMs, and provided SafePal migration instructions
- **jasyn_bjorn** assured Korean community about Bithumb migration and provided migrator wallet address for transparency
- **Kenk** directed multiple users to appropriate migration support channels

**API & Integration Guidance:**
- **jin** suggested cryptocurrency API alternatives (CoinGecko, DeFiLlama, Codex) for Skelzor
- **Odilitime** explained Perplexity Sonar-Pro integration for cryptorixh
- **shaw** shared Jeju testnet cross-chain functionality details and staging endpoints

## Action Items

### Technical

**Critical Security Fixes:**
- Fix authentication vulnerability - make ELIZA_SERVER_AUTH_TOKEN mandatory by default with explicit opt-out for dev environments (mentioned by jin)
- Remove secrets from /agent/ endpoint and expose only in system/env/local (mentioned by Stan ⚡)
- Implement SECRET_SALT validation - throw error in production if blank, fallback from AUTH_TOKEN if needed (mentioned by Odilitime)
- Handle remaining vulnerabilities from jin's audit in database PR (mentioned by Stan ⚡)
- Update React to address denial-of-service and source code exposure vulnerabilities in React Server Components (mentioned by jin)

**Database & Plugin Fixes:**
- Complete fix and migration guide for plugin-sql foreign key constraint errors with plugin-twitter (mentioned by Stan ⚡)
- Merge PR #6218 to fix broken types, tests, and missing try/catch blocks after cleanup (mentioned by Stan ⚡)
- Rebase all open PRs after #6218 merge to enable server + streaming work updates (mentioned by Stan ⚡)
- Continue cloud-side streaming work after PR merge (mentioned by Stan ⚡)
- Verify 402x work aligns with updated test architecture (mentioned by Stan ⚡)
- Investigate and optimize provider performance with pglite (900ms vs <10ms) due to IO contention (mentioned by Odilitime)

**Infrastructure & Testing:**
- Conduct agentic security audit of Babylon using staging.babylon.market endpoint (mentioned by jin)
- Deploy nodes for all major L2s to eliminate RPC dependencies for cross-chain liquidity pools (mentioned by shaw)
- Build 24/7 red team application called Crucible for continuous security testing (mentioned by shaw)
- Implement API endpoint to access agent runtime after creation through /api/agents (mentioned by velsaria)

**Migration & Exchange Issues:**
- Resolve Bithumb exchange migration support for Korean holders with tokens before November 11th (mentioned by 거북알)
- Address continuous price decline and market confidence issues (mentioned by multiple users)
- Improve scam prevention and user education about fake support DMs (mentioned by Hexx 🌐)

**Performance Optimization:**
- Run deslop pass on mermaid charts to reduce 2.6MB minified size (mentioned by Odilitime)
- Investigate and fix Twitter plugin "No text content in response" error preventing replies (mentioned by Nico)

### Documentation

**Security & Migration:**
- Complete and share the security audit report, generated as a PDF via pandoc/LaTeX with mermaid diagrams (mentioned by jin)
- Update documentation for plugin-sql migration and fixes (mentioned by Stan ⚡)
- Clarify official position on whether old ai16z tokens were burned or sold during migration (mentioned by averma)
- Provide transparent accounting for 180m tokens questioned in migration wallet (mentioned by degenwtf)
- Publish official statement on Bithumb migration progress and timeline (mentioned by syanel4859)
- Team should officially confirm whether they dumped old tokens on the community (mentioned by averma)
- Clarify team token holdings percentage after migration (mentioned by hildi)

**Integration Guides:**
- Create guide for using DeepSeek with OpenAI plugin endpoint modification (mentioned by LordWeb3)
- Document PostgreSQL configuration and migration from pglite (mentioned by sayonara)
- Provide clearer migration instructions for SafePal wallet users (mentioned by StillLait)

### Feature

- Extend security audit coverage to other plugins and repositories beyond main eliza repo (mentioned by jin)
- Consider implementing pentest squad as side hustle/x402 offering using Claude Opus (mentioned by jin)
- Release version 1.7.0 after streaming and server work completion (mentioned by Stan ⚡)
- Add Perplexity sonar-pro LLM support to ElizaOS (mentioned by cryptorixh)
- Build a benchmark analytics dashboard for crypto AI infrastructure and agents, with a search interface and reputation metrics (mentioned by satsbased)