Summary
We’ve identified a logic flaw in how SimpleSwap handles loyalty incentives. The endpoint responsible for applying the “25% Loyalty Bonus” (a perk meant for high-volume users) lacks proper server-side validation, allowing it to be triggered by unauthenticated users through a modified client-side request.
https://docs.google.com/document/d/1dOCZEHS5JtM51RITOJzbS4o3hZ-__wTTRXQkV1MexNQ/edit?tab=t.0
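The flaw described above, as an added illustration rather than SimpleSwap's own code: a quote handler that honours a client-supplied bonus field with no session check, beside a hardened version that requires an authenticated session, ignores client-controlled pricing fields, and derives eligibility from server-side volume records. The request shape, the volume threshold, the field name `bonus_pct` and the sample users are assumptions.

```python
from typing import Optional

# Constructed sample data (assumption): 30-day swap volume per user, in USD.
USER_VOLUME_30D = {"alice": 120_000.0, "bob": 900.0}
LOYALTY_THRESHOLD_USD = 50_000.0   # assumed eligibility bar for "high-volume users"
LOYALTY_BONUS_PCT = 25             # the "25% Loyalty Bonus" named in the report

AUDIT_LOG: list = []               # detection hook: record client-side tampering


class AuthError(Exception):
    """Raised when a perk is requested without an authenticated session."""


def quote_vulnerable(amount: float, client_request: dict) -> float:
    """The pattern in the report: the server applies whatever bonus the client
    claims, with no session check and no server-side eligibility lookup."""
    bonus_pct = client_request.get("bonus_pct", 0)
    return round(amount * (1 - bonus_pct / 100), 2)


def is_eligible(user_id: str) -> bool:
    """Eligibility comes only from the server's own records, never the request."""
    return USER_VOLUME_30D.get(user_id, 0.0) >= LOYALTY_THRESHOLD_USD


def quote_hardened(amount: float, client_request: dict,
                   session_user: Optional[str]) -> float:
    """Hardened form: require a session, ignore client-supplied pricing fields,
    and decide the bonus from server-side volume data."""
    if session_user is None:
        raise AuthError("loyalty bonus requires an authenticated session")
    if "bonus_pct" in client_request:
        # A pricing field arriving from the client is a tampering signal;
        # log it for detection and do not honour it.
        AUDIT_LOG.append(f"user={session_user} sent bonus_pct="
                         f"{client_request['bonus_pct']!r}; ignored")
    bonus_pct = LOYALTY_BONUS_PCT if is_eligible(session_user) else 0
    return round(amount * (1 - bonus_pct / 100), 2)


def rejects_unauthenticated(amount: float, client_request: dict) -> bool:
    """Helper for checking that the hardened quote refuses anonymous callers."""
    try:
        quote_hardened(amount, client_request, None)
    except AuthError:
        return True
    return False
```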
