Yes, they have hardcoded a key in terminal. This introduces another vulnerability. I will add the details in the bitcointalk post.
Replies (3)
it's not a vulnerability if they're modulating the hardcoded key per CJ round, correct?
as @waxwing suggested on original vulnerability disclosure post Jan 7th?
either way, the server CANNOT give clients a unique key for identification.
there hasn't been enough time to actually review the implementation.
so I'd just STFU for now.
yeah but he didn't accurately describe the result.
there just hasn't been enough time to review and there's lots of nuance.