
We learned about the exploit on TikTok.

Diego runs monetization at a mobile F2P studio with 300K players. A duplication bug shipped on Tuesday; Discord was selling the gems by Thursday. Here's the week he shut it down.

Diego · Monetization Manager at a mobile F2P studio
Mobile F2P at 300K MAU where a dupe-and-refund scheme drained roughly $38K before anyone noticed; contained and resolved within three days.
Mon · Day 01

TikTok, then the dashboard

Monday morning. A 40-second TikTok clip sits at the top of Diego's Slack: a player trades gems to a second account, refunds the purchase inside Google Play's 48-hour window, and walks away with the gems on both sides. 80K views and climbing before standup.

He opens the Vault ledger. Every transaction is signed and timestamped, so the record he is about to query is one nobody could have rewritten unnoticed. One trade-chain query and the pattern is right there: three hops deep, running since Friday night. Fifteen minutes in, Diego has the scope. On the old stack this would have been a Looker ticket and a two-day wait.
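What a trade-chain query of that shape looks like, as an added example and not PlayServ's or Vault's own code: a constructed SQLite ledger with assumed `purchases` and `trades` tables, and a recursive query that seeds on refunded purchases and follows outbound trades made after the purchase for up to three hops. The membership it returns and the gem volume moved between members are the two numbers that set the scope; every row, name and timestamp below is made up for the example.

```python
import sqlite3

# Assumed schema (not Vault's): the minimum a trade-chain query needs.
SCHEMA = """
CREATE TABLE purchases (id INTEGER PRIMARY KEY, ts TEXT, player TEXT, gems INTEGER, refunded INTEGER);
CREATE TABLE trades    (id INTEGER PRIMARY KEY, ts TEXT, sender TEXT, receiver TEXT, gems INTEGER);
"""

# Constructed ledger: p1 and p2 buy gems Friday night, pass them through two
# mules to resale buyers, then refund. whale7 is a legitimate payer.
PURCHASES = [
    (1, "2026-03-06T22:10:00Z", "p1", 10000, 1),
    (2, "2026-03-06T23:05:00Z", "p2", 10000, 1),
    (3, "2026-03-07T09:00:00Z", "whale7", 25000, 0),
]
TRADES = [
    (1, "2026-03-06T22:15:00Z", "p1", "mule1", 10000),        # hop 1
    (2, "2026-03-06T23:10:00Z", "p2", "mule1", 10000),        # hop 1
    (3, "2026-03-07T01:00:00Z", "mule1", "mule2", 20000),     # hop 2
    (4, "2026-03-07T02:00:00Z", "mule2", "buyer_a", 12000),   # hop 3
    (5, "2026-03-07T02:30:00Z", "mule2", "buyer_b", 8000),    # hop 3
    (6, "2026-03-07T03:00:00Z", "buyer_a", "buyer_c", 1000),  # hop 4: beyond the cut-off
    (7, "2026-03-07T10:00:00Z", "whale7", "friend1", 500),    # unrelated, legitimate
    (8, "2026-03-05T12:00:00Z", "p1", "oldpal", 300),         # before p1's purchase: not tainted
]

# Recursive walk: seed with every refunded purchaser at hop 0, then follow each
# outbound trade made at or after that purchase. UNION (not UNION ALL) drops
# repeated rows and, with the hop bound, keeps a mule1 <-> mule2 cycle finite.
CHAIN_SQL = """
WITH RECURSIVE chain(player, hop, since) AS (
    SELECT player, 0, ts FROM purchases WHERE refunded = 1
    UNION
    SELECT t.receiver, c.hop + 1, c.since
    FROM chain AS c
    JOIN trades AS t ON t.sender = c.player AND t.ts >= c.since
    WHERE c.hop < :max_hops
)
SELECT player, MIN(hop) FROM chain GROUP BY player ORDER BY 2, 1
"""

def load_ledger():
    """In-memory SQLite ledger seeded with the constructed rows above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO purchases VALUES (?,?,?,?,?)", PURCHASES)
    db.executemany("INSERT INTO trades VALUES (?,?,?,?,?)", TRADES)
    return db

def trace_ring(db, max_hops=3):
    """Map each account reachable from a refunded purchase to its shortest hop count."""
    return dict(db.execute(CHAIN_SQL, {"max_hops": max_hops}).fetchall())

def ring_volume(db, ring):
    """Gems moved on trades whose sender and receiver are both ring members."""
    members = list(ring)
    marks = ",".join("?" * len(members))
    sql = (f"SELECT COALESCE(SUM(gems), 0) FROM trades "
           f"WHERE sender IN ({marks}) AND receiver IN ({marks})")
    return db.execute(sql, members + members).fetchone()[0]

if __name__ == "__main__":
    ledger = load_ledger()
    ring = trace_ring(ledger)
    for player, hop in ring.items():
        print(f"hop {hop}: {player}")
    print("gems moved inside the ring:", ring_volume(ledger, ring))
```

Two details carry the weight: the timestamp filter keeps a purchaser's older, legitimate trades (p1 to oldpal) out of the ring, and the hop bound plus UNION stop the walk at three hops even when mules trade back and forth. On this data the walk returns six accounts and 60,000 gems moved between them; buyer_c sits one hop past the cut-off and is not named.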

Tue · Day 02

Containment without a deploy

1,847 accounts are in the ring. About 740K gems live in wallets that shouldn't have them — roughly $38K at store price, bleeding from the whale cohort that actually pays the bills. Diego flips a Canvas flag: trades above 10K gems now pause for review. Forty seconds, no deploy, no pipeline. Just a config push in Pulse, and the grey-market listings on Discord thin out by lunch.

Engineering ships the root-cause patch in parallel. The trade handler now debits the sender before it credits the receiver, with the balance check folded into the debit itself, and both writes commit in a single transaction, the shape Vault uses for everything it ships. Reordering alone would not have closed it: two requests can still read the same balance and both pass the check. What removes the race is the guarded debit and the one commit that lands both sides or neither. The double-up is gone.
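The bug and the fix side by side, as an added example rather than the studio's patch or Vault code: two handlers run against a throwaway SQLite file, with a second connection standing in for the concurrent request. The shipped shape validates, credits the receiver, then debits the sender, each statement committing on its own; the patched shape takes the write lock first, debits with the balance check in the same statement, credits, and commits once. The `wallets` table, player names and amounts are constructed for the example.

```python
import os
import sqlite3
import tempfile

def new_ledger(balances):
    """Throwaway SQLite file with a constructed wallets table; returns its path.
    A file rather than :memory: so two connections can contend for the write lock."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE wallets (player TEXT PRIMARY KEY, gems INTEGER NOT NULL)")
    db.executemany("INSERT INTO wallets VALUES (?, ?)", balances.items())
    db.commit()
    db.close()
    return path

def connect(path):
    # isolation_level=None: no implicit transactions, we issue BEGIN/COMMIT ourselves.
    # timeout=0: a write that cannot get the lock fails at once instead of waiting.
    return sqlite3.connect(path, isolation_level=None, timeout=0)

DEBIT = "UPDATE wallets SET gems = gems - ? WHERE player = ? AND gems >= ?"
CREDIT = "UPDATE wallets SET gems = gems + ? WHERE player = ?"

def trade_racy(db, sender, receiver, amount, interleave=lambda: None):
    """Shipped shape: check, credit, debit, each statement its own commit.
    `interleave` stands in for a second request landing mid-handler."""
    # fetchall() exhausts the SELECT so no read lock lingers across the gap
    (have,), = db.execute("SELECT gems FROM wallets WHERE player = ?", (sender,)).fetchall()
    if have < amount:
        return "rejected"
    interleave()                              # the window: balance checked, nothing written
    db.execute(CREDIT, (amount, receiver))    # durable immediately
    debited = db.execute(DEBIT, (amount, sender, amount)).rowcount
    # The guarded debit found too few gems, but the credit cannot be taken back: gems minted.
    return "ok" if debited == 1 else "minted"

def trade_atomic(db, sender, receiver, amount, interleave=lambda: None):
    """Patched shape: take the write lock, debit with the balance check in the
    same statement, credit, commit once. A concurrent writer is serialized."""
    db.execute("BEGIN IMMEDIATE")             # reserve the database for writing now
    try:
        if db.execute(DEBIT, (amount, sender, amount)).rowcount != 1:
            db.execute("ROLLBACK")
            return "rejected"
        interleave()                          # same window, but we hold the lock
        db.execute(CREDIT, (amount, receiver))
        db.execute("COMMIT")
        return "ok"
    except BaseException:
        db.execute("ROLLBACK")
        raise

def snapshot(path):
    """Final balances, read on a fresh connection."""
    db = connect(path)
    rows = dict(db.execute("SELECT player, gems FROM wallets").fetchall())
    db.close()
    return rows

def run_scenario(handler):
    """alice holds 100 gems. Request 1 sends them to bob; while it is mid-flight,
    request 2 on a second connection sends the same 100 to carol."""
    path = new_ledger({"alice": 100, "bob": 0, "carol": 0})
    db1, db2 = connect(path), connect(path)
    outcome = {}

    def second_request():
        try:
            outcome["r2"] = handler(db2, "alice", "carol", 100)
        except sqlite3.OperationalError:      # "database is locked": request 1 holds it
            outcome["r2"] = "locked"

    outcome["r1"] = handler(db1, "alice", "bob", 100, interleave=second_request)
    db1.close()
    db2.close()
    final = snapshot(path)
    os.remove(path)
    return outcome, final

if __name__ == "__main__":
    for handler in (trade_racy, trade_atomic):
        outcome, final = run_scenario(handler)
        print(handler.__name__, outcome, final, "supply:", sum(final.values()))
```

With the shipped handler, request 2 slips into the window and drains alice, so request 1's credit to bob lands while its debit finds nothing to take: 100 gems become 200. With the patched handler, request 2 cannot even begin while request 1 holds the lock (here it fails fast because the connection has no busy timeout; a production database would queue it and then reject it on the balance check), and supply is conserved.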

Wed · Day 03

Clawback

The patch rolls to 5%, then 100%. The ring's listings on Discord go quiet. Diego queues the Vault revoke workflow against the 1,847 accounts: legitimate trades inside the window stay untouched, the fraud chain loses its gems, and every action leaves a non-rewritable audit entry behind it. The CFO gets one PDF instead of a spreadsheet that needs a lawyer.

The top 2% of payers fund 60% of the revenue. The ring knew exactly which 2%. Diego's ledger report names them by cohort.

Thu · Day 04

Support catches up

This used to be the part that took weeks. Today, the three-person support team opens the Vault CS console: player ID on the left, ledger on the right, refund / regrant / revoke buttons in the middle. Every click writes a signed audit entry the player can see. Mean handle time drops from 11 minutes to 3. The chargeback SLA stops running against them.

The same tickets that used to bounce across Zendesk, a receipt validator, a PlayFab admin, and a shared spreadsheet close in one workflow.

Fri · Day 05

Prevention, shipped

Diego drops two rules into Canvas. Trades above a threshold wait for review; any wallet gaining more than a daily cap triggers a Signals anomaly. Neither needs an engineer. The LiveOps manager will own both from next sprint.

The post-mortem goes out Friday afternoon. It names the exploit, names the ring, names the total clawback, and clocks the time from TikTok to resolved: three days. Last time something like this happened, it was three weeks and six tools.

Found it on TikTok. Closed it in three days, with one tool. Last time took three weeks, six tools, and an auditor with follow-up questions.
Diego, Monetization Manager at a mobile F2P studio (sample persona)
Compared to RevenueCat, Xsolla

They catch payments, not economy exploits. RevenueCat covers subscription state and nothing below it — no virtual-currency fraud, no catalog logic, no link from refund to clawback. Xsolla adds card-level fraud detection at the payment boundary and sees nothing past it. Neither ties a platform refund to a virtual-item clawback. Neither ships a non-rewritable audit trail. The three-to-eight percent of gross revenue that leaks to refund-then-keep lives in that gap. Vault closes it.

Bring your worst week. We'll show you what Vault sees.

Have a refund-fraud number you're trying to put behind glass? Talk to the fraud team.

© PlayServ Ltd 2026. All rights reserved.
Reg. 10645902 · London N22 8HH, UK