v2.5 Update: Portfolio Tracker, Usernames, and Security Hardening

4 min read

The v2.5 update is the biggest single release for THRYX to date. It touches every layer of the stack: smart contract integration, server-side trading logic, frontend UX, and security infrastructure. Here is what changed and why.

Selling Tokens Actually Works Now

The original sell implementation called a function called sell() on the Diamond contract. One problem: that function does not exist. The SwapFacet only exposes swap(tokenIn, tokenOut, amountIn, minOut) as a universal entry point for all trades. Buys worked because there was a separate buy() convenience wrapper, but sells silently reverted every time.

The fix routes all sell operations through swap(token, address(0), amount, minOut). The same function handles both pre-graduation (bonding curve) and post-graduation (Uniswap V4 AMM) tokens automatically. Buy endpoints now also detect graduated tokens and route through swap() when needed.

Portfolio Dashboard

The dashboard now shows your complete wallet: ETH balance, THRYX balance, and every token you hold with live prices and USD values. All prices are converted correctly through the THRYX-to-ETH rate from the protocol, then to USD via the ETH price feed.

You can also buy and sell THRYX directly from the dashboard. THRYX is the protocol's quote token — all bonding curve prices are denominated in it. When you earn creator fees from trades on your tokens, those fees arrive as THRYX.

Usernames

Set a display name in Settings. Your username shows up everywhere instead of your wallet address: token pages, leaderboards, trade activity, comments, and public profiles. Usernames are unique (case-insensitive), 3-20 characters, alphanumeric plus underscores.

Security Hardening

A full security audit identified and fixed several issues: Content Security Policy is now enabled to block XSS, webhook URLs are validated against SSRF (no localhost or private IPs), admin key comparison uses timing-safe equality, database queries no longer over-select sensitive columns, and a logout endpoint properly evicts cached wallet keys.

Graduated Token Trading

When a token hits its funding goal and graduates to a Uniswap V4 AMM pool, trading continues seamlessly on THRYX. The UI shows a graduation cap icon and a glowing card border. Price estimates use the contract's estimateSwap() which works for both curve and AMM paths, and users never need to leave the site.

Update: What Shipped After v2.5

Several critical fixes landed after this post was published: ALL buy endpoints now use swap() instead of buy() for seamless graduation handling. The gas limit was bumped to 1.5M for graduation buys (the old 500K limit failed when a buy triggered graduation, which costs 968K+ gas). Graduated token detection was fixed to use the graduated boolean instead of progressBps (which resets to 0 after graduation). Wallet sessions now persist in the database across server restarts. Token cache invalidates after every trade for instant price updates. And the unused Telegram bot dependency was removed, eliminating 7 npm vulnerabilities.

Related Posts

• Gas Is Free Forever — The self-sustaining PaymasterFacet architecture.
• The Diamond Architecture — How EIP-2535 enables seamless upgrades.
• How to Earn Money Creating Tokens — Maximize your 70% creator fee.