• $FLIP matches are now commit-reveal fair. Before this release, token-currency outcomes were derived from vrf[0] % 2with no player seed contribution — provable-fair against the oracle but asymmetric vs. SOL's SHA256(vrf ‖ seedA ‖ seedB) % 2. The fix: each player's SPL deposit tx now bundles an SPL Memo v2 ix carrying flipseed:<sha256(seed)>, committing the seed on-chain BEFORE the Switchboard oracle reveals. The worker validates each memo against the plaintext seed the client POSTs, persists both seeds on the match snapshot, and the cranker derives the outcome via the exact same SHA256 formula SOL uses. Asymmetric seeding (one player committed, the other didn't) is rejected with 409 seed_commitment_asymmetryso the seeded side can't stall until after the oracle to bias their pick.
• Verify panel reworked for currency parity. The arena's Provably-fair panel + the /verify/:id replay page both branch on currency. New FLIP matches show the full five-field audit trail (Final entropy, Client Seed A, Client Seed B, Switchboard account, formula) identical to SOL — plus two FLIP-only rows surfacing the creator + acceptor wallets with their picks / winner badge, and Solscan-linked rows for each deposit sig so anyone can walk deposit → cranker escrow → settle-split → winner + multisig end-to-end. The /verify/:id Independent-replay section now emits a runnable 4-step SHA256 verifier with the match's actual values inlined, so a reader can paste it into a Node REPL and confirm the outcome without touching our code. Legacy pre-commit-reveal FLIP matches fall back to the VRF-only layout + copy.
• Stopped lying about missing data. Prior releases showed matchIdin place of client seeds on settled FLIP matches (defensive fallback from pre-FLIP days), which looked like verification data even though it was filler. The panel now leaves those fields empty for legacy rows, and the "verified" green-shield gate distinguishes genuine commit-reveal matches from the older VRF-only shape.
• FLIP snapshot telemetry. New flip_entropy_mix timing mark fires once per settle when both seeds are mixed into the final entropy — payload carries a short prefix of the raw VRF + the mixed sha256 so operators can correlate the deposit memo commitments to the settled snapshot without reading the DO directly. Legacy pure-VRF settles skip the mark.
• Backward-compat.Old clients (deposits without the memo ix) still settle via the legacy pure- VRF path — worker's verifyFlipDeposit.expectedClientSeedHex is optional, and the cranker derivation falls back when both snapshot seeds are null. Safe to roll forward incrementally as users refresh their cached JS bundle.

• $FLIP matches settle end-to-end again. The v1.7.1 Switchboard SDK bump shipped alongside a byte-poll bypass of revealIxon the FLIP cranker tick, under the (incorrect) assumption that On-Demand oracles auto-publish the signed reveal to chain. They don't — the authority has to call randomness_reveal to write revealSlot + value. flipRevealAndConsumenow builds the SDK'srevealIx against a 30-attempt gateway retry (mirroring the SOL revealAndSettle loop), submits it, and then reads the revealed bytes viagetAccountInfo — so we bypass only the broken Anchor decode, not the actual on-chain submission. Fast- path idempotency check skips the submit when a prior tick already landed the reveal but crashed before settle.
• Blockhash-expired retry for FLIP settle + refund. buildAndSendFlipSettle andbuildAndSendFlipRefund usedsendAndConfirmTransaction directly, which surfaces block height exceeded as a terminal error instead of retrying with a fresh blockhash. Under mainnet congestion that stranded the SPL transfer and left the match stuck until the 3-min timeout refunded. Both builders now route through Cranker.sendAndConfirm (promoted to public) which has a 3-attempt fresh-blockhash loop with getSignatureStatusesfallback for the confirm-raced-the-landing case + a 100k microLamport priority fee so congested leader slots don't shelf the tx.
• Client stops spamming 409s on FLIP matches. The arena's acceptor effect used to fall through its "off-chain demo" postResult branch for any match without a matchPda— which includes every FLIP match (the pot lives in the cranker's escrow ATA, not an on-chain PDA). The server correctly rejects those with 409 flip_settle_is_cranker_only, but the now tick re-fired the effect every 250ms, hammering the worker. The effect now short-circuits on currency === "token" and waits for the cranker-driven settled snapshot.
• Admin: bulk-cancel FLIP matches. NewPOST /admin/flips/cancel-allendpoint (ADMIN_TOKEN gated) surfaces in the admin panel's Lobby page as a "Cancel all FLIP matches" button. Enumerates every open + accepted FLIP challenge, refunds deposits from the cranker escrow in one atomic tx per row, marks the lobby row cancelled, and stamps any in-flight MatchRoom DO with endedReason="cancelled" so both browsers see the recovery banner immediately. Intended for operational resets — e.g., clearing stale pre-fix in-flight matches so users can remake cleanly.

• $FLIP escrow auto-refund on Switchboard timeout. Token-currency matches now self-heal when the Switchboard on-chain reveal doesn't land within a 3-minute window. Cranker fires buildAndSendFlipRefund for both deposits and stamps the snapshot with endedReason="switchboard_timeout" so funds never sit locked in escrow if the oracle, RPC, or SDK ever drifts. Idempotent recovery via a persisted refund-sig marker + on-chain signature status — re-entry after a partial completion picks up where the previous tick left off without double-spending the escrow. /match/:idrenders a dedicated "Match refunded · oracle timeout" banner.
• Switchboard On-Demand SDK 3.9.0 → 3.10.1. Switchboard published a new on-chain account format on Apr 21 that the older SDK can't decode (Invalid account discriminator on everyrevealIx attempt). Bumped the cranker dep so all new FLIP matches reveal cleanly; pre-existing accounts from the old format auto-recover via the timeout refund path above.
• Server hardening. Per-challenge accept session dedup so two concurrent accepts never spin up competing match rooms. FLIP deposit-sig replay protection.POST /matches/:id/result locked down to acceptor-authority SOL (cranker is the sole settler in the default mainnet path). handleMatchRoundAdvanced gated to SOL — FLIP never had DoR support and the snapshot-only update would have desynced wager from escrow.
• Alarm-loop resilience. Cranker init failures now reArm instead of stranding the chain. declineStaleDor short-circuits when the PDA is already closed instead of looping forever.awaitingRandomness retries detect terminal on- chain states and exit cleanly. pollReveal distinguishes account-not-found (quiet) from RPC errors (logged) so transient Helius hiccups stop masquerading as "oracle slow".
• Wager precision. BigInt-only wagerToBaseshared by client + worker so whale-sized integer FLIP wagers never silently round past Number's 2⁵³ mantissa.
• Stuck-on-open grace widened to 120s + extra re-check. Slow-but-legit joins on congested leader slots are no longer terminated as failures. The confirmed-but-not-yet-rooted false-positive window narrows to a single retry tick.
• Client UX. DoR / claim / decline / recrank handler failures now surface as setTxState toasts instead of silent console logs. postedRef ordering fixed so a failedpostResult retries on the next tick. Toast auto-dismiss keyed on event.idso a chatty WS doesn't reset the 12s window. Lobby pin for mid-accept rows survives currency tab toggles. Hydration-safe Date.now() + en-US locale on slot/amount text.real-money-modal currency-aware copy + units (SOL vs $FLIP). Mobile bottom-nav breakpoint aligned with the home grid (md → lg) so tablet sizes get the single-pane layout + sticky nav.
• Recovery-banner polish. StuckMatchBannerhides the "PDA still open on-chain" Solscan link for cancelled + switchboard_timeout (funds-already-returned) cases, and the action button switches from "Go to lobby (Remove tab)" to a simple "Back to lobby".

• $FLIP token wagers live end-to-end.SPL-token matches escrow via the cranker's ATA and settle with a cranker-signed payout + 2% multisig fee route. Full lifecycle covers deposit verification, match-room init, settle broadcast, and a dedicated Remove-tab refund path (buildAndSendFlipRefund) that was previously dead code — FLIP cancels now actually refund tokens from the cranker escrow instead of silently marking the lobby row cancelled while the SPL balance sat stranded.
• Stuck-match recovery system.Match rooms whose acceptor's join tx was reported confirmed by the wallet but never actually rooted on-chain used to spin forever. A new alarm branch detects status=open + joinedAt past a 60s grace window and terminates the session with endedReason="tx_a_dropped" instead of re-arming every 30s. A second branch stamps endedReason="cancelled" when the Match PDA is closed before reaching settled (creator cancel_open / permissionless cancel_stale). /match/:id now renders a role-aware recovery banner pointing the creator at the lobby's Remove tab for a one-click refund. New admin POST /admin/match/:id/force-alarm endpoint covers the rare case where a DO loses its pending alarm to a long eviction window.
• Notifications end-to-end audit. Closed three shipped-but-unwired paths: MatchAcceptedToast (creator confirmation before arena redirect), MatchSettledToast (in-tab win/lose card for users without push permission), and a 15-minute freshness window on DirectChallengeToast so stale inbox events stop firing zombie modals. Added webhook redundancy formatch_settled events and promoted silent failure modes to structured telemetry so regressions surface in logs instead of user reports.
• Double-or-Nothing walk-away recovery. Losers' in-app DoR requests now auto-expire after a 5-minute TTL with a dor_request_expired broadcast + toast, so the arena reverts to the settle view cleanly when the winner closes their tab. Fixes the failure mode where both parties got stranded in a "Pending winner approval…" state with no escape hatch.
• Program: per-match wager ceiling raised to 1M SOL. Post-audit cap lifted from the early-mainnet 0.0025 SOL guardrail to a realistic 1,000,000 SOL hard cap (prevents pathological bigint overflow in pot math without gating real users). Fee-posture updates via update_config now accept partial-update semantics, operable end-to-end through the Squads multisig dial in the admin panel.
• Admin + observability.Worker-proxy chain reads consolidate the admin panel's RPC traffic through the indexer worker (one Helius token, centralised rate-limit handling, 403 banner on mainnet-RPC denial). Post-rotation Squads export flow + randomness-pool ops surface in the admin dashboard.

• Treasury rotated to a 3-of-5 Squads multisig vault (2RJ3kF…UigL). 100% of the 2% fee now flows here until the $FLIP-backed Realms DAO launches; community share resumes at 1% post-Raydium graduation.
• Double-or-Nothing round 2 now completes end-to-end. Loser's accept tx is followed by a single second wallet popup for round-2 randomness binding (Anchor requires a participant signer on request_randomness); cranker resumes reveal+settle from there.
• Private DMs work again.Chat WebSocket and history requests now attach the Privy auth token (regression from the friends-DMs ship). Optimistic send-side append removes the "did it actually send?" feel during transient reconnects.
• New header inbox icon next to the wallet button with an unread DM badge + recent-threads popover.
• Modern UI sound design. Countdown ticks, flip whoosh, and win/lose stingers rebuilt with FM synthesis + noise transients + reverb tail (no more retro-arcade beeps); new soft DM ping when a message arrives in the background.
• P0 webhook hardening. Helius event apply-then-claim ordering: a thrown applyEvent no longer permanently dedups a real on-chain settle; mismatched program-IDs now fail closed at first request instead of silently misrouting.

The community token is live on pump.fun. Holding $FLIP gives proportional voting power over community treasury sweeps via Realms. The first buy & burn proposal FB-009 passed a week later.

Anchor program audited and deployed to mainnet-beta. Initial config set with 1% community + 1% maintenance fee bps. Switchboard On-Demand wired up for verifiable randomness. Web app live at flip.bet.

Upgrade authority remains with the founding multisig for 60 days post-launch then is set to --final.