Demand Valve & ESL Address SkinClub Vulnerabilities


The Issue
As a former staff member for Ex Corp, I was part of the team introducing the XPlay Play2Earn Network to North America. During this time, an alarming discovery was made when they started advertising for SkinClub, an online casino. I am not totally opposed to gambling, but I tried out the site, & I discovered a duplication vulnerability - a bug that I learned had persisted for over two years. This bug & another potential duplication vulnerability were revealed to the public through PokeR988TV's YouTube videos that promote the site.
In these videos PokeR988TV experiences the same duplication vulnerability I was able to re-create, with an AK-47 | Case Hardened. The way that this vulnerability works is with floats. For a long time - if two vendors on two different withdrawal services (SkinClub uses many) parsed the same skin with a very similar float cap, SkinClub would often pass a request onto both vendors that could fulfil this request, rather than isolating one vendor. The second bug with the AWP | Medusa is even more interesting, because it outlines a direct flaw in the SkinClub backpack system, where for some reason - PokeR988TV receives two AWP | Medusa drops inside his SkinClub backpack, both redeemable to his Steam inventory.
On March 6th, 2023, shortly after 9:00 AM CST, I deposited some balance into SkinClub, because I saw that XPlay was doing a promotion & I wanted to support them while doing a bit of gambling. I had seen SkinClub in plenty of videos & I felt they were a trustworthy professional site with a sleek interface too. I used this balance to open some cases & participate in some case battles. Later, I upgraded to a StatTrak™ AK-47 | Slate (Factory New) from Team Dignitas | Cologne 2014. I accepted the skin I acquired directly from the upgrader, similar to how PokeR988TV accepted his AK-47 | Case Hardened directly from the upgrader. Just like PokeR988TV, I was sent two offers from two different bots for the result of a single roll. Obviously, just like PokeR988TV, I couldn't resist & I accepted them both. Later I began to research more heavily into the topic, which is when I discovered his videos.
Shocked by this prevailing issue, ArrowCS & Illicit contacted SkinClub in order to disclose this vulnerability to them hoping that they could fix it right away. However, rather than taking either of us seriously, they decided to offer ArrowCS a sponsorship, when at the time he was known in the community for not endorsing these types of things. This is concerning, because it shows that SkinClub not only lacks an understanding of the CS2 community at large, but they also do appreciate security. Later on, I contacted the web master at SkinClub. The web master disclosed to me that because SkinClub is insured by their deposit partners for skins that are lost, they basically do not care about this issue, & they would let me keep the skins without addressing the issue.
https://skin.club/en/provably-fair?roll-id=R105275377
On October 22nd, 2025, Valve would release an update that would shock many fans & traders alike. The update would allow for Covert tier skins to be traded up into knives or gloves, which were previously only attainable via opening cases. During the panic, many sites began to reverse trades, a feature thought to be intended for breached accounts or on potential scams. However, because of this surprising update Covert tier items shot up in price compared to other market avenues, which were quickly crashing. SkinClub was part of the group of sites which reversed trades on Covert skins, taking away users' items which they previously claimed.
This shows that SkinClub clearly does not care about its users or the integrity of its platform; it only cares about making the most profits. They will allow duplicated skins to persist in their platform for years at a time because it doesn't hurt their bottom dollar, but when the skins you rightfully claimed via their site increase in price they will not hesitate to take those skins away before the trade protection is up.
This is all extremely concerning, because it seems like the vulnerabilities on their site are exclusive, not present on other sites that use similar deposit partners, especially the bug outlined in PokeR988TV's video directly within the SkinClub backpack. Therefore, it seems like SkinClub was potentially scamming their deposit partners by not addressing these issues. When our team researched similar case opening & upgrade sites with similar core mechanics (as well as similar deposit partners) they did not seem to be vulnerable to this issue, but we still disclosed the info we discovered about SkinClub to them in case they could use it to improve their systems. Key-Drop offered our team a bug bounty for disclosing the info as well, when they were seemingly not vulnerable.
With this information, we are asking that Valve & ESL address SkinClub's backpack security issues, since they have previously taken action against companies like Gamdom for seemingly no reason. They allow SkinClub to persist as a prevalent sponsor in CS2 eSports, sponsoring teams like Vitality, champions on a major stage. We are asking for a full investigation into the SkinClub backpack security issues & for SkinClub to be banned from sponsoring any ESL events or Valve sponsored events. We also demand that SkinClub be banned from advertising on Steam Inventory Helper, XPlay, X, & YouTube where they have previously done marketing.


Victory
Petition created on March 23, 2025