its not a vulnerability if they're modulating the hardcoded key per CJ round correct?

as nostr:nprofile1qqsxwkuyle67y94tj378gw8w2xw2wa6nwmwlqhddlwnz0z7sztsaw2qpz9mhxue69uhkummnw3ezuamfdejj7nxasma suggested on original vulnerability disclosure post Jan 7th?

either way, the server CANNOT give clients a unique key for identification.