P.S. Have you thought of the possibility that BCX does not know the precise technical details due to the complexity of the CN codebase, but can still create a successful attack? It could be an empirically found exploit and not theoretically based. The fact that BCX said it depended on "implementation" is some clue about this.
Absolutely - we are very open to the possibility of an attack, and we are
not discounting his claims. It's not that we don't believe him or we think he's dishonest, we just haven't seen any evidence or enough specifics to pin it down.
Thus without the technical details we cannot verify his claims. We also cannot scramble to look through the codebase any more than we have been doing, it is a relatively large codebase and working through it has taken time and will continue to take time.
If he wanted to ethically and responsibly disclose this he could privately send us the details and give us 72 hours to fix it.