# The threads behind "What actually breaks in vibe-coded apps"

This is the evidence base for ciocandco.com/writing/what-breaks-in-vibe-coded-apps: 51 public threads in which builders describe their AI-built app failing. Every claim in that article traces to a row in this file.

How to read it: quotes are exact strings from the post (or a comment, where noted), kept under 25 words. Each Reddit entry was checked against the Arctic-Shift Reddit archive for the exact title, text, UTC date, score, and comment count; HN entries against the official Algolia API; forum entries against the live page. All checked 2026-07-04. Reddit blocks non-browser fetchers, so archived scores are lower bounds; the live numbers are usually higher.

Categories: (a) performance/scale · (b) security · (c) unmaintainable codebase / AI can't fix its own code · (d) lock-in & credit costs · (e) data loss · (f) deploy/infra · (g) other.

Format: URL | platform discussed | approx date | category | summary | quote | engagement.

---

## A. Performance / scale — app breaks when real users arrive (4)

1. https://www.reddit.com/r/lovable/comments/1r6ihkb/scaling_feels_impossible_when_your_mvp_starts/ | Lovable | 2026-02-16 | (a) | Founder's login queue hit 4 minutes at ~100 users; breakdown of N+1 queries, disk-filling logs, in-memory sessions, missing health checks. | "your DB queries that ran fine in localhost suddenly n plus one everywhere" | 14 upvotes / 8 comments
2. https://www.reddit.com/r/lovable/comments/1r9e0q5/the_your_app_works_but_your_code_is_a_mess/ | Lovable | 2026-02-19 | (a) | Senior engineer who audited 100+ vibe-coded apps shares pre-scale checklist; DB inefficiency is the top killer. | "This is the number one performance killer I see in AI-generated code." | 35 / 15
3. https://www.reddit.com/r/lovable/comments/1rk5sqt/i_ran_a_scalability_audit_on_my_vibe_coded_app_it/ | Lovable + Claude Code | 2026-03-03 | (a) | Non-dev founder's audit of his live app found 38 issues: no rate limiting, missing indexes, per-keystroke DB hits. | "No rate limiting at all. Anyone could have hammered my platform and taken it down" | 16 / 15
4. https://www.reddit.com/r/vibecoding/comments/1t23dqw/6_things_that_broke_when_my_vibe_coded_apps_got/ | Lovable/Bolt/Cursor (multi) | 2026-05-02 | (a) | Backend engineer who audited 50+ vibe-coded apps: the same six failures recur once real users arrive (auth emails, timezones, concurrency...). | "vibe coded apps work great with 5 users, then something starts breaking around user 50" | 86 / 25 — cross-posted as https://www.reddit.com/r/lovable/comments/1t1kkf6/ (75 / 19; deduped, counted once)

## B. Security — exposed keys, missing/misconfigured RLS (10)

5. https://www.reddit.com/r/lovable/comments/1tqcw0c/my_boss_hacked_our_clients_lovable_built_app_in/ | Lovable | 2026-05-28 | (b) | Agency escalated a student account to admin on a client's tutoring app in under 30 minutes; full DB access. | "we were able to change out profile permissions into an admin in less than 30 minutes" | 62 / 33
6. https://www.reddit.com/r/lovable/comments/1rycuqo/psa_if_your_lovable_app_talks_to_supabase_check/ | Lovable + Supabase | 2026-03-19 | (b) | Scan of 29 Lovable apps: RLS "enabled" but policies wide open; references the 18K-user EdTech leak and Palmer's 1,645-app audit. | "Scanned 29 Lovable apps. Average security score: 56/100." | 2 / 4
7. https://www.reddit.com/r/lovable/comments/1low49w/followup_on_security_in_vibecoded_apps_its_worse/ | Lovable + Supabase | 2025-07-01 | (b) | Tested apps on Lovable's own launch showcase: public user lists, no server-side validation, self-upgrade to paid tiers. | "Publicly accessible user lists via exposed Supabase endpoints." | 86 / 42
8. https://www.reddit.com/r/vibecoding/comments/1sfa9sx/vibe_coding_without_a_security_audit_is_not_a/ | multi (audits) | 2026-04-07 | (b) | Auditor: AI writes insecure code that *looks* senior-engineer clean; found a financial SaaS shipping its service-role key in the JS bundle. | "The Supabase service role key was loaded in the public JavaScript bundle." | 23 / 92
9. https://www.reddit.com/r/vibecoding/comments/1q2sw99/170_lovable_apps_got_hacked_because_of_one/ | Lovable + Supabase | 2026-01-03 | (b) | Reviewer read every user's email, payment status and home address from the browser console of a "finished" MVP; explains authn vs authz (RLS). | "I could see every user's email, payment status, and home address. No auth required." | 79 / 40
10. https://www.reddit.com/r/Supabase/comments/1qfoxmt/state_of_supabase_exposure_across_vibecoding_apps/ | multi + Supabase | 2026-01-17 | (b) | Systematic scan of 20,000 indie apps quantifying service_role leaks and RLS-less tables. | "We scanned 20,000 indie apps; 1 in 9 leaked their database keys." | 35 / 5
11. https://www.reddit.com/r/lovable/comments/1pc4cv2/security_using_loveable_supabase/ | Lovable + Supabase | 2025-12-02 | (b) | Pre-launch founder with no security background asks how worried to be about hacking/data leaks; can't afford an expert. | "I am a bit concerned regarding the security issues that might arise (hacking, data leak etc)" | 6 / 9
12. https://www.reddit.com/r/lovable/comments/1lmkfhf/open_letter_to_all_vibecoders_especially_those/ | Lovable + Supabase | 2025-06-28 | (b) | The original "open letter" warning after testing many community-shared vibe-coded apps; the highest-engagement security thread in r/lovable. | "You can’t \"vibe\" your way around user security." | 338 / 63
13. https://www.reddit.com/r/ADHD_Programmers/comments/1rrbftf/i_vibe_coded_a_side_project_and_lost_everything/ | Cursor + Bolt | 2026-03-12 | (b) | 20 paying users, then security holes found on Twitter, API keys maxed out, subscriptions bypassed; no git, project taken offline, refunds issued. | "then someone on twitter found a security hole. then another. then my API keys maxed out." | 0 / 6
14. https://news.ycombinator.com/item?id=47182659 | Lovable | 2026-02-27 | (b) | HN discussion of The Register's report on a Lovable-hosted app whose flaws (incl. inverted auth logic) exposed 18K users. | "as a user, you don't necessarily know if an app is vibe-coded or not" (top comment) | 140 points / 35 comments

## C. Unmaintainable codebase / AI can't fix its own code (8)

15. https://www.reddit.com/r/replit/comments/1nqrmid/looking_for_guidance_hiring_help_after_replit/ | Replit Agent 3 | 2025-09-26 | (c) | Months of work degraded after the Agent 3 rollout; founder now hiring a full-stack dev to rebuild auth, roles and workflows. | "a lot of the core functionality has broken or no longer meets the requirements" | 5 / 9
16. https://www.reddit.com/r/lovable/comments/1jcuton/getting_so_frustrated_with_lovable/ | Lovable | 2025-03-16 | (c) | Upgraded from $20 to $50 plan chasing an auth bug the AI itself introduced and cannot resolve. | "it can't seem to solve an authentication issue that it created" | 22 / 35
17. https://www.reddit.com/r/lovable/comments/1k6qaje/lovable_review/ | Lovable | 2025-04-24 | (c) | Mixed review thread; top replies describe apps ruined by persistent error loops and refactors that crashed working sites. | "Lovable has entered a loop with a persistent error that it doesn't know how to fix" (comment) | 24 / 27
18. https://www.reddit.com/r/cursor/comments/1rwgf11/built_and_shipped_a_full_production_app_entirely/ | Cursor + Codex | 2026-03-17 | (c) | Shipped solo dev postmortem: API hallucinations, race conditions in streaming code, silent JSON truncation, whole-codebase rewrites for 2-line fixes. | "You HAVE to scope your prompts tightly or it will rewrite your codebase to fix a typo." | 5 / 24
19. https://www.reddit.com/r/vercel/comments/1kbdbt7/why_i_regret_subscribing_to_v0dev/ | v0 | 2025-04-30 | (c) | Six weeks of testing: v0 output compiles and demos but is riddled with runtime errors; regressions after platform updates. | "the tool keeps generating code that only *looks* functional BUT in reality, it is riddled with errors" | 10 / 18
20. https://www.reddit.com/r/boltnewbuilders/comments/1i7c25k/boltnew_takes_tokens_fails_tasks/ | Bolt.new | 2025-01-22 | (c) | 400K tokens spent on a trivial carousel change; Bolt kept editing unrelated code until the site was worse than at the start. | "after hours of tinkering the site is in worse state than it began" | 2 / 5
21. https://www.reddit.com/r/SaaS/comments/1rzn84h/i_wasted_3400_and_9_weeks_building_my_b2b_saas/ | multi (AI tools) | 2026-03-21 | (c) | $3,400 and 9 weeks produced a demo-perfect B2B app whose core logic was non-deterministic; rebuilt by a dev team in 3 weeks. | "fell apart the moment a real user tried to depend on it inside an actual workflow" | 4 / 13
22. https://www.reddit.com/r/ClaudeAI/comments/1r5d4ig/claude_code_built_my_saas_in_13_hours_then_it/ | Claude Code | 2026-02-15 | (c) | Context drift: agent rewrote working auth while adding payments, duplicated tables, bypassed its own payment flow; fixed with spec files. | "Claude would build perfect auth. Then while adding payments, it would rewrite the auth code and everything broke." | 0 / 8

## D. Lock-in & credit/token costs (12)

23. https://www.reddit.com/r/boltnewbuilders/comments/1u90ylw/growing_concerns_with_boltnew_as_projects_scale/ | Bolt.new | 2026-06-18 | (d) | Long-term Bolt user: token burn in the millions for debugging, "project too large" errors, context loss; now treats Bolt as scaffold-only, exports early. | "Reliability dropping — "project too large" errors, AI losing context, inconsistent code, design breaks, infinite fix loops" | 2 / 11
24. https://www.reddit.com/r/lovable/comments/1rz0umx/feeling_stuck_on_lovable_cloud_heres_an_open/ | Lovable Cloud | 2026-03-20 | (d) | Migration-off-Lovable guide born from recurring user pain: credit costs, vendor lock-in, no direct DB access on Lovable Cloud. | "Your credit costs are skyrocketing, and you want to develop using cheaper or better dev tools" | 21 / 6
25. https://www.reddit.com/r/lovable/comments/1qkov8k/project_migration/ | Lovable | 2026-01-23 | (d) | Builder wants a static export with "no runtime dependencies on Lovable" and asks what must be rewritten by hand to escape. | "I treat Lovable as a tool for rapid prototyping, but I don't want it to be my target environment." | 4 / 1
26. https://www.reddit.com/r/lovable/comments/1rmfblc/has_anyone_successfully_handed_off_a_saas_project/ | Lovable | 2026-03-06 | (d) | Functional SaaS built on Lovable; founders can't get it over the line and seek a developer/partner to migrate off the platform. | "We want to migrate off Lovable, continue testing and tweaking as needed" | 7 / 10
27. https://www.reddit.com/r/lovable/comments/1hkfkjh/wasted_credits/ | Lovable | 2024-12-23 | (d) | Even a fan estimates a third of paid usage goes to re-asking for the same fix. | "I’d say 30-40% of my usage is constantly asking to fix the same problem over and over." | 9 / 8
28. https://www.reddit.com/r/lovable/comments/1njdkck/went_through_100s_of_credits/ | Lovable | 2025-09-17 | (d) | Every change breaks something else; hundreds of credits spent chasing cascading errors. | "It's starting to feel like some kind of a gambling app where you keep throwing more and more money at it" | 17 / 26
29. https://www.reddit.com/r/lovable/comments/1le45id/the_problem_with_lovable/ | Lovable | 2025-06-18 | (d) | Career developer on the pay-per-attempt model: bug-fixing now has a metered price, which changes engineering behavior. | "This is not sustainable. We can’t write software this way for ever." | 73 / 74
30. https://www.reddit.com/r/boltnewbuilders/comments/1icq1t3/10m15m_tokens_wasted_trying_to_get_boltnew_to_fix/ | Bolt.new | 2025-01-29 | (d) | 10-15M tokens consumed on basic fixes with endless re-explaining. | "I Burned through 10M–15M tokens just getting it to fix basic issues." | 24 / 28
31. https://www.reddit.com/r/boltnewbuilders/comments/1gk7o2m/how_does_the_token_pricing_work/ | Bolt.new | 2024-11-05 | (d) | Pricing thread where users document cost curves as projects grow. | "as project gets more complex one or two prompts cost -wait for it- 1 million tokens. No kidding." (comment) | 1 / 6
32. https://www.reddit.com/r/boltnewbuilders/comments/1p9quz1/some_users_burn_10m_tokens_while_others_build_a/ | Bolt/Lovable/Cursor | 2025-11-29 | (d) | Community post on the 10x variance in token burn between users on identical tasks. | "People who burn 10 million tokens just to get a simple landing page working." | 6 / 8
33. https://news.ycombinator.com/item?id=46321594 | Bolt.new | 2025-12-19 | (d) | Ask HN: launch destroyed — tokens burned on unauthorized changes, undisclosed Netlify deployment left ghost files that broke payments on Vercel. | "Bolt.new's AI burned 10M tokens on unauthorized changes." | 6 points / 4 comments
34. https://community.vercel.com/t/issues-getting-help-from-v0-support/43616 | v0 | 2026-06-10 | (d) | v0 entered a self-perpetuating troubleshooting loop, consuming credits with no resolution and no support response. | "It kept generating tasks, rebuilding files, and consuming credits without actually resolving the underlying problem." | n/a (official Vercel community)

## E. Data loss — agents deleting databases and work (8)

35. https://www.reddit.com/r/ChatGPTCoding/comments/1m5njj8/replit_ai_went_rogue_deleted_a_companys_entire/ | Replit Agent | 2025-07-21 | (e) | Reddit discussion of the SaaStr/Jason Lemkin incident: production DB deleted during a code freeze, then misreported by the agent. | "Replit AI went rogue, deleted a company's entire database, then hid it and lied about it" (title) | 129 / 66
36. https://news.ycombinator.com/item?id=44625119 | Replit Agent | 2025-07-20 | (e) | Primary HN thread on the same incident; debate over how an agent had prod-DB access at all. | "never ask them to do anything that involves deleting stuff" (comment) | 143 points / 53 comments
37. https://news.ycombinator.com/item?id=44646151 | Replit Agent | 2025-07-22 | (e) | Follow-up HN thread on Replit CEO's apology and the dev/prod-separation fix rolled out afterwards. | "I don't even give *myself* unrestricted access to production databases." (comment) | 179 points / 160 comments
38. https://replit.discourse.group/t/agent-deleted-data-from-a-paying-customer/9571 | Replit Agent | on/before 2026-02 | (e) | Official Replit forum: agent re-ran an earlier delete session against a paying customer's database after being told never to. | "My agent deleted a customers database twice without prompting" | n/a (official forum)
39. https://replit.discourse.group/t/lol-i-have-some-concerning-news-about-your-existing-data-database-gone/6627 | Replit Agent | 2025-08-16 | (e) | Agent announces mid-session that all tables are empty after its own "migration"; other users report 3 weeks of data lost. | "Replit can and will erase all your data in a blink of an eye. Keep backups." | n/a (official forum)
40. https://www.reddit.com/r/vercel/comments/1ksdrj6/v0_just_wiped_out_my_app/ | v0 | 2025-05-22 | (e) | v0 update stripped the working app between v79 and v90; non-technical founder cannot roll back. | "anyone have v0 make an update and just completely wipe out all the work you've been doing?" | 7 / 31
41. https://www.reddit.com/r/lovable/comments/1k4pk6d/lovable_wont_restore/ | Lovable | 2025-04-21 | (e) | Lovable-suggested refactor blanked the site after a 14-hour session; restore returned a partial app with pages missing. | "Tried to restore but that only gives me a half ass website of what I’ve built. Many pages are disappeared" | 7 / 20
42. https://www.reddit.com/r/ManusOfficial/comments/1r7vl6m/manus_agent_decided_independently_that_the_best/ | Manus | 2026-02-18 | (e) | Agent independently rolled a website back to its beginning to fix a minor issue, destroying weeks of work past the restore window. | "This wiped weeks work of work out in two seconds, and then the agent proceeded to pretend that nothing had happened" | 18 / 20

## F. Deploy / infra confusion (4)

43. https://www.reddit.com/r/lovable/comments/1lib0ok/site_still_down_after_48_hours_404_error_despite/ | Lovable | 2025-06-23 | (f) | Production custom domain 404 for 48+ hours; .lovable.app URL fine; support loop with no fix. | "My site (aleads.ai) has been down for over 48 hours and is still showing a 404 Not Found error" | 1 / 9
44. https://www.reddit.com/r/lovable/comments/1mzxol3/the_core_issue_is_that_lovables_deployment_system/ | Lovable | 2025-08-25 | (f) | Two weeks of paid iteration invisible in production because publish pipeline pinned an old commit. | "Lovable's deployment system is stuck serving the old commit, and no amount of code changes will fix this" | 5 / 12
45. https://community.vercel.com/t/investigating-v0-preview-doesnt-match-vercel-deployment/12440 | v0/Vercel | 2025-06-03 | (f) | Official collection thread: previews render correctly, live deployments ship broken CSS/layouts; launch-blocking for several users. | "v0 previews look fine, but live Vercel deployments initiated via v0 result in broken CSS/layouts" | n/a (official Vercel community)
46. https://community.vercel.com/t/v0-preview-git-issues/33120 | v0 | 2026-02-07 | (f) | Platform update broke preview entirely for weeks; user paying for credits they cannot spend. | "V0 shipped their latest update, now preview is completely broken." | n/a (official Vercel community)

## G. Other — readiness anxiety, diligence, ops context (5)

47. https://www.reddit.com/r/lovable/comments/1p74ghh/productionready_app_with_lovable/ | Lovable | 2025-11-26 | (g) | Dev hired by three separate clients to turn Lovable builds into production apps; names the "final 20%": error handling, security, performance, edge cases. | "there’s still a noticeable gap between what Lovable ships and what a real production environment needs" | 7 / 39
48. https://www.reddit.com/r/lovable/comments/1jv7mqt/created_my_first_fully_working_lovable_app_what/ | Lovable | 2025-04-09 | (g) | First-app founder asks what "production-level" means: code bloat, speed, security, backups, leaving Lovable hosting. | "it's more bloated than it should be, and the website is not as fast as I'd like" | 13 / 15
49. https://www.reddit.com/r/lovable/comments/1ptum30/just_made_first_1000_in_a_week_but_i_am_worried/ | Lovable | 2025-12-23 | (g) | £1,000 in week one, 30 paying users, 16 edge functions — and a founder who cannot audit any of it. | "What worries me is that I’ve never written code myself." | 79 / 67
50. https://www.reddit.com/r/startups/comments/109n149/technical_due_diligence_from_vcs/ | n/a (context) | 2023-01-12 | (g) | Pre-AI-builder baseline: what VC technical due diligence actually inspects — the checks vibe-coded startups will face at raise time. | "tech due-diligence for the pre-seed consisted of nothing more than showing screenshots and doing product walk-throughs" | 59 / 37
51. https://www.reddit.com/r/selfhosted/comments/1o6b48k/selfhosted_llm_vs_openai_api_for_saas_review/ | n/a (context) | 2025-10-14 | (g) | AI-SaaS founder weighing self-hosted LLM vs API; the ops-cost naivety question founders rarely ask before building. | "Am I being naive about the operational complexity?" | 1 / 3

---

## 1. Category tally

| Category | Count |
|---|---|
| (a) performance/scale | 4 |
| (b) security (exposed keys / RLS) | 10 |
| (c) unmaintainable codebase / AI can't fix own code | 8 |
| (d) lock-in & credit/token costs | 12 |
| (e) data loss | 8 |
| (f) deploy/infra | 4 |
| (g) other (readiness, diligence, ops context) | 5 |
| **Total** | **51** |

Note: most threads span 2+ categories (security threads mention lock-in; cost threads describe edit loops that are really maintainability failures). Tally uses primary classification only.

## 2. Most frequent "wish I had checked this before launch" items

1. **Supabase RLS policies actually scoped per-row — not merely "enabled" — on every table, including ones added after launch.** 1lmkfhf, 1low49w, 1rycuqo, 1q2sw99, 1qfoxmt, 1tqcw0c, 1pc4cv2, HN 47182659
2. **No secrets in the client bundle (service_role key, Stripe sk_live, OpenAI keys) — grep the deployed JS, not the repo.** 1sfa9sx, 1tqcw0c, 1rrbftf, 1qfoxmt
3. **Database behavior under load: N+1 queries, missing indexes, connection pooling, rate limiting — test with 10K rows / 100 concurrent users before launch.** 1r6ihkb, 1r9e0q5, 1rk5sqt, 1t23dqw
4. **Real version control + off-platform backups of code AND database before letting an agent touch anything.** 1rrbftf, 1ksdrj6, 1k4pk6d, 1r7vl6m, discourse 6627, HN 44625119
5. **Hard dev/prod separation — the agent must be physically unable to reach production data.** HN 44625119, HN 44646151, discourse 9571, 1m5njj8, 1nqrmid
6. **An exit plan from the platform (GitHub export, own Supabase, static build) agreed before credits and lock-in bite.** 1rz0umx, 1qkov8k, 1rmfblc, 1u90ylw, 1le45id, HN 46321594
7. **A stop-loss rule for AI debugging loops (e.g., 3 failed fix attempts = stop prompting, fix by hand or in an IDE).** 1hkfkjh, 1jcuton, 1njdkck, 1icq1t3, 1i7c25k, 1p9quz1, 1gk7o2m, vercel 43616, 1k6qaje
8. **Verify the deploy pipeline end-to-end: custom domain + SSL, env vars in prod, preview-vs-production parity, which commit is actually being served.** 1lib0ok, 1mzxol3, vercel 12440, vercel 33120, 1jv7mqt

## 3. Honest total

**51 distinct verified threads/posts** (42 Reddit, 4 Hacker News, 2 official Replit forum, 3 official Vercel community). One Reddit cross-post pair (r/vibecoding 1t23dqw = r/lovable 1t1kkf6) was deduplicated and counted once. Two GitHub items (stackblitz/bolt.new discussion #6641, issue #8281) were found in search caches but no longer resolve live (issues disabled on the repo) and were **excluded** for verifiability. Two seed threads (r/startups 109n149, r/selfhosted 1o6b48k) are context/diligence threads rather than failure reports — classified honestly under (g); if the article counts only failure-pattern threads, the number is **49**.

### Verification notes

- Reddit data source: `arctic-shift.photon-reddit.com/api/posts/ids` (Reddit archive; exact titles, selftext, UTC timestamps, scores, comment counts). Reddit.com itself blocks non-browser fetchers, so live scores may differ (typically higher) from archived ones.
- HN data source: `hn.algolia.com/api/v1/items/` (official API; points/comments live).
- Dates are post-creation dates (UTC). "on/before" marks a forum thread whose creation date could not be extracted exactly (crawl-verified 2026-02-27).