Add trophy case and submit first vulnerability

[BowTiedRadone]

This PR adds a trophy case to README, links docs to it in SUMMARY, and records the first vulnerability reported via DM.

Congrats to @Rapha-btc!

[moodmosaic]

Happy to see this!

[Rapha-btc]

Thanks for kicking off the trophy case, @BowTiedRadone — humbled to be the first entry 🙏

Quick context on what RV caught:

While preparing Jing V3, I ran @stacks/rendezvous 500-run sweeps with 13 state invariants against both markets (sBTC/STX + sBTC/USDCx). 12 of them checked list/totals/map consistency the "obvious" way. The 13th — invariant-balance-eq-cycle-totals — compared the contract's actual token balance against the sum of declared cycle-totals across all cycles.

That 13th invariant caught a cancel-cycle × small-share-roll bug:

When close-deposits ran small-share-filter, it rolled sub-threshold depositors' lists + totals forward to next-cycle. If cancel-cycle then fired on the current cycle, our roll code was overwriting next-cycle's totals instead of merging — the totals from the small-share roll silently got wiped. List/totals/map stayed mutually consistent at the wrong values, so the other 12 invariants happily passed. Only the actual-balance-vs-declared-totals check saw the corruption.

Caught within ~30 random tx sequences after adding the invariant. Fix is a one-liner in roll-depositor-lists (concat next-cycle's existing list with cycle's, then + the totals). Verified by reverting the fix in .build/ — RV trips the invariant deterministically. With the fix, both markets pass 500-run sweeps clean.

v2 was paused as soon as the bug was identified; v3 ships with the fix plus other improvements — so no exposure remained.

Takeaway for other Clarity teams: when fuzzing balance-preserving protocols, always add a conservation invariant (actual on-chain balance vs sum of declared accounting). Internal-consistency checks alone can miss the entire class of "the accounting is corrupted but consistently corrupted."

Full writeup with repro / failing invariant / fix details: https://github.com/Rapha-btc/jing-contracts-v3/blob/master/tests/rv/README.md

[wileyj]

Very cool! only nit is that you may want to move the trophy case section to it's own file if the intent is to grow that list.
but, that's a preference/style change and could be done at any time in the future if you choose to.

[BowTiedRadone]

@wileyj Yep, I had it in mind. Since we will also need at least a trophy case preview in the README as the list will grow, I'd keep it in README for now and eventually move (the full list) to it's own file/directory later. Thanks for the review!

[moodmosaic]

What a journey!

[moodmosaic]

@Rapha-btc, thanks for sharing this! 🚀

[Rapha-btc]

Opposite, thank you for building this. You are awesome! This is incredibly valuable @moodmosaic

https://x.com/RaphaStacks/status/2055296601229251028?s=20