2021 · bug · Public

GTA Online — The Six-Minute Load

Millions of players lost 5+ minutes per game launch for 7 years. Aggregate human-hours lost incalculable.

Root Cause

10MB JSON catalog parsed with sscanf on every launch, followed by O(n²) deduplication — ~63 billion comparisons per startup

Aftermath

Rockstar patched within weeks of public disclosure. Paid t0st $10,000 bug bounty. Loading times reduced by ~70%.

The Incident

GTA Online, released in 2013, had notoriously slow loading times on PC — averaging 6 minutes per launch. Players accepted it as the cost of a massive open world. Nobody at Rockstar fixed it because it had been that way since launch.

The Discovery

In February 2021, a developer going by t0st decided to reverse-engineer the GTA Online launcher to find out why it was so slow. Using a CPU profiler, they identified two compounding flaws:

Flaw 1: Full JSON Parse on Every Launch

On every startup, the game parsed a ~10MB JSON file (net_shopping_catalog — the entire in-game store catalog) using sscanf, character by character. This file grew with every content update.

Flaw 2: O(n²) Deduplication

After parsing, the game ran a uniqueness check on every item — comparing each entry against every other entry. With ~63,000 items, this meant ~63,000 × 63,000 = ~4 billion comparisons. Every single launch.

The Fix

A cache for the parsed data and a hash set for deduplication. A few lines of code. The kind of fix a junior developer could implement in an afternoon.
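
The deduplication half of that fix, as an added example (not Rockstar's or t0st's code): the same keys are deduplicated once by linear scan and once by a hash set, with counters recording the work each strategy does. The function names, the nonzero 64-bit keys and the sample input are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

static unsigned long long linear_cmp, hash_probes;  /* work counters */

/* Before: every key is compared against all keys kept so far, O(n^2). */
size_t dedup_linear(const uint64_t *keys, size_t n, uint64_t *out) {
    size_t kept = 0;
    linear_cmp = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        for (; j < kept; j++) {
            linear_cmp++;
            if (out[j] == keys[i]) break;            /* duplicate found */
        }
        if (j == kept) out[kept++] = keys[i];
    }
    return kept;
}

/* After: open-addressing hash set (Fibonacci hashing), expected O(1) per key.
   Key 0 marks an empty slot, so keys must be nonzero; returns 0 if calloc fails. */
size_t dedup_hashset(const uint64_t *keys, size_t n, uint64_t *out) {
    size_t cap = 16, bits = 4, kept = 0;
    while (cap < 2 * n) { cap <<= 1; bits++; }       /* load factor <= 0.5 */
    uint64_t *slots = calloc(cap, sizeof *slots);
    if (!slots) return 0;
    hash_probes = 0;
    for (size_t i = 0; i < n; i++) {
        size_t h = (size_t)((keys[i] * 0x9E3779B97F4A7C15ULL) >> (64 - bits));
        for (;; h = (h + 1) & (cap - 1)) {           /* linear probing */
            hash_probes++;
            if (slots[h] == keys[i]) break;          /* already seen */
            if (slots[h] == 0) { slots[h] = keys[i]; out[kept++] = keys[i]; break; }
        }
    }
    free(slots);
    return kept;
}

int main(void) {
    enum { N = 20000 };                    /* constructed input, half duplicates */
    static uint64_t keys[N], a[N], b[N];
    for (size_t i = 0; i < N; i++) keys[i] = i % (N / 2) + 1;
    size_t ua = dedup_linear(keys, N, a), ub = dedup_hashset(keys, N, b);
    printf("unique=%zu/%zu cmp=%llu probes=%llu\n", ua, ub, linear_cmp, hash_probes);
    return 0;
}
```

Both functions keep first occurrences in input order, so their outputs can be compared element by element when swapping one for the other.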

The Aftermath

Rockstar acknowledged the bug, patched it within weeks, and paid t0st $10,000 through their bug bounty program. Loading times dropped by approximately 70%.

Why It Matters

This wasn't a security vulnerability. It was The Greedy Initializer — the same pattern from 1990s desktop CRM applications — surviving in a 2013 AAA game engine. Load everything at startup. Process it every time. Never cache the result. The pattern didn't evolve with the data. The data grew. The pattern didn't.

The Pattern

This incident is a direct instance of [The Greedy Initializer](/exhibits/the-greedy-initializer) (EXP-002): a system that loads all possible data at startup and reprocesses it on every launch, regardless of whether it has changed. The fix — a parse cache and a hash-based deduplication set — is documented there, along with its full lineage from 1990s enterprise software to modern applications.

The O(n²) deduplication is also a textbook instance of Complexity Accretion: no single decision was obviously wrong. The catalog grew. The algorithm stayed. The cost compounded silently for seven years.

Techniques
quadratic algorithm · eager initialization · json parsing