
Researcher Reverse-Engineers Claude's Pricing Through Floating-Point Side Channel

TL;DR

A security researcher extracted Anthropic's exact pricing formulas and usage limits by analyzing unrounded floating-point values in API responses, revealing that subscription plans offer 36× better value than API pricing once caching is taken into account.

Key Points

  • Extracted precise usage limits with a Stern-Brocot tree search that recovers the underlying fraction from an IEEE 754 double to roughly 10^-17 precision
  • The Claude Max 5× plan delivers 6× higher session limits (not the promised 5×) and 8× weekly limits, making it the best-value tier
  • Subscription cache reads cost nothing, versus the API's 10% per read; in agentic loops this compounds to a 36× value advantage
  • The side channel was in the /generation endpoint's SSE responses, which carried unrounded doubles such as 0.16327272727272726 before a rounding fix was deployed
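The recovery step in the first key point can be shown concretely. The following is an added example, not code from the original article or from the researcher's post: it walks the Stern-Brocot tree toward an exact binary double, stopping at the first mediant within a tolerance close to the double's own precision. Applied to the value the article quotes, it returns the simplest fraction consistent with that double; what that fraction means in Anthropic's formulas is stated in the source post, not here, and the tolerance and the rounding test at the end are assumptions chosen for the demonstration.

```python
from fractions import Fraction


def stern_brocot(x: float, tol: float = 1e-16, max_steps: int = 1_000_000) -> Fraction:
    """Return the simplest fraction within tol of the double x.

    The search keeps two bounds a/b < target < c/d, starting at 0/1 and 1/0
    (infinity), and repeatedly forms the mediant (a+c)/(b+d). Each mediant is
    the simplest fraction strictly between the bounds, so the first one within
    tolerance is the lowest-denominator candidate for the original ratio.
    """
    if x < 0:
        # the tree covers non-negative rationals; handle sign by symmetry
        return -stern_brocot(-x, tol, max_steps)
    target = Fraction(x)  # exact binary value of the double, no float error
    eps = Fraction(tol)
    a, b, c, d = 0, 1, 1, 0
    for _ in range(max_steps):
        m = Fraction(a + c, b + d)  # mediants are always already reduced
        if abs(m - target) <= eps:
            return m
        if target < m:
            c, d = m.numerator, m.denominator  # target lies left of the mediant
        else:
            a, b = m.numerator, m.denominator  # target lies right of the mediant
    raise ValueError(f"no fraction within {tol} of {x!r} in {max_steps} steps")


def leaked_ratio(x: float) -> tuple[int, int]:
    """Convenience wrapper returning (numerator, denominator)."""
    f = stern_brocot(x)
    return f.numerator, f.denominator


def ratio_after_rounding(x: float, decimals: int) -> tuple[int, int]:
    """Show the effect of the mitigation: once the server rounds the value to a
    fixed number of decimals, the only fraction the search can find is the
    decimal itself, so the original small-denominator ratio is gone."""
    return leaked_ratio(round(x, decimals))


if __name__ == "__main__":
    # value quoted in the article, constructed here as the input to the search
    leaked = 0.16327272727272726
    num, den = leaked_ratio(leaked)
    print(f"{leaked!r} -> {num}/{den}  (error {abs(Fraction(num, den) - Fraction(leaked)):.2e})")
    print(f"rounded to 4 dp -> {'/'.join(map(str, ratio_after_rounding(leaked, 4)))}")
```

The exact comparison against `Fraction(x)` matters: comparing floats to mediants would accumulate its own rounding error, while the exact rational of the double lets the search terminate only when a candidate is within the tolerance you specify. Rounding the served value, as the fix described above does, leaves the search with a fraction whose denominator is a power of ten, which carries no information about the original ratio.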

Why It Matters

This demonstrates how a minor implementation detail (serving unrounded floats) can leak sensitive business information through a side channel. For developers, it quantifies the large cost difference between subscription and API pricing, especially for agentic workloads. It is also a reminder that security-relevant data needs careful handling at every layer of the stack, not just at the API boundary.
Read the full technical analysis

Source: she-llac.com