The real cost of vibe coding: what Lovable and Bolt won't tell you

Vibe coding looks free until you count the hours. Lovable, Bolt, and v0 promise you can build a full app with prompts instead of code. The landing pages show polished UIs generated in seconds. The pricing pages show $20-$100/month plans. Founders see those numbers and think: "Why would I pay an agency $15,000 when I can build it myself for $50?"

That math falls apart the moment you move past a demo. The real costs hide in credits burned on debugging, security holes you don't know exist, and rewrites you'll pay for twice. Here's what those platforms won't put on their pricing page.

The credit trap

Lovable users burn through 400 credits in under an hour during active development. Each prompt costs a credit. Each fix attempt costs a credit. And here's the part the pricing page omits: fixing something the AI broke also costs a credit.

30-40% of all prompts go toward fixing problems the AI introduced in previous prompts. You ask it to add a login form. It breaks the navigation. You spend three prompts fixing the navigation. It breaks the footer. Two more prompts. You've burned six credits to get back to where you started, plus the feature you wanted.

This creates a perverse incentive. Credit-based platforms profit from their own mistakes. Every bug the AI introduces is another credit consumed. The worse the AI performs on complex tasks, the more revenue the platform generates. Your debugging is their business model.

On a $50/month plan, you get roughly 500 credits. Active builders exhaust those in 1-2 sessions. Upgrading to the $100 or $200 tier buys more credits, but the burn rate stays the same. For complex projects, token consumption escalates fast; a multi-page app with authentication, database operations, and API integrations can eat through $200 worth of credits in a single week.

Over a 6-8 week build, a founder spending $200/month on credits plus 20+ hours per week of their own time isn't saving money. They're paying in credits and labor while getting a codebase no engineer wants to maintain.

The debugging tax

A majority of developers report spending more time debugging AI-generated code than they would have spent writing it from scratch. That finding comes from people who know how to code. For non-technical founders, the ratio is worse.

AI-generated code carries 1.7x more major issues than human-written code. Code duplication increases by 8x. When the AI generates a component, it doesn't check whether a similar component already exists in your project. It creates a new one. Then another. Then another. You end up with three slightly different button components, two navigation bars, and four copies of the same API call, each with minor variations that make bugs hard to trace.

The debugging tax compounds over time. Week one feels productive; you're generating pages and features fast. By week four, every new prompt breaks two existing features. By week six, you're spending 80% of your prompts on damage control and 20% on new features. That's the trajectory for every non-trivial vibe-coded project.

The security bill

AI-generated code has a 2.74x higher rate of security vulnerabilities compared to human-written code. That's not a theoretical risk. It shows up in production apps right now.

10.3% of Lovable-built apps had critical Row Level Security (RLS) flaws in their Supabase databases. RLS is the mechanism that prevents User A from reading User B's data. When it's misconfigured, anyone with basic browser dev tools can read, modify, or delete other users' data. That's not a minor bug. That's a data breach waiting for someone curious enough to open the network tab.

It gets worse. 11% of indie-launched apps built with these tools expose Supabase credentials in their frontend code. API keys, database URLs, service role keys; all visible in the browser's source view. Anyone can copy those keys, connect to the database directly, and do whatever they want with the data.

What does a data breach cost a startup? The direct costs (legal, notification, remediation) run $50,000-$200,000 for a small company. The indirect costs (lost customers, damaged reputation, killed fundraising momentum) are harder to quantify but often fatal. A $50/month vibe coding subscription that leads to one exposed database can cost more than a decade of agency invoices.

The rewrite cost

Agencies see vibe-coded projects regularly now. The pattern is consistent: a founder builds a prototype in Lovable or Bolt, gets initial traction, then hires an agency to "clean it up and add features." The agency looks at the codebase and recommends starting over.

Why? Vibe-coded apps have no consistent architecture. The AI generates whatever pattern fits the current prompt, with no regard for what it generated yesterday. Database schemas lack proper indexing and relationships. Authentication logic gets scattered across files. Business rules live in random components instead of a service layer. State management is a patchwork of local state, global state, and direct API calls with no pattern.

Fixing this codebase takes longer than building it correctly from scratch. An agency quoting $15,000 for a fresh build would quote $20,000-$25,000 to refactor a vibe-coded version of the same app. The founder ends up paying for the build twice: once in credits and their own time, and once in agency fees.

There's also the backend lock-in problem. Lovable forces Supabase as the only backend option. v0 has no backend at all. If your product needs a custom API, background jobs, or third-party integrations beyond what Supabase offers, you've hit a wall. Moving off Supabase means rewriting your entire data layer; every query, every auth flow, every real-time subscription.

A fair comparison: vibe coding vs. agency costs

Here's what the same project costs through each path, based on a typical B2B SaaS MVP with authentication, a dashboard, CRUD operations, payment integration, and an admin panel.

When you factor in the founder's time at $100-$200/hour opportunity cost, the vibe-coded MVP costs $12,000-$42,000 in total. The agency build costs $8,000-$20,000 and ships faster with fewer risks.

When vibe coding makes sense

Vibe coding isn't worthless. It's a tool with a specific, narrow use case. It works well for:

Throwaway prototypes. You need to test whether users understand a concept. Build a clickable prototype in Lovable, show it to 20 potential customers, and gather feedback. Then throw the code away and build the real version. The key word is "throwaway." Treat it as a research expense, not a foundation.

Internal tools with no security requirements. A dashboard that only your team uses, pulling data from an internal API you control. No user authentication. No sensitive data. No external access. If it breaks, your team tells you in Slack, not a lawyer in a demand letter.

Idea validation before investment. You want to see if a workflow makes sense before committing budget to a full build. Generate the screens, click through the flow, identify gaps. This is a $50-$100 exercise that can save you $10,000 in building the wrong features.

The common thread: vibe coding works when the code is disposable. The moment you plan to put it in front of paying customers, handle their data, or scale beyond a handful of users, you've outgrown the tool.

When to hire engineers instead

Hire engineers when your product touches real users, real money, or real data. That covers most things worth building.

Specifically, hire engineers when:

You're handling user data. Authentication, authorization, data isolation, encryption at rest, GDPR compliance. These aren't features you can prompt into existence. They require architectural decisions that compound across every part of your application.

You need a custom backend. Lovable gives you Supabase. v0 gives you nothing. If you need background jobs, webhook processing, third-party API integrations, custom business logic, or anything beyond basic CRUD, you need an engineer writing server-side code.

You plan to raise funding. Investors do technical due diligence. A codebase with 8x code duplication, exposed API keys, and no test coverage tells investors that technical risk is high and the rewrite cost will eat into the capital they're providing.

You need to iterate fast after launch. A well-architected codebase lets you add features in days. A vibe-coded codebase makes every new feature a negotiation with accumulated technical debt. The speed advantage of vibe coding inverts after launch; the messier the code, the slower every future change.

The cost of hiring engineers looks high on day one. The cost of not hiring them shows up on day 90, when you're debugging security flaws, explaining exposed credentials to users, or paying an agency to rebuild what you already built once.

Vibe coding sells the dream of free software. The invoice arrives later, and it's always bigger than the subscription fee.

Frequently asked questions