Post-investigation Account of the Cycle Exploit: Report by our Site
In a recent turn of events, a significant anomaly was discovered on our platform, leading to the creation of approximately 500,000 SHM tokens. This incident, it seems, was the result of a common yet critical flaw known as an "off-by-one" error in our validator software's certificate validation logic.
Validator nodes play a crucial role in maintaining the integrity of our network. To ensure your node is running the latest patched version, you can check via the Graphical User Interface (GUI) or Command Line Interface (CLI). It's essential to keep your node up-to-date to avoid such incidents in the future.
Off-by-one errors typically occur when the code miscounts iterations or misindexes arrays or pools, affecting calculations. In validator staking software, such errors can cause misrecorded rewards, paying out more than intended. This mistake likely led to the creation of the faulty reward of ~500,000 SHM tokens because the reward accounting loop or condition incorrectly included one extra unit.
Systems with similar validator reward mechanisms, such as Solana or Ethereum 2.0, use complex formulas and precise conditions. Any off-by-one misstep can have a large downstream token issuance impact. If your validator software had a similar flaw in its reward allocation code, the validator pool could end up credited with an extra block or reward increment, resulting in a large sum being incorrectly created or assigned.
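A constructed illustration of the reward-accounting off-by-one described above, added here as an example rather than the platform's own validator code; the cycle numbers, the per-cycle reward and the `NodeRecord` shape are assumptions, and the defensive bound check is the kind of guard a patch would add:

```typescript
// Constructed example: per-cycle validator reward accounting with an
// off-by-one, its corrected form, and a bound check that would catch it.
interface NodeRecord {
  id: string;
  joinedCycle: number; // first cycle in which the node was active (assumed)
  exitCycle: number;   // cycle in which the node left; not a completed cycle
}

const REWARD_PER_CYCLE = 10; // assumed: 10 SHM per completed cycle

// BUGGY: the loop bound uses "<=", so the exit cycle is paid as if it
// had been completed, crediting one extra reward unit per node.
function rewardBuggy(node: NodeRecord): number {
  let total = 0;
  for (let c = node.joinedCycle; c <= node.exitCycle; c++) {
    total += REWARD_PER_CYCLE;
  }
  return total;
}

// FIXED: only cycles strictly before the exit cycle count as completed.
function rewardFixed(node: NodeRecord): number {
  const completed = Math.max(0, node.exitCycle - node.joinedCycle);
  return completed * REWARD_PER_CYCLE;
}

// Defensive check: a payout can never exceed what the cycle span allows.
// Running this against every reward credit flags the buggy result.
function rewardWithinBound(node: NodeRecord, paid: number): boolean {
  const maxCompleted = Math.max(0, node.exitCycle - node.joinedCycle);
  return paid <= maxCompleted * REWARD_PER_CYCLE;
}

// Ledger-level view: total issuance under a given reward rule, so the
// drift between buggy and fixed accounting (one unit per node) is visible.
function totalIssued(nodes: NodeRecord[], rule: (n: NodeRecord) => number): number {
  return nodes.reduce((sum, n) => sum + rule(n), 0);
}

// Constructed sample of three nodes leaving at different cycles.
const SAMPLE_NODES: NodeRecord[] = [
  { id: "node-a", joinedCycle: 100, exitCycle: 105 },
  { id: "node-b", joinedCycle: 100, exitCycle: 101 },
  { id: "node-c", joinedCycle: 103, exitCycle: 103 }, // joined and left same cycle
];
```

Comparing `totalIssued(SAMPLE_NODES, rewardBuggy)` with `totalIssued(SAMPLE_NODES, rewardFixed)` shows the over-issuance growing by exactly one reward unit per node, which is the signature an on-chain issuance monitor can alert on.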
Fortunately, the attack appears to be an isolated incident, with no evidence of further impact across the network's history. The abnormal reward credit of 500K SHM was voluntarily returned by the attacker. Our website team temporarily increased the stake-lock time to prevent further malicious activity.
To address this issue, our website team has released a mandatory security patch, Validator v1.19.3, which corrects the underlying flaw and implements additional defensive checks. Regular SHM holders are not affected by the incident, and no action is required on their part.
In an effort to enhance transparency and security, a public security email list will be launched for developers, node operators, and community members to stay informed about critical vulnerabilities, patches, or security-related announcements. Additionally, a Security Incident Response Playbook will be formalized and published to streamline detection, triage, communication, and resolution processes during critical events.
To encourage responsible disclosure of vulnerabilities, a bug bounty program will be announced. If you identify a potential security issue, you can report it confidentially via email, GitHub, Discord, or a support ticket. Credit and thanks go to community member NoviceCrypto and others for their quick reporting and monitoring of the discrepancy.
External monitoring and alerting tools, such as anomaly detection and on-chain analytics, are being evaluated for integration to improve proactive detection. By incorporating these tools, we hope to minimise the chances of such incidents occurring in the future.
[1] Solana Validator Rewards: https://solana.com/validators
[2] Ethereum 2.0 Validator Rewards: https://ethereum.org/en/eth2/validators/rewards/
- In business and technology, cybersecurity vigilance matters as much as financial stability, particularly when dealing with digital assets and blockchain platforms, as the recent incident involving our platform's validator staking software shows.
- As technology continues to reshape sports, finance, and other industries, innovators and developers must prioritize cybersecurity measures such as prompt patching and responsible disclosure of vulnerabilities in order to preserve the integrity of their systems and prevent financial losses.