Postmortem Analysis of Cycle Exploit Occurrence on Our Site
In a swift and decisive response, the team behind the popular cryptocurrency network has resolved an off-by-one error in its validator software that averted a potential loss of approximately 500,000 SHM during cycle 111165.
The error, common in software of this kind, led to an improper credit of SHM tokens due to a boundary condition mistake. In this instance, the validator's logic may have erred when handling cycle counters, reward calculations, or ledger updates at the final step of the cycle.
Such mistakes can occur when iterating over cycles or states with zero-based vs one-based indices or inclusive vs exclusive range boundaries. In the case of cycle 111165, the validator software credited roughly 500,000 SHM tokens erroneously, likely by applying changes meant for one cycle to either this cycle or the next incorrectly.
Following the discovery of the error, the network's team launched a thorough investigation and found no evidence of further impact across the network's history. They also temporarily increased the stakelock time to prevent any further malicious activity.
The attack, a deliberate one, involved a sophisticated method to exploit the vulnerability and trick the network into thinking a single node had been active since 2019. The attacker generated two crafted service queue transactions at cycle 111165 with backdated cycle numbers and extra fields, reusing a valid historical certificate inserted at array index 0, and the remaining certificates in the array passing normal validation.
To rectify the issue, the team deployed a hotfix to the validator software, called Validator v1.19.3, which corrects the underlying flaw and implements additional defensive checks. They also announced a bug bounty program to encourage responsible disclosure of vulnerabilities and a Security Incident Response Playbook to streamline response processes during critical events.
Regular SHM holders are not affected by the incident and no action is required. However, validators are advised to check if their nodes are running the latest patched version by looking at the main dashboard under Version Info (GUI) or running certain commands in their server terminal (CLI).
The network's team would like to extend their gratitude to the community member NoviceCrypto and others who reported and helped monitor the discrepancy quickly. They also encourage anyone identifying a potential security issue to report it to the security team via email, Github, Discord, or a support ticket.
Lastly, to foster a more secure environment, external monitoring and alerting tools, such as anomaly detection and on-chain analytics, will be integrated for improved proactive detection. The team is also launching a public security email list for developers, node operators, and community members.
The cryptocurrency network remains committed to maintaining the security and integrity of its platform for its users and the wider community.
- Despite the recent incident involving a potential loss of SHM tokens due to a software error, the team behind the cryptocurrency network has shown a strong commitment to cybersecurity by deploying a hotfix, implementing defensive checks, and announcing a bug bounty program.
- In the realm of technology, where business and sports overlap, the collaborative approach between the cryptocurrency network's team and the community in identifying and rectifying security vulnerabilities serves as an exemplary demonstration of the power of proper financial systems and cybersecurity measures.
