Post-incident analysis report: Uncovering the cycle exploit
In a recent incident, the archiver network of an unnamed cryptocurrency network successfully handled a malicious cycle certificate, preventing a potential exploit that resulted in approximately 500K SHM being improperly credited during cycle 111165.
The incident, which occurred on July 12th, 2025, began when a suspicious staking reward was reported to the network's website team via their Discord server. Upon investigation, it was discovered that the attack tricked the network into thinking a single node had been active since 2019, a significant discrepancy that served as the primary artifact of the attack.
The attack required a sophisticated method to exploit a vulnerability in the validator software. Specifically, if a phony cycle certificate could be placed in the 0th position of the array, it could bypass the marker validation step. The root cause was narrowed to the certificate validation loop skipping cert[0], an "off-by-one" error.
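The following added example (not the validator's own code) shows the class of bug described above next to a corrected loop, with a regression probe that places one invalid certificate at each array position in turn. The certificate fields, the HMAC stand-in for signature verification, and the loop starting at index 1 are assumptions made for illustration; the page does not show the real format or code.

```python
import hashlib
import hmac

# Constructed stand-in for signature verification: an HMAC under a demo key.
# The real validator's signature scheme and certificate format are assumptions here.
DEMO_KEY = b"constructed-demo-key"

def sign(marker: str) -> str:
    return hmac.new(DEMO_KEY, marker.encode(), hashlib.sha256).hexdigest()

def cert_is_valid(cert: dict) -> bool:
    return hmac.compare_digest(cert["sig"], sign(cert["marker"]))

def validate_buggy(certs: list) -> bool:
    # Off-by-one (assumed form): the loop starts at 1, so certs[0] is never checked.
    for i in range(1, len(certs)):
        if not cert_is_valid(certs[i]):
            return False
    return True

def validate_fixed(certs: list) -> bool:
    # Reject empty input and check every element, including index 0.
    return len(certs) > 0 and all(cert_is_valid(c) for c in certs)

def positions_accepting_invalid(validator, n: int = 4) -> list:
    """Regression probe: corrupt one cert at each index in turn and return
    the indices at which the validator still accepts the whole array."""
    good = [{"marker": f"cycle-marker-{i}", "sig": sign(f"cycle-marker-{i}")}
            for i in range(n)]
    accepted = []
    for pos in range(n):
        certs = [dict(c) for c in good]
        certs[pos]["sig"] = "00" * 32  # constructed invalid signature
        if validator(certs):
            accepted.append(pos)
    return accepted

if __name__ == "__main__":
    print("buggy accepts invalid cert at:", positions_accepting_invalid(validate_buggy))
    print("fixed accepts invalid cert at:", positions_accepting_invalid(validate_fixed))
```

A position-sweeping test like this catches boundary mistakes at either end of the array, which a test with a single hand-picked bad index can miss.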
In response to this attack, the team has released a mandatory security patch, Validator v1.19.3, to correct the underlying flaw and implement additional defensive checks. A hotfix was published and deployed to correct the array-indexing problem, and all SHM received through the exploit was voluntarily returned by the attacker.
The network operates one cycle at a time, with each cycle having a "cycle record" detailing the state of the L1. In the event of multiple candidate cycle certificates, they are considered before one is chosen, and each is cryptographically verified. To prevent further malicious activity, the team temporarily increased the stakelock time.
The network will be closely monitored for updates in the next 1 to 2 days, and validators are encouraged to ensure their nodes are running the latest patched version. To further enhance security, a public security email list will be launched to keep developers, node operators, and community members informed of critical vulnerabilities, patches, or security-related announcements.
The network also plans to announce a bug bounty program to encourage responsible disclosure of vulnerabilities. This proactive approach to security underscores the network's commitment to maintaining the integrity and stability of its ecosystem.
While the exact nature of the vulnerability exploited in this incident remains unclear, understanding general patterns of cryptocurrency exploits can provide insight into how such incidents are typically addressed. These patterns include vulnerability identification, exploitation techniques, impact, and addressing exploits through security updates, network forks, community coordination, and regular audits.
For specific information about this incident or other exploits involving the creation of 500K SHM, it is recommended to check the latest security reports or news releases related to the cryptocurrency network in question.
The sophisticated attack on the cryptocurrency network's validator software, while primarily targeted at exploiting a vulnerability, also underscores the need for enhanced cybersecurity measures in the realm of finance and technology. To mitigate similar threats in the future, the network has announced a public email list for security updates and a bug bounty program for responsible disclosure of vulnerabilities, further emphasizing their dedication to maintaining network stability.