
Postmortem Analysis of the Cycle Exploit: A Report from our Site

The team promptly addressed the cycle-reward vulnerability, released a fix, and burned the returned SHM to protect the user community.

Investigation Summary: Analysis of Cycle Exploit Incident

A critical flaw in our validator software, an "off-by-one" error, was discovered and promptly patched. Off-by-one errors are a common class of bug in code that counts time intervals or token-distribution cycles; in this case the error caused an abnormal reward of 502,692.05 SHM to be issued on July 30, 2025.

The error was triggered by a deliberate attack on our network: the attacker timed their transactions so that the reward formula computed an incorrect time difference or supply total. As a result, a single node was credited as if it had been active in the network since 2019, and improperly received approximately 500K SHM during cycle 111165.
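The general shape of this bug class, as an added illustration that is not the validator's own code: a per-cycle reward calculation that reads a node's activation cycle from the wrong (previous) cycle record, so a join transaction timed to land exactly in the cycle being paid falls back to a default activation of cycle 0 and is credited for the entire chain history. The record layout, reward formula, cap, anomaly heuristic, and all constants and node names below are assumptions made for the example.

```python
"""Hypothetical model of an off-by-one in a per-cycle staking reward calculation.
Added illustration, not the project's validator code: the cycle records, the reward
formula and every constant here are assumed."""
from dataclasses import dataclass, field

REWARD_PER_CYCLE = 1.0        # assumed SHM credited per cycle of uptime
MAX_CYCLES_PER_PAYOUT = 1000  # assumed hard cap on cycles credited in one payout


@dataclass
class Cycle:
    counter: int
    # node_id -> counter of the cycle in which that node became active
    active_nodes: dict = field(default_factory=dict)


def build_cycles(n_cycles, joins):
    """Constructed history: consecutive cycles 0..n_cycles-1. `joins` maps a node_id
    to the cycle in which its join transaction landed; from that cycle onward the
    node is listed as active, tagged with its activation counter."""
    return [Cycle(c, {nid: a for nid, a in joins.items() if a <= c})
            for c in range(n_cycles)]


def reward_vulnerable(cycles, node_id, current):
    """'Before' version. Membership is checked against `current`, but the activation
    cycle is read from the PREVIOUS record (index current - 1): an off-by-one in which
    record is consulted. A join timed to land exactly in `current` is present there
    but absent from `current - 1`, so .get() falls back to 0 and the node is credited
    as if it had been active since cycle 0."""
    if node_id not in cycles[current].active_nodes:
        return 0.0
    activated = cycles[current - 1].active_nodes.get(node_id, 0)   # BUG: wrong record
    return (current - activated + 1) * REWARD_PER_CYCLE


def reward_hardened(cycles, node_id, current):
    """'After' version: read the activation cycle from the record being paid, then
    apply defensive checks before crediting anything."""
    activated = cycles[current].active_nodes.get(node_id)
    if activated is None:
        return 0.0
    # 1. Range check: activation must lie within [0, current].
    if not 0 <= activated <= current:
        raise ValueError(f"{node_id}: activation cycle {activated} out of range")
    # 2. Consistency check: every retained cycle since activation must agree.
    for c in range(activated, current + 1):
        if cycles[c].active_nodes.get(node_id) != activated:
            raise ValueError(f"{node_id}: activation cycle disagrees with cycle {c}")
    active_cycles = current - activated + 1
    # 3. Hard cap: a single payout may never exceed the configured ceiling.
    if active_cycles > MAX_CYCLES_PER_PAYOUT:
        raise ValueError(f"{node_id}: {active_cycles} cycles exceeds payout cap")
    return active_cycles * REWARD_PER_CYCLE


def anomalous_payouts(payouts, median_multiplier=10.0):
    """Monitoring-side heuristic (assumed): flag payouts far above the batch median.
    `payouts` maps node_id -> reward for one cycle; returns flagged ids, sorted."""
    amounts = sorted(payouts.values())
    if not amounts:
        return []
    median = amounts[len(amounts) // 2]
    return sorted(nid for nid, amt in payouts.items() if amt > median * median_multiplier)


if __name__ == "__main__":
    # Constructed scenario: two honest nodes joined recently; the attacker's join
    # lands in the very cycle whose payout is being computed (cycle 5000).
    joins = {"honest-a": 4900, "honest-b": 4950, "attacker": 5000}
    cycles = build_cycles(5001, joins)
    before = {nid: reward_vulnerable(cycles, nid, 5000) for nid in joins}
    after = {nid: reward_hardened(cycles, nid, 5000) for nid in joins}
    print("vulnerable:", before)                 # attacker credited 5001 cycles
    print("hardened:  ", after)                  # attacker credited 1 cycle
    print("flagged:   ", anomalous_payouts(before))
```

The point of the three checks in the hardened version is defence in depth: the range check catches a corrupted or defaulted activation value, the consistency check catches a record that disagrees with history, and the cap bounds the damage even if both of those are bypassed. The median heuristic is the kind of external anomaly detection that would have flagged the payout independently of the validator code.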

To prevent such incidents in the future, we are taking several measures. First, a mandatory security patch, Validator v1.19.3, has been released; it corrects the underlying flaw and adds defensive checks. Validators must ensure their nodes are running this patched version, which can be confirmed through the GUI or CLI.

Second, we are announcing a bug bounty program to encourage responsible disclosure of vulnerabilities. The program will reward individuals who help us identify and fix security issues, building a stronger and more secure network.

In addition, a public security email list will be launched so that developers, node operators, and community members are informed of critical vulnerabilities, patches, and other security announcements. This list will complement our existing channels, including our Discord server, where suspicious activity (such as the unusually high staking reward reported on July 12, 2025) can be reported promptly.

To further improve our response to security incidents, a Security Incident Response Playbook will be formalized and published. This playbook will streamline detection, triage, communication, and resolution processes during critical events, ensuring a swift and effective response.

External monitoring and alerting tools, such as anomaly detection and on-chain analytics, are also being evaluated for integration to improve proactive detection.

We thank community member NoviceCrypto and the others involved for quickly reporting and monitoring the discrepancy. If you identify a potential security issue, report it confidentially via email, GitHub, or a support ticket on Discord, and do not post exploit details publicly until our security team has acknowledged the report.

Rest assured, regular SHM holders are not affected, and no action is required. We are committed to maintaining the security and integrity of our network, and we appreciate your continued support and vigilance.


  1. An off-by-one error in the validator's reward calculation caused an unusually large reward to be issued in a single transaction, underlining the need for stronger security controls.
  2. To mitigate such incidents, the project is launching a bug bounty program, releasing a mandatory security patch, and establishing a public security email list for more effective communication.
  3. To maintain the network's integrity, the community should stay vigilant, report potential security issues responsibly, and use external monitoring tools for early detection.
