
Post-Incident Analysis: Unraveling the Cyclic Vulnerability Breach on Our Site

Team at our website promptly addresses cycle exploit, releases a fix, and destroys all returned SHM to safeguard the community.


On July 12, 2025, a significant and unprecedented incident on our website network created approximately 500K SHM as a faulty staking reward.

The abnormal reward amount (502,692.05 SHM) was promptly burned in a transaction on July 30, 2025. The incident occurred during cycle 111165, resulting in an improper credit of the SHM tokens.

Although the exact nature of the vulnerability has not been extensively documented, it is reasonable to conclude that the issue was a smart contract vulnerability or protocol misconfiguration causing incorrect staking reward issuance.

The exploit passed through multiple layers of security checks, tricking the network into thinking a single node had been active in the network since 2019. The critical flaw, an "off-by-one" error in the certificate validation logic of the validator software, was identified and resolved by our team.

The team at our website, with the help of community members like NoviceCrypto, identified and resolved the issue, and all of the created SHM was voluntarily returned to the Foundation wallets. No action is needed from regular SHM holders: the issue was limited to validator reward accounting and did not impact user balances or transaction data.

To ensure transparency and a swift response to critical events, a Security Incident Response Playbook will be formalized and published to streamline detection, triage, communication, and resolution processes. Furthermore, a public security email list will be launched so that developers, node operators, and community members can stay informed about critical vulnerabilities, patches, and security-related announcements.

To improve proactive detection, the team at our website has expanded its network monitoring to look for malformed cycle records, malformed cycle certificates, and abnormal staking reward amounts. External monitoring and alerting tools, such as anomaly detection and on-chain analytics, are being evaluated for integration to enhance detection further.
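A sketch of the kind of monitoring check described above, added here as an illustration and not taken from the validator software or the team's tooling: it flags reward records that are malformed, claim an active period starting before the network existed, or pay more than the claimed duration allows. The record layout, field names, launch date, reward rate and threshold are all assumptions.

```python
from datetime import datetime, timezone

# Everything below is assumed for illustration: field names, limits and records.
NETWORK_LAUNCH = datetime(2025, 1, 1, tzinfo=timezone.utc)  # placeholder date
MAX_REWARD_PER_HOUR = 1.0    # hypothetical protocol reward rate (SHM/hour)
ALERT_THRESHOLD = 5_000.0    # hypothetical per-payout alert level (SHM)
REQUIRED = ("node", "cycle", "start", "end", "reward")

def check_reward(rec, now):
    """Return the reasons a reward record looks abnormal (empty list = clean)."""
    missing = [k for k in REQUIRED if k not in rec]
    if missing:
        return ["malformed record: missing " + ", ".join(missing)]
    start, end, reward = rec["start"], rec["end"], rec["reward"]
    reasons = []
    if start < NETWORK_LAUNCH:
        reasons.append("active period starts before network launch")
    if end < start or end > now:
        reasons.append("active period is inverted or ends in the future")
    hours = max((end - start).total_seconds(), 0.0) / 3600
    if reward > hours * MAX_REWARD_PER_HOUR:
        reasons.append("reward exceeds maximum for claimed duration")
    if reward > ALERT_THRESHOLD:
        reasons.append("reward above alert threshold")
    return reasons

def scan(records, now):
    """Map record index -> reasons, for flagged records only."""
    flagged = {}
    for i, rec in enumerate(records):
        reasons = check_reward(rec, now)
        if reasons:
            flagged[i] = reasons
    return flagged

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample records; only the cycle number and amount in the second
# one are taken from the article, the record layout is not the network's own.
SAMPLE = [
    {"node": "node-a", "cycle": 111164, "start": utc(2025, 7, 11),
     "end": utc(2025, 7, 12), "reward": 20.0},
    {"node": "node-b", "cycle": 111165, "start": utc(2019, 1, 1),
     "end": utc(2025, 7, 12), "reward": 502_692.05},
    {"node": "node-c", "cycle": 111166, "reward": 3.0},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE, utc(2025, 7, 13)).items():
        print(SAMPLE[idx]["node"], why)
```

The checks are independent on purpose: a record that slips past one bound (for example a forged start time that is still plausible) can still trip the rate or threshold check.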

To encourage responsible disclosure of vulnerabilities, a bug bounty program will be announced. Eligible issues may qualify for rewards, but please refrain from posting exploit details publicly until acknowledged by the security team. Validators should also ensure their nodes are running the latest patched version, which can be checked on the main dashboard or in the server terminal.

In light of this incident, the team at our website has released a mandatory security patch, Validator v1.19.3, to correct the underlying flaw and implement additional defensive checks. The investigation confirms this appears to be an isolated incident with no evidence of further impact across the network's history. If you identify a potential security issue, you can report it confidentially via email, GitHub, a support ticket on Discord, or by following the security policy.


