Post-Incident Analysis: Unraveling the Cycle Exploit
In an unexpected turn of events, a security incident was uncovered on a popular website network. On July 12, 2025, a community member noticed a suspiciously high staking reward and raised it on the website's Discord server. After a thorough investigation, it was confirmed that this was an isolated incident with no evidence of further impact across the network's history.
The root cause of the issue appears to be an off-by-one error in the certificate validation logic of the network service handling staking or cryptocurrency reward distribution. This programming bug, common in software development, caused the system to incorrectly verify or reject certificates or keys, leading to the improper authorisation of staking reward creation.
As a result, the staking reward contract or system generated an excess amount of tokens, which showed up as a faulty or unintended reward distribution. This type of error would likely arise in smart contracts or backend code that links identity/authentication (certificate validation) with staking reward logic.
To address this critical flaw, a mandatory security patch, Validator v1.19.3, has been released to correct the underlying error and implement additional defensive checks. The website team took several steps to ensure this was the first and only occurrence of this sort of attack, including deploying a hotfix to the validator software, scanning the network's history for similar artifacts, and expanding network monitoring.
The abnormal reward credit was voluntarily returned by the attacker, and the exploited SHM was burned in a transaction on July 30, 2025. Regular SHM holders are not affected by the incident, and no action is required.
To stay informed about such incidents and enhance network security, a public security email list will be launched for developers, node operators, and community members. Additionally, a Security Incident Response Playbook will be formalized and published for streamlined response during critical events.
To encourage responsible disclosure of vulnerabilities, a bug bounty program will be announced. Eligible issues may qualify for rewards. If you identify a potential security issue, you can report it via email, GitHub, Discord, or a support ticket.
External monitoring and alerting tools will be integrated to improve proactive detection.
The attack can be reconstructed as follows: the attacker generated two crafted service queue transactions at cycle 111165 with backdated cycle numbers and extra fields, reused a valid historical certificate inserted at array index 0, and tricked the network into selecting the attacker's record.
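The kind of defensive checks the reconstruction above points to can be sketched as follows. This is an added example, not code from the validator or the website team: the field names, the one-cycle freshness window, the certificate layout and the sig_ok stand-in for signature verification are assumptions, and the sample transactions are constructed.

```python
# Added illustration. ALLOWED_FIELDS, MAX_CYCLE_LAG and the tx/cert layout are
# hypothetical; they are not taken from the validator software.
ALLOWED_FIELDS = {"type", "cycle", "nominee", "certs"}
MAX_CYCLE_LAG = 1  # assumed freshness window, in cycles


def check_queue_tx(tx, current_cycle, seen_cert_ids, verify_sig):
    """Return a list of rejection reasons; an empty list means the tx passes."""
    reasons = []
    # Strict schema: any field outside the expected set rejects the transaction.
    extra = set(tx) - ALLOWED_FIELDS
    if extra:
        reasons.append("unexpected fields: " + ", ".join(sorted(extra)))
    # Freshness: both ends of the window are inclusive, stated explicitly.
    cycle = tx.get("cycle")
    oldest = current_cycle - MAX_CYCLE_LAG
    if not isinstance(cycle, int) or not (oldest <= cycle <= current_cycle):
        reasons.append("cycle outside accepted window")
    certs = tx.get("certs") or []
    if not certs:
        reasons.append("no certificates")
    # Check every entry, so a record's position in the array cannot decide the outcome.
    for i, cert in enumerate(certs):
        if cert.get("cycle") != cycle:
            reasons.append(f"cert[{i}] issued for a different cycle")
        if cert.get("id") in seen_cert_ids:
            reasons.append(f"cert[{i}] already used")
        if not verify_sig(cert):
            reasons.append(f"cert[{i}] bad signature")
    return reasons


def demo():
    sig_ok = lambda cert: cert.get("sig") == "ok"  # stand-in for real signature verification
    seen = {"cert-100"}  # constructed: certificate consumed in an earlier cycle
    good = {"type": "queue", "cycle": 111165, "nominee": "node-a",
            "certs": [{"id": "cert-200", "cycle": 111165, "sig": "ok"}]}
    # Constructed: backdated cycle, an extra field, a historical certificate at index 0.
    suspect = {"type": "queue", "cycle": 110000, "nominee": "node-b", "memo": "x",
               "certs": [{"id": "cert-100", "cycle": 110000, "sig": "ok"},
                         {"id": "cert-201", "cycle": 111165, "sig": "ok"}]}
    return (check_queue_tx(good, 111165, seen, sig_ok),
            check_queue_tx(suspect, 111165, seen, sig_ok))


if __name__ == "__main__":
    for result in demo():
        print(result or "accepted")
```

Returning every reason rather than stopping at the first gives monitoring a full picture of why a transaction was refused, which also helps when scanning history for similar artifacts.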
Huge thanks to the community member NoviceCrypto and others for their role in reporting and monitoring the discrepancy quickly. The website team acknowledges the importance of transparency and collaboration in maintaining network security and invites everyone to contribute to their ongoing efforts.
- The unexpected security incident on the website network was traced back to an off-by-one error in the certificate validation logic, a common programming bug that often arises in smart contracts or backend code that links identity/authentication (certificate validation) with staking reward logic.
- In response to this incident, the website team launched a public security email list for developers, node operators, and community members to stay informed about such incidents and enhance network security. Additionally, a Security Incident Response Playbook was formalized and published for streamlined response during critical events.
- As part of their ongoing efforts to maintain network security, the website team announced a bug bounty program to encourage responsible disclosure of vulnerabilities, with eligible issues qualifying for rewards. This initiative aims to foster a collaborative community committed to improving the website network's practices.