Casper Network AMA Recap | Aug. 2nd 2024

On August 2nd, the Casper team held an insightful Ask Me Anything (AMA) session in the Casper Telegram channel. The session covered various topics, including the recent security breach, network upgrades, and the future of Casper's projects. Below are the key questions and answers from the session:

Q&A

1. When was the security breach detected?

The Casper team was made aware of the breach on July 26. Immediate action was taken to mitigate further risk, and a subset of validators agreed to pause consensus on July 27, 2024, at 07:50 UTC to prevent fund transfers.

2. What was the nature of the issue?

A vulnerability allowed an attacker to gain elevated access to resources via an elevation of privilege exploit. It is important to note that this was not related to the Casper platform architecture or consensus mechanisms.

After a thorough investigation, it was discovered that malicious actors exploited a vulnerability which allowed a contract installer to bypass the access rights check on urefs, thereby enabling them to grant the contract access to uref-based resources. This escalation of privilege enabled illicit access, including the ability to transfer tokens.

3. How many accounts were affected?

A total of 13 wallets were affected. The Casper Association is working directly with the parties to ensure all affected parties receive their CSPR back.

4. Why was the Casper network halted?

Once the security incident was recognized, validators agreed to pause the consensus mechanism and stop transactions. Decentralized Validators across many time zones came together to agree on this course of action. An update to neutralize the issue was quickly developed. Several days of comprehensive testing followed to ensure the network’s security. The network was returned to consensus and minting blocks on 31 July.

5. Was this an upgrade or a fork?

This was not a fork of the network. This is an upgrade to the Casper network with a global state write of data. Prior to staging the upgrade, a meeting was held with 64 decentralized validators representing ~85% of network stake. In this meeting, the situation was described. All validators had an understanding of the writes being done to global state. We had an open question and answer session to assure that all validators were comfortable with this upgrade. After that, ~85% voted by applying this upgrade and resuming consensus and minting blocks.

6. Were there any transactions or blocks lost?

When the network was paused, there were two blocks within the current era. There is a higher technical challenge with resuming the network when paused in the middle of an era instead of at a switch block at the end of an era.

The decision was made to remove the two existing blocks back to the previous era’s switch block. The two removed blocks contained four (4) transactions which will effectively be orphaned, meaning their effects on the blockchain are removed. These transactions can be replayed with a current timestamp and signature to re-apply the effects to the chain.

7. Would Casper Labs/Network consider halting CSPR Token inflation and is that even possible?

Casper is a proof-of-stake network. Any changes to reward mechanisms would need to be ratified by 67% of the validators.

8. What security measures were taken because of this incident?

In order to ensure this vulnerability is eliminated, a tool was developed to traverse the entire blockchain from genesis to tip and detect other instances. This thorough process took several days and yielded no other instances of exploitation. Multiple layers of assurance, including manual and automated testing, as well as third-party reviews of the network upgrade, provide confidence that the vulnerability has been eliminated. We are looking forward to working with our validator and broader community to resume growing and strengthening our network.

9. Does this impact Prove AI development efforts? What about Condor?

No. It does not impact Prove AI, our relationship with IBM, or the work on Condor. Prove AI will launch on the Casper network in September. Pilot use cases are already going through final testing and will soon appear on the public Casper network in the interim period.

We continue to progress towards the Condor update, which is currently on Devnet. Among other features, Condor will further enhance the network’s architecture and introduce a more accessible consumption model for less technical users, including startups, mainstream businesses and public sector organizations.

10. What about staking rewards while the network was halted?

Staking rewards are generated by proposing blocks. During the time that the network was paused, there were no blocks proposed. Given the lack of block proposals, no rewards could be generated and subsequently distributed to accounts during that period.

11. Why have some exchanges halted trading and some not?

Each exchange decides to halt trading or not independently. Many exchanges halted deposits and withdrawals in order to check for illicit transactions related to the attack. It is up to the exchanges to decide when to resume deposits and withdrawals.

12. Why was the chain halted for longer than it took to develop a patch?

It's because a tool was developed to check the entire blockchain from genesis to tip and detect other instances. This thorough process lasted a few days and yielded no other instances of exploitation. Multiple layers of assurance, including manual and automated testing, as well as third-party reviews of the network upgrade, provide confidence that the vulnerability has been eliminated. The validator meeting which resulted in Casper resuming consensus was held when maximum confidence had been reached on the upgrade.

13. How is the Casper network doing after resumption of consensus and minting blocks?

The Casper network is fully operational and all on-chain activities are working as per usual. We can see a very supportive community and have noticed staking behavior similar to recent months.

14. Would it be fair to say that as CL is focusing on Prove AI and Enterprise adoption, the responsibility for retail adoption rests on CA?

That's a fair categorization - retail and b2b audiences are generally quite distinct and require different marketing channels. Casper Labs' marketing efforts are largely focused on developing a robust enterprise sales funnel for Prove AI. That's a distinct approach that generally focuses on targeting different audiences, and is thus less visible to this community. For context, much of what Labs is currently doing is focused on paid search and enterprise events, including the recent IBM THINK keynote in May. Casper Labs will also be running a campaign in the Financial Times in September, which will boost overall Casper visibility.

The Casper Association is the official steward of the community and leads marketing efforts, including community and KOL management and representing Casper at major blockchain industry events.

15. Did the recent security issue fracture any of your strategic business partnerships (e.g. IBM, ACTUS Foundation, Sarson Funds, etc.)?

These relationships remain intact. We've remained in close touch with all of our strategic partners throughout the recent events and appreciate their continued support and trust.

16. Will there be a commitment to join major exchanges for advertising?

We do not control the decision as to what is and what isn't listed on third-party exchanges. We are always working to make the Casper network more accessible to more people and we welcome (and encourage) this community to reach out to any exchange of interest to ask them about listing plans for CSPR. It never hurts to show more and timely demand.

Stay tuned for more updates on Casper's progress and initiatives.