Casper Security Update on the July 26th Breach

Dear Casper Community,

This is an update on the security incident which was detected on the Casper blockchain on Friday 26 July 2024.  

Highlights:  

  • A security breach on a limited number of accounts was detected on 26 July 2024
  • The Casper team identified the issue and is delivering a solution
  • The Casper blockchain was halted by a decision of the validator community to contain the breach
  • The update to the Casper blockchain will be made available to the validator community once testing is complete
  • The validator community will then resume running consensus and restart producing blocks

UPDATE (Wednesday 31 July 2024): Read the Security Update: Preliminary Incident Report.

Description

Following the analysis on Friday 26 July 2024, the Casper team and partners involved started to develop a patch for the problem. It was established at that time that a limited number of accounts had been targeted to obtain CSPR without proper authorization from the owners of those accounts.  

In the early morning hours (CET) on Saturday 27 July 2024 it became clear that tracing and recovering those misappropriated funds may become difficult without immediately preventing further dispersion.  

A subset of validators joined in coordination to halt the consensus and block production to enable a patch to be thoroughly tested before staging an update to the Casper blockchain. Consensus was halted on 27 July 2024 at 07:50 UTC.  

The Casper network continues to be live. Consensus and validation will resume once a patch is released and staged by validators. This procedure and timing are expected to be similar to the many upgrades and rollouts performed by the Casper team when upgrading the network.

At this point, on 28 July 2024 at 17:30 UTC, the Casper Association is confident that the extent of the security breach is limited to under 15 accounts. All unauthorized transfers have been traced by Casper and related parties.  

A post-mortem will be made available after resolution, and any code change will be published in Casper’s public GitHub repository.

The Casper Association and parties affected by this incident will conduct a thorough investigation, including working with proper authorities to recover any funds which may have been transferred without proper authorization.  

For any enquiries or information, please contact Casper Association here: https://casper.network/contact