Postmortem Analysis: Cycle Hack Incident
In a recent development, the Marinade Finance team has addressed a critical flaw in their validator software, specifically an "off-by-one" error in certificate validation logic. An off-by-one error is a common class of programming bug in which a loop or range bound is one unit too large or too small, so that one extra (or one missing) element is processed; in epoch-based reward accounting, that means one epoch or one reward distribution too many or too few is counted.
In the case of Marinade Finance, the off-by-one error led to a faulty staking reward allocation, resulting in the unintentional creation of approximately 500,000 SHM tokens. These tokens, not corresponding to actual earned rewards, arose from an improper calculation or issuance caused by the indexing mistake.
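The following is an added illustration of the bug class described above, not Marinade Finance's code or a reconstruction of the actual flaw. It assumes a hypothetical reward model in which a stake record holds a half-open epoch range (`start_epoch` inclusive, `end_epoch` exclusive) and earns a fixed constructed rate per active epoch; the names `StakeRecord`, `rewards_buggy`, `rewards_fixed` and `audit_issuance` are assumptions. The buggy function uses an inclusive upper bound and therefore pays one epoch too many per record, and the audit function shows the kind of independent cross-check that would have caught an over-issuance before tokens were created.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

# Constructed sample rate; not a real SHM reward parameter.
REWARD_PER_EPOCH = 10.0


@dataclass(frozen=True)
class StakeRecord:
    """Hypothetical stake record with a half-open active epoch range."""
    validator: str
    start_epoch: int   # first epoch the stake was active (inclusive)
    end_epoch: int     # first epoch the stake was NO LONGER active (exclusive)


def rewards_buggy(rec: StakeRecord) -> float:
    """Off-by-one: the '+ 1' makes the exclusive end epoch count as active,
    so every record is paid for one epoch it never served."""
    total = 0.0
    for _epoch in range(rec.start_epoch, rec.end_epoch + 1):
        total += REWARD_PER_EPOCH
    return total


def rewards_fixed(rec: StakeRecord) -> float:
    """Correct accounting over the half-open range [start_epoch, end_epoch).
    Rejects malformed records instead of silently paying a negative or
    inflated amount."""
    if rec.end_epoch < rec.start_epoch:
        raise ValueError(f"{rec.validator}: end_epoch precedes start_epoch")
    active_epochs = rec.end_epoch - rec.start_epoch
    return active_epochs * REWARD_PER_EPOCH


def audit_issuance(records: Iterable[StakeRecord], issued: float) -> Tuple[bool, float, float]:
    """Defensive check: recompute the expected total from the stake records
    and compare it with what the issuance path actually minted. Returns
    (ok, expected_total, discrepancy). A non-zero discrepancy is the signal
    an operator would alert on before any tokens leave the reward account."""
    expected = sum(rewards_fixed(r) for r in records)
    discrepancy = issued - expected
    return discrepancy == 0.0, expected, discrepancy


def demo() -> Tuple[float, float, bool]:
    """Run the buggy issuance over constructed records and audit it."""
    records = [
        StakeRecord("validator-a", start_epoch=100, end_epoch=110),  # 10 active epochs
        StakeRecord("validator-b", start_epoch=105, end_epoch=108),  # 3 active epochs
    ]
    minted = sum(rewards_buggy(r) for r in records)   # 150.0, two epochs too many
    ok, expected, discrepancy = audit_issuance(records, minted)
    print(f"minted={minted} expected={expected} discrepancy={discrepancy} ok={ok}")
    return minted, expected, ok


if __name__ == "__main__":
    demo()
```

The practical takeaway is the shape of the control rather than the arithmetic: the audit recomputes rewards from the source records with a separately written function, so a bound error in the issuance path shows up as a discrepancy instead of as freshly created tokens.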
The abnormal SHM reward amount, originally stated as 502,694.51 SHM, has been corrected to 502,692.05 SHM. Following the attacker's return of the exploited SHM, the abnormal reward amount was burned on July 30, 2025.
The investigation found this to be an isolated incident, with no evidence of any further impact elsewhere in the network's history. The suspicious high staking reward was the result of a deliberate attack on the Marinade Finance network.
To prevent such incidents in the future, the team has taken several measures. They have released a mandatory security patch, Validator v1.19.3, which corrects the underlying flaw and implements additional defensive checks. A public security email list will be launched for developers, node operators, and community members to facilitate easier communication and collaboration.
Moreover, a Security Incident Response Playbook will be formalized and published, outlining steps to be taken in case of similar incidents. To encourage responsible disclosure of vulnerabilities, a bug bounty program will be announced. External monitoring and alerting tools will also be evaluated for integration.
The community played a significant role in this incident's resolution. Members such as NoviceCrypto and others spotted the discrepancy quickly, allowing prompt action from the Marinade Finance team. The return of the abnormal SHM can be verified on-chain via five transactions: Transaction 1, Transaction 2, Transaction 3, Transaction 4, Transaction 5.
Regular SHM holders do not need to take any action, as the issue was limited to validator reward accounting. Validator operators, however, must ensure their node is running the latest patched version to minimise the risk of such incidents.
To report potential security issues, options include emailing the security team, reporting on GitHub, or opening a support ticket on Discord; in every case, exploit details should not be posted publicly until the security team has acknowledged the report. Marinade Finance values the security of its network and encourages its community to be vigilant and proactive in reporting any suspicious activity.
- Despite the incident, Marinade Finance acknowledges the central role of technology in its operations and the need for continuous improvement in cybersecurity, particularly for personal-finance technology, to prevent similar incidents in the future.
- In the world of investing, where every penny counts, projects like Marinade Finance must prioritise financial security: ensuring the accuracy of earnings and preventing miscalculations or exploitation of the kind seen with the SHM tokens.