Critical vulnerability discovered

During an audit of the Neptune Cash protocol a vulnerability has been found. The vulnerability was disclosed to us on June 6.

Our strategy for fixing this is to do a shallow rollback to a few days before the vulnerability was disclosed and then continue from there. We will be sharing a new version of neptune-core within the next few days.

The good news is that we have already implemented the rather simple fix, and that the audit greenlighted the rest of the codebase, including Triton VM. The remaining engineering work consists of managing the logic of changing the rule set at a yet-to-be-decided block height.

A new lustration barrier will be set up to give everyone a guarantee that the exploit has not been used to increase the money supply beyond its intended amount. We don’t want future users to always be in doubt if past soundness errors have made their investments worthless.

On the bright side this means that we have the chance to add a few more security-in-depth checks to the consensus protocol, thereby reducing the chance that this happens in the future.

It’s also no secret that we can’t wait to start building more visionary projects on top of Neptune, foremost of all being succinctness and smart contracts.

For now, we suggest that miners stop mining since their efforts will be rolled back.

Although we’ve experienced a few soundness bugs in the Neptune Cash protocol, we’ve also been able to preserve all user balances across all of our fixes. We have little doubt that that will be the case with this vulnerability, too.

For those interested in reading the audit report themselves: http://claims.neptune.cash/opus-4.8-audit.zip

Many thanks to the anonymous supporter of Neptune Cash who compiled it. 🙏
