Last week, a potential vulnerability in the protocol was reported to Concordium through our support ticket system. What followed was a 36-hour operation spanning detection, diagnosis, patching, and a staged rollout to validators.
By the very early hours of May 1, over a third of mainnet stake was running patched nodes, making the exploit structurally impossible to execute on the live network. By the following afternoon, that figure had reached 70%.
Mainnet was not affected at any point. User funds remained protected, and the integrity of balances in the protocol’s ledger were preserved.
Timeline
- April 29 — A security researcher, going by the handle @oxbut on Discord, contacted the team through Concordium's ticket system, claiming to have found a vulnerability, and that they could demonstrate veracity of their finding on testnet.
- April 30 — The vulnerability was confirmed on testnet. Within 70 minutes, engineers had traced the anomaly to its source and located the bug. A fix was developed in private repositories, validated internally, and rolled out to validators by late evening.
- May 1 — Just after midnight, 37.6% of mainnet stake was running patched nodes, making the exploit structurally impossible to execute. By that afternoon, coverage had reached 70%.
Nature of the Vulnerability
The bug allowed for a misrepresentation of the at-disposal balance of the receiving account, though the total balance remained correct. Left unaddressed on mainnet, this could have created inconsistencies in how account balances were displayed and interpreted. The issue has been fully patched. A full description of the issue, and the resolution will be published in the near future.
Response and Remediation
From the first anomaly alert to the bug being located, approximately 70 minutes elapsed. From detection to a validated fix, under eight hours. From detection to mainnet secured against the exploit, approximately 11 hours.
The team deployed the fix through direct coordination with network validators rather than issuing a public advisory that could have drawn attention to an unpatched vulnerability. The engineering team worked directly with the individual who reported the issue throughout, treating the disclosure as a collaborative effort.
Next Steps
Further investigation is being conducted, and a mainstream 10.0.8 node release has been released for general availability. The team is also coordinating with major validators and ecosystem infrastructure providers on next steps. Certik has been engaged as part of the ongoing investigation.
This incident began with someone doing the right thing: reporting a vulnerability directly to the team rather than exploiting it, a responsible disclosure. Notably, the researcher identified the issue using AI agents to probe for protocol-level vulnerabilities, an approach that underscores how the security landscape is evolving and why protocols need to stay ahead of it. Concordium acknowledges their responsible disclosure, and is committed to making it as straightforward as possible for issues to be reported. More on Concordium's security infrastructure and what's ahead can be found on the roadmap.
Update Your Node
Node operators who have not yet applied the latest update should do so at their earliest opportunity. The patched node package (10.0.8-2) is available now. For technical guidance on updating, refer to https://docs.concordium.com/en/mainnet/how-to/nodes/node-requirements.html
If you have any issues with the updating process, raise a support ticket in our Discord channel.