Responsible Disclosure Announcement
On August 13th, 2018 I discovered an issue with the KAPU blockchain:
- All database entries in the votes table got duplicated on July 17th.
- The KAPU team had distributed a corrupted snapshot (with the duplicated database entries) to all nodes and doing so corrupted their blockchain.
- ARK delegate Goose informed KAPU of the duplicate vote issue because it broke his payscript. This took place at the moment the problem occurred, and KAPU failed to recognize the severity, nor did they act to analyse and find a solution.
Currently the KAPU blockchain is corrupted:
- It can't be restored from 0
- It can't be upgraded to ARK v2
- A number of forging delegates are only elected due to the duplicated votes, receiving and distributing KAPU tokens that they shouldn't
There are 2 possible solutions:
1. Revert to the blockchain as per July 17th (and lose all transactions since)
2. Restart a new blockchain and distribute tokens to reflect the current balances (and lose all history)
The KAPU team was informed of the problem on July 26th and August 13th. We have been working closely with their dev team to analyse the problem and this has led to a security update on ARK Node v1 (v1.1.0). The KAPU team, however, has a responsibility to their users to take a decision on how to proceed and how to compensate their token owners. Up until today, KAPU has failed to inform their tokenholders and take measures to secure the integrity of their blockchain.
@Marc - cryptology, ARK Slack
https://steemit.com/arkecosystem/@jarunik/kapu-disclosure-announcement