Kopalnie Krypto Team - Saturday 13 August 2022
CAT standard update - white hat intervention
At the end of July, a rapid update of the CAT standard made headlines. It turned out that Chia Network used this approach to address a code flaw. Fortunately, the issue was detected in time, and a solution was implemented to minimize the damage. Find out exactly what happened and how Chia managed to overcome the difficulties in our latest article.
What is CAT?
Let's start by explaining the basic concept. The acronym "CAT" stands for Chia Asset Tokens, which are exchangeable tokens of resources issued on the Chia blockchain. The CAT1 financial exchange standard was introduced in January 2022. CAT tokens include, among others, stablecoin USD (USDS), Marmot (MRMT), and Spacebucks (SBX).
The Heart of the problem
So, what happened? In short, Chia Network swiftly eliminated CAT1 tokens from the blockchain and replaced them with CAT2 tokens. The reason for this decision, as the network admitted after the fact, was the discovery of a serious code flaw, specifically an infinite inflation bug.
An independent security audit commissioned by Chia and conducted by the company Trail of Bits revealed that the CAT1 code allowed the creation of an infinite number of tokens. In simple terms, it was possible to activate a "money printer" that would endlessly produce counterfeit CAT tokens. The Chia Network team immediately responded to the discovered issue. Once confirmed that the exploit had not been used, they developed a strategy to address it. Within a day, a blockchain monitoring tool was built to alert the team of any abuses. To prevent counterfeiting of tokens, it was necessary to implement the CAT2 standard.
Immediate correction was not an option, especially since the risk only affected the CAT1 standard, not XCH. Chia Network then devised a robust fix and, once it was ready, prepared public exchanges and the entire ecosystem for a major change. The CAT1 standard's shutdown was announced 24 hours in advance, minimizing the risk to end-users.
The rapid implementation of the new financial exchange protocol was done to ensure the overall network security, which remains a priority for Chia. Closing all open orders simultaneously prevented abuses and tied the hands of potential fraudsters.
Crisis management and white hat actions
Users who read the Chia Network announcement on July 25th did not yet have a full view of the situation. They were only informed that if they had any CAT1 assets in their wallets, they should upgrade their blockchain version as soon as possible. In edition 1.5.0, which supports CAT2 standard, the previous tokens would no longer be supported. However, the old CAT1 balance would correspond to CAT2 assets in their new wallets (tokens reissued by developers).
The network also advised asset holders not to take any other actions, particularly not to engage in transactions involving CAT until the blockchain update. Any submission or acceptance of CAT1 transactions after the significant blockage would result in the loss of XCH funds. The received tokens could not be converted to CAT2, and outdated CAT1 assets would become completely worthless after the changes.
After the blockage, Chia itself began forging CAT and filling outstanding offers with them, accepting the offers, and then returning XCH to their original owners. Ethical hacking, also known as white hat hacking, was the best possible solution in this case. Thanks to this, as well as transferring CAT1 offers to offline mode and blocking the creation of new transactions, the risk was minimized to an absolute minimum.
The changes introduced do not affect the security of Chia Network and the blockchain itself – the implemented update patched the CAT1 vulnerability. The NFT or XCH transactions themselves were never at risk. The problem was specific to CAT1 tokens, and it was successfully eliminated.
Fire extinguished
In hindsight, the flaw in critical software seems obvious and difficult to overlook. However, working on new technologies and stimulating development always carries the risk of errors. Clearly, certain obstacles will appear on the previously unbeaten path. The key is to quickly detect them and effectively deal with them.
It must be acknowledged that Chia Network identified the problem and promptly implemented a solution that minimized the damage. It's commendable that the decision-makers dared to make corrections immediately and honestly admitted their mistake, rather than waiting under the rug until a real disaster occurred. It is hoped that lessons will be learned from this painful experience, and Chia Network will put even more effort into testing and auditing phases. They already do so regularly – Trail of Bits' security review was the third independent code audit conducted by Chia.
It is also worth appreciating the honesty of the network and the fact that Chia Network published extensive blog posts explaining the details of the whole matter. Fortunately, thanks to the collaboration of developers and CAT issuers, the fire was extinguished in time. Although the community was exposed to significant changes, they were necessary changes – and undoubtedly for the better.
