GitHub Breach | Züs Weekly Debrief (November 10, 2022)

Chad Hanson
November 10, 2021
News & Updates

Hope everyone has been having a great week so far. This week, devs successfully scaled internal testing for our blockchain layer, with additional improvements in efficiency. The dev team also notes the success of recent testing for storage layers, 0Box and 0Wallet. It has been a relatively quiet week on non-dev progress as we continue to review demos/samples and provide feedback to our UI team. This week, Sculptex takes a look back and reflects upon the GitHub breach incident.

Sculptex’s Update: GitHub Breach

“A bit of a change to my usual section this week. I’ll reveal a little more of what went on with the hacker incident.

On the night of Saturday 25th September (UK time) a message appeared on 0chain Telegram from someone claiming they had control of Saswata’s GitHub account. Expecting it to be a scam, I privately messaged him to establish if there was any substance. I soon realized it was legitimate when he showed me a screenshot of many repos that aren’t yet publicly visible.

Once this was established, I asked if he was happy for me to remove his original message from the 0Chain telegram group so as not to cause panic in the community. The hacker made it clear that he was financially motivated. I made sure to tell him that his timing couldn’t have been much worse in this regard!

He was frustrated that Saswata hadn’t responded to his private TG message. I assured the hacker that I would pass the message on to him. In fact, I had already contacted Saswata via Slack but quite rightly he didn’t want to engage directly. Keeping a degree of separation is a wise move. It buys more time and negates the possibility of revealing IP address and location information plus additional potential exploits using booby-trapped links etc.

His Actions

By the next evening, the hacker had started removing Devs from the 0Chain repos. This was more of a frustration than anything, obviously designed to entice a response out of Saswata. Monday evening, the GitHub breach hacker popped up again on the 0Chain Telegram, sharing frustration with the lack of response.

By now, as was inevitable, Saswata had regained control of GitHub, so I was expecting the hacker to be a bit more hostile. There was no chance of keeping this under wraps any longer, so I thought I’d try another tack. I asked him what he thought of the code and if he’d had a chance to look for the elusive VC bug! He was quite responsive to this, impressed with the amount of work that continued to be committed over the weekend, even while the GitHub was compromised!

By this time, several community members were engaging with the hacker. This bought me more time to be able to relay back and forth to Saswata as our private conversation progressed. The hacker showed me several security keys that were still working, obviously hoping to cause some panic, but fortunately, these were just minor functionality keys that had not yet been patched.

His main angle now seemed to be that he could release the private repos, but when I informed him they were going to all be made public anyway he didn’t have much left to bargain with. At this time, per the suggestion of Saswata, I offered him a legitimate reward to perform a security audit on our code (looking for vulnerabilities), but he refused, suggesting the offer was not worth his consideration.


At the end of the GitHub breach, the hacker realized that there was little value in pursuing things further, but I also think he was quite flattered by the attention from our community. And he left me with one final note, never to return (yet anyway).”

Non-Dev Updates

A rather quiet week on the non-dev updates as we continue to review various UI samples developed by the team. At this time, we have opened up our samples for review by a larger team to take a variety of factors and preferences into consideration. As one of those reviewing the potential UIs, I must say they are looking great! Thus far, the demos have shown intuitive designs that are easy to use. This will enable anyone to simply download and get started using 0Box. By minimizing the barriers to onboarding new users to 0Box, we enable everyone to start using the Züs platform without complicating the process for those who are not familiar with crypto.

Development Team Updates

Great success on multiple fronts over the past week. Notably, core testing of the storage layer has been completed with all areas of improvement being addressed. At this time, we have moved on to more complex scenarios and edge cases to ensure that we find and fix as many potential bugs as possible prior to launch. Over the past week, the number of bugs and performance bottlenecks has sharply reduced, which illustrates our successful approach to testing for and fixing these issues. Make sure to read on to learn more about 0Box, 0Wallet, and Blockchain progress.

0Box & 0Wallet

This week we made great strides in our 0Wallet and 0Box mobile applications. Both applications now have major bugs resolved and feature enhancements merged, with more on the way in the coming weeks. The team is currently reviewing a few remaining tickets. Over this time, we also made small updates to address potential UI bugs. The team continues to note ongoing work with the implementation of the USDC-ZCN swap feature, noting approximately 90% completion. This itself is another feature that will enable crypto users to simply get started with 0Box and 0Wallet with minimal friction.


We have ramped up testing on the blockchain layer, noting successful scaling of our cluster size at this time. Recent weeks’ testing has resulted in implementations that have enhanced network stability. We are now able to double the number of miners with the chain remaining stable. Not only is this a notable improvement in network stability as it scales, but the miners were also able to perform more efficiently, requiring 1/3 fewer CPU resources than previously.

These improvements are a result of updates given in previous weeks, as well as recent updates to goroutine leak issues, improving the finalization/update process for new blocks. This also improved state-saving speeds. The cluster of bugs addressed here, as well as in previous weeks, are all components of the interrelated bugs that compose ‘the View Change bug.’ Initial Active Set testing revealed issues that would ‘boot’ miners from the active set, place excessive CPU demand on miners, and cause the network to slow/stall. At this time, the team has enhanced numerous processes that address these aforementioned issues, resulting in a more stable and efficient chain as the team scales the network.

About Züs

Züs is a high-performance storage platform that powers limitless applications. It’s a new way to earn passive income from storage.
