On April 28, the founder of Io.net will dispel apprehension, uncertainty, and dread by demonstrating live cluster formation via livestream.
There was a recent cyberattack on the decentralized physical infrastructure network (DePIN) known as Io.net. On the GPU network, malicious users were able to make unauthorized changes to device metadata by using exposed user ID tokens to perform a SQL injection attack.
Io.net’s chief security officer, Husky.io, wasted no time in implementing fixes and security patches to shore up the system. Thanks to their strong permission layers, the GPUs’ real hardware was luckily unharmed by the assault.
A rise in write operations to the GPU metadata API triggered alarms at 1:05 am Pacific Standard Time on April 25, during which the vulnerability was found.
The answer was to strengthen security by making it more difficult to inject SQL into APIs and by better documenting instances of illegal attempts. Another quick fix for issues with UATs was the implementation of a user-specific authentication system based on Auth0 and OKTA.
This security upgrade happened to coincide with a snapshot of the rewards program, which is bad since it will make the projected decline in supply-side participation much worse. As a result, the number of active GPU connections dropped dramatically from 600,000 to 10,000, since valid GPUs that failed to restart and update were unable to use the uptime API.
In response to these difficulties, in May we launched Ignition Rewards Season 2 to motivate supply-side involvement. Upgrading, restarting, and reconnecting devices to the network is an ongoing operation that involves coordinating with vendors.
Vulnerabilities in the implementation of a proof-of-work approach to detect fake GPUs led to the compromise. Due to an increase in attack tactics caused by aggressive security patches applied before the event, ongoing security evaluations and enhancements are necessary.
Attackers accidentally exposed user IDs while searching by device IDs by taking advantage of an API vulnerability that allowed content display in the input/output explorer. This stolen data was already in a database for a few weeks prior to the incident.
The perpetrators gained access to the “worker-API” by using a legitimate universal authentication token, which allowed them to modify device information without needing authentication at the user level.
Husky.io highlighted the need for regular, comprehensive inspections and penetration testing on public endpoints in order to identify and mitigate attacks promptly. There have been setbacks, but work is continuing to reestablish network connections and promote supply-side involvement, which will guarantee the platform’s integrity and allow it to serve thousands of compute hours every month.
In March, Io.net intended to improve its AI and ML offerings by integrating technology from Apple’s silicon processor family.