Last Notes
Your cat hasn't escaped the Matrix yet
https://video.nostr.build/abe51f0e788d44607a829698e43f4cf8a0e12e430e0c9c4875d946d2f8d8b6ec.mp4
https://blossom.dreamith.to/653283698b180f0e8d4ba5ab27569b6cf0466b216d733a2f7a3da0a35db47c45.jpeg
Everyone is getting richer, it’s just the rich are getting richer at an extremely accelerated rate while the poor are getting richer at a rate that isn’t as fast.
In theory, a poor person today is better off than they were even 20 years ago.
However, the problem is things like zoning laws, medical regulation, government loans for college, etc. make goods, and services more expensive over time.
@npub1hqa…t56s 😎 plan your trip to Europe...
IT WAS AN ERA! There's a reason they still pine for goth girlfriends 🤣
https://i.nostr.build/v68FCIjqELfnuBV6.gif
The problem is ai is a big bet, perhaps the biggest one humanity has ever made.
The people that are investing millions to trillions want to be on the winning side of the bet because if you own the resources, and infrastructure needed for ai you’ll essentially get an indefinite amount of labor for a drastic cost reduction, we’re going from $20,000 to $100,000+/year for inefficient human labor for probably $5 to $10/year worth of tokens.
People are betting on 1 being the most likely scenario, and whoever breaks the wall first is going to be the biggest winner.
#nevent1q…ckum
https://youtu.be/4kL9roeVmuI
Quick update is warranted here:
1. I've managed to get rid of the server. It provided important scaffolding for a while but wasn't ultimately necessary. You can now log into https://www.inkan.cc with NIP-7 and interact with the existing inkan identities without any further registration.
2. Ethereum gas fees can now be paid by a sponsor if you don't hold ETH yourself. You just send the identity creation transaction to the sponsor and they can get your identity recorded on-chain.
3. I've added a wizard for creating a "toy identity" directly in the browser at https://www.inkan.cc . This is obviously not very secure and inkan identities should really be created on an airgapped system using the Management Utility. But in-browser creation is effortless and it's a nice way to try out an inkan identity.
4. To fully use your own inkan identity, you currently still need access to the inkan relay (happy to allow-list anyone who wants to try). This is just because your events need OTS timestamping and the inkan relay splices suitably formatted timestamps into the events it returns. I'll try to make some relay code available soon, so people can run their own OTS-enabled relays rather than having to use the inkan relay.
I think inkan is now pretty functional as a way to use Nostr with a true cold storage identity.
The AI Bet
1. Ai wins, and the promised profits are delivered.
2. Ai loses, and the global economy tanks.
3. Ai wins but growth is small.
4. Ai loses but the economy stays resilient.
Definitely @nprofile…j4al should be the man 😎
Do you have a link to the note?
https://blossom.dreamith.to/92d23c7a86b9f08a7f74c00b12380776e096c8bd3557eae8f9f7808d7ec2d952.jpeg
https://blossom.laantungir.net/0ee03242c2ec4fb3b29b1aeb755afb58cafd82513c68207d7f0865c4c39603a2.jpg
I used to only wear black. Everyone did. 🤭
It's nowhere near as bad, as it used to be.
Sugarbaby DMs and kind 1 randoms asking me to sit on their face. 🙄
It used to be intimidatingly, horrifically bad. Shit gave me nightmares.
https://blossom.dreamith.to/f674ad47039e5db45ccdde91b01519c559bf9e40dbc2636844e542e61e47354b.jpeg
#nevent1q…83he
This is a great critical discussion about national identities as a measure of suppression. And an activist that renounced his national identity to change towards a selfemissioned world government identity. 🙌
Seeing Islamic drop to tokenization makes me cringe.
https://i.nostr.build/X7he4txfOK2ML0wy.gif
I don't support shitcoiners. I support bitcoin. I love bitcoin more than I hate shitcoins.
Also... I like to shill shitcoins to people I dislike.
I love black but it looks too harsh on me a lot of the time. That said I still love black eyeliner 😍
A transparent look at the May 2026 exploit, the community response, and how the network recovered stronger.
On May 19, 2026, the Signum network faced one of the most serious security incidents in its recent history.
A crafted block exploited an integer overflow vulnerability in the Signum node’s block reward calculation. The result was extreme: approximately 140 billion SIGNA were credited to the attacker’s account in a single block — an amount far beyond the legitimate circulating supply.
At first glance, this could have been catastrophic.
But what happened next showed something far more important than the exploit itself: the strength, discipline, and speed of the Signum community.
Within the same day, the anomaly was detected, exchanges were contacted, emergency patches were released, pool operators coordinated, and a rollback process began. By the evening of May 21, the chain had reached consensus again. By May 23, exchanges had received the necessary CVE details and patch confirmation, and SIGNA trading resumed.
No legitimate Signum holder balance was affected.
This is the story of what happened, how the network recovered, and what we are improving next.
What Happened?
The exploit occurred at block 1,541,011.
An attacker crafted a malicious block that abused an integer overflow in the block reward calculation. Because the crafted block still satisfied the Proof-of-Commitment consensus rules on vulnerable nodes, it was initially accepted by parts of the network.
Shortly after the block was mined, community member ANGiS noticed an absurd account balance and detected that funds were starting to move toward exchanges. ANGiS immediately escalated the issue to frank_the_tank and ohager.
That early detection was critical.
It gave the team and the community enough time to act before the situation could spiral further.
The Root Cause
The vulnerability was introduced in the context of the SMART_FEES hardfork, which added fee cash-back and burn accounting to Signum’s block reward calculation.
In the affected versions, some arithmetic operations were performed using unchecked Java long calculations.
The vulnerable logic looked like this:
rewardFeesNqt -= block.getTotalFeeCashBackNqt();
rewardFeesNqt -= block.getTotalFeeBurntNqt();
By setting totalFeeCashBackNqt to a very large negative value, the attacker caused the reward calculation to overflow into a large positive value. That inflated reward was then credited directly to the miner account.
The issue affected Signum node versions:
signum-node >= 3.9.0 and < 3.9.8
The vulnerability was later registered as:
CVE-2026-48486
The Immediate Response
Once the issue was confirmed, the response moved quickly.
Exchanges were contacted and asked to halt SIGNA trading and deposits while the investigation was ongoing. This prevented further damage and limited the internal accounting impact for exchanges.
On the same day, two releases were published:
v3.9.7 was an emergency containment release.
It temporarily blocked the malicious account through the configurable node.accBlocking property, preventing further exploitation.
v3.9.8 was the root-cause fix.
It replaced vulnerable fee arithmetic with overflow-safe operations and introduced explicit rejection of invalid negative fee fields.
The response was public and transparent. The malicious account, the blocking mechanism, and the code changes were visible in git history. There was no silent patching and no attempt to hide the incident.
That transparency matters.
In decentralized systems, trust is not created by pretending that incidents never happen. Trust is created by responding quickly, communicating clearly, and fixing the root cause in public.
The Rollback
Because parts of the network had accepted the malicious block, a coordinated rollback was required.
Pool operators and node operators worked together to roll the chain back to before block 1,541,010. Operators still within the 1,440-block rollback window could perform a popOff through the API. Nodes outside that window required a full resync.
During testing and recovery, another issue appeared: some nodes performing a full resync from genesis encountered a non-deterministic fork-resolution bug introduced by the v3.9.8 patch.
This led to the release of v3.9.9 on May 21.
v3.9.9 completed the fix by adding a block-version-4 requirement for burnt-fee validation and correcting the chain-restoration logic.
By the evening of May 21, the network had stabilized and reached consensus again.
Impact
The exploit credited approximately 140 billion SIGNA to the attacker’s account in a single crafted block.
However, the coordinated rollback fully invalidated the fraudulent on-chain balance.
Most importantly:
No legitimate Signum account or holder balance was affected.
There was, however, temporary disruption:
SIGNA trading and deposits were suspended from May 19 to May 23.
Some exchanges that received attacker deposits before the trading halt experienced internal ledger divergence between their own records and the rolled-back canonical chain. These cases were resolved through direct coordination between the exchanges and the Signum team.
What Was Fixed?
Three releases were part of the incident response:
v3.9.7 — Emergency containment
The malicious account was temporarily blocked through node.accBlocking to prevent further exploitation.
v3.9.8 — Root-cause fix
All vulnerable fee arithmetic was replaced with overflow-safe operations using Convert.safeAdd() and Convert.safeSubtract().
Blocks with invalid negative fee fields are now rejected during block acceptance.
Fee totals are also validated against per-transaction sums.
v3.9.9 — Complete recovery fix
A block-version-4 requirement was added for burnt-fee validation, and the non-deterministic chain-restoration bug affecting full resyncs was fixed.
All operators should now run: v3.9.9 or later
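The root cause and the v3.9.8 fix described above, side by side, as an added example (not code from the Signum node). It uses the JDK's Math.addExact and Math.subtractExact as stand-ins for the project's Convert.safeAdd() and Convert.safeSubtract(). The class name, method names, parameters and all input values are constructed for illustration.

```java
import java.util.Arrays;

public class FeeRewardCheck {
    // Unchecked form, same shape as the two vulnerable lines quoted in the article.
    static long rewardUnchecked(long feesNqt, long cashBackNqt, long burntNqt) {
        long rewardFeesNqt = feesNqt;
        rewardFeesNqt -= cashBackNqt; // a negative cash-back is silently added
        rewardFeesNqt -= burntNqt;    // Java long wraps around without an exception
        return rewardFeesNqt;
    }

    // Hardened form: reject negative fields, check the declared totals against
    // the per-transaction sums, then subtract with overflow-checked arithmetic.
    static long rewardChecked(long feesNqt, long cashBackNqt, long burntNqt,
                              long[] txCashBackNqt, long[] txBurntNqt) {
        if (feesNqt < 0 || cashBackNqt < 0 || burntNqt < 0) {
            throw new IllegalArgumentException("negative fee field");
        }
        if (cashBackNqt != exactSum(txCashBackNqt) || burntNqt != exactSum(txBurntNqt)) {
            throw new IllegalArgumentException("fee total does not match transactions");
        }
        // subtractExact throws ArithmeticException instead of wrapping.
        return Math.subtractExact(Math.subtractExact(feesNqt, cashBackNqt), burntNqt);
    }

    // Sums per-transaction amounts; throws ArithmeticException on overflow.
    static long exactSum(long[] values) {
        return Arrays.stream(values).reduce(0L, Math::addExact);
    }

    public static void main(String[] args) {
        // Constructed inputs, not values from the incident.
        long fees = 1_000_000L;
        System.out.println(rewardUnchecked(fees, 300_000L, 200_000L)); // well-formed block
        System.out.println(rewardUnchecked(fees, -5_000_000_000_000_000_000L, 0L)); // inflated
        System.out.println(rewardUnchecked(0L, Long.MIN_VALUE, 1L)); // wraps around twice
        try {
            rewardChecked(fees, -5_000_000_000_000_000_000L, 0L, new long[0], new long[0]);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(rewardChecked(fees, 300_000L, 200_000L,
                new long[] {100_000L, 200_000L}, new long[] {200_000L}));
    }
}
```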
What We Learned
The response worked. The network recovered.
The fraudulent balance was invalidated. Exchanges reopened.
But this incident also revealed areas where Signum must improve.
1. Emergency communication must be faster
Some key pool operators were difficult to reach quickly.
In a rollback situation, time is measured in blocks.
A dedicated emergency channel for major pool operators and infrastructure providers would reduce response time significantly.
2. Vulnerability disclosure needs a formal process
This incident was handled successfully, but still too much of it was improvised under pressure.
Going forward, Signum should formalize the use of GitHub Security Advisories or a similar process for coordinated disclosure, private patch development, CVE handling, and exchange communication.
3. Anomaly detection should be automated
The incident was detected because a community member noticed something unusual.
That was fortunate.
The next step is automated monitoring for abnormal block rewards, suspicious supply changes, and other values outside expected ranges. Human vigilance is powerful, but critical alerts should not depend on someone randomly seeing the anomaly first.
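One way such a monitor could look, as an added example (not part of the Signum node or any existing tool). The BlockInfo record, its fields, the two rules and the sample blocks are all assumptions made for illustration: a credited reward may not exceed base reward plus fees, and circulating supply may not grow by more than the base reward in one block. Requires Java 16 or later for records.

```java
import java.util.ArrayList;
import java.util.List;

public class RewardMonitor {
    // Hypothetical per-block view, as a monitoring job might assemble it from a node.
    record BlockInfo(int height, long baseRewardNqt, long totalFeesNqt,
                     long creditedNqt, long supplyDeltaNqt) {}

    // Returns one alert line per rule violation; base reward is assumed non-negative.
    static List<String> findAnomalies(List<BlockInfo> blocks) {
        List<String> alerts = new ArrayList<>();
        for (BlockInfo b : blocks) {
            if (b.totalFeesNqt() < 0 || b.creditedNqt() < 0) {
                alerts.add("block " + b.height() + ": negative fee or reward value");
            } else if (b.totalFeesNqt() > Long.MAX_VALUE - b.baseRewardNqt()) {
                // Guard the monitor's own addition so it cannot wrap either.
                alerts.add("block " + b.height() + ": fee total out of range");
            } else if (b.creditedNqt() > b.baseRewardNqt() + b.totalFeesNqt()) {
                alerts.add("block " + b.height() + ": credited reward above base + fees");
            }
            if (b.supplyDeltaNqt() > b.baseRewardNqt()) {
                alerts.add("block " + b.height() + ": supply grew by more than base reward");
            }
        }
        return alerts;
    }

    public static void main(String[] args) {
        // Constructed sample blocks; heights and amounts are not from the real chain.
        long base = 10_000_000_000L;
        List<BlockInfo> sample = List.of(
            new BlockInfo(100, base, 1_000_000L, base + 1_000_000L, base),
            new BlockInfo(101, base, 1_000_000L, Long.MAX_VALUE, Long.MAX_VALUE - 1_000_000L),
            new BlockInfo(102, base, 2_000_000L, base + 500_000L, base));
        findAnomalies(sample).forEach(System.out::println);
    }
}
```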
A Community That Showed Up
Signum has no company behind it.
No centralized foundation with a professional incident-response department. No VC-backed security team waiting in the background.
What Signum has is something different: a community that moves when it matters.
Special thanks go to:
ANGiS for first detection and immediate escalation.
frank_the_tank for exchange coordination, pool operator outreach, and rollback orchestration.
ohager for root-cause analysis, patch development, and the rapid release of v3.9.7, v3.9.8, and v3.9.9.
pir8Radio from Nam Pool and Shadow from OG Ro-Pool for critical contributions to chain stabilization.
Balazs for post-incident analysis and ongoing hardening work.
And all pool operators, node operators, exchanges, and community members who acted quickly under pressure.
This was not just a technical recovery.
It was a community recovery.
Final Thoughts
Security incidents are never good news.
But they are also moments of truth.
They show whether a project hides, delays, blames, or acts.
In this case, Signum acted.
The vulnerability was identified.
The exploit was contained.
The chain was restored.
Legitimate balances were protected.
The root cause was fixed.
Trading resumed.
And the hardening work continues.
Signum is not stronger because the incident happened.
Signum is stronger because of how the community responded.
Transparent. Fast. Decentralized. Together.
That is what this network is built on.
Discover Signum
Signum is the world’s first truly sustainable blockchain, featuring world-class applications on a sustainable, leading-edge blockchain architecture. Unlike other cryptocurrencies, Signum powers its native cryptocurrency Signa (SIGNA), with a minor fraction of energy use and e-waste. Signum empowers users and developers worldwide with innovative blockchain solutions for everyday life.
Find out more at https://signum.network/ or join a Signum channel below.
Get SIGNA : https://signum.network/exchanges
Your SIGNUM-NETWORK
Published in Signum-Network
Written by Signum
a lawyer ....
I see the words “Germany” and “Munich Regional Court” ...
Yes, my jurisdiction ...
“Please don't hesitate to contact us with confidence ...”
Every case is a journey—you just have to take it.
Coffee?
Coffee?
I’m not that easy to scam, even before my first (or second) coffee!
If you think the whitepaper comprehensively describes the system, you're incredibly naive.
Watch and learn how this plays out. You'll either turn to shitcoining or leave the place entirely.
Good luck
I think Luke is a sufficiently crazy enough puritan that he would try a PoW change to fire the "bad actors" even if it meant walking away from OCEAN. He has said he's open to the idea multiple times.
https://blossom.dreamith.to/f7cd7c43b17fa6e4d3c1dde32c593f9d8fb5065c051fe7ffe2e8f9a4a9d46657.jpeg
https://media.tenor.com/NvdrkFQj668AAAAC/principal-skinner-yes.gif
Who gets to decide what’s “spam”, the problem is power users of Nostr could accidentally be conflated as “spam” due to high note output at times due to nostr’s incentive mechanism that reward over posting.
People who post little to none get no traction unless previously famous.
I’d hope you consider these weights into your model.
Stay away from the latest thing at all costs
@nprofile…jejf I like the improvement in search where it automatically goes to notes or profile depending on what you paste into the search field 🤌🏾
Jay is asking a fair question. There is a reason why nobody put child porn on the blockchain so far. Risking a chain split just to prevent something that never happened is dumb. But hey, feel free to do whatever you want to bitcoin. This is fuck around and find out territory. I guess the prudes are going to find out the hard way about this. So no spoilers for them. The question about the nature of evil might be above your paygrade. Js.
Bitcoin is bigger than any single mind or group of minds regardless of their egos. In spite of their egos in fact... 🐸
#nevent1q…jp8t
Yes, their 3 users say it's good
Dude, if you can see me, send a message already, enough, ffs
Oh whoops, I see I've confused things further. They are not the same person, nor actor. I have no recollection of Qui Gon's role in the movies... may be time for a rewatch.
Do relays support NIP-40 yet?
peren peren Alperen, up your ass, çokoktem
Not a lawyer, but suspect you’ll be forced to block that note on your domain.
So will any client that also gets named directly.
Ok, maybe @npub1wht…r3ec but I never tried it