Verify a decision

{"actor":"system:backfill","investigation_id":"26425c6f-e476-4181-87a2-e94d3148db6b","kind":"publish","page_slug":"phala-cloud-june-2026-api-breach","published_at":"2026-06-15T17:18:27.920Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Phala Cloud (June 2026 API Breach)","sections":[{"content":"On June 1, 2026, Phala Network publicly disclosed a security vulnerability in its Phala Cloud API. The vulnerability allowed an unauthorized party to modify certain Confidential Virtual Machines (CVMs) managed under Phala Cloud's Offchain Key Management System (KMS). According to the official disclosure, the earliest confirmed unauthorized activity occurred at 2026-05-31T22:26:36.808Z, and the vulnerability was identified and the API endpoint patched at 2026-06-01T15:47:49.456Z — a window of approximately 17 hours. The attacker deployed a malicious pre-launch script to affected CVMs. That script may have accessed decrypted environment variables after CVM boot, potentially exposing secrets stored by users who believed those secrets were protected by the TEE boundary.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":1,"name":"Security incident notice: Phala Cloud API vulnerability | Phala","type":"official","url":"https://phala.com/posts/security-incident-notice-phala-cloud-api-vulnerability"}]},{"content":"Phala Cloud operates two distinct key management modes: Offchain KMS and Onchain KMS. Only CVMs using Offchain KMS were within the scope of this incident. CVMs using Onchain KMS — where key authorization operations are required to be anchored on-chain and observable via blockchain governance — were not affected. The distinction matters architecturally: Offchain KMS operations occur invisibly relative to the blockchain, while Onchain KMS requires all key authorization changes to be initiated on-chain, providing a higher security guarantee. Phala's own documentation describes Offchain KMS interactions as 'invisible off-chain,' which created the attack surface exploited in this incident. The exact number of affected CVMs and the identity of affected customers has not been publicly disclosed as of June 2026.","heading":"Scope and Affected Systems","severity":"high","sources":[{"credibility":1,"name":"Security incident notice: Phala Cloud API vulnerability | Phala","type":"official","url":"https://phala.com/posts/security-incident-notice-phala-cloud-api-vulnerability"},{"credibility":1,"name":"What is KMS - Phala Docs","type":"official","url":"https://docs.phala.com/phala-cloud/key-management/key-management-protocol"}]},{"content":"Phala Cloud's encrypted environment variables are intended to store sensitive secrets including API keys, database connection strings, Docker registry credentials, AWS ECR authentication details, and other credentials. Per Phala's documentation, secrets are encrypted client-side using X25519 + AES-256-GCM before transmission and are designed to be decryptable only inside the TEE at runtime — Phala Cloud servers are explicitly documented as being unable to read plaintext values. The incident undermined this guarantee for affected Offchain KMS CVMs: the malicious pre-launch script, injected via the API vulnerability, could access secrets after they were decrypted at CVM boot but before they were used by the intended workload. Phala explicitly advised affected customers to treat as compromised: all secrets stored in encrypted environment variables, AWS registry credentials (including ECR credentials), and any other external service credentials used by affected CVMs.","heading":"Nature of Exposed Data","severity":"critical","sources":[{"credibility":1,"name":"Security incident notice: Phala Cloud API vulnerability | Phala","type":"official","url":"https://phala.com/posts/security-incident-notice-phala-cloud-api-vulnerability"},{"credibility":1,"name":"Set Secure Environment Variables | Phala Docs","type":"official","url":"https://docs.phala.com/phala-cloud/cvm/set-secure-environment-variables"}]},{"content":"Phala Network markets itself as a confidential AI cloud providing hardware-rooted trusted execution environments (TEEs) on Intel TDX and NVIDIA H100/H200 GPUs. The platform's core value proposition is that operators — including Phala itself — cannot read user workload data or secrets. The June 2026 incident represents a breach of this trust model specifically for Offchain KMS users. An attacker was able to exfiltrate decrypted secrets by injecting code at the pre-launch stage via an API flaw, bypassing the TEE protection that was the reason customers chose the platform. This is particularly consequential for downstream AI agent and crypto wallet deployments — documented use cases in Phala's own developer guides — where private keys or high-value API credentials may have been stored as encrypted environment variables.","heading":"Severity Context: TEE Trust Model Violation","severity":"critical","sources":[{"credibility":1,"name":"Confidential AI Cloud - Private Inference on GPU TEE | Phala","type":"official","url":"https://phala.com/"},{"credibility":1,"name":"Developer Guide: Securely Deploy a Crypto Wallet MCP Server on Phala Cloud | Phala","type":"official","url":"https://phala.com/posts/developer-guide-securely-deploy-a-crypto-wallet-mcp-server-on-phala-cloud"}]},{"content":"Phala Network patched the vulnerable API endpoint approximately 17 hours after the earliest confirmed unauthorized activity. Affected users and CVMs were notified directly by email. Phala publicly disclosed the incident via a dedicated post on its website and provided specific remediation guidance: replace all affected CVMs entirely, rotate all secrets stored in encrypted environment variables, and rotate AWS registry credentials and other external service credentials used by affected CVMs. Phala stated it was continuing its investigation and would provide further updates as needed. No independent post-mortem from a third party had been published as of the date of this investigation. Community commentary observed as Tier 3 sources noted a generally positive reception to the transparency of disclosure, though this assessment is low confidence given its sourcing.","heading":"Incident Response and Remediation","severity":"medium","sources":[{"credibility":1,"name":"Security incident notice: Phala Cloud API vulnerability | Phala","type":"official","url":"https://phala.com/posts/security-incident-notice-phala-cloud-api-vulnerability"}]},{"content":"Prior to this incident, Phala Network had undertaken several security evaluations. A Code4rena smart contract audit in March 2024 identified a denial-of-service vulnerability in which malicious users could send requests with excessive timeouts to crash workers. A smart contract audit by EtherAuthority conducted on June 12, 2024, reported no active critical issues. Phala's dstack confidential container framework completed an independent security audit by zkSecurity between May and June 2025, validating its zero-trust compute architecture using secure boot, cryptographic measurements, and remote attestation. Phala also obtained SOC 2 Type I and HIPAA compliance certifications. None of the disclosed prior audits identified the API authorization vulnerability that led to the June 2026 incident.","heading":"Prior Security Audits and Compliance","severity":"medium","sources":[{"credibility":2,"name":"Code4rena Phala Network Audit Report (March 2024)","type":"research","url":"https://code4rena.com/reports/2024-03-phala-network"},{"credibility":2,"name":"Phala Network Smart Contract Audit - TrustBlock","type":"research","url":"https://app.trustblock.run/audit/bb61f86e-e46b-4727-b99d-1d9dd3c52509"},{"credibility":3,"name":"Phala's Security Audit: What It Actually Means for Developers | Medium","type":"other","url":"https://medium.com/@jamessoulman69/phalas-security-audit-what-it-actually-means-for-developers-fe471534ff3e"}]},{"content":"Phala Network is a blockchain-based confidential computing platform. Its native token, PHA, has a maximum supply of 1 billion and is used for staking, governance, and payment for TEE compute resources. The platform launched its Phala Cloud product as a developer-accessible confidential container hosting service, targeting AI agent developers, crypto-native applications, and enterprise workloads requiring data privacy. In 2025 Phala donated its dstack framework to the Linux Foundation. The network processed over 1.34 billion LLM tokens in a single day during 2025 stress tests. No regulatory actions by the SEC, CFTC, OFAC, or DOJ against Phala Network or its operators were identified in available sources as of June 2026.","heading":"Platform Background","severity":"low","sources":[{"credibility":2,"name":"What Is Phala Network? | OKX","type":"other","url":"https://www.okx.com/en-us/learn/what-is-phala-network"},{"credibility":1,"name":"Phala 2025: Year in Review | Phala","type":"official","url":"https://phala.com/posts/phala-2025-report"},{"credibility":1,"name":"Introduction - PHA Token | Phala Docs","type":"official","url":"https://docs.phala.network/overview/pha-token"}]},{"content":"The full scope of the breach — including the number of CVMs affected, whether exfiltration was confirmed rather than merely possible, and any downstream losses suffered by users — has not been publicly disclosed. No independent forensic report or third-party confirmation of the attack chain was available at the time of writing. The attacker's identity and whether any stolen credentials were subsequently used have not been publicly reported. Community sentiment sources are Tier 3 and are not weighted heavily in the confidence score. This investigation relies primarily on Phala's own disclosure and official documentation.","heading":"Limitations of This Investigation","severity":"low","sources":[{"credibility":1,"name":"Security incident notice: Phala Cloud API vulnerability | Phala","type":"official","url":"https://phala.com/posts/security-incident-notice-phala-cloud-api-vulnerability"}]}],"sources_used":[{"credibility":1,"name":"Security incident notice: Phala Cloud API vulnerability | Phala","type":"official","url":"https://phala.com/posts/security-incident-notice-phala-cloud-api-vulnerability"},{"credibility":1,"name":"What is KMS - Phala Docs","type":"official","url":"https://docs.phala.com/phala-cloud/key-management/key-management-protocol"},{"credibility":1,"name":"Set Secure Environment Variables | Phala Docs","type":"official","url":"https://docs.phala.com/phala-cloud/cvm/set-secure-environment-variables"},{"credibility":1,"name":"Confidential AI Cloud - Private Inference on GPU TEE | Phala","type":"official","url":"https://phala.com/"},{"credibility":1,"name":"Developer Guide: Securely Deploy a Crypto Wallet MCP Server on Phala Cloud | Phala","type":"official","url":"https://phala.com/posts/developer-guide-securely-deploy-a-crypto-wallet-mcp-server-on-phala-cloud"},{"credibility":1,"name":"Production Checklist | Phala Docs","type":"official","url":"https://docs.phala.network/phala-cloud/be-production-ready/production-checklist"},{"credibility":1,"name":"Introduction - PHA Token | Phala Docs","type":"official","url":"https://docs.phala.network/overview/pha-token"},{"credibility":1,"name":"Phala 2025: Year in Review | Phala","type":"official","url":"https://phala.com/posts/phala-2025-report"},{"credibility":1,"name":"dstack whitepaper: A Zero Trust Framework for Confidential Containers | Phala","type":"official","url":"https://phala.com/posts/dstack-whitepaper-a-zero-trust-framework-for-confidential-containers"},{"credibility":2,"name":"Code4rena Phala Network Audit Report (March 2024)","type":"research","url":"https://code4rena.com/reports/2024-03-phala-network"},{"credibility":2,"name":"Phala Network Smart Contract Audit - TrustBlock","type":"research","url":"https://app.trustblock.run/audit/bb61f86e-e46b-4727-b99d-1d9dd3c52509"},{"credibility":2,"name":"What Is Phala Network? | OKX","type":"other","url":"https://www.okx.com/en-us/learn/what-is-phala-network"},{"credibility":2,"name":"Phala Network Price, PHA to USD, Research | Messari","type":"research","url":"https://messari.io/project/phala-network"},{"credibility":1,"name":"Detailed Analysis of Phala Cloud's Decentralized Root of Trust, KMS Protocol, and ZKP Enhancement | Phala","type":"official","url":"https://phala.com/posts/detailed-analysis-of-phala-clouds-decentralized-root-of-trust-kms-protocol-and-zkp-enhancement"},{"credibility":3,"name":"Phala's Quick Response to Security Findings Shows What Good Infrastructure Looks Like | Medium","type":"community_report","url":"https://medium.com/@jamessoulman69/phalas-quick-response-to-security-findings-shows-what-good-infrastructure-looks-like-ae8c1771f8f8"}],"summary":"On June 1, 2026, Phala Network disclosed and patched a vulnerability in the Phala Cloud API that permitted unauthorized modification of Confidential Virtual Machines (CVMs) using Offchain KMS key management. An attacker deployed a malicious pre-launch script beginning May 31, 2026, potentially exfiltrating decrypted environment variables including AWS credentials and ECR registry keys from affected CVMs. Phala patched the vulnerability within approximately 17 hours and notified affected users directly, though the incident exposed a structural gap between the platform's confidentiality marketing and the actual security boundary enforced by its Offchain KMS configuration.","timeline":[{"date":"2024-03-01","event":"Code4rena audit of Phala Network identifies a denial-of-service vulnerability in the cluster system via excessive timeout requests.","source":"Code4rena Audit Report","source_url":"https://code4rena.com/reports/2024-03-phala-network"},{"date":"2024-06-12","event":"EtherAuthority completes smart contract audit of Phala Network; no active critical issues reported.","source":"TrustBlock Audit Registry","source_url":"https://app.trustblock.run/audit/bb61f86e-e46b-4727-b99d-1d9dd3c52509"},{"date":"2025-06-01","event":"zkSecurity completes independent security audit of Phala's dstack confidential container framework, validating its zero-trust compute architecture.","source":"Medium / Phala Security Audit Commentary","source_url":"https://medium.com/@jamessoulman69/phalas-security-audit-what-it-actually-means-for-developers-fe471534ff3e"},{"date":"2026-05-31","event":"Earliest confirmed unauthorized activity detected at 22:26:36 UTC. Attacker begins deploying a malicious pre-launch script to affected Offchain KMS CVMs on Phala Cloud.","source":"Security incident notice: Phala Cloud API vulnerability | Phala","source_url":"https://phala.com/posts/security-incident-notice-phala-cloud-api-vulnerability"},{"date":"2026-06-01","event":"Phala identifies the vulnerability and patches the affected API endpoint at 15:47:49 UTC, approximately 17 hours after first confirmed unauthorized activity.","source":"Security incident notice: Phala Cloud API vulnerability | Phala","source_url":"https://phala.com/posts/security-incident-notice-phala-cloud-api-vulnerability"},{"date":"2026-06-01","event":"Phala publicly discloses the incident via official blog post and directly notifies affected users and CVMs by email. Recommends full CVM replacement and rotation of all secrets.","source":"Security incident notice: Phala Cloud API vulnerability | Phala","source_url":"https://phala.com/posts/security-incident-notice-phala-cloud-api-vulnerability"}]},"v":1}