Published by: XDC Innovation Lab — Security & Compliance Team
Date: 16 April 2026
Summary
The XDC Innovation Lab is issuing this update to inform the community about a recently identified and fully resolved security incident involving the accessibility of KYC/KYB verification documents submitted during the masternode application process.
Transparency and trust are core to the XDC ecosystem. We believe it is important to communicate openly about what happened, what was done, and what has changed.
What Happened?
Our team identified a configuration vulnerability that allowed certain KYC/KYB verification documents — submitted as part of the masternode onboarding process — to become temporarily accessible via direct URL access without proper authentication.
To clarify, the XDC masternode KYC/KYB process requires applicants to submit only a single-page verification certificate confirming the identity and role of a Director/Trustee/Partner within their organisation, certified by an authorised signatory such as a Company Secretary, Notary Public, or Lawyer. No additional personal documents are collected beyond this single certificate.
What Was Done?
Upon discovery, the Foundation treated this as a Priority 0 (P0) incident and took the following immediate actions:
- Access revoked — Public accessibility to all affected documents was immediately revoked
- Vulnerability patched — The configuration issue was identified and a fix was deployed
- Verification completed — Internal testing confirmed that no KYC/KYB documents remain publicly accessible
- Root cause analysis — A thorough root cause analysis was completed to understand how the exposure occurred
- Logs preserved — System logs were preserved for forensic review
What Has Changed?
We have implemented significant improvements to our security infrastructure:
- Enhanced encryption — All KYC/KYB documents are now stored under encryption with strict access controls
- Strengthened access controls — Multi-layer authentication and authorisation checks have been implemented for all document access endpoints
- Continuous monitoring — Automated monitoring is now in place to detect any unauthorised access attempts
- Updated protocols — Our KYC/KYB data handling and classification policies have been revised and strengthened
- Regular audits — Periodic access control audits and penetration testing have been scheduled as ongoing practice
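The exposure described under "What Happened?" is a broken-access-control pattern: a document endpoint that serves a file to anyone who reaches its URL. The sketch below, added here as an illustration and not code from the XDC Innovation Lab's systems, puts that vulnerable handler beside a hardened one that authenticates the session, authorises the caller as the applicant who submitted the certificate or an approved reviewer, and records every denial so a monitor can flag repeated unauthorised attempts. All document IDs, tokens, user names and IP addresses are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class DocumentStore:
    """Minimal stand-in for a KYC/KYB certificate store (constructed example)."""
    docs: dict                                   # doc_id -> {"owner": user, "blob": bytes}
    sessions: dict                               # session token -> authenticated user id
    reviewers: set                               # users permitted to read any certificate
    denied: list = field(default_factory=list)   # audit trail consumed by monitoring

    def fetch_vulnerable(self, doc_id):
        """Before the fix: whoever knows the URL gets the file. No identity is checked."""
        doc = self.docs.get(doc_id)
        return doc["blob"] if doc else None

    def fetch_hardened(self, doc_id, session_token, client_ip):
        """After the fix: authenticate, then authorise, then serve; deny everything else."""
        user = self.sessions.get(session_token)          # authentication
        doc = self.docs.get(doc_id)
        permitted = (
            user is not None
            and doc is not None
            and (user == doc["owner"] or user in self.reviewers)   # authorisation
        )
        if not permitted:
            # Unknown doc and forbidden doc get the same answer, so IDs cannot be
            # enumerated, and every refusal is logged for the monitoring rule below.
            self.denied.append({"doc": doc_id, "user": user, "ip": client_ip})
            return None
        return doc["blob"]

    def denied_bursts(self, threshold=3):
        """Monitoring: source IPs with at least `threshold` denials (constructed rule)."""
        counts = {}
        for event in self.denied:
            counts[event["ip"]] = counts.get(event["ip"], 0) + 1
        return sorted(ip for ip, n in counts.items() if n >= threshold)


def sample_store():
    """Constructed data: two applicants' certificates, one applicant session, one reviewer."""
    return DocumentStore(
        docs={"doc-1001": {"owner": "applicant-a", "blob": b"cert-a"},
              "doc-1002": {"owner": "applicant-b", "blob": b"cert-b"}},
        sessions={"tok-a": "applicant-a", "tok-r": "reviewer-1"},
        reviewers={"reviewer-1"},
    )
```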
Decentralised by Design
It is important to note that XDC is a decentralised network. The Foundation does not centrally control or manage KYC/KYB processes, nor is any such data stored in a single centralised location. The decentralised nature of the network ensures that no single entity has unilateral control over validator data. All KYC/KYB processes are designed with decentralisation principles in mind, with appropriate encryption and distributed security safeguards.
Community Acknowledgement
We want to sincerely thank the community members who promptly flagged this concern. Your vigilance plays a vital role in strengthening the security and integrity of the XDC ecosystem. Our team is reaching out directly to each individual who raised this issue to provide clarity and gather feedback on the improvements made.
Our Commitment
The XDC Foundation takes the security and privacy of validator documentation with the utmost seriousness. We are committed to maintaining the highest standards of data protection and will continue to invest in strengthening our security infrastructure.
We believe that transparency in addressing such incidents is essential to building and maintaining the trust that our community, validators, and institutional partners place in the XDC Network.
XDC Innovation Lab
Building a Secure and Decentralised Future