Verge Network Mining Hack Explained
On the 4th April 2018, a post was made on Bitcointalk forums about an exploit in Verge (XVG). Specifically that someone has found a way to mine blocks in Verge much faster than normal, at a rate of one block per second, causing many new Verge to be created and given to the malicious person/group behind this.
This guide will explain what's happened here, why it happened, and possible future implications because of it.
NOTE: Be careful looking at Tweets related to this topic, many malicious people are impersonating the official Verge Twitter account offering giveaways to apologise for the hack. Any giveaways of this type are very likely scams (see an example of one of these scams here).
Summary of Verge network hack/attack
Just to reassure anyone holding Verge, if you hold Verge on an exchange/wallet, your Verge is not effected by this hack. The Verge was stolen through mining new coins, not from an existing Verge holder. The only thing you'll have to do is update your wallet at some point (if you hold it on an exchange, they should deal with this for you).
So that said; Verge is a proof-of-work coin, which means to generate new coins people mine it (similar to Bitcoin). Most proof-of-work coins use a specific algorithm; some like Verge use a combination of lots of them, Scrypt, X17, Lyra2rev2, myr-groestl and blake2s in Verge's case. This gives many different mining setups the ability to mine this coin equally (as each setup would generally mine a specific algorithm).
When a new block is mined for Verge, the miner that mined it gets a reward in Verge coins. Normally each new block would be a different algorithm, so you can't for example mine two Scrypt blocks in a row.
With the above in mind, at 6am UTC on the 4th April 2018 someone launched an attack on Verge where by abusing a bug (by spoofing timestamps) they were able to mine blocks very quickly using the Scrypt algorithm, much faster than they should have been able to. Currently on the 7th April they seem to have been able to mine enough blocks to get over 60M Verge (equivalent to around $3.85M at Verge's current price, or an increase of around 0.39% in the total circulating supply of Verge).
Who's fault was this?
This is where things get more messy, where people have strong opinions on who's fault this was and what to do next. In general there are two main opinions here on why it happened:
- The first is that this was Justin Vendetta's fault, the founder and lead developer of Verge. Based on this thread, two other coins Myriad and DigiByte both had the same issue that was used in the above attack, so this was a known issue. Many are arguing that the fact that this wasn't already fixed was a massive oversight by Justin, as if he's used the fix DigiByte used back in 2014 this wouldn't have happened. This Reddit thread gives a good summary of this point of view.
- The second opposite argument is that Verge has grown very fast over the past 4 months, and like many coins with small development teams they often don't have the resources and/or budget to avoid attacks like this ahead of time, but that Justin's response has been sufficient to avoid this happening again. This Reddit thread covers this point of view well, pointing out these new coins represent less than 0.5% of Verge's total circulating supply.
The majority of people seem to agree with the first argument here, as recent actions by the Verge development team have been questionable, with this Reddit thread again covering it well. This post suggests that having independent reviews of Verge would be a good way to overcome this, or to perhaps form a non-profit foundation around Verge similar to Ethereum for leading development.
A short summary of why recent developments on Verge are questionable:
- Because of various factors like John McAfee Tweets, Verge grew in popularity and value significantly in December 2017 due to 'hype'. So although Verge has a small development team, it now had a very high market cap.
- The development team said they were adding the 'Wraith Protocol' on a specific date, this was then delayed, and when it did come out it left people disappointed.
- The lead developer of Verge made several posts related to crypto taxes, then soon after requested donations on the 22nd March from the Verge community to fund a partnership to be announced/named on the 26th March. This was then delayed until the 16th April.
- The Verge blockchain was hacked on the 4th April. This in itself isn't good, but what's worse was that the lead developer's attempts to fix this didn't initially work (where some posts suggest he accidentally hard-forked Verge, which if true is extremely concerning).
Now keep in mind that many people still hold Verge. So even if the above is true, many people may continue to support it regardless, as they don't want the value of their Verge coins to go down. So be very careful around this coin over the next month, given enough bad news even long-term Verge holders may sell (for example Doug Polk posted on Twitter that he's going to do a video on the topic soon, if this is very negative it could cause Verge's price to drop; also if the partnership announcement on the 16th April isn't significant, this could also cause a drop in price).
What's been done to stop the attack?
There are two things to deal with here. First, Verge developers need to fix the bug abused in the attack to avoid it continuing/happening again (which they've been working on for the past few days). Secondly, they need to decide what to do with the coins introduced because of the attack. There are several different approaches here:
- In certain scenarios, if the specific coins that were maliciously generated can be tracked, they can be removed again/transferred to a different owner in a hard-fork. This happened in Ethereum back in July 2016, leading to the creation of Ethereum Classic (where Ethereum decided to return stolen funds, and Ethereum Classic decided to leave them with the thief - there's a risk that the same could happen to Verge, where a second variation might be created like Ethereum Classic).
- The Verge blockchain could be rolled back to the point in time when this attack started (which we believe would be done via a soft-fork). This is not ideal though, as any transactions since that point in time would also be rolled back, so anyone who's moved money around since then would be effected (e.g. if someone sold coins since the attack, they'd get these back, and if they bought them since the attack they'd be taken away, so this can have both a positive & negative effect).
- The final option is to just allow the attacker to keep their coins, to take no action other than fixing the bug the attacker abused.
Working out exactly what approach Verge has taken here is proving difficult, with many people claiming each of the above scenarios. It seems like Verge's lead developer isn't keen on rolling back, so option 2 isn't likely; equally because of the way the new coins were generated option 1 may not be possible, so option 3 to just let the attacker keep the coins may be the most likely.
DISCLAIMER: This site cannot substitute for professional investment or financial advice, or independent factual verification. This guide is provided for general informational purposes only. Anything Crypto is UK-based and not regulated by the FCA (Financial Conduct Authority). The group of individuals writing these guides are cryptocurrency enthusiasts and investors, not financial advisors. The ideas presented are our analysis, learning & opinions on a range of cryptocurrency topics. Trading or mining any form of cryptocurrency is very high risk, so never invest money you can't afford to lose - you should be prepared to sustain a total loss of all invested money.
This website is monetised through affiliate links. Where used, we will disclose this and make no attempt to hide it. We don't endorse any affiliate services we use - and will not be liable for any damage, expense or other loss you may suffer from using any of these. Don't rush into anything, do your own research. As we write new content, we will update this disclaimer to encompass it.
July 4th, 2018
What is Coinbase Custody, and why does it matter?
Never invest money you can't afford to lose.
All information on this website is for general informational purposes only, it is not intended to provide legal or financial advice. We encourage you to consult your own legal & financial advisors before making any cryptocurrency-related purchase.