Verge, a “privacy coin” famed for the zealotry of its community, has fallen prey to a 51% attack. A malevolent miner gained majority control of the network hashrate, a feat that makes it possible for the controlling entity to modify transactions, calling the integrity of the entire blockchain into question. Around 250,000 verge were stolen by the attacker, forcing the project team to prepare a hard fork.
Accident-Prone Altcoin Has Another Bad Day
On Wednesday April 4, “ocminer”, a regular poster on the Bitcointalk forum, announced that verge (XVG) was experiencing a 51% attack. A bug in the altcoin’s code enabled the attacker to spoof timestamps and cause each new block to be produced using the same algorithm. Usually, a different algorithm must be used for each block to prevent any single miner or pool of miners from controlling the XVG hashrate. The verge community aren’t known for their tolerance of negative stories, and soon they’d piled into the Bitcointalk thread to dismiss the “fake news and FUD”. One fanboy mused:
The timing of this attack seems highly suspicious. Is it possible this was not an individual but an anti-crypto governmental organization that fears the huge deal that Verge is making? Way too much of a coincidence here. I’ve said for months that all it takes is one huge (legit) deal with an Amazon/Paypal class company and the market will quadruple overnight.
Using a number of exploits in the XVG code, the attacker was able to mine multiple blocks one second apart, all performed using the scrypt algorithm, a feat which ought to have been impossible. The attack relented after three hours, but by that time the attacker had confirmed hundreds of blocks, making a rollback of the blockchain necessary to undo the damage. Lead verge developer Justin posted an emergency commit to temporarily fix the problem and was successful – but only at the second attempt. A hard fork will now be initiated to remedy the matter once and for all.
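A node operator or pool can watch for the pattern described above: a streak of blocks that all claim the same algorithm, spaced about a second apart, with header times that disagree with when the blocks arrived. The sketch below is an added example, not code from the Verge project; the `Header` fields, the thresholds, the non-scrypt algorithm labels and the sample chain are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from itertools import groupby

@dataclass(frozen=True)
class Header:
    height: int
    algo: str        # PoW algorithm the block claims
    timestamp: int   # header time, set by the miner (spoofable)
    seen_at: int     # local wall-clock time when our node received the block

# Assumed thresholds for illustration, not Verge consensus parameters.
MAX_SAME_ALGO_RUN = 3   # longest same-algorithm streak tolerated
MIN_SPACING_S = 5       # header spacing at or below this is suspicious
MAX_CLOCK_SKEW_S = 600  # |header time - receive time| tolerated

def find_anomalies(headers):
    """Return a list of (kind, first_height, last_height) findings."""
    findings = []
    ordered = sorted(headers, key=lambda h: h.height)
    # 1. Streaks of one algorithm, noting whether every gap is near zero.
    for algo, group in groupby(ordered, key=lambda h: h.algo):
        run = list(group)
        if len(run) <= MAX_SAME_ALGO_RUN:
            continue
        gaps = [b.timestamp - a.timestamp for a, b in zip(run, run[1:])]
        fast = sum(1 for g in gaps if g <= MIN_SPACING_S)
        kind = "same_algo_rapid_run" if fast == len(gaps) else "same_algo_run"
        findings.append((kind, run[0].height, run[-1].height))
    # 2. Header timestamps that disagree with when the block actually arrived.
    for h in ordered:
        if abs(h.timestamp - h.seen_at) > MAX_CLOCK_SKEW_S:
            findings.append(("timestamp_skew", h.height, h.height))
    return findings

def sample_chain():
    """Constructed headers: normal rotation, then a one-second scrypt streak."""
    t0 = 1_522_800_000
    chain = [Header(100 + i, a, t0 + 30 * i, t0 + 30 * i + 2)
             for i, a in enumerate(["scrypt", "x17", "blake2s", "scrypt", "x17"])]
    start = chain[-1].timestamp - 7200   # constructed: backdated header times
    for i in range(6):
        chain.append(Header(105 + i, "scrypt", start + i, t0 + 150 + 10 * i))
    return chain

if __name__ == "__main__":
    for finding in find_anomalies(sample_chain()):
        print(finding)
```

Recording `seen_at` locally matters because the header timestamp is chosen by the miner, so spacing computed from headers alone can be made to look like anything.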
Verge’s problems may only just be beginning though. The attacker taunted the team in a forum post, writing “Hey Verge Team, get some real developers and fix your code. We have found another 2 exploits which can make quick hashes as well.” To compound the misery, at least one verge holder was then fooled by a Twitter scam, explaining:
I visited some hours ago the official Verge Twitter profile to read the news about the hash hack. While reading the tweet I noticed several messages offering a compensation for the attack by Verge. Send x Eth and you get some bonus back. Sounded legit to me as it was affiliated to the hash attack and I suffered from it as well having had some hours only orphaned blocks on all my baikals, hence I fall victim to this damn scam on the official twitter page.
The 51% attack used the scrypt algorithm for each block, which ought to have been impossible
51% Attacks Are Ultra Rare
While often theorized, 51% attacks are extremely rare. To control the majority of bitcoin’s hashrate, for example, an attacker would require over 14 exahashes of power, which would be all but impossible. Altcoins have a much lower hashrate, but even so, it is unusual to witness such an attack in the wild. Interestingly, another Proof of Work (PoW) coin, electroneum, is believed to have succumbed to a 51% attack just three days ago. Reports are surfacing that the electroneum 51% attack has since resumed, with the same entity behind the verge attack believed to be responsible.
Rowan Stone, founder of cryptocurrency mining firm Alter Chain, explains: “PoW coins [such as verge] are secured via decentralized consensus. This attack is a great example of what is possible when a single entity has enough hashpower to create their own consensus. The fact that the XVG code base had a fairly significant bug just made it easier for the attacker to pull this off.”
Problem? What Problem?
In typical fashion, the verge team tried to play down the severity of the attack, tweeting:
On the Bitcointalk forum, the damage control exercise was cranked higher still, with a verge team member disingenuously writing “we’re kinda glad this happened and that it wasn’t as bad as it could have been.” Verge also tried to shut down discussion of the “minor” incident in its Telegram channel. The reality was nothing of the sort: all verge wallets are out of sync as the blockchain snapshot is stuck at block 2007364 and a hard fork is imminent. Verge claim that around 250,000 XVG were stolen by the rogue miner, but dissenters have claimed that as many as 3.9 million coins may have been taken.
One forum member wrote: “Based on what I see from the dev postings here it’s apparent that if ocminer had never brought this to everyone’s attention, the XVG team would have never admitted to or disclosed what happened. Trying to downplay and being flippant about the severity here is just pissing on the XVG faithful.” A verge developer tried to shrug off the magnitude of the attack, protesting “how much eth has been stolen this year? this is insignificant in contrast”.
XVG is down 16% in the last 24 hours, Wednesday’s attack only tempered by anticipation of a “big announcement” on April 16 that has caused verge to double in price in the past week. In 2018 alone, verge has shrugged off privacy leaks, its Twitter being hacked, developer doxed, the embarrassment of having to beg its community for $3 million, and now a 51% attack. The rest of the cryptocurrency world may be laughing, but XVG’s true believers remain unfazed.
Images courtesy of Shutterstock, Bitcointalk, Coincodex, and Twitter.