The reliability and integrity of Verge (XVG), an anonymous, secure and private cryptocurrency, were called into question when hackers took advantage of bugs in the code to capture the majority of mining power (the network’s hashrate), a so-called “51% attack.” The hacker made 250,000 coins in a span of three hours. More importantly, the hacker left a message in one of the cryptocurrency forums saying there are still bugs left in Verge’s code, which can be easily exploited.
The hack was discovered and announced by “ocminer,” a poster on the Bitcointalk forums. According to ocminer, the hacker exploited “several bugs” in Verge’s code to mine an extraordinarily large number of new blocks on Verge’s blockchain. This enabled the hacker to generate incredible returns in a short span of time. In particular, the hacker was able to mine new blocks with spoofed timestamps using the same algorithm.
According to “ocminer,” the 51% attack was done as follows:
“Usually to successfully mine XVG blocks, every “next” block must be of a different algo.. so for example scrypt, then x17, then lyra etc. Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp. When you submit a mined block (as a malicious miner or pool) you simply set a false timestamp to this block one hour ago and XVG will then “think” the last block mined on that algo was one hour ago.. Your next block, the subsequent block will then have the correct time.. And since it’s already an hour ago (at least that is what the network thinks) it will allow this block to be added to the main chain as well.”
Even though Verge uses five different cryptographic algos for mining and switches to a new one for every block, the hacker was able to mine using a single algorithm, after finding a way to fake the timestamps of his/her blocks. This enabled the hacker to gain control over the majority of the network’s mining power with minimal computing power.
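A defender's view of the pattern described above, as an added example that is not from the article or from Verge's code base: a chain audit that flags blocks timestamped well behind their parent and runs of the same mining algorithm. The header fields, sample values and both thresholds are assumptions constructed for illustration.

```python
from collections import namedtuple

# Minimal header view; field names are hypothetical, not Verge's block format.
Block = namedtuple("Block", "height algo timestamp")

# Constructed sample headers (not real chain data). Timestamps are Unix seconds.
# Heights 104 and 106 claim to be about an hour older than their parents,
# mirroring the "false timestamp, then correct timestamp" pattern in the quote.
SAMPLE_CHAIN = [
    Block(100, "scrypt", 1_522_800_000),
    Block(101, "x17",    1_522_800_030),
    Block(102, "lyra",   1_522_800_060),
    Block(103, "scrypt", 1_522_800_090),
    Block(104, "scrypt", 1_522_796_491),
    Block(105, "scrypt", 1_522_800_092),
    Block(106, "scrypt", 1_522_796_493),
    Block(107, "scrypt", 1_522_800_094),
]

MAX_BACKSTEP = 600      # assumed tolerance (seconds) for honest clock skew
MAX_SAME_ALGO_RUN = 1   # assumed policy from the quote: each next block changes algo


def audit_chain(blocks, max_backstep=MAX_BACKSTEP, max_run=MAX_SAME_ALGO_RUN):
    """Return (height, reason) findings for blocks that look timestamp-spoofed."""
    findings = []
    prev = None
    run = 0
    for blk in blocks:
        if prev is None:
            run = 1
        else:
            # A block should not claim to be much older than the block it extends.
            backstep = prev.timestamp - blk.timestamp
            if backstep > max_backstep:
                findings.append((blk.height, f"timestamp {backstep}s behind parent"))
            # Count how many blocks in a row were mined with the same algorithm.
            run = run + 1 if blk.algo == prev.algo else 1
            if run > max_run:
                findings.append((blk.height, f"{run} consecutive {blk.algo} blocks"))
        prev = blk
    return findings


if __name__ == "__main__":
    for height, reason in audit_chain(SAMPLE_CHAIN):
        print(height, reason)
```

The same two conditions can be enforced at block acceptance time rather than only audited afterwards, which is the kind of redundancy check the project's statement refers to.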
Verge’s lead developer Justin temporarily halted the attack after a second attempt with an emergency commit post. However, by that time, the hacker had established hundreds of blocks, with no way to reverse it other than through a hardfork. The attack went on for a period of 3 hours.
The Verge (XVG) coin lost 22% following the news of the attack. The company, however, downplayed the attack, calling the breach a “small hash attack”. Notably, Verge’s Twitter account had been hacked a few weeks earlier.
We had a small hash attack that lasted about 3 hours earlier this morning, it’s been cleared up now. We will be implementing even more redundancy checks for things of this nature in the future! $XVG #vergefam
— vergecurrency (@vergecurrency) April 4, 2018
The hacker also made fun of Verge’s developers by posting a sarcastic message on Bitcointalk forum.
“hey Verge Team, get some real developers and fix your code. We have found another 2 exploits which can make quick hashes as well.”
What is a 51% attack?
A 51% attack is a potential attack on a blockchain network whereby an organization is somehow able to control the majority of the network mining power (hashrate). The term is usually used in reference to the Bitcoin network. Bitcoin nodes look to each other to verify that what they’re working on is the valid blockchain. If the majority of miners are controlled by a single entity, that entity would have the power to (at least attempt to) decide which transactions get approved or not. This would allow it to prevent other transactions, and allow its own coins to be spent multiple times – a process called double spending. However, hitting 51% network control is not a guarantee of success, just the point where success is likely.
Verge’s (XVG) algorithm
Verge implements highly advanced blockchain technology built on top of services such as Tor and I2P that hide your personal data, such as IP addresses and geolocation. Verge uses five different cryptographic algorithms for mining, switching to a new one for every block. With the future implementation of RSK technology, Verge will offer smart contracts functionality, while maintaining total confidentiality of the users, thus being the only cryptocurrency on the market combining such features.
In general, crypto experts were of the belief that a blockchain network that employs PoW cannot be easily compromised. However, the incident has shown that a coin backed by weak code can be overpowered by a hacker.