Verge (XVG) has seemingly been the victim of another attack, one nearly identical to the last.
Verge is a privacy-focused coin that made headlines when pornhub.com started accepting it as a payment method. However, prior to that announcement, its protocol was hacked, resulting in millions of dollars' worth of Verge being created ahead of schedule and rewarded to the attacker.
Today, it appears a similar exploit is being used to do the same thing. Verge has three “features” that put it at risk of this exploit.
- Verge uses the Dark Gravity Wave difficulty adjustment algorithm. It adjusts the difficulty of mining Verge every block. For comparison, Bitcoin adjusts its difficulty every 2016 blocks.
- Verge uses multiple mining algorithms, splitting its hashrate security among them based on use.
- Verge allows incorrect time stamping, because getting correct time stamping is difficult in a decentralized system and giving miners some leeway helps alleviate that.
In the first attack, the attacker submitted multiple blocks with incorrect timestamps, making it appear to the system that blocks weren’t coming in on time. That caused the algorithm to lower its difficulty massively (on the order of 99.999999%). Then, since Verge’s hashrate was split among the five algorithms, it was relatively trivial for the attacker to 51% attack one of those algorithms and claim all the coins as block rewards.
Theabacus.io has a great write-up on the original hack, if you are interested in learning more.
The key difference this time is that the hacker is attacking two algorithms, Scrypt and Lyra2re, instead of one. Presumably this somehow gets around the fix the Verge team put into place.
As of this writing, $1.7 million worth of XVG has been mined by the attacker. Users are reporting that the official blockchain explorer has been up and down. It is not clear if this is an attempt to obscure the attack from public view, or simply the code of the explorer having trouble keeping up with the new reality of so many generated blocks coming in so quickly.
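To see why the width of the timestamp leeway matters for a coin that retargets every block, here is a toy simulation added for illustration; it is not Verge's or Dark Gravity Wave's code. The block spacing, window size, leeway values and the simplified moving-average retarget are all assumptions chosen for the model.

```python
"""Toy model of per-block difficulty retargeting under timestamp leeway.
Constructed parameters; a simplified moving-average retarget, not Verge's code."""

TARGET_SPACING = 30   # assumed seconds between blocks
WINDOW = 24           # assumed number of block intervals averaged per retarget


def next_difficulty(times, diffs):
    """Average recent difficulty, scaled by expected/observed timespan."""
    ts = times[-(WINDOW + 1):]
    observed = max(ts[-1] - ts[0], 1)
    expected = TARGET_SPACING * (len(ts) - 1)
    recent = diffs[-WINDOW:]
    return sum(recent) / len(recent) * expected / observed


def timestamp_ok(claimed, node_clock, prev_time, max_future_drift):
    """Leeway rule: after the previous block, not too far ahead of our clock."""
    return prev_time < claimed <= node_clock + max_future_drift


def simulate(max_future_drift, blocks=20):
    """Difficulty after `blocks` blocks whose timestamps sit at the edge of the
    leeway window, starting from an honest chain at difficulty 1.0."""
    times = [i * TARGET_SPACING for i in range(WINDOW + 1)]
    diffs = [1.0] * (WINDOW + 1)
    clock = times[-1]                      # real wall-clock time
    for _ in range(blocks):
        d = next_difficulty(times, diffs)
        clock += TARGET_SPACING * d        # constant hashrate: easier means faster
        claimed = clock + max_future_drift
        assert timestamp_ok(claimed, clock, times[-1], max_future_drift)
        times.append(claimed)
        diffs.append(d)
    return diffs[-1]


if __name__ == "__main__":
    for drift in (0, 60, 600, 7200):
        print(f"leeway {drift:>5}s -> difficulty x{simulate(drift):.3f}")
```

In this model the stretched timespan is bounded by the leeway, so a tight acceptance window keeps the retarget close to the honest value, while a window many times the block spacing lets skewed timestamps dominate the calculation.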
We have reached out to the Verge team but have not heard back at press time.
The last Verge hack resulted in a hardfork that may or may not have been intentional. Somehow, the price of the coin and its subsequent acceptance on PornHub.com came after the attack occurred.
This attack, like the previous attack and the DAO attack before it, showcases the importance of proven code. Bitcoin has never been hacked. Its exchanges have been hacked, individuals holding bitcoin have been hacked, but the core protocol of Bitcoin is extremely secure.
Dark Gravity Wave and some of the other innovations created by the Verge team were designed to address specific problems or perceived problems with Bitcoin. But those solutions have resulted in far worse issues than the ones they were designed to solve. In addition, some in the community criticized the effectiveness of their fix. Without having the technical knowledge to investigate that myself, I’ll just say that it seems like their warnings are coming to fruition.