Sharing this from Grant Hunter... worth the read.
VERGE XVG MINING ATTACK UPDATE:
This has just been shared with The Crypteia Program, and after a lengthy conversation with Michael Sloggett earlier, we all decided it was very important to release this to the wider community as part of a unified message.
These are the facts as far as we know them at this stage; it is up to you to DO YOUR OWN RESEARCH and plan accordingly.
In terms of trading, Verge XVG has been trading epically since the news about the upcoming industry partnership: it has a huge, dedicated following and gets the volume needed to trade and make serious gains. It's been traded very technically, hitting the fibs, support, resistance and trend lines.
Unfortunately, this attack on Verge's blockchain exploits a flaw in the code, so that the person who is attacking has effectively taken over the blockchain and made the original one obsolete for the time being.
As of this morning, the vulnerability is still there and there have been two main attacks:
1- Blocks 2007365 - 2010039 = 2674 blocks.
Rounded down to 2500 @ 1560 XVG per block = approx 3.9 million XVG
2- Blocks 2014060 - 2026196 = 12,136 blocks
Rounded down to 10k @ 1560 XVG per block = approx 15.6 million XVG
This gives a conservative estimate of 19.5 million XVG
As stated previously, this attack exploits a flaw in the code which XVG uses to switch between each one of the 5 algorithms it uses for mining. For every new block to be mined, the algorithm must be switched, and all 5 must be used in rotation. (This is something that other coins like Myriad and Digibyte use. They have also been attacked in a similar way in the past, and have fixed their issues, although they were experiencing much less volume at the time than Verge is now.)
The exploit itself is very smart. The attacker has used the flaws in Verge's code to put an older timestamp on their fake blocks to trick the network into thinking that the fake chain is the real one, by having this broadcast to over 51% of the nodes. They have gained consensus, effectively taking control of the XVG chain. This has meant that the real blocks being mined by legitimate miners are seen as the false ones, and therefore are ignored (orphaned).
The reason why trading is still possible is that the fake chain is still verifying transactions, so people can still trade the coin; however, the attacker is adding extra blocks and making extra free XVG for themselves.
This is a summary of events of how this situation has been handled by OCMINER and Sunerok of Verge during this situation:
1) OCMINER (Supernova Mining Pools) approached the Verge dev team in their Discord group after noticing the issue in their pool.
2) This was unsuccessful, and nothing was taken further at that stage by the Verge dev team.
3) OCMINER then posted details of the attack onto Bitcointalk.org, in order to alert the wider mining community of the attack.
4) Verge dev then got involved, and attacked OCMINER for advertising the issue and making the problem worse.
5) Verge dev then attempted to fix the issue by copying and pasting a fix for Peercoin into Verge.
6) This piece of code had a flaw which wasn't picked up on, and this caused the issues yesterday where wallets wouldn't sync and the real blocks were still being ignored by the chain.
7) A new fix was suggested by OCMINER to Verge dev, which included:
- New code to fix the flaw (from DGB, which would need to be merged with Verge's code in the correct places as they are slightly different).
- A method to blacklist the malicious addresses, meaning the attacker could no longer use the coins they falsely mined.
8) During this time there has been a private discussion between OCMINER and Sunerok, which was fairly heated at times, and saw no resolution between the two.
At this stage, there has been no fix implemented. The vulnerability is still open and the attacker still controls the longest chain.
FYI - Attacks, hacks and exploitations are very common. These have been going on since the late 70s when UK and US intelligence agencies invented cryptography as a way to communicate secretly with each other. This situation should be seen as a good thing - simply for the advancement that it leads to. After every attack, the code is made stronger, however:
The most important part of this type of situation is how the dev team respond to it, because it has the potential to cause havoc. Both in terms of public perception (trust) of Cryptocurrency, and for Verge itself.
Remember there are two sides to this market: the facts and the PR. Verge is a PR machine, and its following is fanatical in its belief in the project. Up to now, the PR is working, and the price hasn't been too negatively affected. One reason for this is that most of the comments about this attack on Verge social media (Twitter / Reddit) are being censored by Verge, and the information being put out by Verge isn't wholly accurate in terms of the seriousness of the matter.
With the upcoming announcement of the new industry partnership being rumoured as being a German bank, this issue, if not resolved effectively, could lose them the partnership and reduce public trust in both crypto and Verge, simply because it will be seen as another failure.
In terms of the actual privacy of the coin, the maliciously mined coins can be tracked using a block explorer, bringing into question how private the blockchain currently is.
I have absolutely no idea which way this will go - either way it's not good.
There is potential for it to be fixed and with the strength of the Verge community, the price of the coin could still maintain its action in the run up to the partnership announcement.
There is equally as much chance that this could implode bringing Verge to its knees and seeing a mass sell off of the coin, leaving many out of pocket.
My aim with posting this is to inform and give everyone the opportunity to look into this further themselves, and make whatever decisions they want regarding any Verge XVG they currently hold.
This post is a summary of the thread linked below and all details of this situation are there, with all links to relevant sites to verify the information given. Please look into this further, and learn as much as you can, so you are as informed as you want to be:
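Added example, not part of the original post and not Verge's code: a heuristic that audits a list of block headers for the two behaviours the post describes (an algorithm reused before the five-algorithm rotation completes, and a timestamp older than the previous block), then groups the flagged heights into ranges like the two listed in the post. The header field names, algorithm labels, `tolerance` parameter and sample data are assumptions constructed for illustration.

```python
# Heuristic audit of block headers, following the post's description of the
# rotation rule. Field names ("height", "algo", "time") are hypothetical.
BLOCK_REWARD = 1560   # XVG per block, the figure quoted in the post
ALGO_COUNT = 5        # the post says five algorithms are used in rotation

def flag_blocks(headers, tolerance=0):
    """Return {height: [reasons]} for blocks that break the described rules."""
    flagged = {}
    for i in range(1, len(headers)):
        prev, cur = headers[i - 1], headers[i]
        recent = {h["algo"] for h in headers[max(0, i - (ALGO_COUNT - 1)):i]}
        reasons = []
        if cur["algo"] in recent:
            reasons.append("algorithm reused before rotation completed")
        if cur["time"] + tolerance < prev["time"]:
            reasons.append("timestamp older than previous block")
        if reasons:
            flagged[cur["height"]] = reasons
    return flagged

def group_runs(heights):
    """Collapse flagged heights into inclusive (first, last) ranges."""
    runs = []
    for h in sorted(heights):
        if runs and h == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], h)
        else:
            runs.append((h, h))
    return runs

def estimate_reward(runs):
    """Coins minted inside the flagged ranges at the post's per-block figure."""
    return sum((last - first + 1) * BLOCK_REWARD for first, last in runs)

# Constructed sample: six blocks in rotation, three same-algorithm blocks
# (the first one back-dated), then the rotation resumes. "A".."E" are labels.
SAMPLE = [
    {"height": 100, "algo": "A", "time": 1000},
    {"height": 101, "algo": "B", "time": 1030},
    {"height": 102, "algo": "C", "time": 1060},
    {"height": 103, "algo": "D", "time": 1090},
    {"height": 104, "algo": "E", "time": 1120},
    {"height": 105, "algo": "A", "time": 1150},
    {"height": 106, "algo": "A", "time": 1100},
    {"height": 107, "algo": "A", "time": 1101},
    {"height": 108, "algo": "A", "time": 1102},
    {"height": 109, "algo": "B", "time": 1180},
]
```

Flagged ranges are a starting point for manual review in a block explorer; a range on its own does not show which chain a node should treat as valid.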