Another day, another cryptocurrency hack. Image: Thomas Trutschel / Contributor / Getty Images
By Stan Schroeder, 2018-04-05 15:02:38 UTC
Privacy-oriented cryptocurrency Verge (symbol: XVG) was apparently hacked Wednesday, with the attacker making off with around 250,000 coins with a value of roughly $15,000 (though some reports go as high as $1 million).
Compared to some recent crypto-related hacks, this attack was particularly nasty as it compromised the integrity of Verge’s blockchain.
The attack was discovered by ocminer, a poster on Bitcointalk forums (via Bitcoin.com), on Wednesday afternoon. According to him, a hacker used “several bugs” in Verge’s code to mine an extraordinarily large number of new blocks in Verge’s blockchain, thus rewarding himself with a lot of Verge coins.
Ocminer and several media outlets called this a “51% attack,” which is frightening as this type of attack is theoretically possible on other blockchains which rely on a proof-of-work (PoW) validation mechanism, including Bitcoin and Ethereum.
But even though this attacker technically managed to capture the majority of mining power on Verge’s network, this type of attack wouldn’t work on Bitcoin.
In plain terms: In PoW-based cryptocurrency systems, miners are people who use computing power to validate the transactions on the network and are rewarded with new coins. These systems are typically quite robust, but if any one miner (or mining pool) should capture the majority (hence the 51%) of the network’s mining power, then they can do all sorts of bad things on the network, including spending coins that were already spent (this is called double-spending).
In Verge’s particular case, it’s a little more nuanced. Verge uses five different cryptographic algorithms for mining, switching to a new one for every block, but the attacker figured out a way to fake timestamps of his blocks and mined them all with one algorithm. In this way, he was able to capture the majority of the network’s mining power with far less computing power than he’d normally need.
Nevertheless, the attack is serious as it requires a hard fork (cryptocurrency lingo for a very big upgrade that leaves the old blockchain behind and requires all participants to switch to new software) to exclude the blocks the attacker had mined.
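The faked timestamps and single-algorithm mining described above leave traces a node operator can look for. The following is an added example, not code from Verge or from the original article: a Python audit over constructed block headers that flags same-algorithm runs and implausible timestamps. The thresholds, field names and algorithm names are assumptions.

```python
from statistics import median

# Assumed policy values for this sketch, not Verge's consensus parameters.
MAX_SAME_ALGO_RUN = 1   # the article says the algorithm changes every block
MTP_WINDOW = 11         # prior blocks used for the median-time check
MAX_CLOCK_SKEW = 600    # allowed gap (s) between claimed and arrival time

def audit_chain(blocks):
    """Return (height, reason) findings for a list of block-header dicts.

    Keys: height, algo, timestamp (claimed by the miner) and received
    (local clock when the node first saw the block), in Unix seconds.
    """
    findings, run = [], 0
    for i, blk in enumerate(blocks):
        # Check 1: how many blocks in a row used the same algorithm.
        same = i > 0 and blocks[i - 1]["algo"] == blk["algo"]
        run = run + 1 if same else 1
        if run > MAX_SAME_ALGO_RUN:
            findings.append((blk["height"], f"{run} consecutive {blk['algo']} blocks"))
        # Check 2: claimed time must move past the median of recent blocks.
        prior = [b["timestamp"] for b in blocks[max(0, i - MTP_WINDOW):i]]
        if prior and blk["timestamp"] <= median(prior):
            findings.append((blk["height"], "timestamp not after median of prior blocks"))
        # Check 3: claimed time versus when this node actually saw the block.
        skew = blk["timestamp"] - blk["received"]
        if abs(skew) > MAX_CLOCK_SKEW:
            findings.append((blk["height"], f"claimed time off by {skew:+d}s"))
    return findings

# Constructed sample data: five blocks rotating through placeholder algorithm
# names, then three same-algorithm blocks whose claimed time is an hour stale.
T0 = 1_522_800_000
ALGOS = ["algo_a", "algo_b", "algo_c", "algo_d", "algo_e"]
SAMPLE_CHAIN = [
    {"height": 100 + k, "algo": a, "timestamp": T0 + 30 * k, "received": T0 + 30 * k + 2}
    for k, a in enumerate(ALGOS)
] + [
    {"height": 105 + j, "algo": "algo_a", "timestamp": T0 + 150 + j - 3600, "received": T0 + 150 + j}
    for j in range(3)
]

if __name__ == "__main__":
    for height, reason in audit_chain(SAMPLE_CHAIN):
        print(height, reason)
```

On the constructed chain, the five rotating blocks pass all three checks and only the three stale, same-algorithm blocks are reported.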
Verge’s official Twitter account tried to downplay the severity of the attack by calling it a “small hash attack” that’s been “cleared up now.”
We had a small hash attack that lasted about 3 hours earlier this morning, it’s been cleared up now. We will be implementing even more redundancy checks for things of this nature in the future! $XVG #vergefam
— vergecurrency (@vergecurrency) April 4, 2018
But Reddit and some experts seem to disagree.
And a poster on the Bitcointalk forums called IDCToken, who claims he’s responsible for the attack, said there are two more exploits in Verge’s code that could be used to perform a similar hack.
Verge’s price fell 14.6% to $0.0547 at the time of writing according to CoinMarketCap.
The attack on Verge follows a reported 51% attack on another cryptocurrency, Electroneum, though that one didn’t appear to result in much damage.
These attacks are notable as they show that even a seemingly foolproof PoW system can be tricked. Ethereum has already had one hack of large magnitude in its history while Bitcoin has mostly stood the test of time in its nine years of existence, but it’d be imprudent to completely brush off the possibility of this happening to any cryptocurrency, even the most thoroughly tested one.
Disclosure: The author of this article owns, or has recently owned, a number of cryptocurrencies, including BTC and ETH.