- Joined
- Jul 22, 2017
https://www.bleepingcomputer.com/ne...enerate-verge-cryptocurrency-out-of-thin-air/
supranova shuts down their XVG pools https://bitcointalk.org/index.php?topic=3256693.msg34004928#msg34004928 (https://archive.fo/D0aqW)
Hacker Uses Exploit to Generate Verge Cryptocurrency out of Thin Air
By
Catalin Cimpanu
- April 5, 2018
- 12:20 PM
An unknown attacker has exploited a bug in the Verge cryptocurrency network code to mine Verge coins at a very rapid pace and generate funds almost out of thin air.
The Verge development team is preparing a hard-fork of the entire cryptocurrency code to fix the issueand revert the blockchain to a previous state before the attack to neutralize the hacker's gains.
Verge devs: Not a >51% attack
The incident took place yesterday, and initially, users thought it was a ">51% attack," an attack where a malicious actor takes control over the more than half of the network nodes, giving himself the power to forge transactions.
Rumors swirled around all day yesterday, as users feared the attacker might use his dominant network position to siphon funds from their accounts.
The Verge team eventually came out and clarified the details surrounding the incident, denouncing rumors of a 51% attack, but not revealing additional info about the real cause of the incident.
was not a 51% attack, and it only some blocks were affected during a 3 hour period, not 13 hours.
— vergecurrency (@vergecurrency) April 4, 2018
Nonetheless, users who looked into the suspicious network activity eventually tracked down what happened, revealing that a mysterious attacker had mined Verge coins at a near impossible speed of 1,560 Verge coins (XVG) per second, the equivalent of $78/s.
Under normal circumstances, a single miner wouldn't have ever been able to receive such a high reward for processing Verge blockchain computations.
Hash attack lasted only three hours
The malicious mining lasted only three hours, according to the Verge team, who promised to fix the bug in a hard-fork that's expected later today.
We had a small hash attack that lasted about 3 hours earlier this morning, it's been cleared up now. We will be implementing even more redundancy checks for things of this nature in the future! $XVG #vergefam
— vergecurrency (@vergecurrency) April 4, 2018
According to unofficial estimations, some users who tracked the illegally mined funds on the Verge blockchain said the hacker appears to have made around 15.6 million Verge coins, which is around $780,000.
News of the hash attack and the fear of a sudden influx of new Verge coins led to a drop of between 7% and 8% in Verge's exchange rate. According to CoinMarketCap, Verge is today's 21st largest cryptocurrency based on market cap. This is the second security incident involving the Verge dev team, with a mysterious hack happening last fall. The Verge team did not respond to a request for comment before this article's publication.
supranova shuts down their XVG pools https://bitcointalk.org/index.php?topic=3256693.msg34004928#msg34004928 (https://archive.fo/D0aqW)
Okay guys, as the shit keep hitting the fan harder and harder here I need to take a few steps to actually end that drama for me:
Suprnova will not reopen any of it's XVG/Verge pools for mining whatsoever. You can mine it freely on any different pool if you like. Withdrawals are possible of course.
The background is that the "fix" promoted by the devs simply won't fix the problem. It will just make the timeframe smaller in which the blocks can be mined / spoofed and the attack
will still work, just be a bit slower.
Also the over 20 Million XVG which were instamined by the attacker won't be blacklisted, reverted, filtered or rolled-back in anyway according to the verge-dev, so in my opinion you all (the miners and investors) got betrayed about that 20 M coins .. For some it might be only a few coins, for some it might be a lot.. For some this might all be drama for them, I see you there of course..
Just to clarify a few last things:
1. The fix won't fix it. The problem is not alone the drifttime, but also the algo variance. You have to make sure that not X blocks get mined on one algo.
Myriad and digibyte had the same issues - they fixed it.
Here's a possible fix for the issues: https://github.com/digibyte/digibyte/pull/15
Please DON'T just merge the code like you see it in that commit, you need to actually find the right places in your code and merge it. It's a slightly different codebase, so it won't work
with just copy & paste, you actually have to understand and rewrite it to fit to your needs.
2. It's possible to blacklist certain addresses within the blockchain. So if you know on which addresses hacked funds reside, you can simply "blacklist" them directly in the codebase of the coin.
For example you know that the attacker has used address "123abc123acb123abc" as the root for his hacked funds. You can now - at anytime - update your wallet code and just say
"orphan all transactions with the root address "123abc123acb123abc". So even if the hacker moves the funds NOW or in one year, it won't happen as you've blacklisted the originating address.
This was done previously also, not on myriad but on another coin - I can also find that commit for you.
3. I was getting blamed for "judging" too early and posting this info publicly on bitcointalk. I've mixed feelings about this.. Yes, I could have spoken silently to the devs at first and tell them "hey,
something weird is going on on your blockchain" - however in the same time my miners were asking why the pool wasn't finding blocks and I already saw the first tweets about "skimming" and
stuff.. So.. What to do ? Keep the info about the hacker silent with the devs and wait 3-4 days for a (non-working) fix and get my reputation killed totally or just go for a public post about it
and shutdown the pools ? I know, it's a difficult decision and my decision might have been wrong, but hey, I'm neither the attacker nor am I the guy responsible for the coin.. Also I was a bit
astonished that I was actually the first to report the problem.. I was expecting devs watch their coin closely and come up with fixes upfront.. or at least know about what happend.
In my opinion the optimal handling for this problem probably would have been something like this:
1. Contact pools and exchanges to shutdown mining and trading
1a. Tweet/Inform miners about the problem and tell them it's been worked on but takes it's time.
2. Talk about possible problems and mitigation practices with devs/exchanges and pools.. Create a "conference room" for this for example and invite all necessary people there.
3. Find a resolution, roll back the chain or at least filter the malicious coins (as someone as a (big) advantage here which he shouldn't, or?? So some others have a big disadvantage, or not ?)
4. Go back online with the resolution and back to mining.
Least but not last here's a chatlog from a few moments ago, sorry for posting the drama but I just can't let it stand like it is at the moment.. If you don't want to read drama, just skip the part:
And yes, I might be a bit upset there as well, sorry, next time I'll be more precise and "nice"
...
[16:08:43] <vergeDEV> yes i put it in both branches
[16:10:11] ed__ (319465d0@gateway/web/freenode/ip) joined the channel
[16:12:43] <ocminer> hmm no filtering/rollback of the attackers coins ?
[16:12:55] <ocminer> thats over 20 mills for him...
[16:13:08] <vergeDEV> we dont do rollbacks.
[16:13:16] <vergeDEV> we roll forward
[16:13:17] <@Epsylon3> i imagine the mess :p
[16:13:31] <@Epsylon3> the only this you can do is tracking the coins
[16:13:38] <vergeDEV> ocminer, would have been great if you contacted someone from our team. by you putting this on bitcointalk, you invited a ton of other people to attack as well.
[16:13:39] <@Epsylon3> talking with exchanges
[16:14:01] <vergeDEV> also your quote The vergeDEV @ Discord says "everything is okay - there's nothing to fix"..
[16:14:03] <vergeDEV> thats bullshit.
[16:14:05] <vergeDEV> i never said that
[16:14:15] <vergeDEV> why are you quoting me saying something i never said?
[16:14:18] <ocminer> -.-
[16:14:25] <vergeDEV> i already talked to bittrex and binance, theyre updated
[16:14:55] <ocminer> you just don't understand what this is all about
[16:16:02] <vergeDEV> how so?
[16:16:14] <vergeDEV> i do understand. we are having blocks injected with spoofed timestamps.
[16:16:20] <@Epsylon3> what the amount mined per day ?
[16:16:22] <@Epsylon3> is*
[16:16:24] <vergeDEV> and i never said "everything is okay - there's nothing to fix"
[16:16:46] <@Epsylon3> i need to add a script command for that :p
[16:16:54] <ocminer> also your commit won't fix it
[16:16:57] <ocminer> but ..
[16:17:12] <ocminer> go ahead and "move forward"
[16:17:14] <vergeDEV> ~4mill/day
[16:17:17] <@Epsylon3> XVG: current block_time set in the db 0mn35 (35 sec)
[16:17:18] <@Epsylon3> XVG: avg time for the last 2048 blocks = 0mn13 (13 sec)
[16:17:18] <@Epsylon3> XVG: avg time for the last 1024 blocks = 0mn31 (31 sec)
[16:17:35] <@Epsylon3> my script dont go so far :p
[16:17:51] <ocminer> 12000 * 1560 = 18.7 mills already
[16:17:53] <@Epsylon3> XVG need 20x that :p
[16:18:30] <vergeDEV> yeah it wasnt that bad until ocminer posted it on bitcointalk, and then everyone and their mother joined in.
[16:18:51] <vergeDEV> and also misquoted me completely
[16:19:00] <ocminer> lol, now you're blaming me for an attack on your blockchain ? srsly ?
[16:19:07] <vergeDEV> did i blame you?
[16:19:09] <@Epsylon3> 2026860 now... 2000000 was 2018-04-01 17:39:37
[16:19:11] <vergeDEV> i said the attack wasnt as bad
[16:19:14] <ocminer> [16:18:30] <vergeDEV> yeah it wasnt that bad until ocminer posted it on bitcointalk, and then everyone and their mother joined in.
[16:19:15] <vergeDEV> it was worse after
[16:19:20] <@Epsylon3> 3 days..
[16:19:25] <@Epsylon3> 4
[16:19:27] <vergeDEV> yes that is correct. congrats, you got a quote correct
[16:20:03] <@Epsylon3> so yep, maybe not 12000 blocks
[16:20:14] <@Epsylon3> i may create a script to check :p
[16:20:49] <@Epsylon3> Height: 2010000
[16:20:49] <@Epsylon3> Time: 2018-04-04 14:22:01
[16:21:03] <@Epsylon3> after first hack so
[16:21:31] <@Epsylon3> will do the script, i like right numbers
[16:26:22] <ocminer> listen.. kid... you have a absolutely trashy shitcoin pumped in heaven through that tweet from john mcafee back in that day.. you probably made a lof of money by that idiot tweeting xvg to the moon.. you should have used the chance and invested some of that money and invest it into a decent dev team, as seriously, and everyone knows that, you have not the slightest idea of coding whatsoever... If you've had done that, you could have patched your
[16:26:22] <ocminer> super-old codebase already to a super-recent codebase like myriad or digibyte and wallets would't have memory leaks all over, wouldn't take >30 mins until they startup and also those two drama's with the earlier tor hardforks wouldn't have happen. I'm not the guy who "keeps bullshit silent" - when I see something is happening, I report it - immediately and from my POV your users/miners have been betrayed by over 20 M coins which were injected
[16:26:22] <ocminer> maliciously into the blockchain... This is not a kiddo script hack and my post didn't change anyhting but just revealing what is happening at the moment (as you didn't notice yourself until I came into your hostile discord) and it's not a bad thing to post that publicly. You know see me as your enemy or whatever - I don't care, if you want to continue with your coin, go ahead, surely without me, but this should be your utmost last warning - think
[16:26:22] <ocminer> about yourself, think about how you make decisions and maybe come down a bit from your emperor throne and get help from professionals if you can't handle it alone... You'll see what happens after your HF - nothing, guaranteed, because you don't fix the root cause of this.
[16:26:27] vergeDEV (~sunerok@unaffiliated/sunerok) left IRC (Ping timeout: 240 seconds)
[16:26:50] <ocminer> And Epsylon3 ... you
[16:27:04] <@Epsylon3> i slept
[16:27:09] <@Epsylon3> :p
[16:27:22] <phm87> Hi, sorry I come back late
[16:27:23] <ocminer> 're not much better than him.. only looking for the profits here.. .your miners also lost a lof of coins during the network was stalled and the 15k blocks mined...
[16:27:34] <phm87> I am running unimining where there is XVG
[16:27:36] <@Epsylon3> you are wrong
[16:27:38] <phm87> (on blake2s)
[16:27:39] <ocminer> if you'd be honest, you'd shutdown the pool and let him fix his shit up
[16:27:41] <@Epsylon3> i stopped the pool the whole day
[16:28:02] <@Epsylon3> and answered everyone why
[16:28:08] <ocminer> it's up and running already, without any fix for the malicious coins
[16:28:10] <@Epsylon3> lot of spam
[16:28:16] <@Epsylon3> took the whole day
[16:28:37] <@Epsylon3> i pasted the fix i made this morning
[16:28:38] <phm87> sorry I will read what you said few minutes ago, I am late but I'll shut the pool if coin dev say so then I can explain to my miners that I follow coin dev orders
[16:28:52] <phm87> when a coin explodes randomly and coin dev don't care then I delist it
[16:28:58] <@Epsylon3> which is the commit, with proper knowledge and amount of seconds
[16:29:04] <phm87> but XVG risk is high for Uni so I may delist it
[16:29:07] <ocminer> that fix from him is just bullshit, it changes nothing, just the timespan of which they do the attacks.. .they will be slowed down a bit, but that's all
....
This will be my last dealing with XVG. I don't like to get cheated and blamed. As a miner myself I care for what I mine and I care for others as well - you can take it or leave it.
Rest assured there will be lots of pools you can still mine on, no problem at all will occur.
Also Congratulations to the Hacker - you've chosen the right coin for your hack (which was invented in 2014 btw) - don't buy too many Lambos with your > 20M Verge... so what.. About 1 Million $ now ?
