Hacker mines up to $1 million in Verge after exploiting major bug

Earlier this week, investors in the popular privacy-oriented Verge (XVG) cryptocurrency received disquieting news.

According to a forum post, a malicious miner appeared to have found a way to subject Verge to a widely-hypothesised blockchain takeover called a “51% attack”.

In layman’s terms, someone was exploiting the majority of the mining power of the blockchain, potentially gaining power over its currency generation.

Theoretically, this could happen if a single miner suddenly acquired lots of computing power to ramp up its hashrate (equivalent to its currency-generating horsepower) but this time it appeared the reason was simpler – the attacker had found bugs in Verge’s software:

According to someone called OCminer:

Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp. When you submit a mined block, as a malicious miner or pool, you simply set a false timestamp to this block one hour ago and XVG will then “think” the last block mined on that algorithm was one hour ago.

Your next block, the subsequent block, will then have the correct time. And since it’s already an hour ago – at least that is what the network thinks – it will allow this block to be added to the main chain as well.

Because Verge uses five different algorithms for successive mined blocks, this shouldn’t be possible. However, the time stamp spoofing bug had allowed the attacker to mine the currency using only one, Scrypt, at a greatly accelerated rate.

With anxiety rising, Verge’s official Twitter feed claimed that this was not a dreaded 51% attack after all:

Equally, others pointed out, this “small attack” had allowed the attacker to generate 1,560 Verge per second ($80 per second) which, depending on how long this rate was sustained, could represent anything from a few thousand dollars to approaching a million.

Inconveniently, fixing the issue would require what amounted to a hard fork in Verge, a major upgrade requiring all miners to upgrade to a new protocol and blockchain.

Verge experienced metamorphosis before when it emerged from a rebranding of a currency called DogeCoinDark in 2016, itself an earlier hard fork of the cultish Dogecoin.

The Verge community has been left arguing about what this fork achieved as a defence mechanism, with some describing it as botched.

Argued one analysis:

The XVG team erroneously forked their entire network to ‘undo’ the exploited blocks, but this resulted in the entire network being unable to sync.

Meanwhile, it looks as if the attacker will keep the Verge mined during the attack.

This isn’t the first time a software bug in a cryptocurrency blockchain has created money out of thin air – a less serious issue allowed something like this to happen to Coinbase last month.

What will seem extraordinary to outsiders is the confusion surrounding what did or didn’t happen to Verge during this attack, let alone the fact it happened at all.

To sceptics, it’s another warning that blockchains are not the infallible concept some have claimed.