The Verge Blockchain Has Been Compromised and the Developers Have No Clue What to Do About It

Interested in access more free crypto analysis, resources and information like this? Check out these platforms:

Telegram — t.me/CoinEducation

Twitter — www.twitter.com/cryptomedicated

This may come off as relatively surprising news since this issue has stayed largely under wraps, but recently there was a relatively substantial attack on Verge’s protocol that was successful.

Now, normally this in itself would be cause for panic. But the kicker of this situation is that it also exposed the fact that the lead dev on the project has no clue what he’s doing.

Let’s take it back to the beginning of this fiasco for a second.

What the Hell Happened?

It all started with this message on the bitcointalk forums:

URL: https://bitcointalk.org/index.php?topic=3256693.msg33924018#msg33924018

Keep that URL (https://bitcointalk.org/index.php?topic=3256693.msg33924018#msg3392401) ^ above in mind because it’s going to be the one that all these bitcointalk thread links will be posted from.

The poster of this thread on bitcointalk is a user named ‘ocminer’ and they run a mining pool that mines on Verge.

For those that are unable to read the screenshots above, the main body of the post says:

“Posted here for reference as the other Topic is self-moderated and this will probably get deleted.

There’s currently a >515 attack going on on XVG which exploits a bug in retargeting in the XVG code.

Usually to successfully mine XVG blocks, every “next” block must be of a different algo…so for example Scrypt, then x17, then Lyra etc.

Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp.

When you submit a mined block (as a malicious miner or pool) you simply set a false timestamp to this block one hour ago and XVG will then “think” the last block mined on that algo was one hour ago…Your next block, the subsequent block will then have the correct time.. And since it’s already an hour ago (or at least that is what the network thinks) allow this block to be added to the main chain as well.

This is what is going on since about 06:00 UTC of 04.04.2018.”

The user (ocminer) was also careful to provide some wallet addresses that they personally traced the hacker’s illicit transactions going to:

https://verge-blockchain.info/address/DKE3tKrXJJ2s7nCPYtE5vntBKBZKGLb2kB

https://verge-blockchain.info/address/DBbZgu2eeZfxdUiqtf1dbG3H5kExDTqzCM

https://verge-blockchain.info/address/DTnxUQ476HWeSqm5hct2astEp2EB8BQBMD

https://verge-blockchain.info/address/DMK8aqjFGUNVQibv7i3qu4pyUyXcnSHHcC

https://verge-blockchain.info/address/DN4rx2gKm7Lepa6kyZx62zJtWVLAxNBc15

https://verge-blockchain.info/address/DFSnNgjEyYkfDVJGR8BG2LdFLYbJgdtFRa

https://verge-blockchain.info/address/DAf5YdtmvTaq2gySAPtfPzv86jC9nGY1RR

https://verge-blockchain.info/address/DUCtin38xfPWvLvkAtWMJoUDefg3mu1rYQ

https://verge-blockchain.info/address/D5Gz63joDNteuMJSMuiD153hQHPN626ryw

They then follow up by saying, “From what I see there are a lot more.”

Also, at the end of the post, there is an additional edit notifying the community that they observed the 51% attack continue.

“EDIT: On 05. April the attacker started again and mined about 12k blocks again:

I skimmed the logs and saw the attacker started the new attack at around block 2014060 and stopped just now at block 2026196

..

12k blocks this time…”

Since the coinbase reward for every block mined on the Verge protocol is 1,560 coins and the attacker mined approximately 12,000 consecutive blocks (there are small block times on Verge’s protocol) — the attacker was able to successfully mine approximately 18.72 million Verge coins today alone.

At their current market price (.06 cents) as of writing this, the hacker has stolen over $1 million USD from the blockchain via these attacks.

While this number doesn’t compare to some of the larger exchange hacks we’ve seen in the cryptocommunity in the past, this attack is staggering because it’s an attack on an actual blockchain, not a centralized exchange.

The purpose of cryptocurrency was to avoid such events like this one from happening. Otherwise, crypto has no inherent advantage to regular fiat currency. Thus, it is crucial that the blockchain ledger remain immutable.

Perhaps what’s most troubling is the amount of censorship that has been reported by users in the Verge community regarding this issue.

Censorship and Purposeful Suppression of Information by the Verge Team

The Verge Team Has Willfully and Deliberately Taken Every Measure Possible to Suppress Information About This From Getting Out

A few threads on bitcointalk and other areas where Verge didn’t have control over the flow of information stood out as well.

This post, in specific, looks like it has credence:

But just to make sure, I decided to find Verge’s Telegram and see what would happen if I tried to blow the lid off of this.

Above is what I initially posted.

At the time of writing, this issue still has not been solved in the least bit and the panic is beginning to swell in the community.

Rather than actually dealing with the problem head on, the admins of all chat within the Verge protocol are suppressing all information of the hack in order to ensure that it does not become public. That is one of the main reasons for me writing this article and making sure that it gets disseminated.

Perhaps what was more disconcerting was that the prevailing opinion within the Verge Telegram channel was that these were all ‘lies’, even though the hack is very well documented and has happened as recently as a few hours before the time of writing.

The Developers on Verge Have Absolutely No Clue What They’re Doing

Below you can see the LEAD DEVELOPER of Verge “accidentally” pushing a hard fork to the entire network

This was perhaps the most disconcerting message sent in the entire thread of conversation that was started by ‘ocminer’ on bitcointalkforums (https://bitcointalk.org/index.php?topic=3256693.80 )

If you can’t read what was said, dogedarkdev (lead developer of Verge), stated, “yep.. we pushed a quick fix and most pools have already updated.. we’re already working on a whole new block verification process. We’re kinda glad this happened and that it wasn’t as bad as it could have been.”

Essentially, the lead developer of Verge just offhandedly stated that he initiated a hard fork on the Verge protocol without even issuing so much as an announcement to the community or even to the people within the thread that he was doing so.

In fact, it seems as though the lead developer of Verge was blissfully unaware of the fact that this constituted a hard fork.

Not only that, but the “update” failed to actually solve the problem.

As noted earlier in the article, this attack continued throughout the morning on April 5th and resulted in an additional 18.7 million Verge coins being illicitly mined through the chain. At the time of writing, the hacker still has not been stopped and the Verge team has been all but mum on the issue.

It seems at this point in time that their primary concern is ensuring that the word does not get out to the general public rather than actually solving the issue itself.

Here’s the response that ocminer gave to the dev that insisted that they could merely ‘push’ an update to the entire network (which never ended up working anyway):

For those that are unable to read the text of the screenshot above, ‘ocminer’ replied to the ‘dogecoindevs’ response to the issue with the following:

“Hmm, you guys are aware that the ‘fix’ you pushed actually IS a hardfork ? So your blockchain snapshot is not valid anymore, the wallet’s [sp] won’t sync up from scratch anymore and the current chain is simply not usable anymore with that new ‘fix’?

Your change simply disagrees with the attackers blocks, the first block I see from the attacker was 2007365 — so the wallets will stop syncing there and simply not progress any further.

I remember your first forking dramas when trying to fork into Tor which failed 2 times IIRC.

You should immediately refrain from that “fix” and set a proper fork-height (at least 28h) and the chain up until the fork block MUST accept blocks with the old timestamps and blocks after that fork block then only with the new timestamp.”

The advice that the miner was giving was very appropriate given the situation. However, it seems like the lead developers on Verge were simply lay people with little to no real experience in coding and replies to the thread by miners like the one below expose that:

The post above says, “U can’t fix it through time… Why wouldn’t u fix it through the prefix of current readable algorithm? I don’t know how hard is it to realise, but (1) u may call each reachable algorithm with the new block with the prefix. Like for the SHA-256–00A-, DH — 00B-, Crypt — 00C-, NightCrypt — 01N-, Keccak — 01K-, Lyra — 012-, X11–00D-, X15–01D-, Blake — 01B-, Quibit — 00Q-, Quark — 01Q-… etc
(2) Randomise it. (3) Implement Not-in-a-row accessable algorythm. Done. Too hard? — skip (1)”

After completely ignoring all of the responses and criticisms leveled in the thread, the lead developer then states:

“we are not doing a rollback and we are preparing a fork to patch this up.”

This post above was the very next reply in the thread that confirmed the claim by ocminer that the ‘patch’ or hard fork update that Verge tried to push essentially resulted in the entire chain being halted for those that had upgraded to that software. So, this more or less would knock anyone off of the network.

The lead developer comes onto the thread once more to state:

“we’re putting out an update, and it will fix it. that’s what we can do. it’s the best we can do. no, they did not 13 hours of coins. it was some blocks during a 3 hour period.

something around ~250k coins, and the attack probably cost alot more than that, luckily.

we are glad this was brought to our attention, and we are already working on a sophisticated block verification routine.”

As noted in the beginning of this article, the total of “250k coins” is a gross underestimation. There were at least 18 million XVG coins stolen according to the blockexplorer’s data and known malicious wallets that were receiving the currency.

The user ‘ocminer’ also attempted to correct the lead developer in an immediate response:

Here he states, “Sorry this is not true, the attack started on block 2007365 and ended on block 2010039 = 2674 blocks, okay lets say 2500 blocks…

One Block makes about 1560 coins, so you have 2500 * 1560 = 3.900.000 “extra” coins generated (at least!) ….

I’ve listed a few of the attackers addresses in the first post.. Just check them, check the balance and if you’re curious, just go through all the blocks during that timespan and sum them up.. It’s actually easy when you have a blockexplorer database running.. You can do it via SQL query.”

In response to a user requesting that the mods cease censorship of the hack, the Verge lead developer merely says that it has “already been addressed in both places.”

Based on the screenshot that I provided above when I came into the Verge Telegram, it appears that there’s actually still a good portion of the community that is blissfully unaware that such an event occurred and is still a major systemic threat to the blockchain itself.

More responses like this one by the lead developer show the gross incompetence, unprofessionalism, and callous indifference to a major exploit in the blockchain:

Above, you can see that a user asked the lead developer, “Looking at the block explorer some of the new blocks are still out of order according to the time stamps. Doesn’t that suggest the exploit is still being used? I’m just having a hard time trying to figure out why you believe it only happened for 3 hours. What’s to stop the exploit from being used for the rest of the night, therefore stealing more than 250k coins?”

Rather than actually addressing the user’s questions, they stated, “nothing, until we release the updated wallets. the way i see it, is this attack has a cost, and will end when we push the update. you aren’t invested in verge though, so why are you so concerned?”

What makes the situation sadder is that we can see that the lead developer was beginning to flagrantly lie to people about the chain.

The lead developer stated: “not all blocks during that time were mined by them, i checked. it was much less than half from what i saw across the other pools.”

Ocminer, the original poster (OP) then responded by stating, “Well.. I checked it as well, in fact I’ve got the logfiles and started working through them but I have other things todo instead of going through logfiles.. From what I see 95% of the blocks during that time went to “them”.. And i’m pretty certain about that..

Okay, lets say they STILL don’t have ALL of the blocks (which is wrong), there were STILL almost 3000 blocks generated during a very short time, so over 3.900.000 coins (at least) were extra-generated… Where did they go ? I don’t see those blocks on the “big” pools…”

Everything that he said in response is a verifiable fact and more than enough evidence, information, links, and other leads had been posted in the thread to corroborate as much by multiple users.

The lead dev chose instead to ignore all this information and lie willingly to all those about what’s going on.

Conclusion

This issue is still ongoing at the time of writing and the chance that the developer(s) of Verge actually come up with an adequate fix that’s going to solve this issue seems to be zilch to none at this point. During this entire situation, the lead developer of the damn project was consistently exposed for his lack of knowledge regarding general blockchain developer practices and had to be schooled numerous times on things that intuitively would/wouldn’t work in attempting to solve a problem like this. The lead developer was even given some potential solutions to fix the problem, but has refused to implement any of them thus far.

Instead, there has already been a hard fork of the Verge currency, which was ‘rolled back’, then there was another hard fork that was announced for the chain a short while later, but the nature of that hard fork is still unknown as of this point.

The lead developer for Verge has been shown on record consistently lying about the issue and attempting to downplay the situation to a much greater extent than what it was. The attacker has thoroughly exploited the blockchain to the point where they are the only ones producing any credible mining activity on the network. All other mining pools have refrained from activity on the network until a hard fork is conjured.

This situation seems like something that would reasonably take longer than a day to come up with an adequate fix and give the network enough time to upgrade without being 100% compromised by the hacker.

Protip: If you’re invested in Verge right now and haven’t sold every single Verge coin you have, what the fuck are you waiting for?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.