News reaching Ethereum World News indicates that the popular privacy coin Verge (XVG) is currently the victim of an ongoing hack that is exploiting vulnerabilities to print out $1,000 worth of XVG by the minute. According to the report, the bug in the software is similar to the one that was exploited only last month. At the time, the bug was given the name ‘Time Malleability’ and was exploited by hackers manipulating the timestamp during mining.
All the miner had to do (last month) was to provide a ‘spoofed’ timestamp on the block that was an hour earlier than the actual time. The XVG protocol would then think that the last block mined on that algo was one hour ago. In the subsequent block with the current time, the protocol would allow this ‘fake’ block to be added to the main chain as well.
It was in effect creating new coins out of thin air by playing around with the timestamp of the blocks. The XVG team rushed to fix this bug, but the fix has since been described as a ‘Band Aid’ by users on BitcoinTalk.org, who had this to say about the earlier hack and the current one, which is still minting XVG out of thin air:
Since nothing really was done about the previous attacks (only a band-aid), the attackers now simply use two algos to fork the chain for their own use and are gaining millions.
Both algos, scrypt and lyra2re, can be rented easily for a few bucks at nicehash; they simply send one block scrypt, after that a block lyra2re, and so on, all with manipulated timestamps, thus lowering diff to the lowest possible and mining several blocks per minute like this.
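A monitoring node could flag the pattern described above with a check like the following. This is an added example, not code from the article, the forum post or the Verge project; the Block record, its 'seen' receipt-time field, the reason labels and all thresholds are assumptions, and the sample blocks are constructed.

```python
from collections import namedtuple

# Hypothetical record: 'ts' is the time claimed in the block header, 'seen' is
# when our own node received the block (Unix seconds). Names are assumptions.
Block = namedtuple("Block", "height algo ts seen")

def flag_timestamp_abuse(blocks, max_skew=600, window=60, max_in_window=4):
    """Return {height: [reasons]}; thresholds are illustrative, not Verge's."""
    findings, last_by_algo = {}, {}
    for i, b in enumerate(blocks):
        reasons = []
        # 1. Header claims a time far behind when the block actually arrived.
        if b.seen - b.ts > max_skew:
            reasons.append("stale-timestamp")
        # 2. Claimed gap since the previous block on the same algorithm is much
        #    larger than the observed gap, so that algorithm looks idle.
        prev = last_by_algo.get(b.algo)
        if prev and (b.ts - prev.ts) - (b.seen - prev.seen) > max_skew:
            reasons.append("inflated-algo-gap")
        last_by_algo[b.algo] = b
        # 3. More blocks arrived inside the window than the threshold allows.
        burst = sum(1 for p in blocks[: i + 1] if b.seen - p.seen < window)
        if burst > max_in_window:
            reasons.append("block-burst")
        if reasons:
            findings[b.height] = reasons
    return findings

# Constructed sample: three ordinary blocks, then spoofed/current-time pairs
# on scrypt and lyra2re, the two algorithms named in the forum post.
T = 1_000_000
SAMPLE = [
    Block(100, "scrypt", T, T + 2),
    Block(101, "lyra2re", T + 30, T + 31),
    Block(102, "scrypt", T + 60, T + 62),
    Block(103, "scrypt", T + 65 - 3600, T + 65),   # claims one hour earlier
    Block(104, "scrypt", T + 67, T + 67),          # current time
    Block(105, "lyra2re", T + 69 - 3600, T + 69),
    Block(106, "lyra2re", T + 71, T + 71),
]

if __name__ == "__main__":
    for height, reasons in flag_timestamp_abuse(SAMPLE).items():
        print(height, ", ".join(reasons))
```

The check relies on the node's own receipt time, so it only works on blocks observed live, in arrival order.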
The worrying part of this news is that the activity was still ongoing at the time Ethereum World News received the report. Reddit user Flenst had this to say with respect to the amount of XVG being minted by the minute.
Earliest block I found as a starting point is 2,155,913. https://prohashing.com/explorer/Verge/ still shows the current growth of the blockchain at around 25 blocks per minute resulting in 18250XVG or 950$ per minute for the attacker.
Currently sitting at around 650.000$ worth of XVG.
The reddit post would later be updated as follows:
Official block explorer is back online, with a WAY higher blockheight, 2.205.900 is one of the last blocks from the attacker. Roughly 50.000 blocks were possibly mined from the attacker resulting in around 1.900.000$. Still not sure what to think of this sudden stop on the official explorer, will have an eye on it.
It seems the attack is over, 35.000.000 XVG were generated in a few hours. But this also means there is still no fix and this is possible at any time again. Meanwhile the only official info out there is “mining pools are DDoS’d”.
What now worries a lot of crypto-enthusiasts, and in particular the XVG community, is the following:
- Is XVG code really ‘solid’ and secure?
- How will the possibly newly minted coins affect the value of XVG in the markets?
- Will the hacker sell all to pump and dump?
- Is the Verge Team aware or even working on the bug fix?
Current market analysis indicates that XVG is down 6.37% in 24 hours and trading at $0.0512. This is in tandem with the dip currently being experienced by the entire market.