A so-called 51 percent attack allowed malicious miners to rake in much as $1 million worth of Verge (XVG) before the cryptocurrency’s developers managed to fix the bugs allowing the miners to attack. The solution was an ‘accidental’ hard fork.
Verge had been under attack for three hours when a post on the BitcoinTalk forum appeared. The post was published by Supernova mining pool’s admin OCminer. In it, OCminer reported the attack on Verge’s blockchain, as he recognized the 51 percent attack.
According to OCminer, the attack was possible because of bugs in Verge’s code. He explained:
“Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp. When you submit a mined block (as a malicious miner or pool) you simply set a false timestamp to this block one hour ago and XVG will then “think” the last block mined on that algo was one hour ago.”
The result were roughly 10,000 new blocks produced on the cryptocurrency’s blockchain, all using the same algorithm. The attack supposedly stopped soon after OCMiner’s post, but by that time, the attacker had already managed to mine around $1 million in XVG.
Upon noticing the attack, Verge’s developers attempted to use a “quick fix” that, according to OCminer, turned out to be a hard fork on the cryptocurrency’s network. The fix, according to the forum member, won’t work either way:
“The background is that the ‘fix’ promoted by the devs simply won’t fix the problem. It will just make the timeframe smaller in which the blocks can be mined / spoofed and the attack will still work, just be a bit slower.”
Verge then published a tweet, stating that the attack was nothing serious. In fact, the team behind it even described it as a "small hash attack".
We had a small hash attack that lasted about 3 hours earlier this morning, it's been cleared up now. We will be implementing even more redundancy checks for things of this nature in the future! $XVG #vergefam— vergecurrency (@vergecurrency) April 4, 2018
While Verge’s team claimed the attack lasted three hours, OCminer claimed it was actually 13. The altcoin mining pool operator noted that it will no longer allow Supernova’s users to mine XVG.
More details on the attack later emerged on Reddit, where the user by the name of "Variable 42" stated that the attack wasn’t minor at all. The Redditor provided information on the payout the malicious miner managed to get away with, and blamed Verge’s team for the breach.
The final twist to this story came from the supposed attacker himself. On the forum, using the same thread OCminer created, a user claiming to be the attacker stated that there are even more exploits out there, and that Verge needs to up its game.
The attack came at a time in which Verge’s community expects a mysterious partnership to be revealed on April 16. The partnership, according to the cryptocurrency’s team, will be “the largest cryptocurrency collaboration to hit the market.”