Hackers Exploit Verge Flaw Again to Steal $1.7m of XVG

Avi Rosten
  • Hackers appear to have exploited the same flaw used in a similar attack in April to steal even more of the cryptocurrency
  • Posting on Bitcointalk.org, user Ocminer showed how 35 million XVG was taken

Verge appears to have been hacked for a second time in two months - with the anonymous cryptocurrency again exploited by hackers to steal a substantial amount of XVG.

In an attack very similar to April's and lasting a few hours, hackers have apparently stolen 35 million XVG - worth more than $1.78 million according to CryptoCompare.

According to Bitcointalk.org user Ocminer, the admin of the Supernova mining pool and the same user who pointed out the attack in April, the new attack exploited exactly the same glitch as the previous one - only this time far more was stolen.

Last month, Ocminer explained that weaknesses in Verge’s code allow for such attacks:

"Usually to successfully mine XVG blocks, every "next" block must be of a different algo.. so for example scrypt, then x17, then lyra etc. Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp. When you submit a mined block (as a malicious miner or pool) you simply set a false timestamp to this block one hour ago and XVG will then "think" the last block mined on that algo was one hour ago.. Your next block, the subsequent block will then have the correct time.. And since it's already an hour ago (at least that is what the network thinks) it will allow this block to be added to the main chain as well."

Ocminer

In this way, malicious users were able to mine thousands of blocks only seconds apart and earn hundreds of thousands of XVG, and this time millions, in a very short space of time.
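The pattern Ocminer describes (block timestamps jumping about an hour backwards, followed by blocks only seconds apart) can be looked for in block-explorer data. The following is an added example, not code from Verge or from the original article; the header tuples, thresholds and function names are constructed for illustration, and the median-time-past check is the rule Bitcoin uses, swapped in here as a reference point.

```python
from statistics import median

# Constructed headers (height, algo, unix-style timestamp); not real chain data.
SAMPLE_CHAIN = [
    (100, "scrypt", 10_000), (101, "x17", 10_030), (102, "lyra", 10_060),
    (103, "scrypt", 10_090), (104, "x17", 10_120),
    (105, "scrypt", 6_521),   # stamped roughly one hour in the past
    (106, "scrypt", 10_122),  # honest clock again, 2 s after block 104
    (107, "scrypt", 6_523),
    (108, "scrypt", 10_124),
]

def median_time_past(chain, index, window=11):
    """Median timestamp of up to `window` blocks preceding chain[index]."""
    prior = [ts for _, _, ts in chain[max(0, index - window):index]]
    return median(prior) if prior else None

def flag_suspicious(chain, max_regress=600, min_spacing=5):
    """Map block height -> list of reasons it matches the spoofing pattern.

    max_regress and min_spacing (seconds) are assumed thresholds for this demo.
    """
    findings = {}
    newest = None  # highest timestamp seen so far
    for i, (height, algo, ts) in enumerate(chain):
        reasons = []
        mtp = median_time_past(chain, i)
        if mtp is not None and ts <= mtp:
            reasons.append("timestamp not after median-time-past")
        if newest is not None:
            if newest - ts > max_regress:
                reasons.append(f"timestamp regresses {newest - ts}s")
            elif 0 <= ts - newest < min_spacing:
                reasons.append(f"only {ts - newest}s after newest block")
        if i > 0 and chain[i - 1][1] == algo:
            reasons.append("same algo as previous block")
        if reasons:
            findings[height] = reasons
        newest = ts if newest is None else max(newest, ts)
    return findings

if __name__ == "__main__":
    for height, reasons in flag_suspicious(SAMPLE_CHAIN).items():
        print(height, "; ".join(reasons))
```

On the constructed sample, blocks 100 to 104 pass cleanly while 105 to 108 are flagged; a node enforcing the median-time-past rule at validation time would have rejected blocks 105 and 107 outright.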

In response to the previous attack, Verge implemented a hard fork on the 4th of April designed to rectify the flaw.

What is interesting, however, is that Redditors at the time pointed out that the measures did not actually eradicate the vulnerability - a claim which seems very much to have been borne out by this latest attack.

As of the time of writing, Verge seem not to have acknowledged the scale or nature of the attack - and have instead attributed it to a DDoS (distributed denial-of-service) attack against some XVG mining pools: