Verge appears to have been hacked for a second time in two months - with the anonymous cryptocurrency again exploited by hackers to steal a substantial amount of XVG.
According to Bitcointalk.org user Ocminer, admin of the Supernova mining pool and the same user who pointed out the attack in April, the new attack exploited exactly the same glitch as the previous one, only this time far more was stolen.
Last month, Ocminer explained that weaknesses in Verge’s code allow for such attacks:
"Usually to successfully mine XVG blocks, every "next" block must be of a different algo.. so for example scrypt, then x17, then lyra etc. Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp. When you submit a mined block (as a malicious miner or pool) you simply set a false timestamp to this block one hour ago and XVG will then "think" the last block mined on that algo was one hour ago.. Your next block, the subsequent block will then have the correct time.. And since it's already an hour ago (at least that is what the network thinks) it will allow this block to be added to the main chain as well."
In this way, malicious users were able to mine thousands of blocks only seconds apart and earn hundreds of thousands of XVG, and this time millions, in a very short space of time.
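The following is an added example, not Verge's code and not the fix Verge applied: it contrasts a timestamp check that only compares against the node's clock with a Bitcoin-style median-time-past check, and adds a simple detector for backdated blocks in a chain. The window sizes, function names and sample chain are assumptions constructed for illustration.

```python
from statistics import median

MTP_WINDOW = 11         # assumption: Bitcoin-style median-time-past window
MAX_FUTURE = 2 * 3600   # assumption: tolerated clock drift into the future (s)
LOOSE_PAST = 2 * 3600   # assumption: how far back the weak rule tolerates (s)

def loose_ok(chain, ts, now):
    """Weak rule: timestamp only has to fall in a wide window around local time.
    The chain is ignored, which is exactly the weakness."""
    return now - LOOSE_PAST <= ts <= now + MAX_FUTURE

def strict_ok(chain, ts, now):
    """Hardened rule: timestamp must exceed the median of the last MTP_WINDOW
    block timestamps and must not be too far in the future."""
    mtp = median(t for _, t in chain[-MTP_WINDOW:])
    return mtp < ts <= now + MAX_FUTURE

def flag_backdated(chain, max_step_back=600):
    """Detection: indexes of blocks stamped more than max_step_back seconds
    earlier than their parent (hypothetical threshold)."""
    return [i for i in range(1, len(chain))
            if chain[i - 1][1] - chain[i][1] > max_step_back]

# Constructed sample chain of (algo, timestamp) pairs, 30 s apart.
T0 = 1_526_947_200  # constructed start time
ALGOS = ["scrypt", "x17", "lyra"] * 4
CHAIN = [(algo, T0 + 30 * i) for i, algo in enumerate(ALGOS)]
NOW = CHAIN[-1][1] + 30
BACKDATED = NOW - 3600  # a block stamped "one hour ago", as in the quote

if __name__ == "__main__":
    print("loose rule accepts backdated block: ", loose_ok(CHAIN, BACKDATED, NOW))
    print("strict rule accepts backdated block:", strict_ok(CHAIN, BACKDATED, NOW))
    print("strict rule accepts honest block:   ", strict_ok(CHAIN, NOW, NOW))
    suspect = CHAIN + [("scrypt", BACKDATED), ("x17", NOW)]
    print("backdated block indexes:", flag_backdated(suspect))
```

A node or pool operator can run the same `flag_backdated` idea over block headers pulled from their own node to spot timestamps that jump backwards relative to the parent.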
In response to the previous attack, Verge implemented a hard-fork designed to rectify the flaw on the 4th of April:
"We had a small hash attack that lasted about 3 hours earlier this morning, it's been cleared up now. We will be implementing even more redundancy checks for things of this nature in the future! $XVG #vergefam" - vergecurrency (@vergecurrency), April 4, 2018
What is interesting, however, is that Redditors at the time pointed out that the measures did not actually eradicate the vulnerability, a point which seems very much to have been borne out by this latest attack.
As of the time of writing, Verge seems not to have acknowledged the scale or nature of the attack, and has instead attributed it to a DDoS (distributed denial-of-service) attack against some XVG mining pools:
"it appears some mining pools are under ddos attack, and we are experiencing a delay in our blocks, we are working to resolve this." - vergecurrency (@vergecurrency), May 22, 2018