Verge Hacked, Non-Fix Causes Fork, Dev Goes to Bed, Solution? Tomorrow!
Verge (XVG) has been hacked. “To successfully mine XVG blocks, every ‘next’ block must be of a different algo.. so for example scrypt, then x17, then lyra etc.,” says OCminer of Suprnova, a pool that mines countless cryptos including Verge, before adding:
“Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp.
When you submit a mined block (as a malicious miner or pool) you simply set a false timestamp to this block one hour ago and XVG will then “think” the last block mined on that algo was one hour ago.
Your next block, the subsequent block will then have the correct time.. And since it’s already an hour ago (at least that is what the network thinks) it will allow this block to be added to the main chain as well.”
That’s in effect creating coins out of thin air by exploiting the very easily changeable timestamp. The devs therefore rushed a fix to close that window. See if you can spot a difference:
“Copy-paste,” some are shouting, because the only difference is that Peercoin fixed it some three years ago. But 15 minutes might be too long, considering that Verge blocks average 30 seconds.
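To put the 15-minute figure in perspective, here is an added example (not Verge's or Peercoin's code): a drift-window timestamp check of the kind a node can apply to incoming blocks. The rule in `check_timestamp`, the tighter 120-second window and the sample blocks are assumptions constructed for illustration.

```python
from dataclasses import dataclass

BLOCK_INTERVAL = 30       # seconds: Verge's average block time, per the article
DRIFT_15_MIN = 15 * 60    # seconds: the window length the article mentions


@dataclass(frozen=True)
class Block:
    height: int
    algo: str
    timestamp: int  # seconds since epoch, as claimed by the miner


def check_timestamp(block, prev, now, max_drift):
    """Assumed rule: the claimed time may be at most max_drift seconds behind
    the previous block and at most max_drift seconds ahead of the local clock."""
    if block.timestamp > now + max_drift:
        return False, "too far in the future"
    if block.timestamp < prev.timestamp - max_drift:
        return False, "too far in the past"
    return True, "ok"


def validate_candidates(tip, candidates, now, max_drift):
    """Check each candidate against the tip; an accepted block becomes the tip."""
    verdicts = []
    for block in candidates:
        ok, _reason = check_timestamp(block, tip, now, max_drift)
        verdicts.append(ok)
        if ok:
            tip = block
    return verdicts


def slack_in_block_intervals(max_drift, interval=BLOCK_INTERVAL):
    """How many average block intervals a timestamp can still be moved back."""
    return max_drift // interval


# Constructed sample data (not taken from the Verge chain).
NOW = 1_700_000_000
TIP = Block(100, "scrypt", NOW - BLOCK_INTERVAL)
CANDIDATES = [
    Block(101, "x17", NOW),          # honest timestamp
    Block(102, "lyra", NOW - 3600),  # claims to be one hour old
    Block(102, "lyra", NOW - 600),   # claims to be ten minutes old
]

if __name__ == "__main__":
    print(validate_candidates(TIP, CANDIDATES, NOW, DRIFT_15_MIN))
    print(validate_candidates(TIP, CANDIDATES, NOW, 4 * BLOCK_INTERVAL))
    print(slack_in_block_intervals(DRIFT_15_MIN))
```

Under the 15-minute window the one-hour backdated block is rejected, but a ten-minute backdated one still passes, because 15 minutes spans 30 average block intervals at Verge's 30-second pace.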
In any event, it seems the dev did not realize this was a hard fork. Updated clients that incorporated this “fix” just stopped working. The hero Verge needs, OCminer, said:
“You guys are aware that the ‘fix’ you pushed actually IS a hardfork? So your blockchain snapshot is not valid anymore, the wallets won’t sync up from scratch anymore and the current chain is simply not usable anymore with that new ‘fix’?”
No problem. Remove the ‘fix.’ Dev got to sleep now though, so keep the attack running, we sort this out tmrw. Dev says:
“Yeah we removed that, and we’re doing a full fork update with extra block verifications. Will be ready by tmrw =]”
There will be no roll-back, yet Sunerok, or Justinforvendetta, Verge’s seemingly pseudo-anonymous developer who says he’s from deep-space in his social profiles, stated:
“Mobile wallets are not affected. Tomorrow just the qt wallets will need to be replaced with a new version.”
Tomorrow! Apparently all is fine though because loads of eth have been stolen too. Yet none, as far as we are aware, have been stolen from protocol bugs.
And when eth had a way more benign attack back in 2016 that was just a DDoS of sorts, an army of eth devs stayed up all night then went to the Devcon conference the next morning.
While here we have a protocol bug exploit that prints money out of thin air, a developer that apparently can’t even fix it, and when he makes a mess trying to fix it throws in the towel and just goes to bed.
All this for a currency with a market cap of around one billion dollars, which has as a selling point the claim that Tor is somehow incorporated, because of course you can’t just run your bitcoin node through Tor (you can).