Shortly after its official Twitter account was hijacked by rogue actors, Verge has now apparently suffered a network attack that saw over 12,000 empty blocks created.
The attack was first noted by Bitcoin forum user ocminer, an attacker reportedly leveraged a vulnerability in Verge’s code which necessitates that each block is mined with a different algorithm, wherein Verge’s protocol checks a preceding block to confirm the algorithm that was used.
ocminer revealed that the attacker was successful in mining an initial block (2007365) with a false timestamp set to one hour prior, and subsequent blocks are accordingly accepted and added to the blockchain using the same mining algorithm, Scrypt.
ocminer’s analysis reveals that the exploit effectively enabled the rogue attacker to mine one block per second starting at 12:17:47 PM, and ending at 13:51:05 on April 4th.
The attacker once again resumed operations on April 5th, and leveraged the same exploit starting at block 2014060 and ending at block 2026196.
The total sum equates to a theft of some 250,000 XVG as claimed by Verge’s development team, while community members have instead claimed that up to 3.9 million tokens could have been stolen.
While Verge’s algorithm change was designed to effectively prevent any miner or mining pool from controlling the cryptocurrency’s hashrate, the rogue miner efficiently usurped the network’s processing power for more than an hour.
After becoming aware of the incident, Verge’s lead developer – going by the handle justinvforvendetta – posted an emergency commit to Verge’s codebase to reduce the network’s maximum clock drift (where a clock “drifts apart” or desynchronizes from another clock) from two hours to just thirty seconds.
Notably, GitHub users noticed an error in calculation, where the commit was only successfully implemented after a second attempt.
The apparent attacker returned on forums to taunt the team behind Verge, quipping:
“Hey Verge Team,
get some real developers and fix your code.
We have found another 2 exploits which can make quick hashes aswell.
The (soon) Bits Team.”
The Verge team has subsequently downplayed the move, tweeting that ‘even more redundancy checks’ would be implemented in the near future.
We had a small hash attack that lasted about 3 hours earlier this morning, it’s been cleared up now. We will be implementing even more redundancy checks for things of this nature in the future! $XVG #vergefam
— vergecurrency (@vergecurrency) April 4, 2018
In the wake of the attack, numerous fraudulent Verge accounts have tailgated replies to the cryptocurrency’s official Twitter account, offering both Bitcoin and Ethereum ‘giveaways’ as a form of ‘apology’.
It remains unclear as to how Verge’s development team would proceed – the team’s choice implement its emergency fix essentially introduces a hard fork which would see consumers’ wallets cease syncing.
It remains to be seen if Verge’s development team would proceed to introduce a hard fork to rectify its blockchain’s vulnerabilities once-and-for-all.
We’ve reached out to Verge’s development team for comment, and will update this article accordingly should we receive feedback.