Verge's Blockchain Attacks Are Worth a Sober Second Look

Published by Coindesk

Verge, a privacy-oriented cryptocurrency recently propelled into the limelight by a partnership with popular adult entertainment site Pornhub, suffered two hacks perpetrated through 51-percent attacks in which the attackers absconded with millions of dollars' worth of its native cryptocurrency, XVG. During the first attack in April, the hacker was able to get away with 250,000 XVG. And during the latest in mid-May, an attacker was able to extract $1.7 million worth of the cryptocurrency from the protocol.

Sure, verge developers were only trying to design a better cryptocurrency for payments, but by tweaking small parameters, such as the length of time a block can be valid, the group has opened its blockchain up to attacks.

"Things obviously don't look good," said Daniel Goldman, the CTO of cryptocurrency analysis site The Abacus, who's been tracking the attacks.

Since veteran blockchain developers, including litecoin creator Charlie Lee and monero lead developer Riccardo Spagni, have long argued the kinds of adjustments the platform made have obvious downsides, such naysayers - who have been readily attacked by a group of enthusiasts calling themselves the "Verge Army" - are feeling vindicated.

Because there is some information asymmetry in blockchain systems, since nodes are spread out across the globe, the attacker was able to "spoof" timestamps tied to blocks without some noticing, according to the widely circulated post by Goldman.

Or said another way, the attacker cleverly mined blocks with fake timestamps, forcing the cryptocurrency's difficulty to adjust down more quickly - making it easier for the attacker to mine even more XVG. When the first attack happened, verge developers quickly released a patch, stopping the attacker from printing more money.
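The mechanism described above, and the timestamp check that bounds it, as an added toy model (not Verge's code and not from the article). The 30-second spacing, the drift limits, the 4x clamp and every function name are assumptions chosen for illustration.

```python
# Toy difficulty retargeting with a timestamp validity check.
# Constructed for illustration; not Verge's actual algorithm or parameters.
TARGET_SPACING = 30  # assumed target seconds between blocks

# Constructed sample chain: 11 honest blocks, exactly 30 s apart.
HONEST = list(range(0, 301, 30))


def median_time_past(timestamps, window=11):
    """Median of the most recent block timestamps."""
    recent = sorted(timestamps[-window:])
    return recent[len(recent) // 2]


def accept_timestamp(chain_ts, new_ts, node_clock, max_future_drift):
    """A block's claimed time must be later than the recent median and
    no more than max_future_drift seconds ahead of this node's clock."""
    return median_time_past(chain_ts) < new_ts <= node_clock + max_future_drift


def retarget(prev_difficulty, timestamps, max_step=4.0):
    """Scale difficulty by target spacing / claimed average spacing,
    clamped so one adjustment moves at most max_step in either direction."""
    span = timestamps[-1] - timestamps[0]
    claimed_spacing = max(span / (len(timestamps) - 1), 1)
    ratio = TARGET_SPACING / claimed_spacing
    ratio = min(max(ratio, 1 / max_step), max_step)
    return prev_difficulty * ratio


def next_difficulty(chain_ts, new_ts, node_clock, max_future_drift, difficulty):
    """Return the difficulty after new_ts is appended, or None if a
    validating node would reject the block for its timestamp."""
    if not accept_timestamp(chain_ts, new_ts, node_clock, max_future_drift):
        return None
    return retarget(difficulty, chain_ts + [new_ts])


if __name__ == "__main__":
    clock = 330  # validating node's local time when the block arrives
    # Honest timestamp: difficulty is unchanged.
    print(next_difficulty(HONEST, 330, clock, 7200, 1000.0))
    # Timestamp far ahead of real time, permissive window: difficulty drops.
    print(next_difficulty(HONEST, 6330, clock, 7200, 1000.0))
    # Same timestamp, tight window: the block is rejected outright.
    print(next_difficulty(HONEST, 6330, clock, 60, 1000.0))
```

The wider the window in which a claimed timestamp is accepted, the more a single block can distort the claimed spacing that the retargeting step trusts.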

With the attack last month, it seems the patch only went so far and the attacker found another way to execute the same hack, displaying how difficult it can be to architect a distributed system that isn't vulnerable to attacks.

After a period of little communication from verge's developers, CryptoRekt, the pseudonymous author of the verge "Blackpaper," took to Reddit on May 31, saying that all of the verge team would "never intentionally do anything to besmirch or hurt this project."

Still, this attack reflects poorly not only on verge itself, but also on organizations that have partnered with the verge team, Pornhub included.

While 51-percent attacks have typically been viewed as hard to execute, Liquidity Network's Gervais argued that new data appears to show that it's easier than many previously thought.