Verge (XVG) cryptocurrency destroyed in historic 51% attack
The Verge cryptocurrency has been effectively destroyed after a malicious player took over its network.
A cryptocurrency called Verge (XVG) has come under a fascinating and somewhat historic attack. It's the first time a major cryptocurrency (Verge is/was in the top 25 by market cap) has been successfully taken down by a fabled "51% attack". This is when a single party manages to claim more than half of the computing power on a network and take control of it. From there they can then work it like a puppet.
In this case, the network takeover was helped along by some bugs in the Verge system which allowed the attackers to essentially just take over the blockchain.
Update: 6 April 2018: The attack is still continuing despite attempted fixes. The programmer who noticed the exploit originally described it as a 51% attack, but it might simply be an ingenious exploit with a similar result, rather than a true 51% attack.
Here the attackers decided to make it spit money into their laps. The attack was first reported about 24 hours ago at the time of writing and was still continuing at the initial time of writing.
This is what it looks like.
You might be able to see it live for yourself at the Verge block explorer here. If it looks like this when you do, it means the attack is still happening.
What am I looking at?
The picture above shows a small handful of recently mined blocks on the Verge blockchain, numbered on the left-hand side. The 1,560 "Amount (XVG)" is the mining reward that should typically be dispensed to miners. At recent Verge prices of US$0.05 per XVG, each of those lots of 1,560 XVG is worth US$78. This is all more or less normal.
However, the "Timestamp" column shows that things have gone very wrong. Notice the two different timelines in the column. They are 90 minutes apart and alternating with each other. The real timeline is the later one, while the earlier one is a fake timestamp that the attacker put on some of the blocks.
The trick is that they stamped the fake time onto blocks while having more than half of the network's mining power. This tricked the Verge network into thinking that it was the real time. They combined this with a few programming holes in Verge's mining algorithm to essentially bounce the network between the past and the present, and shake new blocks out of it.
These new blocks all delivered the full 1,560 XVG mining reward and popped out at a rate of about 1 per second, rather than the more usual 1 per 30 seconds.
The attacker has about $78 worth of XVG popping out of the network every second, for a pay rate of $280,800 per hour. The attack was reported about 24 hours ago and has been running for hours, but it also took a break here and there and wasn't running consistently.
Either way, their earnings are well into the millions of dollars worth of XVG.
Now the challenge for the attackers is to dispose of that XVG in the most profitable way. They can't dump it all at once without abruptly tanking the XVG price, but there's only a short amount of time before word gets around that the Verge network may be compromised, which could tank its price anyway.
The most profitable strategy for the attackers, and the only real way to walk away with millions of dollars of real money, is to hope that the incident is downplayed enough to buy them enough time to sell off their coins.
What will happen to Verge?
Verge died today, but might continue showing some signs of life. The developers have already started downplaying the incident which is good for the attackers who can profit much more from a slower decline.
A successful 51% attack in which an attacker manages to overpower the network through sheer mining power might render the Verge coin functionally useless and effectively destroy it. But it's not entirely clear whether that's what happened, or how fixable the problems in the Verge network are.
At the same time, the bizarre mystery partnership announcement set for 16 April, coupled with the sunk cost fallacy and good old fashioned brand loyalty, means Verge prices will take an enormous hit, but almost certainly won't drop to zero.
Things are still up in the air, but the developers have supposedly announced plans for a hard fork in the near future to patch the specific vulnerability exploited in this particular 51% attack. There will probably be no rollback, which means the attackers will get to keep their coins on the new network as well.
The hard fork might do little to solve Verge's underlying vulnerability to other 51% attacks, but patching up this particular exploit could ease some nerves, while easing the prices into a more leisurely death spiral.
Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VEN, XLM, BTC, XRB
- Cryptocurrency: Commodified currency as a new category of consumer product
- Binance marks Australian expansion with 0% fees when buying BTC with POLipay
- Fluffypony steps down as Monero lead to “further decentralise” it, work on Tari
- World’s largest solar battery maker joins Australian blockchain virtual power plant
- Kraken buys Circle Trade OTC desk, Circle to focus on USDC stablecoin