☠️Verge Hacked Again 💀Bitcoin Gold Hacked — Cryptos for the Rest of Us

I didn’t end up publishing last weeks due to the GDPR confirmations/updates. Apologies for the delay!


☠️ Verge Hacked Again

What’s the Story?

Verge was hit by a double spend attack that allowed hackers to make off with at least USD1.7 million. This attack follows a similar vulnerability that cost the network USD1 million in April.

How Did This Happen?

It’s a little technical but here are the key points;

1. In blockchains, every block created has a timestamp. Since copying completed blocks across a chain takes time, many blockchains allow some leeway for block timestamps to be unordered. In Verge’s case, it’s roughly 2 hours. This is how the attacker started — they flooded the network with blocks containing a timestamp an hour behind.

2. Verge dynamically adjusts the difficulty of mining blocks, aiming for block creation to be made every 30 seconds. This contrasts with Bitcoin which adjust difficulty every 2016 blocks. Because of [1], the algorithm thought there were no blocks being created and dropped the mining difficulty dramatically.

3. Verge runs 5 separate mining algorithms. This is done to prevent concentration of mining power. This contrasts with most tokens like Bitcoin which only run one mining algorithm. Using [2], the hacker lowered the difficulty for 2 of the 5 Verge algorithms. This made it easy to control over 51% of the individual algorithms mining power. While it’s been called a 51% attack, in reality, the attacker required control of less than 10% of the total network’s nodes.

Difficulty of 2 algorithms dropped dramatically

4. Once the hacker had control of the network, they started a double-spending attack. They would send Verge to multiple exchange accounts and withdraw it immediately. While the exchange confirmed the transfers, the hacker rewrote the chain. This meant that for every 1 XVG they sent, they received multiple copies of the same token back from multiple exchanges. Effectively multiplying their holdings at the expense of the exchanges.

It’s important to understand that [4] works because of the way blockchain confirmations are made. Typically participants like exchanges will wait for transactions to be a few blocks deep in the chain before considering it ‘complete’. This is because the more blocks are on the chain, the harder it is to rewrite those historic blocks. It requires miner consensus to ‘rewrite’ the chain, which is virtually impossible without malicious collusion — or control over the majority of the network.

If you’d like a more in-depth explanation just let me know and I’ll expand on the above points.

Why Should I Care?

This follows a previous hack that occurred in April that cost the network USD1,000,000. This attack follows a similar pattern to the previous one. Losses from the previous hack were recovered by a hard fork that some think was triggered accidentally by the developers. Many are criticising Verge for their poor technology implementations.

No doubt, the Verge team started the project with good intentions. The time-based target block creation and use of 5 different mining algorithms require unique and designed to solve particular problems that exist in other cryptos.

Like most technologies, a robust solution can only come after repeated iterations. However, it seems like this particular implementation has significant risks.

💀Bitcoin Gold Hacked

What’s the Story?

Bitcoin Gold was hit by a 51% attack that allowed hackers to make off with at least USD18 million.

How Did This Happen?

Like the Verge attack, the hackers made money using a double spend attack. Unlike the Verge attack, the hackers actually gained control of 51% of the nodes. This is no small feat and would have required significant resource to pull off.

What Does This Mean?

This type of attack is costly to maintain. This means that the hackers target exchanges as they stand to make the most of them. While it’s not targeted at individuals, if such attacks push exchanges to bankruptcy, customer deposits could be affected.

The Bitcoin Gold team have advised exchanges to increase their required number of blocks before transactions are confirmed. It’s likely that confirmation times will rise across the board as fears of similar attacks grow. It’s been suggested that these hackers have unsuccessfully attempted a similar attack on Bitcoin before too.

These hacks also highlight some of the weaknesses in Proof-of-Work mining. The smaller the number of nodes, the more susceptible the token is to such attacks, although the commensurate rewards for the hackers are lower too. While it’s not entirely accurate, here are estimated costs for mounting a 51% attack on various PoW tokens.