The Verge Hack: Is mining safe?
Recently, Verge fell victim to a hack for the second time in as many months. Within a short time, the hacker managed to take advantage of a vulnerability on the Verge blockchain and fraudulently mine coins at an extortionate rate.
How did this happen?
Ushering the phrase “51% attack” in the crypto community usually instils fear into those invested in the space. This attack is performed on PoW (Proof of Work) blockchains by acquiring minimum 51% of the network’s hashing power to control what is broadcast via the consensus mechanism. By doing so, the attacker can manipulate the blockchain. This attack can prevent other transactions from gaining any confirmations and prevents other miners from mining valid blocks.
Furthermore, this allows for a “double spend” attack to be performed. This is where coins can be sent to an address on the blockchain, then the network is moved to a different copy of the blockchain by broadcasting a version where the coins, apparently, were never spent. This way the consensus mechanism can be tricked and a record of the transaction will not exist on the new blockchain.
However, misleadingly, the recent Verge attack has been labelled as a 51% attack — this is not strictly true. In fact, the hacker was estimated to have controlled lower than 1% of the network’s hash rate. The first time round, the attacker found an exploit where he could irrefutably lower the mining difficulty on the Verge blockchain. This was done by exploiting one of Verge’s hashing algorithms and submitting blocks with incorrect timestamps. These are features exclusive to Verge; the protocol has five hashing algorithms instead of one and allows the miners to timestamp the blocks individually.
By submitting blocks with timestamps from the past and exploiting one of the five algorithms, the attacker needed very little hash power to secure the network. By entering the incorrect times in the blocks, the hacker tricked the consensus mechanism into believing that the mining difficulty was too high and the block time equilibrium was not being reached quickly enough. Thus, the mining adjustment lowered the difficulty to allow for more blocks to be submitted in a short amount of time. Moreover, by continuously submitting blocks with invalid timestamps — the difficulty continued to lower by over 99% allowing the hacker to mine over 1500 XVG per second.
Verge developers patched this issue by ensuring that sequential, previous blocks could not all by mined by the same algorithm. However, timestamps and mining difficulty were left unchanged. Cleverly, the savvy hacker then used two algorithms instead of one to mine blocks in intervals and repeat the same exploit with a minor difference.
But I thought blockchain protected against hacks?
By design, PoW blockchains do protect against these sorts of attacks, unless they reach 51% consensus or if a hacker finds fundamental flaws with the protocol. This has never been a major concern for a cryptocurrency like Bitcoin. However for smaller currencies using PoW, it can create issues.
Such attacks can even happen without obtaining at least half of the network’s hashpower, but this would be much harder without majority consensus.
Is PoW safe then?
Yes and no. To hack a blockchain and reach 51% consensus is very costly and only affects present or future blocks that are minted. It will not reverse other people’s transactions, prevent transactions from being sent or send coins that aren’t on the hacker’s wallet. It merely allows for the system to be duped. Alternatively, finding core and exploitable issues with the protocol is less expensive but far more difficult to carry out should the attack surface be reduced via a patch.
Any hack will implicitly have a negative impact on the future coin price and the credibility of the developers.
What can be done?
One way that attacks can be mitigated is by using a different consensus mechanism, Proof of Stake (PoS).
All 51% attacks have been done exclusively to PoW blockchains because there is no collateral involved. In a PoS model, in order to enter the ecosystem, one must stake their collateralised coins in escrow in order to become a masternode on the network.
Because of this, anyone who had access to these inner workings of the ecosystem would have to be truly invested in the currency to even get to a position where they could perform an attack like this. If anyone with a serious stake in a PoS system attacked the blockchain, the attack would potentially drop the price of the coin and devalue their investment.
Will PoW be phased out?
It is unlikely that PoW systems will be phased out in the near future, as Bitcoin is still the largest blockchain by some way. Yet this latest attack on Verge gives credence to the theory that PoS has superiorities.
51% attacks can frequently be prevented for PoW blockchains, but with cryptocurrencies like Ethereum considering migrating to a PoS system in its Casper update, there may not be a need to.
Moving forward
Three consecutive scandals this year have shaken the Verge community. The coin price and market cap have taken a severe hit and the developers have shown incompetence throughout this debacle. Although other PoW blockchains like Bitcoin are big enough to protect themselves against 51% attacks, alt coins with smaller market caps could be considered as vulnerable — as is the case with Bitcoin Gold and Monacoin, both of which have been targeted.
With the introduction of PoS and masternode based blockchains, this risk is mitigated, as a hack is disincentivised by design.
With regulation around the corner and many tokens looking more likely to be classed as security tokens than utility tokens, PoS blockchains are set to be more secure as the space continues to develop.
