Privacy-centric cryptocurrency Verge (XVG) has adopted an emergency hard fork to address a bug that allowed a malicious miner to exploit the network’s mining algorithm for a seven-figure payday.
The attack appears to have first been discovered by BitcoinTalk user ocminer — the operator of altcoin mining pool Suprnova — who posted a thread on the forum alleging that an attacker was exploiting a bug in the Verge code that allowed miners to set false timestamps on blocks, tricking the network into adding them to the main chain.
Go ahead and read the whole thread about how Verge's #Verge $XVG entire blockchain has been compromised at this point and still is. Shoutout ocminer (legendary) for exposing this: https://t.co/XemPu8F1m3 pic.twitter.com/78C3xHL3F3
— CryptoMed (@CryptoMedicated) April 5, 2018
According to ocminer, the attack persisted for more than 13 hours on Wednesday before being resumed again on Thursday. The attacker appears to have made off with more than 20 million XVG, worth more than $1.1 million at the present exchange rate. Verge’s developers, meanwhile, claim that it only lasted three hours.
The response of Dogedarkdev — Verge’s lead developer — raised eyebrows, as the pseudonymous developer made a series of statements that attempted to downplay the severity of the situation.
Dogedarkdev said on BitcoinTalk:
“we’re kinda glad this happened and that it wasn’t as bad as it could have been,”
The developer wrote elsewhere in the thread:
“i love seeing so many people who aren’t even involved in verge talking about it though ;],”
He added that the amount of funds stolen was “insignificant” compared to the amount of Ether that has been stolen this year.
The developers released what they termed a “quick fix” for the bug, though the update was actually a hard fork. Even so, ocminer claims that the fork will not fix the problem.
“The background is that the ‘fix’ promoted by the devs simply won’t fix the problem. It will just make the timeframe smaller in which the blocks can be mined / spoofed and the attack will still work, just be a bit slower,”
Ocminer added that Suprnova will no longer allow its users to mine XVG.
Not surprisingly, the Verge price has tanked by around 25 percent over the past two days in response to the attack. XVG currently ranks as the 22nd-largest cryptocurrency, with a circulating market cap of $810 million.