Forensic Evaluation of the Verge Cryptocurrency Hack

In less than two months, Verge suffered two high profile cryptocurrency hacks.

In April it was revealed that hackers had commanded the network, successfully compromised the system, and received all block mining rewards within a certain period of time. After the hack, the development team created some patches for the network protocol and performed a hard fork.

Many XVG enthusiasts would have liked to believe the worst was over. However, in May, hackers used a slightly modified version of the technique that was previously used to hack the blockchain in order to commit another major heist. For most crypto enthusiasts, the situation with Verge is a serious issue that needs to be addressed.

It seems that some mining pools are under attack by ddos ​​and we are seeing a lag in our blocks. We are working to fix this.

– vergecurrency (@vergecurrency) May 22, 2018

The general narrative is that blockchains cannot be hacked. No consideration of blockchain characteristics is ever considered complete without mentioning the fact that blockchain networks are tamper-proof. The whole premise of the emerging technology’s claim to be able to disrupt the global business process is that it is based on robust security protocols. The question that arises when things like the Verge hack happen is whether blockchains are hackproof.

As with most other concepts in the emerging industry, it takes a little nuance to answer the question in a way that only takes into account the facts. The following is an attempt at a thorough examination of the April and May 2018 Verge hack.

Short background

In April, a Bitcointalk user named “Ocminer” alerted the crypto community to a hacker’s activity on the Verge blockchain.

Between April 4 and April 6, the hacker was able to gain control of the blockchain and break down blocks of transactions much faster than would have been possible. The hacker received 1,560 XVG tokens per second during the exploit and eventually carted away $ 1 million worth of Verge coins.

Fast forward to more than a month later and Verge was back in the news when a hacker took control of the network using almost the same approach as the April attack.

This time the hacker mined blocks at a rate of 18,250 XVG tokens per minute. By the time the hack stopped, around 35 million $ 1.8 million XVG tokens had been carted away at the time of the hack.

Time malleability attacks

How did the hacker do it? It appears that the attackers are being used – time malleability attacks.

The pioneers of the decentralized technology framework built heavily on the work of Stuart Haber and W. Scott Stornetta to add timestamp documents. When a transaction block is created, it is given a digital timestamp. Remember that there are many nodes in a blockchain network, each of which operates independently, but all must come to the same conclusion, or at least a larger majority. This conclusion is known as “consensus”. There is also no hierarchy, so no node has any special distribution over any other node.

While this approach works in theory, there are some problems in practice. One of these is that not all nodes are operating at the same capacity, so the order of the blocks may not be synchronized across the network. Remember that there must always be a mutually agreed general ledger for the network. So blockchains provide a time window in which these disputes can be resolved. With the Verge blockchain, the time window is two hours. Without such a time window, the network would stall every second due to a lack of consensus.

In order for a block to be classified as authorized in the network, it must be created within the two-hour window. This became the entry point for the attack as the hacker created blocks with fake timestamps and inserted them into the blockchain. These fake timestamps showed that the blocks were from an earlier time. Since the network error is corrected every two hours, they have been added to the chain for review.

However, creating blocks of transactions is not enough for the hacker to compromise the system. The attacker still has to command the mining protocol, whereby he receives the block reward for the “fake transactions”.

Bypass mining difficulty

In addition to creating new coins, mining helps secure blockchains. Hence, the Verge hack seems to be more devastating as it attacks the core of the Verge security apparatus. Returning to the previous discussion of how blockchains work and the numerous nodes that work independently, blockchains must specify a target block time, which is the time interval between the creation of each block.

For Verge, the target blocking time is 30 seconds. Enforcing the target block time constraint is known as mining. Without mining, nodes would be sending blocks to the network for better or for worse. However, in order to send a valid block, the cryptographic problem it contains must be resolved and the solution must be accepted by much of the blockchain.

This cryptographic problem difficulty is adjusted based on the rate at which blocks are mined. As the rate increases, the difficulty increases and vice versa. A blockchain continuously adapts the mining difficulty to the current status of the network. In the Verge blockchain, an algorithm called “Dark Gravity Wave” is responsible for controlling the mining difficulty.

By creating a deluge of transaction blocks with forged timestamps from an earlier time, the difficulty control algorithm is led to believe that not enough blocks are being mined because the difficulty setting is too high. This drastically reduces the difficulty of mining.

During the April attack, mining difficulties were reported to have decreased from 1,393,093.39131 to 0.00024414. As a result, the hacker could send a block of transactions every second. Decreasing the difficulty level is still not enough to gain control of the system as everyone on the blockchain should enjoy the reduced difficulty level in mining. In order to take over a blockchain, an attacker theoretically needs at least 51 percent of the hashing power. How did the hackers do it? The answer lies in the fact that Verge uses five different mining algorithms.

Single or multiple algorithms

The standard protocol for most blockchains that use proof-of-work mining is to use a mining algorithm, usually the SHA-256. Some critics of this system point out that it creates centralized mining monopolies, which they believe contradict the philosophy of the blockchain.

Therefore, blockchains like Verge use an amalgam of five different algorithms. Those who support a multi-algorithm mining protocol agree that it is immune to ASIC dominance.

For a single algorithm blockchain, an attacker would need 51 percent of the network’s hashing power to successfully hack the blockchain. For a blockchain with multiple algorithms, the attacker only needs half the hashing power of an algorithm. This means that the hacker only has to command one algorithm.

Because of the way Verge set up multiple algorithms, the difficulty of each algorithm is adjusted independently of the others. The April hacker only needed ten percent of an algorithm that turned out to be Scrypt. The other algorithms are blake2s, X17, Lyra2rev2 and myr-groestl.

At the time of this writing, details of the Mai attack have still been filtered out, but there is concrete evidence that the hacker has taken control of two algorithms this time around. The difficulty of both the encryption and Lyra2rev2 algorithms was several orders of magnitude less than that of the other three algorithms.

Summary

Why was the hack possible?

Either through human error or the deliberate action of some people, the Verge cryptocurrency architecture has been poorly designed.

Both hacks followed the same process. First, they created blocks with fake timestamps, which drastically reduced the difficulty of mining. The hackers then took control of one / two of the mining algorithms and essentially printed money.

If lessons have been learned from the first hack, they do not appear to have been properly implemented. After the initial attack, the price of XVG rose 30 percent and Verge became an accepted form of payment by Pornhub, the largest porn website on the internet. The coming days will tell what the future is for Verge.

One thing is for sure, some blockchains are not hackproof. The question now is which one?

Like BTCMANAGER? Send us a tip!

Our Bitcoin address: 3AbQrAyRsdM5NX5BQh8qWYePEpGjCYLCy4

Comments are closed.