Verge (XVG) has seemingly been the victim of another attack, using a nearly identical attack as last time.
Verge is a privacy focused coin that made headlines when pornhub.com started accepting it as a payment method[1]. However, previous to that announcement, its protocol was hacked, resulting in millions of dollars worth of Verge being created ahead of schedule and rewarded to the attacker.
Today, it appears a similar exploit is being used to do the same thing. Verge has three “features” that put it at risk of this exploit.
- Verge uses the Dark Gravity Wave difficulty adjustment algorithm. It adjusts the difficulty of mining Verge every block. For comparison, Bitcoin adjusts its difficulty every 2016 blocks.
- Verge uses multiple mining algorithms, splitting its hashrate security among them based on use.
- Verge allows incorrect time stamping, because getting correct time stamping is difficult in a decentralized system and giving miners some leeway helps alleviate that.
What the attacker did in the first attack was to submit multiple blocks with an incorrect timestamp, making it appear to the system that blocks weren’t coming in on time. That caused the algorithm to lower its difficulty massively (on the order of 99.999999%). Then, since Verge’s hashrate was split among the five algorithms, it was relatively trivial for the attacker to 51% attack one of those algorithms and reward all the coins to him/her/themselves.
Theabacus.io has a great write up[2] on the original hack, if you are interested in learning more.
The key difference this time is that the hacker is attacking two algorithms, Scrypt and Lyra2re instead of one. Presumably this somehow gets around the fix the Verge team put into place.
As of this writing, $1.7 Million worth of XVG has been mined by the attacker. Users
