Verge (XVG) Hacked Again, Scrypt Mining Takes Over Entire Network

Another mining exploit also showed signs of a 51% attack, selecting an algorithm suitable for ASIC mining.

For all the talk of security and immutability, Verge (XVG) has seen another serious attack shake its credibility. Another exploit accelerated mining on May 22, sending significant XVG rewards to the hackers’ wallets, even after the reward halving.

The project itself described the incident as merely a DDoS attack. But there are reports the faults with XVG go much deeper.

The belief is that the Verge network saw another time warp exploit, minting 35 million coins ahead of schedule, on very low difficulty. Some believe the multi-algorithm mining approach for XVG may be to blame.

The crypto community is starting to see Verge as potentially a defunct project, unless the vulnerability is fixed. Even a hypothetical danger of transaction reversals defeats the purpose of a crypto coin.

After the new mining exploit, XVG market prices slid again by 12% overnight, to $0.046, and the price drop may just be starting.

How the Hack Worked

The Verge network accepts blocks with a timestamp of up to 2 hours away from the latest block time. The hacker was submitting blocks with a fake timestamp, older by one hour. However, the difficulty adjustment algorithm only takes into account recent blocks. This made difficulty fall to very low levels, sliding by 99.99%, and when the hackers caught up, they managed to mine weeks’ worth of coins within two hours.
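The mechanism above can be reproduced in a toy model, added here as an illustration and not taken from Verge's code: a retarget that trusts the reported timestamps of a short window of recent blocks, run once with the two-hour tolerance and once with a stricter rule that forbids stamping a block before its parent. The block spacing, window size, retarget formula and the stricter rule are all assumptions of this sketch.

```python
# Toy model of the weakness described above. Constructed for illustration:
# the constants and the retarget formula are assumptions, not Verge's code.
TARGET_SPACING = 30   # intended seconds per block (assumed)
WINDOW = 10           # blocks per retarget; only these "recent" blocks count
BACKDATE = 3600       # one block per window is stamped an hour early


def accepted_timestamp(wanted, parent_ts, max_backdate):
    """Validator: a block may be stamped at most max_backdate s before its parent."""
    return max(wanted, parent_ts - max_backdate)


def simulate(max_backdate, windows=4):
    """Return difficulty (starting at 1.0) after `windows` retargets.

    The miner's hashrate equals the honest network's, so a block really takes
    TARGET_SPACING * difficulty seconds; only the reported timestamps lie.
    """
    difficulty, clock, parent_ts = 1.0, 0.0, 0.0
    for _ in range(windows):
        stamps = []
        for i in range(WINDOW):
            clock += TARGET_SPACING * difficulty        # real solve time
            wanted = clock - BACKDATE if i == 0 else clock
            parent_ts = accepted_timestamp(wanted, parent_ts, max_backdate)
            stamps.append(parent_ts)
        observed = max(stamps[-1] - stamps[0], 1.0)     # span as *reported*
        expected = (WINDOW - 1) * TARGET_SPACING
        difficulty *= expected / observed               # trusts the timestamps
    return difficulty


if __name__ == "__main__":
    loose = simulate(max_backdate=2 * 3600)   # the two-hour tolerance from the text
    strict = simulate(max_backdate=0)         # assumed rule: never before the parent
    print(f"2h tolerance : difficulty x{loose:.6f}")
    print(f"no backdating: difficulty x{strict:.6f}")
```

In this model each window's reported span is inflated by the backdated first block, so the difficulty shrinks every retarget while the real time per block shrinks with it; with backdating disallowed the reported span matches real elapsed time and difficulty stays near its starting value.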

But the more worrying part is that a malicious entity was able to take over the whole network and produce blocks with only one of the five algorithms: Scrypt. This mining algorithm, also used in Litecoin (LTC), is so common that ASICs for it have been around for a long time. And while other workers on the Verge network were mining with consumer electronics, just a few ASICs could have taken over the entire hashing power of the network, taking the block rewards.

For now, XVG difficulty has recovered, but remains low compared to previous months. Despite the de facto 51% attack, there are no complaints of transactions rolled back, although that would be possible in theory. Instead, the aim was the mining bounty, estimated at $1.7 million if sold at market prices.