The cryptocurrency Verge — which prides itself on “security/anonymity/privacy” — was hacked yesterday. In a short period of time, the attacker made off with around 250,000 coins.
The hack was discovered by “ocminer,” a poster on Bitcointalk forums, yesterday afternoon. According to ocminer, the attacker took advantage of “several bugs” in Verge’s code to mine an extraordinarily large number of new blocks on Verge’s blockchain, in turn rewarding him/herself with a large number of coins over a very short period of time.
Despite registering large gains as of late, the cryptocurrency experienced what’s been dubbed a “51% attack” which wiped more than 22% of its value. The company came to its defense, calling the breach a “small hash attack” that has been “cleared up now” on Twitter. This isn’t the first time the coin developers have been in hot water. Just a few weeks ago their official Twitter account was hacked.
Ocminer and several media outlets called this a 51% attack, which is notable because this type of attack is theoretically possible on other blockchains which rely on proof-of-work (PoW) validation mechanisms. That said, even though this attacker technically managed to capture the majority of mining power on Verge’s network, this type of attack is unlikely to work with Bitcoin.
Typically, PoW-based cryptocurrency systems are quite robust. The problem is that if one miner (or mining pool) were to capture the majority of the network’s mining power — as has happened with Verge — they can have a huge impact on the network, including spending coins that were already spent in what’s called double spending.
Verge uses five different cryptographic algorithms for mining, switching to a new one for every block, but the attacker figured out a way to fake the timestamps of his/her blocks, permitting them to be mined all with one algorithm. Because of this, he/she was able to capture the majority of the network’s mining power with far less computing power than would normally be required.
The attack is particularly serious as it requires a hard fork to exclude the blocks the attacker has mined. It’s also notable because it shows that even a seemingly foolproof PoW system can be compromised. Ethereum has already had one hack of large magnitude in its history, while Bitcoin, on the other hand, has mostly stood the test of time through its nine years of existence.