'

Verge blockchain comes under attack, again

It seems the same attack vector used to steal cryptocurrency reserves only just over a month ago is at fault.

screen-shot-2018-05-23-at-11-58-18.jpg
Max Pixel

Verge, a cryptocurrency service attempting to bring back anonymity to trading, has once again reportedly become the victim of a hack through the firm's blockchain.

The Next Web reports that a threat actor was able to exploit vulnerabilities present in Verge's backbone blockchain infrastructure to steal approximately 35 million Verge coins (XVG).

At the time of the alleged attack, the XVG was worth over $1.7 million. At the time of writing, the price of the coin has plummeted by 14.6 percent to $0.04.

To make matters worse, it appears that the same bugs which caused Verge to suffer a similar 51 percent cyberattack just over a month ago may be at fault. In the previous case, 250,000 XVG was stolen.

According to Bitcointalk.org user "Ocminer," the alleged attackers were able to modify their attack to once again plunder the blockchain.

Ocminer disclosed the first attack in addition to Verge's latest situation.

The first attack utilized one algorithm to fork the Verge chain and build multiple mining blocks rapidly. However, in a bolder move, the second utilized two algorithms which led to the generation of millions in XRG through the same method in only a few hours.

The vulnerability at fault is a timing "warp" issue in the blockchain which allows attackers to dominate a network and effectively create 'counterfeit' cryptocurrency.

As described in an analysis of the first hack, as decentralized networks do not issue any third-parties special privileges, this can lead to block timestamps becoming out-of-sequence.

"Given the unpredictable variance in the time it takes for data to propagate through the peer-to-peer network, it's entirely possible for block times to appear "out of order," even when all parties are being perfectly honest," analyst Daniel Goodman says. "In other words, it's only fair to allow some degree of flexibility; in the case of Verge (before the hack, anyway), the protocol allowed nodes to "disagree" about the current time by a window of, at most, two hours."

This allowed the attacker to spoof timestamps which would appear to be from the past within the two-hour window.

See also: SEC launches spoof cryptocurrency ICO scam website

Once these blocks were accepted, the attacker was able to confuse the chain's mining adjustment algorithm, which sequentially lowered the difficulty of mining -- and multiple blocks over a short space of time were able to be submitted, blocking legitimate mining operations at the same time.

Verge has not commented on the reported attack beyond a statement on Twitter which claims there "appears some mining pools are under DDoS attack, and we are experiencing a delay in our blocks, we are working to resolve this."

ZDNet has reached out to Verge and will update if we hear back.

Previous and related coverage