Network Attack on XVG / VERGE

[callback]

Lol mods in your telegram don't even know it's still going on. I showed one of them proof and he said and I quote "I'm just an admin, I don't know anything". Do you also keep your admins in the dark?

Not taking any sides but trying to be just, being a moderator/admin at a forum/channel is about ensuring proper behavior of the members. Thinking similarly, an office administrator of a software company would not necessarily know about a security breach in one of the company's software products. Might as well not even have the knowledge to understand it

Yeah, thats the kind of logic coming with this project.
Same like "the lead dev mustn't be fully understanding the flawed code he copied and pasted".

[1714039337]

1714039337

[1714039337]

1714039337

[1714039337]

1714039337

[1714039337]

1714039337

[Dogedarkdev]

Lol mods in your telegram don't even know it's still going on. I showed one of them proof and he said and I quote "I'm just an admin, I don't know anything". Do you also keep your admins in the dark?

Not taking any sides but trying to be just, being a moderator/admin at a forum/channel is about ensuring proper behavior of the members. Thinking similarly, an office administrator of a software company would not necessarily know about a security breach in one of the company's software products. Might as well not even have the knowledge to understand it

From first ocmines warning passed 2 days. Verge dev say they fixed issue,but it continues today as well,but nothing about today,just digging into that was 2 days back.
Problem still here and likely be for other days as well.

By then it was ~`20mil.coins stolen/produced illegaly,how much is for today? Another 20mil.? Soon will be reached XVG cap.

Are you making anything to fix this(to Verge dev)?

of course.

[tenmoi]

I’ve got 600 xvgs. I’m not going to sell them. They mean nothing to me as you are, the verg team. I’ve stopped mining xvg. A good project has been destroyed by a group of disgusting thieves. I’m refraining so hard from swearing and cursing and name calling.

[mantor84]

I've mined some XVG and holding a few ... just to see if the partnership and the talk was true and big as it was mentioned.

But to be honest...I'm glad and proud to be a strong DGB holder after seeing all of this. Even if there marketing isnt that great right now and they don't hype anything they do.
It's by far the best coin outside and far ahead of all other... with the time people will realize that professional work will always take the best results.

Just wait and believe, 2018 is the year of DGB.

[THELOSTONE]

Well this escalated very quickly. I had an encounter with Vergedev a while back and he alone kept me from holding XVG. I bought enough to ride the pump but got the hell off because I was sure the future would not have been bright.

[cminor]

I’ve got 600 xvgs. I’m not going to sell them. They mean nothing to me as you are, the verg team. I’ve stopped mining xvg. A good project has been destroyed by a group of disgusting thieves. I’m refraining so hard from swearing and cursing and name calling.

If you leave your door open and thieves come in and steal everything from your house, who is really at fault there..? I'm inclined to say that the responsibility is shared between you and the thieves. Thieves shouldn't exist, but they do. You were aware of their existence and you did nothing to prevent them from coming in.

In software industry there always going to be someone trying to find/exploit vulnerabilities, and someone trying to counter them. You will never be 100% secure because the solutions made by humans are by nature imperfect. The best thing we can do is become aware of the known weaknesses and try to patch them.

And here is where I challenge you:
In a project that concerns money, investments, trading and so forth. What exactly where the measures taken to assess the security of it..? You as a consumer/user of this project, what facts did you investigate and use to convince you of the security aspect of the project..? Thats the thing.. You talk about a good project, in what aspect..? Did you really investigate that it was a "good" project..? Today you read about a vulnerability that was there for 4 years. Of course this can happen (and it has) in the best companies and products. But those companies do regular security pen tests, hire security experts to do research and offer security bounties to communities. For every single vulnerability someone may find, you can be sure the companies have already found and patched a 1000 more of them.

Why don't you ask the team of your good project, to demonstrate to you, the actions they have taken in the last 4 years to assess the security status of the project..? Ask them to share with you the reports of the security assessments, to show you which security experts they invited/hired/asked for help to assess the code base. To show you how their development process exactly is, how regularly the codebase is assessed for security vulnerabilities, how and with what mechanisms do they ensure the quality of the process..?

But then again you shouldn't ask for them, that info should be publicly available right..? Or else you wouldn't put your hard earned money in a project that you are not sure if its secured "enough" (for your needs).

[bisti]

It seems to me they have NOTHING yet

that's why they slowed down blocks

I see no other explanation

Everyone normal (if had solution) would stop this ASAP

And they are deleting posts on reddit, which they obviously can't here.

[bododk]

many coins still have this issue in them.

really ? can you elaborate please ?

[nrg_wolf]

sharing this from grant hunter.... worth the read.

VERGE XVG ‘MINING ATTACK’ UPDATE:

This has just been shared with The Crypteia Program, and after a lengthy conversation with Michael Sloggett earlier, we all decided it was very important to release this to the wider community as part of a unified message.

This is the facts as much as we know them at this stage, it is up to you to DO YOUR OWN RESEARCH and plan accordingly.

In terms of trading, Verge XVG has been trading epically since the news about the upcoming industry partnership: It has a huge, dedicated following and gets the volume needed to trade and make serious gains. It’s been traded very technically; hitting the fibs, support, resistance and trend lines.

Unfortunately, this attack on Verge’s blockchain exploits a flaw in the code, so that the person who is attacking, has effectively taken over the blockchain, and made the original one obsolete for the time being.

As of this morning, the vulnerability is still there and there have been two main attacks:

1- Blocks 2007365 - 2010039 = 2674 blocks.
Rounded down to 2500 @ 1560 XVG per block = approx 3.9 million XVG
2- Blocks 2014060 - 2026196 = 12,136 blocks
Rounded down to 10k @ 1560 XVG per block = approx 15.6 million XVG

This gives a conservative estimate of 19.5 million XVG

As stated previously, this attack exploits a flaw in the code which XVG uses to switch between each one of the 5 algorithms it uses for mining. For every new block to be mined, the algorithm must be switched, and all 5 must be used in rotation. (This is something that other coins like Myriad and Digibyte use. They have also been attacked in a similar way in the past, and have fixed their issues - although they were experiencing much less volume at the time as what Verge is now).

The exploit itself is very smart. The attacker has used the flaws in Verge’s code to put an older timestamp on their fake blocks to trick the network into thinking that the fake chain is the real one, by having this broadcast to over 51% of the nodes. They have gained consensus, effectively taking control of the XVG chain. This has meant that the ‘real’ blocks being mined by legitimate miners, are seen as the false ones, and therefore are ignored (orphaned).

The reason why trading is still possible, is because the ‘fake’ chain is still verifying transactions so people can still trade the coin, however, the attacker is adding extra blocks and making extra free XVG for themselves.

This is a summary of events of how this situation has been handled by OCMINER and Sunerok of Verge during this situation:

1) OCMINER (Supernova Mining Pools) approached verge dev team in their discord group after noticing the issue in their pool.
2) This was unsuccessful, and nothing was taken further at that stage by the verge dev team.
3) OCMINER then posted details of the attack onto Bitcointalk.org, in order to alert the wider mining community of the attack.
3) Verge dev then got involved, and attacked OCMINER for advertising the issue and making the problem worse.
4) Verge dev then attempted to fix the issue by copying and pasting a fix for Peercoin into Verge.
5) This piece of code had a flaw which wasn’t picked up on and this caused the issues yesterday where wallets wouldn’t sync, and the real blocks were still be ignored by the chain.
6) A new fix was suggested by OCMINER to Verge Dev, which included:

- New code to fix the flaw (from DGB - which would need to be merged with Verge’s code in the correct places as they are slightly different).
- A method to blacklist the malicious addresses - meaning the attacker could no longer use the coins they falsely mined.

7) During this time there has been a private discussion between OCMINER and Sunerok, which was fairly heated at times, and saw no resolution between the two.

At this stage, there has been no fix implemented. The vulnerability is still open and the attacker still controls the longest chain.

FYI - Attacks, hacks and exploitations are very common. These have been going on since the late 70’s when UK and US intelligence agencies invented cryptography as a way to communicate secretly with each other. This situation should be seen as a good thing - simply for the advancement that it leads to. After every attack, the code is made stronger, however:

The most important part of this type of situation is how the dev team respond to it, because it has the potential to cause havoc. Both in terms of public perception (trust) of Cryptocurrency, and for Verge itself.

Remember there are two sides to this market - the facts and the PR. Verge is a PR machine, and its following is fanatical in its belief of the project. Up to now, the PR is working, and the price hasn’t been too negatively affected. One reason for this is that most of the comments about on this attack on Verge social media (twitter / reddit) are being censored by Verge, and the information being put out by Verge isn’t wholly accurate in terms of the seriousness of the matter.

With the upcoming announcement of the ‘new industry partnership’ being rumoured as being a German Bank, this issue if not resolved effectively, could lose them the partnership and reduce public trust in both crypto and Verge, simply because it will be seen as another failure.

In terms of the actual privacy of the coin, the maliciously mined coins can be tracked using a blockexplorer - bringing into question the legitimacy of the how private the blockchain currently is.

I have absolutely no idea which way this will go - either way it’s not good.

There is potential for it to be fixed and with the strength of the Verge community, the price of the coin could still maintain its action in the run up to the partnership announcement.

There is equally as much chance that this could implode bringing Verge to its knees and seeing a mass sell off of the coin, leaving many out of pocket.

My aim with posting this is to inform and give everyone the opportunity to look into this further themselves, make whatever decisions they want regarding any Verge XVG they currently hold.

This post is a summary of the thread linked below and all details of this situation are there, with all links to relevant sites to verify the information given. Please look into this further, and learn as much as you can, so you are as informed as you want to be:

[mpapageo]

While not a good situation for verge and those invested, you people realize that all companies living on the net have had to deal with hacks at some point or another right??? Verge team will learn from this I'm sure and they will fix it in short order.

This issue was found 4 years ago. Someone should be going thru the libs that XVG uses and helping to sort this out; unfortunately someone has been going thru and looking to exploit.

it actually has nothing to do with libraries/dependencies verge uses. this issue was brought up in peercoin, but thought to not be a threat. many coins still have this issue in them.

Yes I have gone thru GH and found other coins with the issue, as you correctly call it ,unlike those peercoin folks who dismissed it. However I did not find a coin of significance like XVG still using the code, that I could tell. This doesn't mean they aren't out there, of course.

To be clear, the issue was brought up in peercoin and it was thought to not be a threat by some, thought to be a threat by others, and it was never tested afaik. That you call it an issue confirms what I said above, people need to be checking this stuff; that other coins have this problem is unimportant, the vergefam's skin is in this game.

[nrg_wolf]

I've mined some XVG and holding a few ... just to see if the partnership and the talk was true and big as it was mentioned.

But to be honest...I'm glad and proud to be a strong DGB holder after seeing all of this. Even if there marketing isnt that great right now and they don't hype anything they do.
It's by far the best coin outside and far ahead of all other... with the time people will realize that professional work will always take the best results.

Just wait and believe, 2018 is the year of DGB.

please enough with the DGB shills lol... so many shills everywhere

oh as a side note, dgb went through the same kind of attack once upon a time.

[iluvbitcoins]

Just registered to back OCMiner on a technical level. He is correct on all counts, and you should listen to him.

Sunerok doesn't know a thing about engineering; he would not be able to land a job in this sector. He is a fraud, a phony, and gives the rest of us (professionals) a bad reputation.

This will catch up to him, for now, I advise you to reach out to SEC and file a complaint. I just spoke to the NY division, and while they will not comment on the status of the ongoing investigation; I can assure you that he will see his time in court.

https://www.sec.gov/oiea/Complaint.html
https://www.sec.gov/page/sec-new-york-regional-office

Protect the eco-system and get rid of the fraud. There is no sense in talking to him; the federal agents will put him in his place.

Ughh, what?
I don't think Sunerok is liable for anything

Besides, even if he was, this would be a shit move.

While not a good situation for verge and those invested, you people realize that all companies living on the net have had to deal with hacks at some point or another right??? Verge team will learn from this I'm sure and they will fix it in short order.

This issue was found 4 years ago. Someone should be going thru the libs that XVG uses and helping to sort this out; unfortunately someone has been going thru and looking to exploit.

it actually has nothing to do with libraries/dependencies verge uses. this issue was brought up in peercoin, but thought to not be a threat. many coins still have this issue in them.

This is no excuse.

You should be better than other coins if you want to go to TOP 3, as you've stated.

[platinum4]

Should add a gravity well or blackhole to sluff off excessive low-diff scrypt-only blocks when they are solved in succession like this.  The behavior displayed by the miner should be easy enough to isolate then if they are all low-diff scrypt-only at diff 0 or under 1 then let that diff increase exponentially until it matches the network diff within 1 minute.

Be sure to push all patches hot and in production, so you get to see real world results without ever testing anything.

[BitPotus]

sharing this from grant hunter.... worth the read.

VERGE XVG ‘MINING ATTACK’ UPDATE:

This has just been shared with The Crypteia Program, and after a lengthy conversation with Michael Sloggett earlier, we all decided it was very important to release this to the wider community as part of a unified message.

This is the facts as much as we know them at this stage, it is up to you to DO YOUR OWN RESEARCH and plan accordingly.

In terms of trading, Verge XVG has been trading epically since the news about the upcoming industry partnership: It has a huge, dedicated following and gets the volume needed to trade and make serious gains. It’s been traded very technically; hitting the fibs, support, resistance and trend lines.

Unfortunately, this attack on Verge’s blockchain exploits a flaw in the code, so that the person who is attacking, has effectively taken over the blockchain, and made the original one obsolete for the time being.

As of this morning, the vulnerability is still there and there have been two main attacks:

1- Blocks 2007365 - 2010039 = 2674 blocks.
Rounded down to 2500 @ 1560 XVG per block = approx 3.9 million XVG
2- Blocks 2014060 - 2026196 = 12,136 blocks
Rounded down to 10k @ 1560 XVG per block = approx 15.6 million XVG

This gives a conservative estimate of 19.5 million XVG

As stated previously, this attack exploits a flaw in the code which XVG uses to switch between each one of the 5 algorithms it uses for mining. For every new block to be mined, the algorithm must be switched, and all 5 must be used in rotation. (This is something that other coins like Myriad and Digibyte use. They have also been attacked in a similar way in the past, and have fixed their issues - although they were experiencing much less volume at the time as what Verge is now).

The exploit itself is very smart. The attacker has used the flaws in Verge’s code to put an older timestamp on their fake blocks to trick the network into thinking that the fake chain is the real one, by having this broadcast to over 51% of the nodes. They have gained consensus, effectively taking control of the XVG chain. This has meant that the ‘real’ blocks being mined by legitimate miners, are seen as the false ones, and therefore are ignored (orphaned).

The reason why trading is still possible, is because the ‘fake’ chain is still verifying transactions so people can still trade the coin, however, the attacker is adding extra blocks and making extra free XVG for themselves.

This is a summary of events of how this situation has been handled by OCMINER and Sunerok of Verge during this situation:

1) OCMINER (Supernova Mining Pools) approached verge dev team in their discord group after noticing the issue in their pool.
2) This was unsuccessful, and nothing was taken further at that stage by the verge dev team.
3) OCMINER then posted details of the attack onto Bitcointalk.org, in order to alert the wider mining community of the attack.
3) Verge dev then got involved, and attacked OCMINER for advertising the issue and making the problem worse.
4) Verge dev then attempted to fix the issue by copying and pasting a fix for Peercoin into Verge.
5) This piece of code had a flaw which wasn’t picked up on and this caused the issues yesterday where wallets wouldn’t sync, and the real blocks were still be ignored by the chain.
6) A new fix was suggested by OCMINER to Verge Dev, which included:

- New code to fix the flaw (from DGB - which would need to be merged with Verge’s code in the correct places as they are slightly different).
- A method to blacklist the malicious addresses - meaning the attacker could no longer use the coins they falsely mined.

7) During this time there has been a private discussion between OCMINER and Sunerok, which was fairly heated at times, and saw no resolution between the two.

At this stage, there has been no fix implemented. The vulnerability is still open and the attacker still controls the longest chain.

FYI - Attacks, hacks and exploitations are very common. These have been going on since the late 70’s when UK and US intelligence agencies invented cryptography as a way to communicate secretly with each other. This situation should be seen as a good thing - simply for the advancement that it leads to. After every attack, the code is made stronger, however:

The most important part of this type of situation is how the dev team respond to it, because it has the potential to cause havoc. Both in terms of public perception (trust) of Cryptocurrency, and for Verge itself.

Remember there are two sides to this market - the facts and the PR. Verge is a PR machine, and its following is fanatical in its belief of the project. Up to now, the PR is working, and the price hasn’t been too negatively affected. One reason for this is that most of the comments about on this attack on Verge social media (twitter / reddit) are being censored by Verge, and the information being put out by Verge isn’t wholly accurate in terms of the seriousness of the matter.

With the upcoming announcement of the ‘new industry partnership’ being rumoured as being a German Bank, this issue if not resolved effectively, could lose them the partnership and reduce public trust in both crypto and Verge, simply because it will be seen as another failure.

In terms of the actual privacy of the coin, the maliciously mined coins can be tracked using a blockexplorer - bringing into question the legitimacy of the how private the blockchain currently is.

I have absolutely no idea which way this will go - either way it’s not good.

There is potential for it to be fixed and with the strength of the Verge community, the price of the coin could still maintain its action in the run up to the partnership announcement.

There is equally as much chance that this could implode bringing Verge to its knees and seeing a mass sell off of the coin, leaving many out of pocket.

My aim with posting this is to inform and give everyone the opportunity to look into this further themselves, make whatever decisions they want regarding any Verge XVG they currently hold.

This post is a summary of the thread linked below and all details of this situation are there, with all links to relevant sites to verify the information given. Please look into this further, and learn as much as you can, so you are as informed as you want to be:

thanks for sharing that.

[WoW_Fishmonger]

First off, let me preface by saying that I read all 30+ pages from start to finish last night after being tipped by a post on reddit.

They say crypto is like the "wild west" right now, and I can fully agree. We've had coins come and go, we've had great marketing teams and we've had car salesman [Bitconneeeeeeeecctt!] and we have had some very knowledgeable, professional figures enter the space, as well as script kiddies looking to make a quick buck.

If you can't distinguish between the two based purely on the context posted in this thread, then you really shouldn't be investing large sums of money in crypto.

This world is filled with innovators and duplicators. In the end, who do you really think will succeed?.

[BitPotus]

First off, let me preface by saying that I read all 30+ pages from start to finish last night after being tipped by a post on reddit.

They say crypto is like the "wild west" right now, and I can fully agree. We've had coins come and go, we've had great marketing teams and we've had car salesman [Bitconneeeeeeeecctt!] and we have had some very knowledgeable, professional figures enter the space, as well as script kiddies looking to make a quick buck.

If you can't distinguish between the two based purely on the context posted in this thread, then you really shouldn't be investing large sums of money in crypto.

This world is filled with innovators and duplicators. In the end, who do you really think will succeed?.

Quite frankly, given the iq of the current generation and of the state of the planet in general, i have to say with a lot of regret that the duplicators are

the ones that will be succeeding.

You guys should watch Idiocracy http://www.imdb.com/title/tt0387808/

I really think it's a documentary made by someone who's trying to warn us that we need to get our affairs in order.

¯\_(ツ)_/¯

[BillionDollarMan]

First off, let me preface by saying that I read all 30+ pages from start to finish last night after being tipped by a post on reddit.

They say crypto is like the "wild west" right now, and I can fully agree. We've had coins come and go, we've had great marketing teams and we've had car salesman [Bitconneeeeeeeecctt!] and we have had some very knowledgeable, professional figures enter the space, as well as script kiddies looking to make a quick buck.

If you can't distinguish between the two based purely on the context posted in this thread, then you really shouldn't be investing large sums of money in crypto.

This world is filled with innovators and duplicators. In the end, who do you really think will succeed?.

Quite frankly, given the iq of the current generation and of the state of the planet in general, i have to say with a lot of regret that the duplicators are

the ones that will be succeeding.

You guys should watch Idiocracy http://www.imdb.com/title/tt0387808/

I really think it's a documentary made by someone who's trying to warn us that we need to get our affairs in order.

¯\_(ツ)_/¯

Agreed, I have seen that "documentary" in action during recent ICO's. Tron,XVG,XRP,Credits etc will lead the army of morons to moon.

[fly001]

i won'T read the whole thread: are some new news out there for a working fix? Thanks!

[MrChologno]

If you can't distinguish between the two based purely on the context posted in this thread, then you really shouldn't be investing large sums of money in crypto.

I strongly disagree with that sentence. If something is clearer more than ever after all these events is that at this point in time and I would argue that in the future too, technical fundamentals don't matter when it comes to investments. Price of XVG didn't flicker because markets don't give a f*** about fundamentals.

You can invest money in Shit™, and be sure that if Shit™ has a good marketing team and Shit™ is on an exchange where it can be traded, Shit™ will eventually go up in price and people will make money of it.

[nrg_wolf]

I've mined some XVG and holding a few ... just to see if the partnership and the talk was true and big as it was mentioned.

But to be honest...I'm glad and proud to be a strong DGB holder after seeing all of this. Even if there marketing isnt that great right now and they don't hype anything they do.
It's by far the best coin outside and far ahead of all other... with the time people will realize that professional work will always take the best results.

Just wait and believe, 2018 is the year of DGB.

please enough with the DGB shills lol... so many shills everywhere

oh as a side note, dgb went through the same kind of attack once upon a time.

Fuck other coins, great time to be shilling here... but usually things are handled more professionally. Cmon, This has happened before. Why is this handled poorly? No real feedback from dcd dev? wtf. Ocminer was probably your best chance dude. Shows how incompetent you are, trying to hush things up... you so much believe in privacy/Decentralization/freedom of speech etc. (banning people because they question your code shouldn’t be part of that)  full of shit mate. All for the dollar, obviously.

one your a newbie so i take your "words" with a literal grain of sand, and do i look like the dev to you lmao?

this is not the place to be shilling other coins, its to discuss the issue currently surrounding verge, but like usual seems to have brought all the cancer out into the open, which i am not surprised about.