Bitcoin Forum
May 27, 2024, 08:04:48 PM *
Author Topic: Network Attack on XVG / VERGE  (Read 29438 times)
aciddude
April 05, 2018, 08:40:31 AM
 #281

bumping for awareness

The XVG exploit has still not been patched.  

https://github.com/vergecurrency/VERGE/commits/master

The XVG fanboys in here claiming "FUD" simply do not develop or know anything about how blockchains work.

Meanwhile the lead Dev has compared XVG to ETH? - this was by far the most stupid thing I've read.

ETH goes through hundreds of man hours of testing before they release code.

The Lead dev royally fucked up the update by first coding in nMaxClockDrift  = 15 seconds  instead of 15 mins.....   After this was corrected..
the "fix" caused any newly built clients to fork or not sync.

The lead dev then reverted the "fix"   - leaving XVG exploitable again......... Sad

This is an absolute joke from a coin with a Mktcap of almost $855 Million




MiCoSa
April 05, 2018, 08:43:51 AM
 #282

OMG, this coin will drop like a stone, and well deserved. The devs are complete idiots. Even after the bug was discovered, they commit a fix where you can clearly see that they lack basic mathematics knowledge. They are stuck at multiplication hahaha. Now imagine them when they have to work on something more complicated.

I am quite sure, you would be able to solve the problem in three minutes... If you don't want to help, why not just shut up?
promomei
April 05, 2018, 08:44:25 AM
 #283

crazy first dev asking for donation
now this attack activated

very fishy - its still my mind guys  
Merratzz
April 05, 2018, 08:47:04 AM
 #284

Nice love this new coin, Perfect announce +1

me too, I was there from the beginning dogecoinDa... it's a nice coin with a lot of potential, I love it.

Our scrypt pool is back online but pay attention... I think the code is now back as it was. So we don't know what happened today.. https://xvg.mastermining.net/
FaucetKING
April 05, 2018, 08:49:56 AM
 #285

I think that XVG blockchain has a lot of troubles in the wallet itself and the blockchain. The developers should work to change the situation and enhance the situation otherwise the concept will fail and the coin will get a lot of damage. Never used it and after these problems.. I won't even try.
Merratzz
April 05, 2018, 08:51:22 AM
 #286

I think that XVG blockchain has a lot of troubles in the wallet itself and the blockchain. The developers should work to change the situation and enhance the situation otherwise the concept will fail and the coin will get a lot of damage. Never used it and after these problems.. I won't even try.
Hope for the best and watch the future, dev is working hard on a solution.
Motngay2002
April 05, 2018, 09:17:36 AM
 #287

XVG mining pool nanopool not open
mine_phun
April 05, 2018, 09:27:27 AM
Last edit: April 05, 2018, 09:39:34 AM by mine_phun
 #288

Quote
Erased.

*erased and solved.


jl777B
April 05, 2018, 09:34:16 AM
Merited by Franticcrypto (1)
 #289

Let us know if there's anything we can do to help, our coin was also recently attacked, by individuals who then tried to explain how mining exploits aren't really attacks, and the attacker "deserves" the blocks lol (even if they've taken over 100% of the network).

All I can say when this stuff happens is relax, be calm, let the devs do their jobs, and give them the time to do it right.   You want a good fix that will last, and one that can be shared with the open source community so that we can all learn from to be better.

I personally have a lot of faith in verge and have followed them closely.   The better you become, the more of a target you become.   And with each attack and adversity faced, the better still you become.

Coins that claim to have not been attacked ever are mostly either not paying attention or covering up.

Verge will get this sorted and the whole crypto community will be better for it if it's done right.   And they will be remembered not for the attack, but for how they handled it.

We are all learning and getting better.

Good luck!


http://safecoin.org
Did the attacker stop after 0.0001% of the way
go into the verge slack to explain what happened and how to fix it
proactively deployed a fix to undo what was done
and wait for community to make a proper fix?

It seems you are still claiming what happened to unSAFE was an attack, contrary to what you agreed. You also didn't fix all the issues in unSAFE yet.

Merratzz
April 05, 2018, 09:35:20 AM
 #290


For sake ... will you please stop advertising your pool in this thread ... that is really sad.

You probably don't even know what is going on, if you are on the (right) blockchain and also you don't know that the mined blocks are later going to be invalidated. Lots of threads to advertise in (I do myself too) ... but let's keep this one clean please and don't trick people in things they will regret later.




Ok relax men/women... I delete the post for advertising MM. But please understand if somebody write here that and that pool is down! And i sitting on my master and do work to help verge running..but i delete ;-)
AnabolicRampage
April 05, 2018, 09:39:24 AM
 #291


For sake ... will you please stop advertising your pool in this thread ... that is really sad.

You probably don't even know what is going on, if you are on the (right) blockchain and also you don't know that the mined blocks are later going to be invalidated. Lots of threads to advertise in (I do myself too) ... but let's keep this one clean please and don't trick people in things they will regret later.




Ok relax men/women... I delete the post for advertising MM. But please understand if somebody write here that and that pool is down! And i sitting on my master and do work to help verge running..but i delete ;-)

sorry sir but those blocks can not be invalidated and are not orphan blocks. 1506 is being mined every second and sent to wallets. 132 million coins....
awreeoh
April 05, 2018, 09:42:22 AM
 #292

true that. props to ocminer for being everywhere Smiley

When Ocminer tells you that Shit hit the Fan, Shit hit the fucking fan.

Verge fanbois better listen the fuck up.


MundaneGatt
April 05, 2018, 09:42:57 AM
 #293

CryptoRekt - Today at 4:38 AM
@COLDSHOCK1 people thinking its a big deal are idiots.
10001
let them mine the coins
let them drop them on the market

CryptoRekt - Today at 4:53 AM
can't mine anymore?
Good

CryptoRekt - Today at 4:54 AM
"herp derp lets make a public post"
Dumbass


That is how the mod replied about the 51% attack and the millions of coins robbed   Grin

BTW before someone asks me I do own 410.000 XVG but I luckily sold it at 1035 Sats

some of these problems like twitter scams happen, scams happen all the time. and it seems some other currencies have had similar attacks. but NO COIN has had the epic arrogance, indifference, level of unprofessionalism, the outright middle finger to anyone who tries to help have the issue addressed by raising them as the Verge TeaM AND Sunerok. it doesn't matter who you are partnering with when u tell ur potential investors to go f themselves and ban/abuse/censor anyone who bring up LEGITIMATE PROBLEMS WITH UR SHIT
the biggest flaw in XVG has been exposed in this attack, and its not the coin, or the algo, its the devs and the team
nagobinga
April 05, 2018, 09:56:02 AM
 #294

a large enough fund for XVG and can buy what the manager wants and I hope to see further changes to their will but I will wait for that information.
sxott72
April 05, 2018, 10:07:51 AM
 #295

Yes but not sure how this attack works because it showed I was still earning. Just no payment happening.

The attack works like this:

The attacker replaces the legit blockchain, with legit high difficulty blocks, with his low diff blocks, invalidating all legit blocks (orphans).

That means no coins can be moved but his... He's not accepting any other transactions...

He'd need to stop in order to get the coins moved again.

The rest of the details is in post 1

much respect for explanation

namaste

Yes Ty
CoinNews
April 05, 2018, 10:14:41 AM
 #296

Too many newbies in this thread, Verge keyboard warriors Smiley
luckydoky
April 05, 2018, 10:32:22 AM
 #297

It baffles me how straight up facts with proofs, logs and everything are instantly discarded by fanboys as FUD. Reminds me of politics at its worst...

Mojo_LB
April 05, 2018, 10:33:58 AM
 #298

I'm still amazed how come an old and established blockchain, which is actively updated, fail so catastrophically.

Don't get me wrong, I like Verge; it just amazes me (in a bad way) how this happened...

A lot of coins are suffering same thing, with different algorithms, protocols, and PoW.

On the other hand, I see a new coin like Dero successfully fending off 3 attacks, the last of which we didn't even feel until the devs told us after it ended. And our daemons proved it.

Here's what I'm talking about:
https://www.reddit.com/r/DeroProject/comments/89xwyw/dero_the_most_resilient_blockchain/
lnoir
April 05, 2018, 10:41:48 AM
 #299

I have a few thousand XVG, and have been interested in Verge for some time. I share this so that you realise I'm not a troll. But neither am I a "fanboy", and I can't help but be disappointed about the way this situation has been handled. ocminer kindly shared concrete evidence that there was an issue but the attitude towards it (from what I can tell) was somewhat dismissive and/or nonchalant.

I'm a developer by trade, and understand that the likelihood that software is bug-free quickly diminishes as complexity increases. The problem for me isn't that there was a bug in the code that was exploitable — we can be thankful that it has been brought to the attention of the team and will be fixed. The problem for me is that this thread and situation highlights some serious issues.

First, it indicates that the team isn't fully aware of what they're doing. This statement is not an attack, it's just based on the evidence:

Wonder when they are going to hardfork it

why would we do that? we just made a quick simple update and most pools have already updated...

we are now working on a higher level of redundancy checking as well.

the attack only lasted 3 hours, and not all coins produced during that period were intercepted.




After the "quick simple update" (which actually appeared to be botched), it took for ocminer to point out their error:

nice a new version of the famed timewarp attack.. very interesting.

yep.. we pushed a quick fix and most pools have already updated.. we're already working on a whole new block verification process.

we're kinda glad this happened and that it wasn't as bad as it could have been.


Hmm, you guys are aware that the "fix" you pushed actually IS a hardfork? So your blockchain snapshot is not valid anymore, the wallets won't sync up from scratch anymore and the current chain is simply not usable anymore with that new "fix"?

Your change simply disagrees with the attacker's blocks, the first block I see from the attacker was 2007365 - so the wallets will stop syncing there and simply not progress any further.

I remember your first forking dramas when trying to fork into Tor which failed 2 times IIRC.

You should immediately refrain from that "fix" and set a proper fork-height (at least 48h) and the chain up until the fork block MUST accept blocks with the old timestamps and blocks after that fork block then only with the new timestamp.



Maybe conversations have happened privately between Dogedarkdev and ocminer, but I would expect at least a "thanks" or some kind of acknowledgement of his contribution. Instead, the next comment from Dogedarkdev is:


we are not doing a rollback and we are preparing a fork to patch this up.


The second problem seems to be one common to many projects: communication. There are a number of things the Verge team could have done which it doesn't seem they did, or if they did, didn't do soon enough.

  • On first report, notify the community via the various channels (BitcoinTalk, Twitter, Telegram, Discord) that a potential problem has been reported and that it is being investigated (perhaps linking to a BitcoinTalk thread)
  • Work closely with the person who reported the issue to confirm (or reject) its validity
  • Notify the community (again) once the report is confirmed or rejected and explain what will happen next (if anything) and ETA
  • Keep the community updated and thank them for patience and support

Communication is vital if you want to maintain the confidence of your community in your product. As of this post, the last Tweet from @vergecurrency is from 17h ago stating the problem is fixed:
https://twitter.com/vergecurrency/status/981578693062610950

Obviously it is not. On top of that, the top tweet when looking at the responses is from a fake Verge account (@vergekscurrency). Now, I know from this thread that people have already been duped, and yes they should have done their due diligence, or just used common sense and not send money unless purchasing or donating. But still, a simple Tweet to warn people about it wouldn't hurt.

Now, all this said, I understand that if the team is small there might not be resources and therefore time to fulfil all of the above during a time of crisis (which we can consider this to be, seeing as the hack is resulting in a hard-fork). Even more reason to make the limited communication count. Reassure your community, let them know you're on top of it and taking potential threats seriously.

I've got plenty more to say about it, but I've got things to do and besides, I'm a nobody on here. It's just my two cents.
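
Added example, not part of the thread and not Verge's code: a simplified C++ model of the fork-height advice quoted in the post above, showing why a tightened timestamp limit applied at every height stops a fresh sync at the first historical block that violates it, while a height-gated limit does not. The `refTime` field, the 2-hour old limit and the activation height 2007500 are assumptions; only block 2007365 and the 15-minute figure come from the thread.

```cpp
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <vector>

// Simplified model (assumption, not Verge's code): every block stores its header
// timestamp and a reference timestamp, and consensus bounds the gap between them.
struct Block {
    int height;
    int64_t time;     // header timestamp, seconds
    int64_t refTime;  // hypothetical reference timestamp carried in the block
};

constexpr int64_t kOldMaxDrift = 2 * 60 * 60;  // assumed old limit, not from the thread
constexpr int64_t kNewMaxDrift = 15 * 60;      // 15 minutes in seconds (a bare 15 would mean 15 s)
constexpr int kForkHeight = 2007500;           // hypothetical activation height

// Ungated "quick fix": the tighter limit is applied to every block, history included.
int64_t limitUngated(int /*height*/) { return kNewMaxDrift; }

// Height-gated fix: old limit up to and including the fork block, new limit after it.
int64_t limitGated(int height) {
    return height <= kForkHeight ? kOldMaxDrift : kNewMaxDrift;
}

bool timestampOk(const Block& b, int64_t limit) {
    return std::abs(b.time - b.refTime) <= limit;
}

// Replays the chain the way a node syncing from scratch would. Returns the height
// of the first block the rule refuses, or -1 when the whole chain is accepted.
int firstRejectedHeight(const std::vector<Block>& chain, int64_t (*limitAt)(int)) {
    for (const Block& b : chain)
        if (!timestampOk(b, limitAt(b.height))) return b.height;
    return -1;
}

// Constructed sample data: blocks already buried in the chain. Only the height
// 2007365 is taken from the thread; all timestamps are made up.
std::vector<Block> historicalChain() {
    const int64_t t0 = 1522800000;
    return {
        {2007364, t0, t0 - 20},
        {2007365, t0 + 30, t0 + 30 - 3600},    // 1 h gap: valid under the old rule only
        {2007366, t0 + 60, t0 + 60 - 3600},
        {2007501, t0 + 5000, t0 + 5000 - 25},  // past the fork height, small gap
    };
}

// Same chain plus one new post-fork block that still has a 1 h gap.
std::vector<Block> chainWithLateViolation() {
    std::vector<Block> chain = historicalChain();
    chain.push_back({2007502, 1522806000, 1522806000 - 3600});
    return chain;
}

int main() {
    std::cout << "ungated fix stops syncing at: "
              << firstRejectedHeight(historicalChain(), limitUngated) << "\n";
    std::cout << "gated fix stops syncing at:   "
              << firstRejectedHeight(historicalChain(), limitGated) << "\n";
    std::cout << "gated fix, late violation at: "
              << firstRejectedHeight(chainWithLateViolation(), limitGated) << "\n";
}
```

With the ungated limit the replay halts at 2007365 and never reaches later blocks; with the gated limit the buried history still validates and the tighter rule only bites above the activation height.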
jl777B
April 05, 2018, 10:51:38 AM
 #300

I have a few thousand XVG, and have been interested in Verge for some time. I share this so that you realise I'm not a troll. But neither am I a "fanboy", and I can't help but be disappointed about the way this situation has been handled. ocminer kindly shared concrete evidence that there was an issue but the attitude towards it (from what I can tell) was somewhat dismissive and/or nonchalant.

I'm a developer by trade, and understand that the likelihood that software is bug-free quickly diminishes as complexity increases. The problem for me isn't that there was a bug in the code that was exploitable — we can be thankful that it has been brought to the attention of the team and will be fixed. The problem for me is that this thread and situation highlights some serious issues.

First, it indicates that the team isn't fully aware of what they're doing. This statement is not an attack, it's just based on the evidence:

Wonder when they are going to hardfork it

why would we do that? we just made a quick simple update and most pools have already updated...

we are now working on a higher level of redundancy checking as well.

the attack only lasted 3 hours, and not all coins produced during that period were intercepted.




After the "quick simple update" (which actually appeared to be botched), it took for ocminer to point out their error:

nice a new version of the famed timewarp attack.. very interesting.

yep.. we pushed a quick fix and most pools have already updated.. we're already working on a whole new block verification process.

we're kinda glad this happened and that it wasn't as bad as it could have been.


Hmm, you guys are aware that the "fix" you pushed actually IS a hardfork? So your blockchain snapshot is not valid anymore, the wallets won't sync up from scratch anymore and the current chain is simply not usable anymore with that new "fix"?

Your change simply disagrees with the attacker's blocks, the first block I see from the attacker was 2007365 - so the wallets will stop syncing there and simply not progress any further.

I remember your first forking dramas when trying to fork into Tor which failed 2 times IIRC.

You should immediately refrain from that "fix" and set a proper fork-height (at least 48h) and the chain up until the fork block MUST accept blocks with the old timestamps and blocks after that fork block then only with the new timestamp.



Maybe conversations have happened privately between Dogedarkdev and ocminer, but I would expect at least a "thanks" or some kind of acknowledgement of his contribution. Instead, the next comment from Dogedarkdev is:


we are not doing a rollback and we are preparing a fork to patch this up.


The second problem seems to be one common to many projects: communication. There are a number of things the Verge team could have done which it doesn't seem they did, or if they did, didn't do soon enough.

  • On first report, notify the community via the various channels (BitcoinTalk, Twitter, Telegram, Discord) that a potential problem has been reported and that it is being investigated (perhaps linking to a BitcoinTalk thread)
  • Work closely with the person who reported the issue to confirm (or reject) its validity
  • Notify the community (again) once the report is confirmed or rejected and explain what will happen next (if anything) and ETA
  • Keep the community updated and thank them for patience and support

Communication is vital if you want to maintain the confidence of your community in your product. As of this post, the last Tweet from @vergecurrency is from 17h ago stating the problem is fixed:
https://twitter.com/vergecurrency/status/981578693062610950

Obviously it is not. On top of that, the top tweet when looking at the responses is from a fake Verge account (@vergekscurrency). Now, I know from this thread that people have already been duped, and yes they should have done their due diligence, or just used common sense and not send money unless purchasing or donating. But still, a simple Tweet to warn people about it wouldn't hurt.

Now, all this said, I understand that if the team is small there might not be resources and therefore time to fulfil all of the above during a time of crisis (which we can consider this to be, seeing as the hack is resulting in a hard-fork). Even more reason to make the limited communication count. Reassure your community, let them know you're on top of it and taking potential threats seriously.

I've got plenty more to say about it, but I've got things to do and besides, I'm a nobody on here. It's just my two cents.

all cut and paste projects run the very real risk of a broken port, regardless of the parent codebase. when a cut and paste dev misses any single important thing, a "simple" change can easily lead to a broken chain

to be fair, even projects with large active devteams still run into exploits/bugs, etc. the danger with cut and pasted coins is that the new team won't be able to properly fix things if any troubles are encountered.