Network Attack on XVG / VERGE

[lnoir]

Looks like suprnova xvg pool is back online now. Will it remain up?

If that is the case, I don't think it will remain up for long. XVG has already been removed from the site: https://www.suprnova.cc

[1714907518]

1714907518

[1714907518]

1714907518

[Premiermine]

Following the whole thread and having read really every message and post on it i would like to share my personal opinion:

- great thx to ocminer. I personally see that every technical post he made makes absolutly sense and has its obvious logic. Too bad that there are too many arrogant people here. The Verge devs should have listened to him from beginning and i'am pretty sure the issue would have not gone that way.

- again great thx to ocminer for posting it and making XVG miners aware what happens. I think miners and other pool owners should have the right to know whats going on with a coin they are mining. At least, we XVG miners are part of XVG as well, maybe something that Verge has forgotten allready.

- even one more thx to ocminer for his stance in this case and taking the side of the miners. At least for me, suprnova is now a 1st class pool i thrust and whenever possible i will use it. 1% donation to show and honor such open discussion and defending the miners point of view and interest.

About Verge/XVG:

- Until today i was a Verge fan, Verge miner, Verge holder (with about 200k XVG, not a whale but still), Verge hoper because it was an underdog in my opinion and i like underdogs that make it up.

- This whole issue (and some others) has shown to me that the Verge team is not really interested in its miners, followers, holders, investors, you call it .... They write off some 20m+ XVG as it was nothing. About the legit miners that mined over hours only orphaned blocks, nothing. I guess the pool owners as well are in the negative with these "hacked" blocks.

- Than the noobish fix, backroll, you have read about it all the pages bevor, no need to comment it again. Seriously, this is not the approach i want by a coin i like and have hope in. Absolutly not. Its the approach of a Noob team that just has made a coin, not more and not less. Not even anymore sure if its really such privacy coin as it pretends to be.

- Than again thinking about it. What to await from a team that even does not manage to have a working email on its homepage? Whats left for some skilled programming?

- Here again a point that just makes it clear how you actually threat your followers: Huge amount of followers get scammed on your twitter threads. Scammed users cry for some ad/banner/warning to have others warned. Only thing you comment is " we get alot of messages about it, but seeing as there is absolutely nothing we can do about it right now, those messages are not a priority." Seriously? You can  not add a simple warning message on your twitter messages? Spare me the "other coins have the same problem", as we talk here about XVG. So having daily your followers nonstop scammed is not one of your priorities?? Adding a simple warning message which takes about 2s is not possible? It isn't even more about the scam, its about you are unwilling to do the very least someone of you team could do to prevent YOUR followers to get scammed, but 0 interest in it.

- Than the chat with ocminer. The only thing you worried about was that he made it public, again 0 interest in fixing actually the problem and hack. You Verge guys really make me believe that you are not interested in fixing whatever. Only in this thread i have seen at least 4 - 5 high level technical experts you could have taken good advice from. You even give shit about some of the best pools around, again evidience that you do not care about your base and people involved in XVG as pools and miners are the backbone of your currency, at least imo.

- Verges only luck seems to be a lot of desperate XVG holders that hope some day to make a fortune holding that 0.03 - 0.05$ coin raising to US$ 1 (this would be at least by market cap #4). The question is if it is possible that a coin really can make it up based on luck and day dreamers?! Time will show. I personally will follow ocminer and get my hands of XVG, selling my little XVG holding and not mining it anymore. Sometimes in life principles should be stronger than just profit thinking. I just do not feel good supporting anymore a project that gives shit about its followers, miners, pools, investors, believers, ......

Just my 2 cents and satoshis

+10

[m a d r a]

...Sorry for derailing the original topic a bit but this topic was my only chance to get someone from verge after nobody answered on twitter for hours...

Sorry you got scammed and all that.

But all your contribution to this post has done is to announce to the world that you're ignorant of how Twitter works –namely that anyone can reply to anyone else's Tweet– and this does not mean that these replies are in any way endorsed by or connected to the original Tweeter's account. About one nanosecond of looking at the thousands of [often abusive] replies posted on anyone remotely high profile's timeline would have shown you that.


So why keep banging on about it, like it's Verge's fault or Twitter's fault that you got scammed by someone on Twitter?  It's no-one else's fault but your own. Learn from your mistake, move on and stop casting about for someone else to blame.  

[mpapageo]

While not a good situation for verge and those invested, you people realize that all companies living on the net have had to deal with hacks at some point or another right??? Verge team will learn from this I'm sure and they will fix it in short order.

This issue was found 4 years ago. Someone should be going thru the libs that XVG uses and helping to sort this out; unfortunately someone has been going thru and looking to exploit.

[BillionDollarMan]

While not a good situation for verge and those invested, you people realize that all companies living on the net have had to deal with hacks at some point or another right??? Verge team will learn from this I'm sure and they will fix it in short order.

This issue was found 4 years ago. Someone should be going thru the libs that XVG uses and helping to sort this out; unfortunately someone has been going thru and looking to exploit.

Wow, could be a team member lol

[cminor]

Hello all,

For a moment please set aside the fact that my account is new. I registered here because I was inspired by the post of OCminer.
I would like to point out that he sets very good examples and we should support and promote such actions. Being a developer myself (professionally), I would like to give my point of view and also clear up some confusion that was introduced by some people, probably due to lack of experience or knowledge.


1. It was mentioned on this thread that OCminer shouldn't have posted about the issue here. This was based on some people knowledge/experience with software security.
    You can safely ignore those posts. Security through obscurity is a very well known anti-pattern to any professional security researcher. Quoting from wikipedia https://en.wikipedia.org/wiki/Security_through_obscurity

In security engineering, security through obscurity (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. A system or component relying on obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, that will be sufficient to prevent a successful attack. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism.

In short, OCminer did the right thing.

2. Verge developer sunerok commits code that is copy pasted from other projects that he does not understand and sometimes includes bugs. This is true and anyone that can examine the source code that is available publicly on github can verify it. This is not the first time this happens, more like the Nth time. Examples of this are the feature of stealth addresses that was copy pasted from 3year old OpalCoin code that included the actual names of OpalCoin. Imagine using your Verge wallet and suddenly you get an error message saying your OpalCoin address is invalid.. https://github.com/vergecurrency/VERGE/commit/e3612923a51016fc78e470d9e15a744d6ad64cb5#diff-e75eff0ce0dde388eddbe3173db85bd4L1779
Other examples where someone gathered many references to copy pasted code: https://github.com/vergecurrency/VERGE/issues/304. Every single time the Verge developer and the fanatic community was either blocking/bashing on/banning the people that would report this. In Software Development and all professional circles and companies this is exactly what is called a Junior or inexperienced developer. Developers that do this usually are not allowed to commit to the mission critical products of a company, due to the damage they can cause. Instead they are assigned more senior developers as mentors and other devs review every single line they write to prevent "accidental issues"..

3. Verge marketing team are trying their best to market a faulty product, trusting their lead dev but they also are as inexperienced as him. More specifically I've shown above and it was already known to most of you that code from OpalCoin was included in Verge source code. The ignorants would say that this is how open-source works. Those people however are the ones that do not understand Licenses which every open source software is accompanied with, and not every open-source software comes with a "free to copy paste" license. In fact OpalCoin as shown here https://github.com/OpalCoin/OpalCoin/blob/master/LICENSE#L13 comes with a license that specifically says

3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the Opalcoin Developers.

Of course you never saw any of this in the marketing material of Verge.

4. Mcaffee. I don't know why this guy is still called a security expert. It saddens me that people will follow anything they will hear from "accredited" persons without investigating the legitimacy of it. For a Proof of Concept I decided to follow one of Mcaffes's leads for an ICO, specifically Bezop tokens, to see what I can get out of it. When I opened an account during their ICO sale, I immediately noticed the security flaws of their platform. The flaws where so big, that you could access identity cards, passports, driving licenses and other PII, as well as being able to add tokens to your wallet. I immediately reported this to the company but did not receive any response. I tried to contact them in their LinkedIn accounts and again got no response. 2 days later someone writes a blog post on Medium about the same flaw however mentioning half of the vulnerabilities. When I found that post it was already editted, now containing only 2 lines saying that he got in touch with the company, the issues were fixed, and there is nothing to worry about. (note: Thanks to google cached content I was able to find the original post that included the vulnerabilities). I tested again my PoC and the vulnerabilities were still there, nothing was fixed at all. This is not an uncommon incident in software security. Sadly when the responsible people only care about money, we get to pay the price..

A few last words and I'm sorry for the long post:

Once a colleague of mine told me that if we were to build an in house solution for X feature instead of using an open source existing solution, this would have been way more secure. I replied to him "How many security experts does our team have..? Do you think those few minds are much greater and have more time than the huge community of hundreds of security experts & hackers?"
Open source world has helped a lot in making software more secure. People actively trying to find vulnerabilities and the community actively trying to patch those vulnerabilities is what creates more secure software. We learn from our mistakes so that we don't repeat them in the future. But we need to be aware of our mistakes; we cant fix something we don't know about. If we care about our users/customers we need to be open and transparent. And if we don't care we also need to be open and transparent, so that anyone that will use our product knows the risks of doing so, instead of being lured by false marketing claims of "privacy and security".
 
Btw does anyone have a link to the pen-test reports/security audits of Verge..? I remember some months ago there were talks about security audits being scheduled.. I haven't followed up on this, any news..?

[lnoir]

I have a few thousand XVG, and have been interested in Verge for some time. I share this so that you realise I'm not a troll. But neither am I a "fanboy", and I can't help but be disappointed about the way this situation has been handled. ocminer kindly shared concrete evidence that there was an issue but the attitude towards it (from what I can tell) was somewhat dismissive and/or nonchalant.

I'm a developer by trade, and understand that the likelihood that software is bug-free quickly diminishes as complexity increases. The problem for me isn't that there was a bug in the code that was exploitable — we can be thankful that it has been brought to the attention of the team and will be fixed. The problem for me is that this thread and situation highlights some serious issues.

First, it indicates that the team isn't fully aware of what they're doing. This statement is not an attack, it's just based on the evidence:

Wonder when they are going to hardfork it

why would we do that? we just made a quick simple update and most pools have already updated...

we are now working on a higher level of redundancy checking as well.

the attack only lasted 3 hours, and not all coins produced during that period were intercepted.

After the "quick simple update" (which actually appeared to be botched), it took for ocminer to point out their error:

nice a new version of the famed timewarp attack.. very interesting.

yep.. we pushed a quick fix and most pools have already updated.. we're already working on a whole new block verification process.

we're kinda glad this happened and that it wasn't as bad as it could have been.

Hmm, you guys are aware that the "fix" you pushed actually IS a hardfork ? So your blockchain snapshot is not valid anymore, the wallet's won't sync up from scratch anymore and the current chain is simply not usable anymore with that new "fix" ?

Your change simply disagrees with the attackers blocks, the first block I see from the attacker was 2007365 - so the wallets will stop syncing there and simply not progress any further.

I remember your first forking dramas when trying to fork into Tor which failed 2 times IIRC.

You should immediately refrain from that "fix" and set a proper fork-height (at least 48h) and the chain up until the fork block MUST accept blocks with the old timestamps and blocks after that fork block then only with the new timestamp.

Maybe conversations have happened privately between Dogedarkdev and ocminer, but I would expect at least a "thanks" or some kind of acknowledgement of his contribution. Instead, the next comment from Dogedarkdev is:

we are not doing a rollback and we are preparing a fork to patch this up.

The second problem seems to be one common to many projects: communication. There are a number of things the Verge team could have done which it doesn't seem they did, or if they did, didn't do soon enough.

• On first report, notify the community via the various channels (BitcoinTalk, Twitter, Telegram, Discord) that a potential problem has been reported and that it is being investigate (perhaps linking to a BitcoinTalk thread)
• Work closely with the person who reported the issue to confirm (or reject) its validity
• Notify the community (again) once the report is confirmed or rejected and explain what will happen next (if anything) and ETA
• Keep the community updated and thank them for patience and support

Communication is vital if you want to maintain the confidence of your community in your product. As of this post, the last Tweet from @vergecurrency is from 17h ago stating the problem is fixed:
https://twitter.com/vergecurrency/status/981578693062610950

Obviously it is not. On top of that, the top tweet when looking at the responses is from a fake Verge account (@vergekscurrency). Now, I know from this thread that people have already been duped, and yes they should have done their due diligence, or just used common sense and not send money unless purchasing or donating. But still, a simple Tweet to warn people about it wouldn't hurt.

Now, all this said, I understand that if the team is small there might not be resources and there for time fulfil all of the above during a time of crisis (which we can consider this to be, seeing as the hack is resulting in a hard-fork). Even more reason to make the limited communication count. Reassure your community, let them know you're on top of it and taking potential threats seriously.

I've got plenty more to say about it, but I've got things to do and besides, I'm a nobody on here. It's just my two cents.

all cut and paste projects run the very real risk of a broken port, regardless of the parent codebase. when a cut and paste dev misses any single important thing, a "simple" change can easily lead to a broken chain

to be fair, even projects with large active devteams still run into exploits/bugs, etc. the danger with cut and pasted coins is that the new team wont be able to properly fix things if any troubles are encountered.

I've had to salvage projects that had clearly been cobbled together from various snippets of (untested) code, so trust me, I've experienced the nightmarish nature of these cut & paste projects. And yes, projects with large teams can still "run into exploits/bugs", that's the nature of software development. As I said:

...the likelihood that software is bug-free quickly diminishes as complexity increases.

Or to put it more generally: no software is bug-free. At least, this is the attitude that developers should have. Assuming you're not lazy or reckless, thinking this way makes you more proactive in your approach to weeding out the bugs, using various software testing methodologies (e.g. unit-, vulnerability- and generative testing).

The evidence of inexperience and/or incompetence in the Verge dev team in this situation — not to mention the downplaying of the significance of what's happening, and the lack of humility — has obliterated my enthusiasm for the Verge project. I believe in the right to privacy and anonymity, but there are other coins that can provide these things. From what I've seen, the Verge team isn't fit to deliver a secure and reliable solution, so I'm bailing out.

Any faithful Verge fam wanna buy my XVG?

[bitcoinexplorer]

This is an open invitation from Team of Dero, to try to attack Dero network/Blockchain

Dero has already successfully fended off 3 attacks, and is challenging XVG attackers to move their operations to Dero blockchain instead

p.s. I'm not a team member.

i wonder if that's a good idea, given they are a fork of masari, which is a fork of old monero...

Hello
I know ocminer is insane in past he also did rumored wrong about me for which members condemned him.

Can you please tell me where i can continue mining Verge on Myriad Gorestl ?

Please guide.
Thanks.

If the majority of people (99.99%) of people sing ocminer's praises and I am one of them, then you most probably deserved to be called out for being a fucking dickhead.

so how about you stop bitching like a little girl and you man up for once in your life.

 

Its you who is bitching like a coward, if you dont have faith get the hell out of Verge and move your dumb self.
I told you ocminer have either blood pressure issue or is childish.

I dumped in your face you faggot.

Now am just watching retards like yourself get REKT.

 

i am not your baby sitter, go eat your dump.
You are a shit who just use fool language when you dont have any right answer.

[bitcoinexplorer]

Hello all,

For a moment please set aside the fact that my account is new. I registered here because I was inspired by the post of OCminer.
I would like to point out that he sets very good examples and we should support and promote such actions. Being a developer myself (professionally), I would like to give my point of view and also clear up some confusion that was introduced by some people, probably due to lack of experience or knowledge.

Btw does anyone have a link to the pen-test reports/security audits of Verge..? I remember some months ago there were talks about security audits being scheduled.. I haven't followed up on this, any news..?

Here comes OCMiner with a fake newbie id 

[mpapageo]

While not a good situation for verge and those invested, you people realize that all companies living on the net have had to deal with hacks at some point or another right??? Verge team will learn from this I'm sure and they will fix it in short order.

This issue was found 4 years ago. Someone should be going thru the libs that XVG uses and helping to sort this out; unfortunately someone has been going thru and looking to exploit.

Wow, could be a team member lol

I'd prefer not to speculate in public about that rabbit hole.

[BillionDollarMan]

Hello all,

For a moment please set aside the fact that my account is new. I registered here because I was inspired by the post of OCminer.
I would like to point out that he sets very good examples and we should support and promote such actions. Being a developer myself (professionally), I would like to give my point of view and also clear up some confusion that was introduced by some people, probably due to lack of experience or knowledge.

Btw does anyone have a link to the pen-test reports/security audits of Verge..? I remember some months ago there were talks about security audits being scheduled.. I haven't followed up on this, any news..?

Here comes OCMiner with a fake newbie id 

Bag holder spotted.

[BillionDollarMan]

While not a good situation for verge and those invested, you people realize that all companies living on the net have had to deal with hacks at some point or another right??? Verge team will learn from this I'm sure and they will fix it in short order.

This issue was found 4 years ago. Someone should be going thru the libs that XVG uses and helping to sort this out; unfortunately someone has been going thru and looking to exploit.

Wow, could be a team member lol

I'd prefer not to speculate in public about that rabbit hole.

I really don't hate XVG scam like bitconnect scam,XRP scam or other scamforks of bitcoin which claim themselves as real bitcoin. I wish many moons and lambo to XVG scam.

[aciddude]

I wish there was a way BitcoinTalk could block or limit the posts of the new shitposters

It's shocking as it's very blaytent XVG has a payroll to fund shilling and trolling.

--
It's so easy


1 - Look at verge code on GitHub - look at their master branch
2 - Look at the fixes they've attempted and the fuckups of copying and pasting code they dont understand
3 - Mark  XVG as a shitcoin and move on


---
OCMiner has tried multiple times to point out where they need to make the changes and they still dont listen.


Everything I can see says the code is still exploitable, the attacker will just get less money in the long run.

--

What's worse there's been no apology from verge.  What they have done is tried as hard as possible to censor this attack in the hopes that no one will notice...


The longer this goes on the more it looks like an inside job....but this is wild speculation now.

[Hakamura]

The strange thing is that during this period, the rate of this coin is not much fluctuated and reached almost 1000 Satoshi,large volumes were trading so it interested me. But I never thought there was a hacker attack.

[Dogedarkdev]

While not a good situation for verge and those invested, you people realize that all companies living on the net have had to deal with hacks at some point or another right??? Verge team will learn from this I'm sure and they will fix it in short order.

This issue was found 4 years ago. Someone should be going thru the libs that XVG uses and helping to sort this out; unfortunately someone has been going thru and looking to exploit.

it actually has nothing to do with libraries/dependencies verge uses. this issue was brought up in peercoin, but thought to not be a threat. many coins still have this issue in them.

[Dogedarkdev]

I wish there was a way BitcoinTalk could block or limit the posts of the new shitposters

It's shocking as it's very blaytent XVG has a payroll to fund shilling and trolling.

--
It's so easy


1 - Look at verge code on GitHub - look at their master branch
2 - Look at the fixes they've attempted and the fuckups of copying and pasting code they dont understand
3 - Mark  XVG as a shitcoin and move on


---
OCMiner has tried multiple times to point out where they need to make the changes and they still dont listen.


Everything I can see says the code is still exploitable, the attacker will just get less money in the long run.

--

What's worse there's been no apology from verge.  What they have done is tried as hard as possible to censor this attack in the hopes that no one will notice...


The longer this goes on the more it looks like an inside job....but this is wild speculation now.

it's certainly not an "inside job" and there is no censoring of it, we just dont need 1000 duplicate posts about it.

[siege3967]

I wish there was a way BitcoinTalk could block or limit the posts of the new shitposters

It's shocking as it's very blaytent XVG has a payroll to fund shilling and trolling.

--
It's so easy


1 - Look at verge code on GitHub - look at their master branch
2 - Look at the fixes they've attempted and the fuckups of copying and pasting code they dont understand
3 - Mark  XVG as a shitcoin and move on


---
OCMiner has tried multiple times to point out where they need to make the changes and they still dont listen.


Everything I can see says the code is still exploitable, the attacker will just get less money in the long run.

--

What's worse there's been no apology from verge.  What they have done is tried as hard as possible to censor this attack in the hopes that no one will notice...


The longer this goes on the more it looks like an inside job....but this is wild speculation now.

it's certainly not an "inside job" and there is no censoring of it, we just dont need 1000 duplicate posts about it.

Lol mods in your telegram don't even know it's still going on. I showed one of them proof and he said and I quote "I'm just an admin, I don't know anything". Do you also keep your admins in the dark?

[cminor]

Lol mods in your telegram don't even know it's still going on. I showed one of them proof and he said and I quote "I'm just an admin, I don't know anything". Do you also keep your admins in the dark?

Not taking any sides but trying to be just, being a moderator/admin at a forum/channel is about ensuring proper behavior of the members. Thinking similarly, an office administrator of a software company would not necessarily know about a security breach in one of the company's software products. Might as well not even have the knowledge to understand it

[aciddude]

Lol mods in your telegram don't even know it's still going on. I showed one of them proof and he said and I quote "I'm just an admin, I don't know anything". Do you also keep your admins in the dark?

Not taking any sides but trying to be just, being a moderator/admin at a forum/channel is about ensuring proper behavior of the members. Thinking similarly, an office administrator of a software company would not necessarily know about a security breach in one of the company's software products. Might as well not even have the knowledge to understand it

I agree with you here.  But professionally run outfits/coins/companies will notify their admins or senior members in order to mitigate the volume of new user requests and questions.

Verge didn't do this.  They did not update their admins and tried to keep this all as secret as possible.


Binance have also haulted deposits and withdrawals.


the XVG code is still vulnerable for the next  ~3 days  - and I'm pretty sure there will be another attack.

except we wont have heros like  OCminer to warn us.

[noicyminer]

Lol mods in your telegram don't even know it's still going on. I showed one of them proof and he said and I quote "I'm just an admin, I don't know anything". Do you also keep your admins in the dark?

Not taking any sides but trying to be just, being a moderator/admin at a forum/channel is about ensuring proper behavior of the members. Thinking similarly, an office administrator of a software company would not necessarily know about a security breach in one of the company's software products. Might as well not even have the knowledge to understand it

From first ocmines warning passed 2 days. Verge dev say they fixed issue,but it continues today as well,but nothing about today,just digging into that was 2 days back.
Problem still here and likely be for other days as well.

By then it was ~`20mil.coins stolen/produced illegaly,how much is for today? Another 20mil.? Soon will be reached XVG cap.

Are you making anything to fix this(to Verge dev)?