Network Attack on XVG / VERGE

[tenmoi]

I’ve got 600 xvgs. I’m not going to sell them. They mean nothing to me as you are, the verg team. I’ve stopped mining xvg. A good project has been destroyed by a group of disgusting thieves. I’m refraining so hard from swearing and cursing and name calling.

If you leave your door open and thieves come in and steal everything from your house, who is really at fault there..? I'm inclined to say that the responsibility is shared between you and the thieves. Thieves shouldn't exist, but they do. You were aware of their existence and you did nothing to prevent them from coming in.

In software industry there always going to be someone trying to find/exploit vulnerabilities, and someone trying to counter them. You will never be 100% secure because the solutions made by humans are by nature imperfect. The best thing we can do is become aware of the known weaknesses and try to patch them.

And here is where I challenge you:
In a project that concerns money, investments, trading and so forth. What exactly where the measures taken to assess the security of it..? You as a consumer/user of this project, what facts did you investigate and use to convince you of the security aspect of the project..? Thats the thing.. You talk about a good project, in what aspect..? Did you really investigate that it was a "good" project..? Today you read about a vulnerability that was there for 4 years. Of course this can happen (and it has) in the best companies and products. But those companies do regular security pen tests, hire security experts to do research and offer security bounties to communities. For every single vulnerability someone may find, you can be sure the companies have already found and patched a 1000 more of them.

Why don't you ask the team of your good project, to demonstrate to you, the actions they have taken in the last 4 years to assess the security status of the project..? Ask them to share with you the reports of the security assessments, to show you which security experts they invited/hired/asked for help to assess the code base. To show you how their development process exactly is, how regularly the codebase is assessed for security vulnerabilities, how and with what mechanisms do they ensure the quality of the process..?

But then again you shouldn't ask for them, that info should be publicly available right..? Or else you wouldn't put your hard earned money in a project that you are not sure if its secured "enough" (for your needs).

Thank you for the long and detailed post.
You know what? I am calling the verge team thieves. They are stealing xvgs and no one else whosoever!!!!!  They can do what ocminer advised but they have closed their fucking ears. Do they have ears? I highly doubt. I didn't do enough research. But I didn't lose much money. I just only lost hope.
Fuck them. They will burn in hell with their loots.

[1715367663]

1715367663

[1715367663]

1715367663

[1715367663]

1715367663

[cminor]

Thank you for the long and detailed post.
You know what? I am calling the verge team thieves. They are stealing xvgs and no one else whosoever!!!!!  They can do what ocminer advised but they have closed their fucking ears. Do they have ears? I highly doubt. I didn't do enough research. But I didn't lose much money. I just only lost hope.
Fuck them. They will burn in hell with their loots.

I understand your frustration. But calling them names or cursing them will change nothing unfortunately. What you see here might as well have nothing to do with them having closed their ears. It could be that they just plainly don't understand the code so they are incapable of providing a fix. Months ago, when I did my research on Verge looking at the source code I realised that the lead dev is at most a Junior dev that lacks the experience to provide any high quality complex code. This has been proven so many times by their "accidental" mistakes or the copy/pastes that include bugs of others.. Any rants/vents I had, went immediately away. There was no point in venting at a fish because it will not fly.. Its incapable of doing this in the first place..

Take the whole thing as a lesson. An experience to make us smarter in researching and making our choices.

[PikachuYou]

Thank you for the long and detailed post.
You know what? I am calling the verge team thieves. They are stealing xvgs and no one else whosoever!!!!!  They can do what ocminer advised but they have closed their fucking ears. Do they have ears? I highly doubt. I didn't do enough research. But I didn't lose much money. I just only lost hope.
Fuck them. They will burn in hell with their loots.

I understand your frustration. But calling them names or cursing them will change nothing unfortunately. What you see here might as well have nothing to do with them having closed their ears. It could be that they just plainly don't understand the code so they are incapable of providing a fix. Months ago, when I did my research on Verge looking at the source code I realised that the lead dev is at most a Junior dev that lacks the experience to provide any high quality complex code. This has been proven so many times by their "accidental" mistakes or the copy/pastes that include bugs of others.. Any rants/vents I had, went immediately away. There was no point in venting at a fish because it will not fly.. Its incapable of doing this in the first place..

Take the whole thing as a lesson. An experience to make us smarter in researching and making our choices.

cough cough

https://en.wikipedia.org/wiki/Flying_fish

 

[cryptotum88]

Thank you for the long and detailed post.
You know what? I am calling the verge team thieves. They are stealing xvgs and no one else whosoever!!!!!  They can do what ocminer advised but they have closed their fucking ears. Do they have ears? I highly doubt. I didn't do enough research. But I didn't lose much money. I just only lost hope.
Fuck them. They will burn in hell with their loots.

I understand your frustration. But calling them names or cursing them will change nothing unfortunately. What you see here might as well have nothing to do with them having closed their ears. It could be that they just plainly don't understand the code so they are incapable of providing a fix. Months ago, when I did my research on Verge looking at the source code I realised that the lead dev is at most a Junior dev that lacks the experience to provide any high quality complex code. This has been proven so many times by their "accidental" mistakes or the copy/pastes that include bugs of others.. Any rants/vents I had, went immediately away. There was no point in venting at a fish because it will not fly.. Its incapable of doing this in the first place..

Take the whole thing as a lesson. An experience to make us smarter in researching and making our choices.

Calling a dev a junior only because uses part of code from others dev makes you the junior here.

I'm a dev too and I honestly do the same to release something faster. If you understand what other devs have done in their code is legit to use it (under proper licence).

[ktru19]

whats holding the prices of xvg? why hasnt it plummeted after all this? even exchanges are not accepting deposits
i was waiting to buy some for a low price since page 1 of this thread!

[cryptotum88]

whats holding the prices of xvg? why hasnt it plummeted after all this? even exchanges are not accepting deposits
i was waiting to buy some for a low price since page 1 of this thread!

It has! To do a normal retrace, now is clearly in accumulation phase before next wave up so I think this is the perfect time to buy.

[bisti]

FUN FACT:

1) they collected 75 million coins in donations for "partnership" and my first thought was: if they need money for partnership, whats gonna happend when they cash out 75 mil coins into real money for that partnership

2) suddenly "hacker" takes over 50 mil (latest number someone mentioned couple of hours ago)

let mw guess next step: "we are sorry FOR THE HUGE DUMP "OF HACKER"  but since xvg is untraceable we couldnr do anything

I guess thats one way to cash partnership money

[ktru19]

whats holding the prices of xvg? why hasnt it plummeted after all this? even exchanges are not accepting deposits
i was waiting to buy some for a low price since page 1 of this thread!

It has! To do a normal retrace, now is clearly in accumulation phase before next wave up so I think this is the perfect time to buy.

im looking to buy but not at its current price 0.055 wanting it to drop to last weeks prices of 0.035
was thinking it was gonna go lower than that with the news of a attack but it seems to be holding pretty good

[jambo110]

Oh dear, what a shit show.

[sunc]

The price really pleases, despite the problems that arose

[cminor]

Thank you for the long and detailed post.
You know what? I am calling the verge team thieves. They are stealing xvgs and no one else whosoever!!!!!  They can do what ocminer advised but they have closed their fucking ears. Do they have ears? I highly doubt. I didn't do enough research. But I didn't lose much money. I just only lost hope.
Fuck them. They will burn in hell with their loots.

I understand your frustration. But calling them names or cursing them will change nothing unfortunately. What you see here might as well have nothing to do with them having closed their ears. It could be that they just plainly don't understand the code so they are incapable of providing a fix. Months ago, when I did my research on Verge looking at the source code I realised that the lead dev is at most a Junior dev that lacks the experience to provide any high quality complex code. This has been proven so many times by their "accidental" mistakes or the copy/pastes that include bugs of others.. Any rants/vents I had, went immediately away. There was no point in venting at a fish because it will not fly.. Its incapable of doing this in the first place..

Take the whole thing as a lesson. An experience to make us smarter in researching and making our choices.

Calling a dev a junior only because uses part of code from others dev makes you the junior here.

I'm a dev too and I honestly do the same to release something faster. If you understand what other devs have done in their code is legit to use it (under proper licence).

Then you might have miss-understood me, as if you read on this thread you will also see examples of copy-pasted code that contained bugs that should have been fixed before committing that code. Or other examples that I personally encountered such as commiting "OpalCoin" error messages in your code while your coin is called Verge. Don't you think these are something a medior/senior would never do..? The whole point is that these are old examples, and to date you would expect a "lead" dev to have a proper QA process in place able to catch those rookie mistakes, and also prevent accidental mistakes.. But here we are talking about another fiasco.. Its not about releasing fast. Its about doing the mistake once, then putting in place a process that will alarm you for the same mistakes in the future.. Thats what experience is about.

[BitPotus]

Thank you for the long and detailed post.
You know what? I am calling the verge team thieves. They are stealing xvgs and no one else whosoever!!!!!  They can do what ocminer advised but they have closed their fucking ears. Do they have ears? I highly doubt. I didn't do enough research. But I didn't lose much money. I just only lost hope.
Fuck them. They will burn in hell with their loots.

I understand your frustration. But calling them names or cursing them will change nothing unfortunately. What you see here might as well have nothing to do with them having closed their ears. It could be that they just plainly don't understand the code so they are incapable of providing a fix. Months ago, when I did my research on Verge looking at the source code I realised that the lead dev is at most a Junior dev that lacks the experience to provide any high quality complex code. This has been proven so many times by their "accidental" mistakes or the copy/pastes that include bugs of others.. Any rants/vents I had, went immediately away. There was no point in venting at a fish because it will not fly.. Its incapable of doing this in the first place..

Take the whole thing as a lesson. An experience to make us smarter in researching and making our choices.

Calling a dev a junior only because uses part of code from others dev makes you the junior here.

I'm a dev too and I honestly do the same to release something faster. If you understand what other devs have done in their code is legit to use it (under proper licence).

Then you might have miss-understood me, as if you read on this thread you will also see examples of copy-pasted code that contained bugs that should have been fixed before committing that code. Or other examples that I personally encountered such as commiting "OpalCoin" error messages in your code while your coin is called Verge. Don't you think these are something a medior/senior would never do..? The whole point is that these are old examples, and to date you would expect a "lead" dev to have a proper QA process in place able to catch those rookie mistakes, and also prevent accidental mistakes.. But here we are talking about another fiasco.. Its not about releasing fast. Its about doing the mistake once, then putting in place a process that will alarm you for the same mistakes in the future.. Thats what experience is about.

[MinerDwarf]

I was mining XVG when this attack started. I noticed that the pool was all of a sudden no longer solving new blocks. Thought it might just be really bad luck at the time. However, this continued and I checked suprnova's twitter and found this post. Been following it ever since.

I just want to say that I appreciate ocminer's post and attempts to notify the mining community and XVG devs about what was going on. What's really sad though is how XVG devs have responded to this. A mix of arrogance, suppression, finger-pointing and incompetence have been on magnificent display throughout this fiasco. This has just about shattered my faith in their coin. If the exchanges start accepting XVG again, pretty sure I'll be selling out what I didn't already have on the exchange (which i already sold).

[cryptotum88]

Thank you for the long and detailed post.
You know what? I am calling the verge team thieves. They are stealing xvgs and no one else whosoever!!!!!  They can do what ocminer advised but they have closed their fucking ears. Do they have ears? I highly doubt. I didn't do enough research. But I didn't lose much money. I just only lost hope.
Fuck them. They will burn in hell with their loots.

I understand your frustration. But calling them names or cursing them will change nothing unfortunately. What you see here might as well have nothing to do with them having closed their ears. It could be that they just plainly don't understand the code so they are incapable of providing a fix. Months ago, when I did my research on Verge looking at the source code I realised that the lead dev is at most a Junior dev that lacks the experience to provide any high quality complex code. This has been proven so many times by their "accidental" mistakes or the copy/pastes that include bugs of others.. Any rants/vents I had, went immediately away. There was no point in venting at a fish because it will not fly.. Its incapable of doing this in the first place..

Take the whole thing as a lesson. An experience to make us smarter in researching and making our choices.

Calling a dev a junior only because uses part of code from others dev makes you the junior here.

I'm a dev too and I honestly do the same to release something faster. If you understand what other devs have done in their code is legit to use it (under proper licence).

Then you might have miss-understood me, as if you read on this thread you will also see examples of copy-pasted code that contained bugs that should have been fixed before committing that code. Or other examples that I personally encountered such as commiting "OpalCoin" error messages in your code while your coin is called Verge. Don't you think these are something a medior/senior would never do..? The whole point is that these are old examples, and to date you would expect a "lead" dev to have a proper QA process in place able to catch those rookie mistakes, and also prevent accidental mistakes.. But here we are talking about another fiasco.. Its not about releasing fast. Its about doing the mistake once, then putting in place a process that will alarm you for the same mistakes in the future.. Thats what experience is about.

A wrong word in a comment that not change the meaning of the comment is not a bug it's a distraction and even senior can do it.

Yours big mistake is thinking that 2/3 devs are working like a company or are a company.

Yeah in a real company you have the lead dev, QA, testers, code reviews etc ... but they are just trying to make this coin go "viral" to help ALL the cryptocommunity.

This is what you(people) don't understand, make other crypto fails impact ALL the market.

So why all this hate against Verge? If Verge can bring a REAL use for crypto then be it and BTC ETH LTC will do the same.

Error can be fixed, devs can grow from their errors...

Ps: @BitPotus you can take that finger and put it in your a...  

[iluvbitcoins]

I really hope Sunerok is going to read through this and realize it's better to have someone help him work on the code.
The community is going to be happy if you do this.

This time the bug was exploited for 0.1% of the supply, but what if it was 10%?
Next time, maybe we won't be as lucky if there's a different exploit.
We need 1 more dev.

[ultrametric]

Thank you for the long and detailed post.
You know what? I am calling the verge team thieves. They are stealing xvgs and no one else whosoever!!!!!  They can do what ocminer advised but they have closed their fucking ears. Do they have ears? I highly doubt. I didn't do enough research. But I didn't lose much money. I just only lost hope.
Fuck them. They will burn in hell with their loots.

I understand your frustration. But calling them names or cursing them will change nothing unfortunately. What you see here might as well have nothing to do with them having closed their ears. It could be that they just plainly don't understand the code so they are incapable of providing a fix. Months ago, when I did my research on Verge looking at the source code I realised that the lead dev is at most a Junior dev that lacks the experience to provide any high quality complex code. This has been proven so many times by their "accidental" mistakes or the copy/pastes that include bugs of others.. Any rants/vents I had, went immediately away. There was no point in venting at a fish because it will not fly.. Its incapable of doing this in the first place..

Take the whole thing as a lesson. An experience to make us smarter in researching and making our choices.

Calling a dev a junior only because uses part of code from others dev makes you the junior here.

I'm a dev too and I honestly do the same to release something faster. If you understand what other devs have done in their code is legit to use it (under proper licence).

Such a person is a retard, and not a developer at all! To illustrate what has happened.

- The retard Verge dude "justinvforvendetta" used the browser !!!THE BROWSER!!! to modify the !!!MAIN BRANCH!!! !!!WITHOUT TESTING!!! !!!OF A MULTI BILLION!!! project.
- That code that the retard Verge dude changes was copy and paste, he failed to do some basic math, really really basic math.

Please do not insult junior developers, by comparing such to the verge retard.

-> My post is in general, not on what the person I quoted wrote. But in general, the verge retard with the nick justinvforvendetta shall not be called a developer, not even a junior dev.

[rocky3xr]

If the 17th BIG partnership announcement is still in play, the problem is bigger than what we see, that's why (I think) they are handling in this way

[Slemicek]

sharing this from grant hunter.... worth the read.

VERGE XVG ‘MINING ATTACK’ UPDATE:

This has just been shared with The Crypteia Program, and after a lengthy conversation with Michael Sloggett earlier, we all decided it was very important to release this to the wider community as part of a unified message.

This is the facts as much as we know them at this stage, it is up to you to DO YOUR OWN RESEARCH and plan accordingly.

In terms of trading, Verge XVG has been trading epically since the news about the upcoming industry partnership: It has a huge, dedicated following and gets the volume needed to trade and make serious gains. It’s been traded very technically; hitting the fibs, support, resistance and trend lines.

Unfortunately, this attack on Verge’s blockchain exploits a flaw in the code, so that the person who is attacking, has effectively taken over the blockchain, and made the original one obsolete for the time being.

As of this morning, the vulnerability is still there and there have been two main attacks:

1- Blocks 2007365 - 2010039 = 2674 blocks.
Rounded down to 2500 @ 1560 XVG per block = approx 3.9 million XVG
2- Blocks 2014060 - 2026196 = 12,136 blocks
Rounded down to 10k @ 1560 XVG per block = approx 15.6 million XVG

This gives a conservative estimate of 19.5 million XVG

As stated previously, this attack exploits a flaw in the code which XVG uses to switch between each one of the 5 algorithms it uses for mining. For every new block to be mined, the algorithm must be switched, and all 5 must be used in rotation. (This is something that other coins like Myriad and Digibyte use. They have also been attacked in a similar way in the past, and have fixed their issues - although they were experiencing much less volume at the time as what Verge is now).

The exploit itself is very smart. The attacker has used the flaws in Verge’s code to put an older timestamp on their fake blocks to trick the network into thinking that the fake chain is the real one, by having this broadcast to over 51% of the nodes. They have gained consensus, effectively taking control of the XVG chain. This has meant that the ‘real’ blocks being mined by legitimate miners, are seen as the false ones, and therefore are ignored (orphaned).

The reason why trading is still possible, is because the ‘fake’ chain is still verifying transactions so people can still trade the coin, however, the attacker is adding extra blocks and making extra free XVG for themselves.

This is a summary of events of how this situation has been handled by OCMINER and Sunerok of Verge during this situation:

1) OCMINER (Supernova Mining Pools) approached verge dev team in their discord group after noticing the issue in their pool.
2) This was unsuccessful, and nothing was taken further at that stage by the verge dev team.
3) OCMINER then posted details of the attack onto Bitcointalk.org, in order to alert the wider mining community of the attack.
3) Verge dev then got involved, and attacked OCMINER for advertising the issue and making the problem worse.
4) Verge dev then attempted to fix the issue by copying and pasting a fix for Peercoin into Verge.
5) This piece of code had a flaw which wasn’t picked up on and this caused the issues yesterday where wallets wouldn’t sync, and the real blocks were still be ignored by the chain.
6) A new fix was suggested by OCMINER to Verge Dev, which included:

- New code to fix the flaw (from DGB - which would need to be merged with Verge’s code in the correct places as they are slightly different).
- A method to blacklist the malicious addresses - meaning the attacker could no longer use the coins they falsely mined.

7) During this time there has been a private discussion between OCMINER and Sunerok, which was fairly heated at times, and saw no resolution between the two.

At this stage, there has been no fix implemented. The vulnerability is still open and the attacker still controls the longest chain.

FYI - Attacks, hacks and exploitations are very common. These have been going on since the late 70’s when UK and US intelligence agencies invented cryptography as a way to communicate secretly with each other. This situation should be seen as a good thing - simply for the advancement that it leads to. After every attack, the code is made stronger, however:

The most important part of this type of situation is how the dev team respond to it, because it has the potential to cause havoc. Both in terms of public perception (trust) of Cryptocurrency, and for Verge itself.

Remember there are two sides to this market - the facts and the PR. Verge is a PR machine, and its following is fanatical in its belief of the project. Up to now, the PR is working, and the price hasn’t been too negatively affected. One reason for this is that most of the comments about on this attack on Verge social media (twitter / reddit) are being censored by Verge, and the information being put out by Verge isn’t wholly accurate in terms of the seriousness of the matter.

With the upcoming announcement of the ‘new industry partnership’ being rumoured as being a German Bank, this issue if not resolved effectively, could lose them the partnership and reduce public trust in both crypto and Verge, simply because it will be seen as another failure.

In terms of the actual privacy of the coin, the maliciously mined coins can be tracked using a blockexplorer - bringing into question the legitimacy of the how private the blockchain currently is.

I have absolutely no idea which way this will go - either way it’s not good.

There is potential for it to be fixed and with the strength of the Verge community, the price of the coin could still maintain its action in the run up to the partnership announcement.

There is equally as much chance that this could implode bringing Verge to its knees and seeing a mass sell off of the coin, leaving many out of pocket.

My aim with posting this is to inform and give everyone the opportunity to look into this further themselves, make whatever decisions they want regarding any Verge XVG they currently hold.

This post is a summary of the thread linked below and all details of this situation are there, with all links to relevant sites to verify the information given. Please look into this further, and learn as much as you can, so you are as informed as you want to be:

Thx for summup. I think every one can make his own picture now.

[Procrastinater]

This has drawn me thinking how this thing could have been better unfolded.

I am a programmer but have zero exposure to block-chain tech at all, so I would say I am just a speculator when I am putting money in cryptos.
I viewed on Youtube an interview to Sunerok and Pivx guys. I have am impression Sunerok is a confident knowing guy thus XVG is sort of worth a try.

I am thinking if I were Sunerok, what's happened to XVG since McAfee boasted it has been so dramatic but the same time kind of landing both huge responsibility and hope onto my shoulder.  Be noticed I am simply a guy who is pursuing my own vision about how crypto should be and I had never expected it all of sudden reached such a level of position in the list of all blockchain projects.
However, without significant investment, I could only continue and focus the project how it has been going. That's why a partnership with a big business may immediately improve this project from all aspects.

I reviewed some of the conversation (didn't go through all), in which I didn't find anything out of XVG dev is extremely disrespectful, though most their response are short (maybe that is as much as can be done at this point of time).

Now, If i were Cminer, I would have tried to talk Verge to publish the incident themselves (maybe Cminer did). I had all the right to make it public but I would mind the sequence.

I think, for investors, XVG has become a tool for people to make money by trading, it's already marked its position there. For long term hodlers, we will just believe in the vision.

[Ramon1]

sharing this from grant hunter.... worth the read.

The exploit itself is very smart. The attacker has used the flaws in Verge’s code to put an older timestamp on their fake blocks to trick the network into thinking that the fake chain is the real one, by having this broadcast to over 51% of the nodes. They have gained consensus, effectively taking control of the XVG chain. This has meant that the ‘real’ blocks being mined by legitimate miners, are seen as the false ones, and therefore are ignored (orphaned).

The reason why trading is still possible, is because the ‘fake’ chain is still verifying transactions so people can still trade the coin, however, the attacker is adding extra blocks and making extra free XVG for themselves.

No matter how much they try to PR spin their way around this, if what you say is true and the attacker basically gained control of the blockchain to the point they are printing and trading coins by themselves and for themselves, XVG as it is now is ruined. Instead of being so incredibly arrogant, the dev(s) should've shut it down until they could hardfork.

Great write up summing the course of events, it should be posted other places for visibility. As you well say, people oughta get as informed as they can be.