Topic: Network Attack on XVG / VERGE (Read 29438 times)

 This means the code has not been fixed until today.
"nActualTimeInterval" - it can still take a value less than 0.

It took about seven to twelve days to generate 560,000 blocks.

I only know about difficulty algorithms and timestamps. This lets us know the attacker spent less than $1 to get the 567,000 blocks. The important question remains. Why were nodes rejecting the public chain for the attacker's chain that had less work?  Simply saying the attacker spun up a lot of nodes for a Sybil attack is not sufficient. The whole point of POW is to prevent that kind of problem.  What did Verge change in BTC's node communications or most-work tip selection that makes this attack possible?

Final analysis is in here:

https://ocminer.medium.com/the-xvg-verge-attack-74c6d64e621

and in here

https://github.com/zawy12/difficulty-algorithms/issues/68


Thanks @ zawy for second opinion and thoroughly examination of the log

My point about the Sybil attack on peer time is that if the attacker used it to corrupt node databases, then their own chain can get mined on top of by miners who do not have another option, even though the attacker's chain has less work. The attacker's chain seemed to have very little work because the difficulties I saw were like 0.000044 for most of them instead of 50,000 or something. A simple attack would start back in July like they did because they can fake a long time between block timestamps to get difficulty really low in a small number of blocks, then just assign timestamps 1 normal block time apart so difficulty does not increase. So a 1% hashrate miner might be able to get 560k blocks in only 1 day. A more advanced attack would use what I call the "timespan limit attack" (the nTargetTimespan/3 stuff above) that does not need to go back to July and could advance the chain a large number of blocks with a really low difficulty. That would also take a small miner maybe a day. In both cases, they normally only work if the attacker has >51% HR. So the peer time attack (or something similar) would have to be used for a smaller miner to succeed.

Wondering who or what has the hashing power to free lunch mine this non stop for half a year...

The attack yesterday was a massive reorganization of about 560k blocks.

3 years ago it was already a known vulnerability which could have been fixed as the massive chain reorganisation depth could have been simply limited in the code itself or a komodo-like
dPow could have used to secure the chain.

Nothing of all has happened so the attacks went along over the years and this massive reorg now was so big that many users and miners suffered empty wallets.

Instead of fixing this, just a new version number was set in the code today and people asked to update:

https://github.com/vergecurrency/verge/commit/13d052c6049816ff4fc926c90ae527b6e47e9797




However not even the minimum version requirement in the code was changed - so that new nodes would ignore the old ones, no, it's just a new version where all nodes would connect to, the vulnerability hasn't changed at all, the code is still the same, it just has a new version number.




One of the vulnerabilites was even posted in the "Issues" Section of github:

https://github.com/vergecurrency/verge/issues/1058

However the devs refuse the fix as they think it's only working on testnet which is not the case as you look through the code.





So as of now - there's a new version 6.0.3, which still allows old peers to connect to it and it also actively connects itself to other "old" nodes because the minimum peer version requirements
hasn't been changed in the code, which still wouldn't fix anything as the vulnerability itself hasn't been fixed.

Instead of getting to work the devs now start a twitter campaign against pools and people telling those are actively supporting the attack or are the attackers themselves.  Such an attack wouldn't help Pools or Exchanges because old transactions would get invalid i.e. mined blocks in a pool would become orphaned ending up in pools wouldn't be able to pay their miners as the mined blocks all become zero value.

I've posted two small fixed for their issues in the appropriate section on github:



So... Make your own decision here if you want to invest ;-)

3 years later, same story

https://twitter.com/LucasNuzzi/status/1361392168989036545

Hi everone, i invested 9 BTC in verge back in April 2018 when it was 600 satoshi... now that that's consistently under 50 satoshi... does it have any future?
What do you guys think of the coin's future?

Im super hurt by my loss. Any help would be appreaciated.

Well, I don't know, if it's the most profitable currency to mine, you could mine it and sell it as quickly as possible. XVG is a pretty liquid market and even while the attacks were occuring, it didn't drop by as much as it could have. I just wouldn't let it lie around for too long in the hope of it gaining more value over time. But I think for miners, this is generally good advise, especially when they are not the greatest of traders.

I agree that it's a shitcoin with no real substance and if you are ideologically involved in crypto and buy into the whole new paradigm thing, you should stay the hell away from it, but if you're ok with making an extra buck or two and it's the best choice, why not.

I see mate, looks that the only reasonable choice it's to stay away!

With my brand new DaYun Zig Z1 I'm currently testing NiceHash and some multi-pools such as Zerg, that still include XVG.

Thanks for your worthy point of view!
/E

No one can tell you if there'll be another hack or not. The thing is that the dev team has been proved untrustworthy in my eyes.
What's important though is that there were already a lot of coins which were hacked and probably no one can know for sure if they have been dumped yet or not. If they have not, then the price could plunge any moment.

But in either case, would you like to support a coin and a team which was so easily hacked twice? Are you happy with the way they handled it? I had expected them to notice the problem immediately and rollback the blockchain and the hacked coins.

So... your choice.

hi guys

does anybody knows if we can mine XVG safely at this time?

I'm awaiting a brand new Dayun Zig Z1 landing today...
I'm trying to figure out what's the best coin/pool to get the highest stable yield.

Thanks for any advice!
/E

PUre Gold!

Do you remember coinpouchapp xvg hack for 160 millions of xvg. Now things are getting funny. https://twitter.com/MinerChief5Six/status/1017520349628522496?s=19

No @Thecryptohero, can it still be heard somewhere? I would like to hear what they said. Thank you!

anybody heard the interview of verge yesterday on cryptoradio?

Even marketing strategies play a big role in cryto exchange, it is inevitable for developers to aid problems regarding their platform's malfunction/s. I think the team were doing all their best, maybe wait a little more time? 

I think that the problem is the lack of concern that the project has received, focusing only on marketing and tweets.

Not sure about that one. I didn't see such problems at Digibyte for example, but only at XVG

The problem with having multiple algos like this in a coin is that nobody cares too much about any particular one. Then this happens.