Topic: Network Attack on XVG / VERGE - page 58. (Read 29513 times)

I’ve got 600 xvgs. I’m not going to sell them. They mean nothing to me as you are, the verg team. I’ve stopped mining xvg. A good project has been destroyed by a group of disgusting thieves. I’m refraining so hard from swearing and cursing and name calling.

of course.

Yeah, thats the kind of logic coming with this project.
Same like "the lead dev mustn't be fully understanding the flawed code he copied and pasted".

From first ocmines warning passed 2 days. Verge dev say they fixed issue,but it continues today as well,but nothing about today,just digging into that was 2 days back.
Problem still here and likely be for other days as well.

By then it was ~`20mil.coins stolen/produced illegaly,how much is for today? Another 20mil.? Soon will be reached XVG cap.

Are you making anything to fix this(to Verge dev)?

I agree with you here.  But professionally run outfits/coins/companies will notify their admins or senior members in order to mitigate the volume of new user requests and questions.

Verge didn't do this.  They did not update their admins and tried to keep this all as secret as possible.


Binance have also haulted deposits and withdrawals.


the XVG code is still vulnerable for the next  ~3 days  - and I'm pretty sure there will be another attack.

except we wont have heros like  OCminer to warn us.

Not taking any sides but trying to be just, being a moderator/admin at a forum/channel is about ensuring proper behavior of the members. Thinking similarly, an office administrator of a software company would not necessarily know about a security breach in one of the company's software products. Might as well not even have the knowledge to understand it

Lol mods in your telegram don't even know it's still going on. I showed one of them proof and he said and I quote "I'm just an admin, I don't know anything". Do you also keep your admins in the dark?

it's certainly not an "inside job" and there is no censoring of it, we just dont need 1000 duplicate posts about it.

it actually has nothing to do with libraries/dependencies verge uses. this issue was brought up in peercoin, but thought to not be a threat. many coins still have this issue in them.

The strange thing is that during this period, the rate of this coin is not much fluctuated and reached almost 1000 Satoshi,large volumes were trading so it interested me. But I never thought there was a hacker attack.

I wish there was a way BitcoinTalk could block or limit the posts of the new shitposters

It's shocking as it's very blaytent XVG has a payroll to fund shilling and trolling.

--
It's so easy


1 - Look at verge code on GitHub - look at their master branch
2 - Look at the fixes they've attempted and the fuckups of copying and pasting code they dont understand
3 - Mark  XVG as a shitcoin and move on


---
OCMiner has tried multiple times to point out where they need to make the changes and they still dont listen.


Everything I can see says the code is still exploitable, the attacker will just get less money in the long run.

--

What's worse there's been no apology from verge.  What they have done is tried as hard as possible to censor this attack in the hopes that no one will notice...


The longer this goes on the more it looks like an inside job....but this is wild speculation now.

I really don't hate XVG scam like bitconnect scam,XRP scam or other scamforks of bitcoin which claim themselves as real bitcoin. I wish many moons and lambo to XVG scam.

Bag holder spotted.

I'd prefer not to speculate in public about that rabbit hole.

Here comes OCMiner with a fake newbie id 

i am not your baby sitter, go eat your dump.
You are a shit who just use fool language when you dont have any right answer.

I've had to salvage projects that had clearly been cobbled together from various snippets of (untested) code, so trust me, I've experienced the nightmarish nature of these cut & paste projects. And yes, projects with large teams can still "run into exploits/bugs", that's the nature of software development. As I said:



Or to put it more generally: no software is bug-free. At least, this is the attitude that developers should have. Assuming you're not lazy or reckless, thinking this way makes you more proactive in your approach to weeding out the bugs, using various software testing methodologies (e.g. unit-, vulnerability- and generative testing).

The evidence of inexperience and/or incompetence in the Verge dev team in this situation — not to mention the downplaying of the significance of what's happening, and the lack of humility — has obliterated my enthusiasm for the Verge project. I believe in the right to privacy and anonymity, but there are other coins that can provide these things. From what I've seen, the Verge team isn't fit to deliver a secure and reliable solution, so I'm bailing out.

Any faithful Verge fam wanna buy my XVG?

Hello all,

For a moment please set aside the fact that my account is new. I registered here because I was inspired by the post of OCminer.
I would like to point out that he sets very good examples and we should support and promote such actions. Being a developer myself (professionally), I would like to give my point of view and also clear up some confusion that was introduced by some people, probably due to lack of experience or knowledge.


1. It was mentioned on this thread that OCminer shouldn't have posted about the issue here. This was based on some people knowledge/experience with software security.
    You can safely ignore those posts. Security through obscurity is a very well known anti-pattern to any professional security researcher. Quoting from wikipedia https://en.wikipedia.org/wiki/Security_through_obscurity In short, OCminer did the right thing.

2. Verge developer sunerok commits code that is copy pasted from other projects that he does not understand and sometimes includes bugs. This is true and anyone that can examine the source code that is available publicly on github can verify it. This is not the first time this happens, more like the Nth time. Examples of this are the feature of stealth addresses that was copy pasted from 3year old OpalCoin code that included the actual names of OpalCoin. Imagine using your Verge wallet and suddenly you get an error message saying your OpalCoin address is invalid.. https://github.com/vergecurrency/VERGE/commit/e3612923a51016fc78e470d9e15a744d6ad64cb5#diff-e75eff0ce0dde388eddbe3173db85bd4L1779
Other examples where someone gathered many references to copy pasted code: https://github.com/vergecurrency/VERGE/issues/304. Every single time the Verge developer and the fanatic community was either blocking/bashing on/banning the people that would report this. In Software Development and all professional circles and companies this is exactly what is called a Junior or inexperienced developer. Developers that do this usually are not allowed to commit to the mission critical products of a company, due to the damage they can cause. Instead they are assigned more senior developers as mentors and other devs review every single line they write to prevent "accidental issues"..

3. Verge marketing team are trying their best to market a faulty product, trusting their lead dev but they also are as inexperienced as him. More specifically I've shown above and it was already known to most of you that code from OpalCoin was included in Verge source code. The ignorants would say that this is how open-source works. Those people however are the ones that do not understand Licenses which every open source software is accompanied with, and not every open-source software comes with a "free to copy paste" license. In fact OpalCoin as shown here https://github.com/OpalCoin/OpalCoin/blob/master/LICENSE#L13 comes with a license that specifically says Of course you never saw any of this in the marketing material of Verge.

4. Mcaffee. I don't know why this guy is still called a security expert. It saddens me that people will follow anything they will hear from "accredited" persons without investigating the legitimacy of it. For a Proof of Concept I decided to follow one of Mcaffes's leads for an ICO, specifically Bezop tokens, to see what I can get out of it. When I opened an account during their ICO sale, I immediately noticed the security flaws of their platform. The flaws where so big, that you could access identity cards, passports, driving licenses and other PII, as well as being able to add tokens to your wallet. I immediately reported this to the company but did not receive any response. I tried to contact them in their LinkedIn accounts and again got no response. 2 days later someone writes a blog post on Medium about the same flaw however mentioning half of the vulnerabilities. When I found that post it was already editted, now containing only 2 lines saying that he got in touch with the company, the issues were fixed, and there is nothing to worry about. (note: Thanks to google cached content I was able to find the original post that included the vulnerabilities). I tested again my PoC and the vulnerabilities were still there, nothing was fixed at all. This is not an uncommon incident in software security. Sadly when the responsible people only care about money, we get to pay the price..

A few last words and I'm sorry for the long post:

Once a colleague of mine told me that if we were to build an in house solution for X feature instead of using an open source existing solution, this would have been way more secure. I replied to him "How many security experts does our team have..? Do you think those few minds are much greater and have more time than the huge community of hundreds of security experts & hackers?"
Open source world has helped a lot in making software more secure. People actively trying to find vulnerabilities and the community actively trying to patch those vulnerabilities is what creates more secure software. We learn from our mistakes so that we don't repeat them in the future. But we need to be aware of our mistakes; we cant fix something we don't know about. If we care about our users/customers we need to be open and transparent. And if we don't care we also need to be open and transparent, so that anyone that will use our product knows the risks of doing so, instead of being lured by false marketing claims of "privacy and security".
 
Btw does anyone have a link to the pen-test reports/security audits of Verge..? I remember some months ago there were talks about security audits being scheduled.. I haven't followed up on this, any news..?

Wow, could be a team member lol

This issue was found 4 years ago. Someone should be going thru the libs that XVG uses and helping to sort this out; unfortunately someone has been going thru and looking to exploit.