Slashdot Mirror


Hacker Uses Exploit To Generate Verge Cryptocurrency Out of Thin Air (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: An unknown attacker has exploited a bug in the Verge cryptocurrency network code to mine Verge coins at a very rapid pace and generate funds almost out of thin air. The Verge development team is preparing a hard-fork of the entire cryptocurrency code to fix the issue and revert the blockchain to a previous state before the attack to neutralize the hacker's gains. The attack took place yesterday, and initially users thought it was a "51% attack," an attack where a malicious actor takes control over more than half of the network nodes, giving himself the power to forge transactions. Nonetheless, users who later looked into the suspicious network activity eventually tracked down what happened, revealing that a mysterious attacker had mined Verge coins at a near impossible speed of 1,560 Verge coins (XVG) per second, the equivalent of $78/s. The malicious mining lasted only three hours, according to the Verge team. Users who tracked the illegally mined funds on the Verge blockchain said the hacker appears to have made around 15.6 million Verge coins, which is around $780,000.


  1. Oops by M0j0_j0j0 · · Score: 1

    Hard-fork to rollback? Of it goes the can never forget a transaction, apparently it looks like it useful to forget, can't see why they make it a feature.

  2. Generate Verge Cryptocurrency Out of Thin Air by tomxor · · Score: 5, Insightful

    ... That is the general idea.

    1. Re:Generate Verge Cryptocurrency Out of Thin Air by netcruiser · · Score: 1

      Which *currency* isn't generated out of "Thin Air"?

    2. Re:Generate Verge Cryptocurrency Out of Thin Air by thegarbz · · Score: 1

      Given the way my fans spin I would say Bitcoin is generated out of "Thick Air"

  3. How is this an attack? by Anonymous Coward · · Score: 2, Interesting

    How is this an attack? Sounds like somebody smart figured out how to mine very quickly.

    1. Re:How is this an attack? by o_ferguson · · Score: 1

      this

      --
      - In Soviet Korea, only old people loose all their bases to Natalie Portman's petrified hot grits overlords.
    2. Re:How is this an attack? by omnichad · · Score: 1

      And if the "mining" is just busywork, then it is inefficient and wasteful.

  4. Certainly not $780,000 by Anonymous Coward · · Score: 1

    If he tries to use the funds he will bring the value down to a fraction of that. It is sad that other people will suffer as well.

    1. Re:Certainly not $780,000 by magarity · · Score: 1

      If he tries to use the funds he will bring the value down to a fraction of that. It is sad that other people will suffer as well.

      It looks like the value is pretty darn low in the first place. They won't lose much.

  5. Re:Generate Cryptocurrency out of thin air? by Kaenneth · · Score: 3, Insightful

    air thick with pollution from wasted energy.

  6. Re:Generate Cryptocurrency out of thin air? by alvinrod · · Score: 1

    Well the really old currencies typically had to be mined out of thick hard rock.

    Thin air seems rather convenient by comparison. Perhaps too convenient.

  7. Greed fail by Anonymous Coward · · Score: 3, Insightful

    If the attacker would have created coins at a reasonable rate the attack may have never been detected.

    1. Re:Greed fail by bobbied · · Score: 3

      Yea, crooks are usually more greedy than they are smart. Bright enough to figure out how to do this, not smart enough to make it pay very long. Actually, if you think about it, the inability to delay gratification is likely one of the key traits that makes one inclined to cheat so that makes sense.

      Despite what you see on the Crime shows on TV, most petty criminals get caught because they are stupid, at least according to my brother in law who's been a cop for 25 years. He says that detectives really just follow the obvious trail of stupid stuff to the usual suspects, who then confess to the crime before they can get the handcuffs on.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:Greed fail by phantomfive · · Score: 1

      How long do you think this will last? Have you heard of Verge cryptocurrency before this? Don't you think it will be completely gone before the end of the year?

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Greed fail by Bing+Tsher+E · · Score: 1

      So long as it's around long enough for the Student Loan Checks to be disbursed, it will serve its purpose.

    4. Re:Greed fail by bobbied · · Score: 1

      most petty criminals get caught because they are stupid, at least according to my brother in law who's been a cop for 25 years.

      In other words, cops are only smart enough to catch really dumb criminals who make obvious stupid mistakes.

      Well, mostly that's true. But we don't pay cops all that much so what do you expect? There are a few (like my brother in law) who actually like the job regardless of what it pays, but in most places they have been continually lowering their recruiting standards trying to hire enough people.

      And, if they don't have to work all that hard to solve 99% of the crimes in that small town... Why not harvest the low hanging fruit? that actually sounds smart to me.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    5. Re:Greed fail by david_thornley · · Score: 1

      It seems to work well enough.

      However, even a smart criminal is likely to screw up at least once, as opposed to making money in legit or financial-institution means, so prison is more of a deterrence to them.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  8. He should've been less greedy by davidwr · · Score: 5, Insightful

    If he'd kept the mining down to a high-but-not-suspicious level he could've mined for weeks and sold his Verge for USD and walked away with tens or hundreds of thousands of dollars by summer and maybe millions by Christmas.

    Hmm, maybe he or one of his buddies did and this is his way of "shutting the whole exploit down."

    We will probably never know.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:He should've been less greedy by Anonymous Coward · · Score: 1

      You're kidding right? You really don't understand how realistic the previous post is? Sure they wouldn't have made "millions" with a crappy crypto but that's exactly what people said about bitcoin years ago. There's every chance that it would NOT have been fixed as well. Who is to say they couldn't have started mining in the same manner from more than one direction?

    2. Re:He should've been less greedy by nitehawk214 · · Score: 1

      Michael Bolton: I always miss some mundane detail.
      Peter Gibbons: This is not a mundane detail, Michael!

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
  9. Blockchain Security by Anonymous Coward · · Score: 2, Interesting

    So transactions in a blockchain are NOT secure and are NOT permanent. If a blockchain can be AND IS forked from a previous point in time, then doesn't that defeat all security and reliability in the blockchain currency?

    1. Re: Blockchain Security by reanjr · · Score: 2

      Your statement is probably accurate for pretty much all alt coins. But not BTC. The BTC network's entire value prop is an immutable ledger. They don't need to pander to people who lose money like all the altcoins do.

    2. Re: Blockchain Security by Bing+Tsher+E · · Score: 1

      It's the One True Cryptocurrency.

      For now. Anyway.

  10. Legit transactions by enriquevagu · · Score: 5, Insightful

    The Verge development team is preparing a hard-fork of the entire cryptocurrency code to fix the issue and revert the blockchain to a previous state before the attack to neutralize the hacker's gains.

    And to neutralize all the legit (if any) transactions, by the way, creating money out of thin air for those that spent it, and destroying it for those that received it.

    Remember this if you are investing real money in Bitcoin, or any other well-known cryptocurrency: Some few people have the power to revert all operations back and make your money vanish, as proven here.

    1. Re:Legit transactions by thegarbz · · Score: 1

      Remember this if you are investing real money in Bitcoin

      Actually this is something far harder to do with Bitcoin than some tiny no-name currency no one has ever heard of. Hell Bitcoin couldn't even agree on a fork for technical reasons designed to save the currency, do you think such an agreement needed is a possibility because someone gets hacked and wants to roll back the blockchain?

      I'll happily bet a BTC that it will never happen, and we've seen some bitcoin heists that make this look like petty theft which hasn't caused such a response.

    2. Re:Legit transactions by tlhIngan · · Score: 1

      Actually this is something far harder to do with Bitcoin than some tiny no-name currency no one has ever heard of. Hell Bitcoin couldn't even agree on a fork for technical reasons designed to save the currency, do you think such an agreement needed is a possibility because someone gets hacked and wants to roll back the blockchain?

      And yet, Bitcoin forked. It's why we have Bitcoin (BTC) and Bitcoin Cash (BCH). And everyone was basically saying to move your money out of CoinBase (which will not handle the fork and stick with BTC) so your wallets will "double" and you will get 1 BCH for every BTC because the blockchain will officially fork.

      And this was because no one could agree on larger blocks or segregated witnesses (segwit).

      Granted, BCH isn't worth as much, but free money is still free money.

    3. Re:Legit transactions by thegarbz · · Score: 1

      And yet, Bitcoin forked.

      Yes but what happened. There's a reason the situation ended like you said it did. The fork happened and no one gave a shit. Free money turned out to not exist. Bitcoin cash has 5% of the trading volume of bitcoin which caused its price to plummet. Not only that, the trading volume is so incredibly small that attempts to cash out would affect the price even further.

      It is a prime example of how on a major currency like bitcoin, forking does nothing as it becomes too difficult to get people to use the fork. They literally advertised it as free money and people still start trading with it.

      Like I said, you can't fork something like bitcoin to undo a mistake, it's too entrenched.

  11. Out of thin air? Sounds entirely normal... by gweihir · · Score: 1

    That basically is the way these things are generated. Sure, usually it takes more time, but that is the only thing that went wrong here. Also describes well what these "coins" are worth: Absolutely nothing. That is, unless you find a sucker that is willing to pay for them.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. Illegal or just following the protocol? by Nkwe · · Score: 4, Insightful

    According to users who tracked the illegally mined funds on the Verge blockchain...

    Is not what is "legal" for a blockchain what the majority of nodes maintaining the chain say is legal? If someone broadcast a "weird" transaction on the network but all of the other nodes accepted it and agreed to include it in the blockchain, isn't by definition the transaction done and considered "legal" by the network? After all the rules of the network are what the network says they are; without this concept it wouldn't really be a non centralized, distributed system.

    1. Re:Illegal or just following the protocol? by phantomfive · · Score: 1

      It could be covered under standard fraud laws, depending on the exact wording of those laws (and how a judge can be convinced to interpret them).

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Illegal or just following the protocol? by Bing+Tsher+E · · Score: 1

      If someone broadcast a "weird" transaction

      "...using this one weird old trick."

    3. Re:Illegal or just following the protocol? by Jeremi · · Score: 1

      Is not what is "legal" for a blockchain what the majority of nodes maintaining the chain say is legal?

      Makes perfect sense to me, in a laissez-faire kind of way.

      Of course, by that same token, if the majority of the nodes cry foul the next day and accept/demand a "do over" in the form of a hard-fork, then that too is "legal" as far as the system is concerned.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    4. Re:Illegal or just following the protocol? by thegarbz · · Score: 1

      without this concept it wouldn't really be a non centralized

      They are rolling back the block chain to fix it. Does it sound like Verge is "non-centralised" ?

    5. Re:Illegal or just following the protocol? by Nkwe · · Score: 1

      without this concept it wouldn't really be a non centralized

      They are rolling back the block chain to fix it. Does it sound like Verge is "non-centralised" ?

      It does not, and that is part of my point. One of the primary reasons you would use a blockchain with distributed transaction verifiers (miners) is so that you are NOT centralized. If you are going to have centralized control there are much better ways to store transactional data. If you are storing value (money) in a blockchain because you "don't trust the man" but that blockchain is centralized, then you are "trusting the man". If the blockchain you are using is non-centralized, you are "trusting the people" and when you do this "the people" (mining nodes) set the rules (for better or worse).

  13. Are the coins valid? by rsilvergun · · Score: 2

    because if so, what difference does it make how they're mined? And if not, shouldn't you be able to stop the invalid coins?

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  14. Mighta just been a hacker by rsilvergun · · Score: 1

    screwing with it for its own sake. Hell, he might have already made all his money, decided anything more would be pointless, and did this again, for the hell of it.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  15. Generate Verge Cryptocurrency Out of Thin Air by kenh · · Score: 3, Insightful

    Which cryptocurrency isn't generated out of "Thin Air"?

    --
    Ken
  16. So what's the actual attack? by Wrath0fb0b · · Score: 1

    I read through TFA and the submitted patch, but it's not actually clear what the flaw was. I figured /. would like to some full description rather than vague handwaving.

  17. Re:Generate Cryptocurrency out of thin air? by Bing+Tsher+E · · Score: 1

    Not at all. One old currency was cowry shells.

    Anything works as a currency so long as it's not widely available for nothing in the culture it is used within.

  18. Just like all crypto-currency by Required+Snark · · Score: 2

    It all comes out of thin air.

    The nominal value of crypto-currency is a consensual agreement among its users. The technology is the hand waving part that gives a pseudo-rationality to the shared delusion. At the point that enough people doubt the value it ceases to exist.

    Nations that maintain currencies have resources to manage currency: courts, law enforcement, armies, laws, taxes, international agreements, the world wide banking system. And even with all that it's not always possible to keep things from going haywire.

    Crypto-currency is dependent on a rule of law maintained by the same entities that are responsible for regular currency. It is intrinsically less secure than regular traditional money.

    And you can take that to the bank.

    --
    Why is Snark Required?
  19. Original "Fix" by Anonymous Coward · · Score: 2, Interesting

    More amusingly, this was the original attempt to fix it before deciding to fork

    -static const int64 nMaxClockDrift = 2 * 60 * 60; // two hours
    +static const int64 nMaxClockDrift = 2 * 15; // fifteen minutes
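
    Review bot: the comment on the added line says "fifteen minutes", but the removed line shows the constant is expressed in seconds (2 * 60 * 60 is annotated "two hours"), so 2 * 15 evaluates to 30 seconds. If fifteen minutes is the intended window, write 15 * 60 and keep the comment in step with the expression.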

    Because, yeah, 2 * 15 seconds is fifteen minutes.

    They then had another go and just added "* 15" to increase the value, creating a weirdly obscure way to specify 7.5 minutes

    +static const int64 nMaxClockDrift = 2 * 15 * 15;
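
    Review bot: 2 * 15 * 15 evaluates to 450, which in the seconds unit of the original line is 7.5 minutes, and the added line carries no comment stating the intended window. Write the value as a number of minutes times 60 with a comment naming the unit, so the expression and the intent can be checked against each other.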

  20. Re:Cryptocurrencies are hot air by CSMoran · · Score: 1

    The mere fact that a hack could "create" cryptocurrency out of thin air is proof enough that all cryptocurrencies are thin air,

    You might want to reread the chapter on inference in the presence of quantifiers.

    --
    Every end has half a stick.
  21. white hat, grey hat, black hat, joker hat by davidwr · · Score: 1

    That guy must've been wearing a "joker hat" - he wound up with nothing except the "joy" of seeing a bunch of people having to deal with cleaning up his mess, just like Gotham City's Joker.

    A white hat would've reported the bug quietly. A black hat would've capitalized on it with a lot more "smarts" so he wouldn't walk away with nothing.

    A grey hat would've done something in between, but he wouldn't have done it just for the lulz.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.