The Verge Hack, Explained
Cryptocurrency enthusiasts are keen on telling ordinary civilians how safe and secure the blockchain protocols powering their favorite coins are. Indeed, major cryptocurrencies like Bitcoin and Ethereum have maintained their security quite well—better, arguably, than any other digital asset/payment system in history—which is pretty remarkable, considering that they are unbacked digital money free from any single party’s control with an effective multi-billion dollar bounty on their proverbial heads. Last month, an as-of-yet unidentified attacker was able to severely compromise Verge, a relatively small, privacy-focused cryptocurrency.
The mystery hacker managed to dominate the network on three occasions for intervals of several hours at a time over the course of April 4th-6th, preventing any other user from making any payments. Worse, in that interval, they were able to generate what is effectively counterfeit Verge at a rate of 1,560 Verge coins (roughly $80) per second, minting what amounted to over a million dollars' worth of the currency.
So, in sum: timestamp spoofing made it possible to drastically lower mining difficulty; Verge’s use of five algorithms meant that one could lower the difficulty of just one of them, thus making it far easier to override the whole network; the economic/industrial status of this one particular mining algorithm made that algorithm still easier to dominate; and finally, the drastically decreased block times ensuing from the low difficulty made the attack roughly 30 times more profitable than it would otherwise be.
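
To make the first point of the summary concrete, here is an added example (not code from the article or from Verge) that replays a constructed block stream through a simplified epoch-style retarget under a loose and a tight timestamp rule. The constants, the retarget formula and the drift limits are all assumptions chosen for illustration.

```python
from statistics import median

# Toy model with assumed constants; this is not Verge's retargeting code.
TARGET_SPACING = 30   # assumed target seconds between blocks
WINDOW = 10           # assumed blocks per retarget epoch
MTP_SPAN = 5          # assumed span for the median-time-past check
CLAMP = 4.0           # assumed maximum change factor per retarget

def retarget(difficulty, stamps):
    """Scale difficulty by expected / claimed time span of one epoch."""
    expected = TARGET_SPACING * (len(stamps) - 1)
    claimed = max(stamps[-1] - stamps[0], 1)
    ratio = min(max(expected / claimed, 1 / CLAMP), CLAMP)
    return difficulty * ratio

def acceptable(claimed, arrival, history, max_drift):
    """Timestamp must be near the node's arrival time and after median-time-past."""
    mtp = median(history[-MTP_SPAN:]) if history else float("-inf")
    return abs(claimed - arrival) <= max_drift and claimed > mtp

def replay(blocks, max_drift, difficulty=1000.0):
    """Replay (arrival, claimed) pairs; return (final difficulty, rejected arrivals)."""
    accepted, rejected = [], []
    for arrival, claimed in blocks:
        if not acceptable(claimed, arrival, accepted, max_drift):
            rejected.append(arrival)
            continue
        accepted.append(claimed)
        if len(accepted) % WINDOW == 0:
            difficulty = retarget(difficulty, accepted[-WINDOW:])
    return difficulty, rejected

# Constructed sample: honest blocks every 30 s, plus one block arriving at
# t=555 that claims a timestamp 7000 s ahead, landing on an epoch boundary.
SAMPLE = sorted([(t, t) for t in range(0, 900, 30)] + [(555, 555 + 7000)])

if __name__ == "__main__":
    for drift in (7200, 60):  # assumed loose and tight drift limits, in seconds
        final, rejected = replay(SAMPLE, drift)
        print(f"max_drift={drift}s final_difficulty={final} rejected={rejected}")
```

In this model a single accepted out-of-range timestamp costs the full clamp factor, and honest blocks afterwards do not restore the difficulty on their own; the tight rule rejects the block before the retarget ever sees it.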