$0 USD

DECEMBER 2019

GLOBAL

VERTCOIN

DESCRIPTION OF EVENTS

"Vertcoin (VTC) is an open-source cryptocurrency created in early 2014 that focuses on decentralization." "Vertcoin is a Bitcoin clone that claims to be ASIC-resistant through regular mining algorithm changes introduced via hardfork." "Vertcoin uses an ASIC resistant proof-of-work mechanism to issue new coins and incentivize miners to secure the network and validate transactions. Vertcoin's blockchain is maintained by a decentralized coalition of individuals collectively mining using modern graphics cards." In December 2019, "Vertcoin [ranked] 194th by market capitalization and boast[ed] a market cap of $12.5 million."

 

"Vertcoin was previously 51% attacked in December of 2018." "The attack on Vertcoin in 2018 led the company to change its system algorithm to one called Lyra2REv3 since they prefer affordable mining that allows for the involvement of the community."

 

"On Nov 30th 2019, a Vertcoin miner noticed a large upswing in hashrate rental prices for Lyra2REv3 on Nicehash. This was combined with workers connected to Nicehash's stratum server being sent work for unknown (non-public) Vertcoin blocks. I contacted Bittrex, Vertcoin's most prominent exchange, to recommend they disable the Vertcoin wallet on their platform once it became clear an attack was in progress, which they subsequently did."

 

"On Dec. 1 at 15:19 UTC, 603 blocks were removed from VTC’s main blockchain and replaced by 553 attacker blocks. There were 5 recorded double-spent transactions. A total of 125 VTC ($29) was redirected to the hacker’s wallet address."

 

"[T]he captured hashrate was blamed on Nicehash. The company sells hashpower to individuals and acts as a hashpower broker marketplace that connects sellers and miners." "Post-attack analysis of the Nicehash orderbook during the attack's preparation shows a large upswing in hashrate rental price from the market equilibrium on both their EU and USA markets. Now that the attack is over, the rental price has returned to the baseline market equilibrium." "Based on the market prices during the attack's preparation and the difficulty of the blocks the attacker produced, we estimate the attacker spent between 0.5-1 BTC to perform the attack. The total value of the block rewards the attack received is 13825 VTC (~0.44 BTC). Given the attack was likely not profitable to perform based solely on block rewards, the motivation for the attack is not certain."

 

"Each of the double-spent outputs are coinbase outputs owned by the attacker and it is unknown to whom the coins were originally sent before being swept to an attacker address after the reorg," Lovejoy said.

 

"Given the reorg was just deeper than 600 blocks (Bittrex's confirmation requirement for VTC), it is possible that Bittrex was the original target." "Bittrex, Vertcoin’s most trafficked exchange by real volume, disabled withdrawals on the platform once it became clear the attack was in progress." "Lovejoy said it would not have been profitable based on miners' block rewards alone. He suggested Bittrex may have been the target, but the exchange disabling its Vertcoin wallet may have prevented more double spends."

Despite upgrading to a new algorithm after its first attack, the Vertcoin blockchain suffered another 51% attack. The attack appears to have been intended to double-spend against the Bittrex exchange. Since Bittrex closed its wallets prior to the attack, it avoided any loss.

HOW COULD THIS HAVE BEEN PREVENTED?

51% attacks can be prevented through a mix of longer block confirmation requirements and checkpoints that prevent large-scale reorganizations. With both in place, the exchange will not allow withdrawals based on newly deposited funds (which could still be taken back through a 51% attack), and nodes will be prevented from accepting longer attacking chains.
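The two controls described above, sketched as an added example (not code from Vertcoin, Bittrex or the original page). The figures 603, 553 and 600 come from the incident description; the fork height, the work units, the guard thresholds and all function names are constructed, and fork choice by cumulative work is assumed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Reorg:
    fork_height: int   # last block shared by both branches
    tip_height: int    # height of the tip the node currently follows
    our_work: int      # cumulative work on our branch above the fork
    their_work: int    # cumulative work on the competing branch above the fork

    @property
    def depth(self) -> int:
        # Number of our blocks that would be disconnected.
        return self.tip_height - self.fork_height

def accept_reorg(r: Reorg, checkpoint_height: int, max_depth: int) -> tuple:
    """Most-work fork choice plus two guards against deep reorganizations."""
    if r.their_work <= r.our_work:
        return False, "competing branch has no more work"
    if r.fork_height < checkpoint_height:
        return False, "would disconnect a checkpointed block"
    if r.depth > max_depth:
        return False, "deeper than the reorg limit"
    return True, "accepted"

def confirmations(deposit_height: int, tip_height: int) -> int:
    return tip_height - deposit_height + 1

def may_withdraw(deposit_height: int, tip_height: int, required: int) -> bool:
    """Exchange side: funds stay locked until the deposit is buried deep enough."""
    return confirmations(deposit_height, tip_height) >= required

# Constructed scenario shaped like the incident: 603 blocks replaced by 553.
FORK = 1_000_000  # constructed height
INCIDENT = Reorg(fork_height=FORK, tip_height=FORK + 603,
                 our_work=603 * 100, their_work=553 * 110)  # constructed work units

if __name__ == "__main__":
    # No guards: the shorter but heavier branch wins.
    print(accept_reorg(INCIDENT, checkpoint_height=0, max_depth=10**9))
    # A checkpoint inside the replaced range blocks the rewrite.
    print(accept_reorg(INCIDENT, checkpoint_height=FORK + 300, max_depth=10**9))
    # So does a depth limit (100 is a constructed threshold).
    print(accept_reorg(INCIDENT, checkpoint_height=0, max_depth=100))
    # A 600-confirmation policy is already satisfied by a 603-block-old deposit.
    print(may_withdraw(FORK + 1, FORK + 603, required=600))
    print(may_withdraw(FORK + 1, FORK + 603, required=1000))
```

A checkpoint or depth limit also carries a cost: a node that was offline or partitioned during a legitimate deep reorganization can remain stuck on a minority branch, so the threshold has to be chosen with that in mind.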

 

© 2021 Quadriga Initiative.