MintPal Vericoin Hack/Rollback
MintPal was a leading UK-based exchange in 2014. In addition to large currencies such as bitcoin and litecoin, it listed an extensive selection of altcoins, including vericoin. However, its vericoin was not held in cold storage, and none of its coins were protected by multi-signature wallets.
SQL injection is an attack in which attacker-supplied input is concatenated into a database query so that it changes the structure of the query, making the database run statements the application never intended. Despite expressly advertising protection against SQL injection on its site, the service fell victim to such an attack, which let the attacker inject a large vericoin withdrawal request into the database and bypass the risk controls in the withdrawal path. The automated withdrawal system processed the request without scrutiny, paying out the entire balance of the vericoin hot wallet.
Customer funds were recovered in the end by rolling back the vericoin blockchain through a hard fork.
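The withdrawal-path injection described above, as an added example that is not MintPal's code and does not come from any source cited on this page. It assumes a hypothetical schema (an accounts table and a withdrawals queue), a hypothetical auto-approval threshold HOT_WALLET_LIMIT, and a payload that reaches the amount field of an INSERT built by string formatting; none of these details are documented for the real incident. The vulnerable request handler is shown beside a hardened one, and the payout job is shown both trusting the stored approval flag and re-checking limits and balances at payout time.

```python
import sqlite3

# Assumed policy for this example: withdrawals at or below this amount are paid
# automatically from the hot wallet; larger ones wait for manual review.
HOT_WALLET_LIMIT = 1000.0


def setup():
    """Constructed in-memory schema: one customer, one hot wallet, a withdrawal queue."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts(user TEXT PRIMARY KEY, vrc REAL NOT NULL);
        CREATE TABLE withdrawals(
            id INTEGER PRIMARY KEY, user TEXT NOT NULL, amount REAL NOT NULL,
            approved INTEGER NOT NULL, paid INTEGER NOT NULL DEFAULT 0);
        INSERT INTO accounts VALUES ('alice', 50.0), ('hot_wallet', 8000000.0);
    """)
    return conn


def request_withdrawal_vulnerable(conn, user, amount):
    """Builds the INSERT by string formatting. `amount` comes straight from the
    request, so a payload can close the VALUES list early, set approved=1 and
    comment out the server's trailing ', 0)'."""
    sql = ("INSERT INTO withdrawals(user, amount, approved) "
           "VALUES ('%s', %s, 0)" % (user, amount))
    conn.execute(sql)
    conn.commit()


def request_withdrawal_safe(conn, user, amount):
    """Parameterized INSERT plus server-side checks: numeric amount, sufficient
    balance, and an approval decision made by the server, never by the client.
    Returns the approval flag that was stored (1 = auto, 0 = manual review)."""
    try:
        amount = float(amount)
    except (TypeError, ValueError):
        raise ValueError("amount must be numeric")
    if amount <= 0:
        raise ValueError("amount must be positive")
    row = conn.execute("SELECT vrc FROM accounts WHERE user = ?", (user,)).fetchone()
    if row is None or row[0] < amount:
        raise ValueError("insufficient balance")
    approved = 1 if amount <= HOT_WALLET_LIMIT else 0
    conn.execute("INSERT INTO withdrawals(user, amount, approved) VALUES (?, ?, ?)",
                 (user, amount, approved))
    conn.commit()
    return approved


def pay_approved(conn):
    """Automated payout job that trusts the approved flag stored in the database.
    Returns the total paid out of the hot wallet."""
    total = 0.0
    rows = conn.execute(
        "SELECT id, amount FROM withdrawals WHERE approved = 1 AND paid = 0").fetchall()
    for wid, amount in rows:
        conn.execute("UPDATE accounts SET vrc = vrc - ? WHERE user = 'hot_wallet'", (amount,))
        conn.execute("UPDATE withdrawals SET paid = 1 WHERE id = ?", (wid,))
        total += amount
    conn.commit()
    return total


def pay_approved_hardened(conn):
    """Same job, but re-checks the hot wallet limit and the customer's balance at
    payout time, so a row that reached the table with a forged approved flag is
    sent back to manual review instead of draining the hot wallet."""
    total = 0.0
    rows = conn.execute(
        "SELECT id, user, amount FROM withdrawals WHERE approved = 1 AND paid = 0").fetchall()
    for wid, user, amount in rows:
        bal = conn.execute("SELECT vrc FROM accounts WHERE user = ?", (user,)).fetchone()
        if amount > HOT_WALLET_LIMIT or bal is None or bal[0] < amount:
            conn.execute("UPDATE withdrawals SET approved = 0 WHERE id = ?", (wid,))
            continue
        conn.execute("UPDATE accounts SET vrc = vrc - ? WHERE user = ?", (amount, user))
        conn.execute("UPDATE accounts SET vrc = vrc - ? WHERE user = 'hot_wallet'", (amount,))
        conn.execute("UPDATE withdrawals SET paid = 1 WHERE id = ?", (wid,))
        total += amount
    conn.commit()
    return total


def hot_wallet_balance(conn):
    return conn.execute("SELECT vrc FROM accounts WHERE user = 'hot_wallet'").fetchone()[0]


if __name__ == "__main__":
    # Constructed payload: closes VALUES with approved=1, comments out the rest.
    payload = "8000000, 1) --"
    c = setup()
    request_withdrawal_vulnerable(c, "alice", payload)
    print("vulnerable: paid", pay_approved(c), "hot wallet left", hot_wallet_balance(c))
    c = setup()
    try:
        request_withdrawal_safe(c, "alice", payload)
    except ValueError as e:
        print("safe: rejected payload:", e)
```

With the vulnerable handler, the customer "alice" holding 50 VRC gets an approved 8,000,000 VRC withdrawal queued and the trusting payout job empties the hot wallet. The parameterized handler rejects the payload because it is not a number, and even if a forged row somehow reached the table, the hardened payout job refuses anything above the limit or beyond the customer's balance. Both controls are needed: the query fix closes the injection, and the payout-time check is what stops one application bug from becoming a total loss of the hot wallet.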
This exchange or platform is based in United Kingdom, or the incident targeted people primarily in United Kingdom.
About MintPal
"The fast, efficient and secure cryptocurrency exchange." "MintPal Limited is a UK based private company (registered UK company #09009856) that focuses on the exchanging of cryptocurrencies. Launched in early 2014, we aim to provide the best user experience matched with quick support times." "Our team is made up of talented developers and network engineers who know how to build a fast, efficient and secure system that takes advantage of the latest web technologies. Check out our security page to find out more about the security precautions we have in place."
"Our beautiful interface allows you to trade in real-time with live updating prices so you never miss the action. At just 0.15% per trade for both BUY and SELL orders, we have some of the lowest trading fees in the industry. MintPal has been built with strong security principles in mind. We utilise COLD storage and strict firewalls. Our support team handle customer queries throughout the day, never will you experience a long wait for a reply."
"A secure and reliable trading environment. A fast matching engine that executes trades within milliseconds. The latest market data available to all users as fast as possible. A highly scalable architecture that can handle spikes of activity. An appealing and responsive user interface that is easy to use. Fast support responses, typically within 24 hours. Full DDoS protection with a leading provider. CDN Caching for all static content. Distributed wallets and Hot/Cold wallets. Tiered design from day 1 to improve scalability. Push instead of pull to deliver all market updates as fast as possible. 2 Factor Authentication as standard for all staff."
"We store the majority of our customer's funds in a secure offline wallet, with only a portion available in a 'hot' wallet for instant withdrawals. This method vastly improves security at a minor expense of large withdrawals requiring manual processing. We utilize a leading DDoS provider for all public facing content and cache all static content on a CDN to provide the fastest possible load times. All website components are logically separated and protected by physical firewalls for increased security. All employees are required to connect to a secure VPN before gaining access to any systems. All interaction with the website is required over HTTPS so all communication is encrypted via SSL. Customers can set up two-factor authentication for accounts with Google Authenticator to provide an extra layer of security. We use an industry recognised PCI (credit card provisioning compliance) scanning service to routinely scan the website to aid in locating any potential security issues. We use industry standard methods for preventing SQL Injection & XSS attacks on our website. In addition, all passwords & sensitive data are encrypted along with a static & random salt."
"MintPal was the primary exchange for altcoin Vericoin. Vericoin uses what is called Proof of Stake (PoS) instead of Proof of Work (PoW), used by Bitcoin, Litecoin and Dogecoin. In traditional PoW mining miners compete to be the first to validate a block. The first to do so receives a fixed reward according to the “winner-take-all” principle. Effectively, it can be compared to a lottery that pays out once per block once it receives a winning ticket."
"In PoS, blocks are minted instead of mined, and rewards are limited due to the concept of coin age. Coin age can be seen as a measure of accrued interest. The interest still gets paid out to only the first stakeholder to validate a block, but coin age is reset when this happens. To allow all miners to receive their interest, there is a minimum coin age to be accumulated before interest is paid. If the interest rate is 5 percent per year, then a stakeholder with 1,000,000 coins would be entitled to receive 2.28 coins every 8 hours (the minimum coin age for Vericoin). As long as there is no eligible coin age, users do not participate in the lottery. Also, higher coin age typically gets an additional weight in the process, making it more likely to be paid out."
"MintPal accepts no liability for any loss however so arising suffered as a result of any failure or fault in the service provided by MintPal. Any compensation shall be at the discretion of MintPal."
"MintPal will not be responsible for any damages that you may suffer. MintPal makes no warranties of any kind, expressed or implied for services we provide. MintPal disclaims any warranty or merchantability or fitness for a particular purpose. This includes loss of data resulting from delays, non-deliveries, wrong delivery, and any and all service interruptions caused by MintPal and its employees."
"Cryptocurrency exchange platform MintPal has suffered a successful hack attack that stole 30% of all vericoins." "The 13th July attack targeted a vulnerability in the site’s withdrawal system." "Mintpal faced a major hack on the 13th of July, causing 8,000,000 Vericoin to be stolen (value $2,000,000), which was about 30% of the circulating supply at the time. The exchange had kept their Vericoin on a “hot” wallet (an online, internet-connected wallet), which is much more vulnerable."
"[T]he site’s bitcoin and litecoin wallets were also targeted by those behind the attack. However, owing to MintPal’s existing cold storage procedures for those wallets, user balances were not affected during the incident." "According to MintPal, only the vericoin wallet was affected during the attack. This includes the database containing sensitive customer information and passwords." "MintPal is confident that its server infrastructure was not directly accessed in the attack."
"According to MintPal, the hackers injected a withdrawal request into its database which allowed it to bypass risk control measures." "The hacker, according to an official statement from MintPal, was able to circumvent internal controls and authorize a withdrawal request for the contents of the vericoin wallet." "The attack took place at roughly 7 am BST, and utilized a SQL injection to initialize the wallet withdrawal. Six hours later, the MintPal development team made contact with the vericoin team, after which time a solution - ultimately a hard fork - was sought and reached."
"The breach resulted in the loss of roughly 8 million vericoins (VRC), or about 30% of the total coins in existence, a member of the vericoin development team told CoinDesk."
"Since the attack, MintPal has been plagued with inquiries from users asking questions why only VeriCoins were targeted, if any of their personal information was acquired by the attackers, if cold storage was used for VeriCoin, and whether or not they’ll recover their VRCs."
"In a statement, the MintPal team pledged to recoup all losses from the attack, including those from other exchanges who were impacted by the event."
“Please read the entirety of this post.
A few hours ago we were unfortunately the subject of a successful attack against the exchange. Our investigations have shown that whilst our security was breached, VeriCoin was the target. We would like to stress that VeriCoin and the VeriCoin network has not been in any way compromised. We have worked to secure the exchange and the withdrawal process from any further attack.
As it stands at the moment the following applies:
1) We lost a considerable amount of VeriCoin in the attack, however we have been working with the VRC developers and all major exchanges to hard fork the coin at a position before the attack. This will allow us to retrieve the stolen coins and facilitate all withdrawals. We are also working with various exchanges to accommodate any losses they may encounter as a result of the required fork.
2) We are currently processing withdrawals for all other coins.
As I'm sure you will appreciate, our support channels will most likely be very busy over the coming hours/days so please bear with us.
We would like to personally extend our thanks to the VeriCoin developers and the other exchanges who have pulled out all of the stops to ensure that your VRC funds are safe.”
"The biggest implication of the rollback is to the various exchanges who have accepted customer deposits and then had trades executed on those deposits. We have committed to our customers and to all exchanges that we will cover any losses faced as a result of the rollback."
"Given the extent of the damage, the vericoin development team opted to hard fork the coin’s block chain in order to reverse the theft transaction." "For the first hack that Mintpal faced, the cryptocurrency exchange was saved by the Vericoin community who decided to fork the coin starting the block before the hack took place." "This was performed, they said, in order to both prevent the loss of roughly $2m in investor funds and stop a fraudulent actor from holding 30% of the coin’s proof-of-stake network capacity."
As for the VeriCoins taken by the attacker, MintPal explained that “VRC developers have worked tirelessly to perform something never before done by a cryptocurrency, and rollback the blockchain in order to reverse the two malicious transactions. This was not done out of a desire to save MintPal, but rather a desire to save your coins. Once the updated wallet has been distributed and the new fork is active we will re-open our VRC wallet to facilitate withdrawals.”
“The community is clearly divided. Some think we are good guys for helping users keep their stolen coin. Others think we are bad for ‘abusing’ our dev rights to change the blockchain. We believe we are in the right as less than $4,000 worth of VRC were sent between the theft time and hard fork, while over $2m of VRC would have been sent otherwise,” Patrick Nosker, Vericoin developer, said in an interview with CoinDesk.
"In the best interest of VeriCoin, we have decided to revert the blockchain to a state immediately before the attack. This is not to protect MintPal from losses but rather to prevent a single entity from controlling 30% of the total supply, and to protect the VeriCoin users. Due to the way Proof of Stake operates, this quantity of coin could potentially attack the blockchain. To be clear, the coins that are on the Mintpal exchange are not owned by Mintpal but rather VeriCoins owned by users."
"However, according to vericoin developer Patrick Nosker, older clients that were broadcasting the transaction resulted in the network mistakenly approving it, allowing the hacker to receive the 8m VRC."
"A second hard fork was conducted on 14th July, an operation that also involved creating a transaction that moved the 8m VRC to a new wallet location. As a result, blocks containing the theft transactions were orphaned and remained unaccepted by the network."
"By forking, VeriCoin can, in effect, reset their blockchain to just before the security breach at Mintpal. In this way, all the VeriCoin that was stolen is put back in control of Mintpal, who will then reimburse their own VeriCoin holders and traders manually. Outside of exchanges, all VeriCoin transactions that occurred after 2 AM EST 7/13/14 will be erased in this “theft reversal process.”" "This returned the Vericoins to their rightful owners and rendered the stolen ones unusable."
"From the perspective of VeriCoin investors, a fork is indeed preferable to an unknown and presumably malicious entity being in control of 30% of a Proof of Stake (PoS) altcoin. In contrast to Proof of Work (PoW) altcoins, PoS altcoins such as VeriCoin generate new coins by “staking” existing coins. The “staking” process replaces the mining process as the consensus mechanism; however, all of the existing pressures in the Bitcoin mining world translate to PoS in some way, shape, or form. As such, a single entity controlling 30% of the total supply of VeriCoin is equivalent to a single entity controlling 30% of the Bitcoin mining network and is more centralization than most digital currency enthusiasts are able to stomach. Mintpal’s breach reveals that 30% of the total supply of VeriCoin was being held on MintPal, and not being staked and used for anything besides trading. Instead of holding VeriCoin on a centralized, and thus vulnerable, exchange, VeriCoin developers reminded VeriCoin investors in their statement that “staking your VeriCoin in the wallet is the best-decentralized solution.”"
"When operations resume, MintPal will begin processing transactions manually until they are 110 percent sure that the issue has been resolved to prevent a similar incident. MintPal assures its customers that they will be refunded in full, but for customers of other exchanges affected by the incident, they’re advised to get in touch with them directly."
The Reality
MintPal's public security page claimed that the majority of customer funds were held in cold storage, that components were separated by physical firewalls, that the site was routinely scanned by a PCI scanning service, and that "industry standard methods for preventing SQL Injection & XSS attacks" were in use. In practice the exchange's entire vericoin balance sat in a hot, internet-connected wallet, no multi-signature control protected it, and the withdrawal system was vulnerable to SQL injection: the attacker injected a withdrawal request directly into the database, bypassing the exchange's risk controls, and the automated withdrawal process paid it out. The bitcoin and litecoin wallets were targeted in the same attack but, being in cold storage, were not affected. MintPal stated afterwards that only the vericoin wallet was affected and that its server infrastructure was not directly accessed.
What Happened
The specific events of the loss, reconstructed from the statements and reports quoted above. The attack time is given by the sources as roughly 7 AM BST on 13 July 2014 (one report gives 2 AM EST).
| Date | Event | Description |
|---|---|---|
| July 13th, 2014, ~7:00 AM BST | SQL injection withdrawal | An attacker used a SQL injection flaw in MintPal's withdrawal system to inject a withdrawal request into the database, bypassing risk controls. The automated system paid roughly 8,000,000 VRC, about 30% of the circulating supply, out of the hot wallet in two malicious transactions. The bitcoin and litecoin wallets were also targeted but were in cold storage and unaffected. |
| July 13th, 2014, ~1:00 PM BST | VeriCoin developers contacted | About six hours after the attack, MintPal contacted the VeriCoin team. A hard fork to a block before the attack was agreed with the developers and the major exchanges. |
| July 13th, 2014 | First hard fork | The chain was forked to a state immediately before the attack, but older clients still broadcasting the theft transaction caused the network to accept it again, so the attacker still received the 8m VRC. |
| July 14th, 2014 | Second hard fork | A second fork, combined with a transaction moving the 8m VRC to a new wallet location, orphaned the blocks containing the theft transactions so that the network no longer accepted them. |
Total Amount Lost
Roughly 8,000,000 VRC, about 30% of all vericoin in existence at the time, were taken. Contemporary reports valued this at about $2,000,000; the Ledger retrospective cited below gives $3,500,000. The bitcoin and litecoin wallets were also targeted but, being in cold storage, lost nothing. Because the blockchain was rolled back, the net loss to MintPal's vericoin holders was ultimately zero (see Total Amount Recovered).
Immediate Reactions
MintPal closed its vericoin wallet, secured the exchange and the withdrawal process, and continued processing withdrawals for all other coins. Within hours it contacted the VeriCoin developers and the major exchanges to arrange a hard fork to a block before the attack, and it publicly pledged to cover all customer losses as well as any losses other exchanges suffered as a result of the rollback. The VeriCoin developers published a statement saying the rollback was done to prevent a single entity from controlling 30% of the supply of a proof-of-stake coin, which could potentially attack the blockchain, rather than to protect MintPal from losses. MintPal said that on resuming operations it would process transactions manually until it was satisfied that the issue had been resolved.
Ultimate Outcome
The VeriCoin blockchain was rolled back by two hard forks on 13 and 14 July 2014, reversing the two theft transactions and returning the coins to MintPal, which then reimbursed its vericoin holders and traders manually. All vericoin transactions outside exchanges made after the attack were erased; the developers put these at less than $4,000 worth of VRC against the roughly $2m that would otherwise have been lost. The rollback divided the community, with some regarding it as an abuse of developer control over the blockchain and a dangerous precedent. The sources cited on this page do not report any investigation, prosecution, lawsuit, or tracing of the attacker.
Total Amount Recovered
It is unknown how much was recovered.
The rollback returned roughly 8,000,000 VRC to MintPal, restoring its vericoin balance so that it could reimburse its users in full once the updated wallet was distributed and the new fork was active. MintPal committed to covering losses that other exchanges faced as a result of the rollback; users of those exchanges were told to contact them directly.
Prevention Policies
In order to avoid such attacks, all assets should be kept in offline storage and subject to a multi-sig scheme with trusted and trained individuals, so that no single automated system can sign away an entire balance. Where a hot wallet is unavoidable, its balance should be capped at what the business can afford to lose, with larger withdrawals routed to manual review, and the residual risk covered by company funds, self-insurance, or an industry insurance fund. The attack itself was an application flaw: withdrawal requests must be built with parameterized queries rather than string concatenation, and risk controls such as withdrawal limits and balance checks must be enforced server-side at payout time rather than by trusting flags stored in the database, since an injected row will carry whatever flags the attacker chooses.
References
CoinDesk: Bitcoin, Ethereum, Crypto News and Price Data (Sep 17)
Remembering the Mintpal Hack - October 2014 $3.500.000 Loss in Crypto Assets | Ledger (Oct 1)
VeriCoin hack leads to controversial 'fork' to recover stolen loot - SiliconANGLE (Oct 1)
https://www.vericoin.info/downloads/Statement.pdf (Oct 1)
@VeriCoin Twitter (Oct 1)
https://www.ccn.com/mintpal-gets-hacked-pos-vericoin-fork-result/ (Oct 1)
Implications of MintPal and BTER Hacks - Digiconomist (Oct 1)
Mintpal Hacked 'Considerable Amount' Of VeriCoin Stolen (Oct 1)
CoinDesk: Bitcoin, Ethereum, Crypto News and Price Data (Oct 2)
Mintpal hacked (VeriCoin) (Oct 2)
VeriCoin's 'solution' to Mintpal hack - a dangerous precedent? : reddCoin (Oct 2)
MintPal (Oct 2)
MintPal (Oct 2)
MintPal (Oct 2)
Mintpal - successful attack on VeriCoin, lost a considerable amount | Dash Forum (Oct 6)
SlowMist Hacked - SlowMist Zone (Jun 25)