MintPal Vericoin Hack/Rollback

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

MintPal Logo/Homepage

MintPal was a leading UK-based exchange in 2014. In addition to large currencies such as bitcoin and litecoin, they had an extensive selection of alt coins including vericoin. However, their vericoin was not stored in cold storage nor were any of their coins subject to a multi-sig. SQL injection is a form of attack where an attacker gives special data that tricks a database into running an unintended query. Despite expressly advertising protection against SQL injection on their site, the service fell victim to an SQL injection attack, which allowed the hacker to request a large vericoin withdrawal. This was handled without scrutiny by their automated system, withdrawing the entirety of the funds available. Customer funds were recovered in the end by rolling back the vericoin blockchain.

[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]

About MintPal

"The fast, efficient and secure cryptocurrency exchange." "MintPal Limited is a UK based private company (registered UK company #09009856) that focuses on the exchanging of cryptocurrencies. Launched in early 2014, we aim to provide the best user experience matched with quick support times." "Our team is made up of talented developers and network engineers who know how to build a fast, efficient and secure system that takes advantage of the latest web technologies. Check out our security page to find out more about the security precautions we have in place."

"Our beautiful interface allows you to trade in real-time with live updating prices so you never miss the action. At just 0.15% per trade for both BUY and SELL orders, we have some of the lowest trading fees in the industry. MintPal has been built with strong security principles in mind. We utilize COLD storage and strict firewalls. Our support team handle customer queries throughout the day, never will you experience a long wait for a reply."

"A secure and reliable trading environment. A fast matching engine that executes trades within milliseconds. The latest market data available to all users as fast as possible. A highly scalable architecture that can handle spikes of activity. An appealing and responsive user interface that is easy to use. Fast support responses, typically within 24 hours. Full DDoS protection with a leading provider. CDN Caching for all static content. Distributed wallets and Hot/Cold wallets. Tiered design from day 1 to improve scalability. Push instead of pull to deliver all market updates as fast as possible. 2 Factor Authentication as standard for all staff."

"We store the majority of our customer's funds in a secure offline wallet, with only a portion available in a 'hot' wallet for instant withdrawals. This method vastly improves security at a minor expense of large withdrawals requiring manual processing. We utilize a leading DDoS provider for all public facing content and cache all static content on a CDN to provide the fastest possible load times. All website components are logically separated and protected by physical firewalls for increased security. All employees are required to connect to a secure VPN before gaining access to any systems. All interaction with the website is required over HTTPS so all communication is encrypted via SSL. Customers can set up two-factor authentication for accounts with Google Authenticator to provide an extra layer of security. We use an industry recognized PCI (credit card provisioning compliance) scanning service to routinely scan the website to aid in locating any potential security issues. We use industry standard methods for preventing SQL Injection & XSS attacks on our website. In additional, all passwords & sensitive data are encrypted along with a static & random salt."

"MintPal was the primary exchange for altcoin Vericoin."

About Vericoin

"Vericoin uses what is called Proof of Stake (PoS) instead of Proof of Work (PoW), used by Bitcoin, Litecoin and Dogecoin. In traditional PoW mining miners compete to be the first to validate a block. The first to do so receives a fixed reward according to the “winner-take-all” principle. Effectively, it can be compared to a lottery that pays out once per block once it receives a winning ticket."

The Reality

"MintPal accepts no liability for any loss however so arising suffered as a result of any failure or fault in the service provided by MintPal. Any compensation shall be at the discretion of MintPal."

"MintPal will not be responsible for any damages that you may suffer. MintPal makes no warranties of any kind, expressed or implied for services we provide. MintPal disclaims any warranty or merchantability or fitness for a particular purpose. This includes loss of data resulting from delays, non-deliveries, wrong delivery, and any and all service interruptions caused by MintPal and its employees."

"The exchange had kept their Vericoin on a “hot” wallet (an online, internet-connected wallet), which is much more vulnerable."

"We did have cold storage setup for VRC, however in this instance, due to an error for which only we can be accountable, we had transferred far fewer coins than was required, resulting in a large proportion of coins being left in the hot wallet."[1]

What Happened

"Cryptocurrency exchange platform MintPal has suffered a successful hack attack that stole 30% of all vericoins."

Key Event Timeline - MintPal Vericoin Hack/Rollback
Date Event Description
July 13th, 2014 12:00:00 AM MDT MintPal Withdrawal Targeted The MintPal platform suffers from an exploit where an SQL injection attack allows 8 million Vericoin to be withdrawn from the platform. "The attack took place at roughly 7 am BST, and utilized a SQL injection to initialize the wallet withdrawal."
July 13th, 2014 6:00:00 AM MDT Blockchain Rollback Negotiated "Six hours later, the MintPal development team made contact with the vericoin team, after which time a solution - ultimately a hard fork - was sought and reached." An initial rollback of the blockchain reportedly failed, since the transaction had been reverted but not blocked. The attacker transaction was able to be broadcast again, giving the attacker back the 8m VRC.
July 13th, 2014 9:47:00 AM MDT Vericoin Tweet Vericoin posts a tweet about the rollback, which they are reportedly doing for their users[5].
July 13th, 2014 9:32:00 PM MDT Mintpal Update Posted On Site Mintpal posts an update on their website[17].
July 14th, 2014 Vericoin Blockchain Rollback The Vericoin blockchain undergoes a second rollback mechanism where the blockchain is rolled back to a state before the attack occurred. In this case, the rollback includes a transaction to send the stolen funds to a new wallet address. Older clients who do not participate in the rollback are now an orphaned chain.
July 14th, 2014 4:11:49 PM MDT CoinDesk Article Published CoinDesk publishes an article on the exploit and the Vericoin rollback which is now underway.

Technical Details

"In PoS, blocks are minted instead of mined, and rewards are limited due to the concept of coin age. Coin age can be seen as a measure of accrued interest. The interest still gets paid out to only the first stakeholder to validate a block, but coin age is reset when this happens. To allow all miners to receive their interest, there is minimum coin age to be accumulated before interest is paid. If the interest rate is 5 percent per year, then a stakeholder with 1,000,000 coins would be entitled to receive 2.28 coins every 8 hours (the minimum coin age for Vericoin). As long as there is no eligible coin age, users do not participate in the lottery. Also, higher coin age typically gets an additional weight in the process, making it more likely to be paid out."

"The 13th July attack targeted a vulnerability in the site’s withdrawal system." "Mintpal faced a major hack on the 13th of July, causing 8,000,000 Vericoin being stolen (value $2,000,000), which was about 30% of the circulating supply at the time."

"[T]he site’s bitcoin and litecoin wallets were also targeted by those behind the attack. However, owing to MintPal’s existing cold storage procedures for those wallets, user balances were not affected during the incident." "According to MintPal, only the vericoin wallet was affected during the attack. This includes the database containing sensitive customer information and passwords." "MintPal is confident that its server infrastructure was not directly accessed in the attack."

Total Amount Lost

There were reportedly roughly 8 million vericoins which were lost in the attack.

The total amount lost has been estimated at $2,000,000 USD.

Immediate Reactions

"According to MintPal, the hackers injected a withdrawal request into its database which allowed it to bypass risk control measures." "The hacker, according to an official statement from MintPal, was able to circumvent internal controls and authorize a withdrawal request for the contents of the vericoin wallet." "The attack took place at roughly 7 am BST, and utilized a SQL injection to initialize the wallet withdrawal. Six hours later, the MintPal development team made contact with the vericoin team, after which time a solution - ultimately a hard fork - was sought and reached."

"The breach resulted in the loss of roughly 8 million vericoins (VRC), or about 30% of the total coins in existence, a member of the vericoin development team told CoinDesk."

"Since the attack, MintPal has been plagued with inquiries from users asking questions why only VeriCoins were targeted, if any of their personal information was acquired by the attackers, if cold storage was used for VeriCoin, and whether or not they’ll recover their VRCs."

"In a statement, the MintPal team pledged to recoup all losses from the attack, including those from other exchanges who were impacted by the event."

“Please read the entirety of this post.

A few hours ago we were unfortunately the subject of a successful attack against the exchange. Our investigations have shown that whilst our security was breached, VeriCoin was the target. We would like to stress that VeriCoin and the VeriCoin network has not been in any way compromised. We have worked to secure the exchange and the withdraw process from any further attack.

As it stands at the moment the following applies:

1) We lost a considerable amount of VeriCoin in the attack, however we have been working with the VRC developers and all major exchanges to hard fork the coin at a position before the attack. This will allow us to retrieve the stolen coins and facilitate all withdrawals. We are also working with various exchanges to accommodate any losses they may encouter as a result of the required fork.

2) We are currently processing withdrawals for all other coins.

As I'm sure you will appreciate, our support channels will most likely be very busy over the coming hours/days so please bear with us.

We would like to personally extend our thanks to the VeriCoin developers and the other exchanges who have pulled out all of the stops to ensure that your VRC funds are safe.”

Ultimate Outcome

"The biggest implication of the rollback is to the various exchanges who have accepted customer deposits and then had trades executed on those deposits. We have committed to our customers and to all exchanges that we will cover any losses faced as a result of the rollback."

"Given the extent of the damage, the vericoin development team opted to hard fork the coin’s block chain in order to reverse the theft transaction." "For the first hack that Mintpal faced, the cryptocurrency exchange was saved by the Vericoin community who decided to fork the coin starting the block before the hack took place." "This was performed, they said, in order to both prevent the loss of roughly $2m in investor funds and stop a fraudulent actor from holding 30% of the coin’s proof-of-stake network capacity."

As for the VeriCoins taken by the attacker, MintPal explained that “VRC developers have worked tirelessly to perform something never before done by a cryptocurrency, and rollback the blockchain in order to reverse the two malicious transactions. This was not done out of a desire to save MintPal, but rather a desire to save your coins. Once the updated wallet has been distributed and the new fork is active we will re-open our VRC wallet to facilitate withdrawals.”

“The community is clearly divided. Some think we are good guys for helping users keep their stolen coin. Others think we are bad for ‘abusing’ our dev rights to change the blockchain. We believe we are in the right as less than $4,000 worth of VRC were sent between the theft time and hard fork, while over $2m of VRC would have been sent otherwise,” Patrick Nosker, Vericoin developer, said in an interview with CoinDesk.

"In the best interest of VeriCoin, we have decided to revert the blockchain to a state immediately before the attack. This is not to protect MintPal from losses but rather to prevent a single entity from controlling 30% of the total supply, and to protect the VeriCoin users. Due to the way Proof of Stake operates, this quantity of coin could potentially attack the blockchain. To be clear, the coins that are on the Mintpal exchange are not owned by Mintpal but rather VeriCoins owned by users."

"However, according to vericoin developer Patrick Nosker, older clients that were broadcasting the transaction resulted in the network mistakenly approving it, allowing the hacker to receive the 8m VRC."

"A second hard fork was conducted on 14th July, an operation that also involved creating a transaction that moved the 8m VRC to a new wallet location. As a result, blocks containing the theft transactions were orphaned and remained unaccepted by the network."

"By forking, VeriCoin can, in effect, reset their blockchain to just before the security breach at Mintpal. In this way, all the VeriCoin that was stolen is put back in control of Mintpal, who will then reimburse their own VeriCoin holders and traders manually. Outside of exchanges, all VeriCoin transactions that occurred after 2 AM EST 7/13/14 will be erased in this “theft reversal process.”" "This returned the Vericoins to their rightful owners and rendered the stolen ones unusable."

"From the perspective of VeriCoin investors, a fork is indeed preferable to an unknown and presumably malicious entity being in control of 30% of a Proof of Stake (PoS) altcoin. In contrast to Proof of Work (PoW) altcoins, PoS altcoins such as VeriCoin generate new coins by “staking” existing coins. The “staking” process replaces the mining process as the consensus mechanism; however, all of the existing pressures in the Bitcoin mining world translate to PoS in some way, shape, or form. As such, a single entity controlling 30% of the total supply of VeriCoin is equivalent to a single entity controlling 30% of the Bitcoin mining network and is more centralization than most digital currency enthusiasts are able to stomach. Mintpal’s breach reveals that 30% of the total supply of VeriCoin was being held on MintPal, and not being staked and used for anything besides trading. Instead of holding VeriCoin on a centralized, and thus vulnerable, exchange, VeriCoin developers reminded VeriCoin investors in their statement that “staking your VeriCoin in the wallet is the best-decentralized solution.”"

"When operations resume, MintPal will begin processing transactions manually until they are 110 percent sure that the issue has been resolved to prevent a similar incident. MintPal assures its customers that they will be refunded in full, but for customers of other exchanges affected by the incident, they’re advised to get in touch with them directly."

Total Amount Recovered

Due to the blockchain being reverted, all funds were effectively recovered in this case.

Ongoing Developments

The MintPal exchange ultimately defrauded investors out of their funds.

Individual Prevention Policies

In order to avoid such attacks, all assets should be protected by offline storage and subject to a multi-sig with trusted and trained individuals. If this can't be done, as in the case of a hot wallet, it's suggested to use company funds, self-insure, or form an industry insurance fund.

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

In general, blockchain-level exploits can be resolved by reverting the blockchain to a prior state, which restores all funds to their prior ownership and limits potential losses to those who are transacting between the time of the exploit and the time of the revert. Effort should be undertaken by node operators to switch to a branch that eliminates the exploit as soon as possible to minimize losses. Any remaining losses would be resolved through the industry insurance fund.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. 1.0 1.1 8 Million Vericoin Hack Prompts Hard Fork to Recover Funds - CoinDesk (Accessed Sep 18, 2021)
  2. Remembering the Mintpal Hack - October 2014 $3.500.000 Loss in Crypto Assets - Ledger (Accessed Oct 2, 2021)
  3. VeriCoin hack leads to controversial 'fork' to recover stolen loot - SiliconANGLE (Accessed Oct 2, 2021)
  4. Official VeriCoin Statement RE: Mintpal Security Breach Archive August 1st, 2014 1:23:52 AM MDT (Accessed Oct 2, 2021)
  5. 5.0 5.1 VeriCoin - "We are working to fix a problem that is @MintPalExchange's.  We are doing this for our users, nothing more, nothing less." - Twitter (Accessed Oct 2, 2021)
  6. Mintpal Gets Hacked And PoS VeriCoin Has To Fork As A Result - CCN (Accessed Oct 2, 2021)
  7. Implications of MintPal and BTER Hacks - Digiconomist (Accessed Oct 2, 2021)
  8. Mintpal Hacked 'Considerable Amount' Of VeriCoin Stolen - CoinTelegraph (Accessed Oct 2, 2021)
  9. MintPal Vows to Fight Former Moolah CEO in Court - CoinDesk (Accessed Oct 3, 2021)
  10. Mintpal hacked (VeriCoin) - BitcoinTalk (Accessed Oct 3, 2021)
  11. VeriCoin's 'solution' to Mintpal hack - a dangerous precedent? - reddCoin Subreddit (Accessed Oct 3, 2021)
  12. MintPal Homepage Archive June 25th, 2014 1:24:38 AM MDT (Accessed Oct 3, 2021)
  13. MintPal About Page Archive June 26th, 2014 10:57:10 AM MDT (Accessed Oct 3, 2021)
  14. MintPal Security Page Archive June 26th, 2014 10:11:18 AM MDT (Accessed Oct 3, 2021)
  15. Mintpal - successful attack on VeriCoin, lost a considerable amount - Dash Forum (Accessed Oct 7, 2021)
  16. SlowMist Hacked - SlowMist Zone (Accessed Jun 26, 2021)
  17. 17.0 17.1 MintPal / VRC Update Archive - September 23rd, 2014 1:18:16 AM MDT (Accessed Aug 7, 2024)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=MintPal_Vericoin_Hack/Rollback&oldid=5937"