According to various press and social media sources, including Verge developer known as Sunerok, a bug allowed manipulation of block mining timestamps. This created the potential for illegitimate coins to appear from nowhere.
“There's currently a >51% attack going on on XVG which exploits a bug in retargeting in the XVG code,” Suprnova mining pool’s OCminer reported on Bitcointalk.
“Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp. When you submit a mined block (as a malicious miner or pool) you simply set a false timestamp to this block one hour ago and XVG will then “think” the last block mined on that algo was one hour ago.”
Following the fresh bug reports, however, Sunerok appeared to adopt a laissez faire attitude to fixing them, pushing through an accidental hard fork.
“You guys are aware that the ‘fix’ you pushed actually IS a hardfork? So your blockchain snapshot is not valid anymore, the wallet’s won’t sync up from scratch anymore and the current chain is simply not usable anymore with that new ‘fix’?” OCminer continued.
Analysis by Suprnova suggested the hack stopped April 5. “I skimmed the logs and saw the attacker started the new attack at around block 2014060 and stopped just now at block 2026196,” OCminer wrote in a further post.
Verge’s last official Twitter update was published around 19 hours ago, claiming funds were only exploitable for three hours:
We had a small hash attack that lasted about 3 hours earlier this morning, it's been cleared up now. We will be implementing even more redundancy checks for things of this nature in the future! $XVG #vergefam— vergecurrency (@vergecurrency) April 4, 2018