8 Million Vericoin Hack Prompts Hard Fork to Recover Funds

Cryptocurrency exchange platform MintPal has suffered a successful hack attack that stole 30% of all vericoins.

Jul 14, 2014 at 10:11 p.m. UTC
Updated Sep 11, 2021 at 10:58 a.m. UTC

Digital currency exchange platform MintPal has suffered a successful hack attack that resulted in the loss of millions of vericoins from its hot wallet.

The 13th July attack targeted a vulnerability in the site’s withdrawal system. The hacker, according to an official statement from MintPal, was able to circumvent internal controls and authorize a withdrawal request for the contents of the vericoin wallet.

Notably, the site’s bitcoin and litecoin wallets were also targeted by those behind the attack. However, owing to MintPal’s existing cold storage procedures for those wallets, user balances were not affected during the incident.

This result is potentially encouraging as hot wallet vulnerabilities have been a persistent issue among major bitcoin exchanges this year, with defunct Japan-based bitcoin exchange Mt. Gox providing perhaps the most noteworthy example of how connected wallets can be targeted by hackers.

MintPal is an alternative digital currency exchange registered in the UK that trades bitcoin, litecoin and popular alternative currencies such as vericoin and darkcoin.

Vericoin's controversial response

The breach resulted in the loss of roughly 8 million vericoins (VRC), or about 30% of the total coins in existence, a member of the vericoin development team told CoinDesk.

Given the extent of the damage, the vericoin development team opted to hard fork the coin’s block chain in order to reverse the theft transaction. This was performed, they said, in order to both prevent the loss of roughly $2m in investor funds and stop a fraudulent actor from holding 30% of the coin’s proof-of-stake network capacity.

The fork is now complete, with new wallets now available for download, the vericoin development team told CoinDesk.

In a statement, the MintPal team pledged to recoup all losses from the attack, including those from other exchanges who were impacted by the event, saying:

"The biggest implication of the rollback is to the various exchanges who have accepted customer deposits and then had trades executed on those deposits. We have committed to our customers and to all exchanges that we will cover any losses faced as a result of the rollback."

CoinDesk reached out to MintPal for comment but has not received an immediate response.

Anatomy of an exchange attack

The attack took place at roughly 7 am BST, and used a SQL injection to initiate the wallet withdrawal. Six hours later, the MintPal development team made contact with the vericoin team, after which a solution - ultimately a hard fork - was sought and reached.

According to MintPal, only the vericoin wallet was affected during the attack. This includes the database containing sensitive customer information and passwords.

The company stated that a failure to secure customer vericoin balances in cold storage led to the vulnerability, saying:

"We did have cold storage setup for VRC, however in this instance, due to an error for which only we can be accountable, we had transferred far fewer coins than was required, resulting in a large proportion of coins being left in the hot wallet."

MintPal added that the company’s procedures have been changed to include stricter cold storage protocols as well as the institution of manual withdrawal clearances until the system has been cleared for all vulnerabilities.

Stolen coins returned

An initial attempt to roll back the block chain to reverse the vericoin theft was launched in the hours after the attack, which involved recreating the original block chain without the withdrawal from MintPal.

However, according to vericoin developer Patrick Nosker, older clients that were broadcasting the transaction resulted in the network mistakenly approving it, allowing the hacker to receive the 8m VRC.

A second hard fork was conducted on 14th July, an operation that also involved creating a transaction that moved the 8m VRC to a new wallet location. As a result, blocks containing the theft transactions were orphaned and remained unaccepted by the network.

Nosker told CoinDesk that the move was necessary to protect investors. However, he acknowledged the controversy behind the move and the frustration among those affected, saying:

"The community is clearly divided. Some think we are good guys for helping users keep their stolen coin. Others think we are bad for 'abusing' our dev rights to change the blockchain. We believe we are in the right as less than $4,000 worth of VRC were sent between the theft time and hard fork, while over $2m of VRC would have been sent otherwise."

He added: "We also didn't want one individual with the ability to 51% attack".

At press time, MintPal has not yet reactivated its vericoin market. However, one of the site’s admins commented that the focus now is on identifying customers who suffered losses.
