Digital currency exchange platform MintPal has suffered a successful hack attack that resulted in the loss of millions of vericoins from its hot wallet.
The 13th July attack targeted a vulnerability in the site’s withdrawal system. The hacker, according to an official statement from MintPal, was able to circumvent internal controls and authorize a withdrawal request for the contents of the vericoin wallet.
Notably, the site’s bitcoin and litecoin wallets were also targeted by those behind the attack. However, owing to MintPal’s existing cold storage procedures for those wallets, user balances were not affected during the incident.
This result is potentially encouraging as hot wallet vulnerabilities have been a persistent issue among major bitcoin exchanges this year, with defunct Japan-based bitcoin exchange Mt. Gox providing perhaps the most noteworthy example of how connected wallets can be targeted by hackers.
MintPal is an alternative digital currency exchange registered in the UK that trades bitcoin, litecoin and popular alternative currencies such as vericoin and darkcoin.
Vericoin's controversial response
The breach resulted in the loss of roughly 8 million vericoins (VRC), or about 30% of the total coins in existence, a member of the vericoin development team told CoinDesk.
Given the extent of the damage, the vericoin development team opted to hard fork the coin’s block chain in order to reverse the theft transaction. This was performed, they said, in order to both prevent the loss of roughly $2m in investor funds and stop a fraudulent actor from holding 30% of the coin’s proof-of-stake network capacity.
The fork is now complete, with new wallets now available for download, the vericoin development team told CoinDesk.
In a statement, the MintPal team pledged to recoup all losses from the attack, including those from other exchanges who were impacted by the event, saying:
"The biggest implication of the rollback is to the various exchanges who have accepted customer deposits and then had trades executed on those deposits. We have committed to our customers and to all exchanges that we will cover any losses faced as a result of the rollback."
CoinDesk reached out to MintPal for comment but has not received an immediate response.
Anatomy of an exchange attack
The attack took place at roughly 7 am BST, and utilized a SQL injection to initiate the wallet withdrawal. Six hours later, the MintPal development team made contact with the vericoin team, after which time a solution - ultimately a hard fork - was sought and reached.
According to MintPal, only the vericoin wallet was affected during the attack. This includes the database containing sensitive customer information and passwords.
The company stated that a failure to secure customer vericoin balances in cold storage led to the vulnerability, saying:
"We did have cold storage setup for VRC, however in this instance, due to an error for which only we can be accountable, we had transferred far fewer coins than was required, resulting in a large proportion of coins being left in the hot wallet."
MintPal added that the company’s procedures have been changed to include stricter cold storage protocols as well as the institution of manual withdrawal clearances until the system has been cleared for all vulnerabilities.
Stolen coins returned
An initial attempt to roll back the block chain to reverse the vericoin theft was launched in the hours after the attack, which involved recreating the original block chain without the withdrawal from MintPal.
However, according to vericoin developer Patrick Nosker, older clients that were broadcasting the transaction resulted in the network mistakenly approving it, allowing the hacker to receive the 8m VRC.
A second hard fork was conducted on 14th July, an operation that also involved creating a transaction that moved the 8m VRC to a new wallet location. As a result, blocks containing the theft transactions were orphaned and remained unaccepted by the network.
Nosker told CoinDesk that the move was necessary to protect investors. However, he acknowledged the controversy behind the move and the frustration among those affected, saying:
"The community is clearly divided. Some think we are good guys for helping users keep their stolen coin. Others think we are bad for 'abusing' our dev rights to change the blockchain. We believe we are in the right as less than $4,000 worth of VRC were sent between the theft time and hard fork, while over $2m of VRC would have been sent otherwise."
He added: "We also didn't want one individual with the ability to 51% attack".
At press time, MintPal has not yet reactivated its vericoin market. However, one of the site’s admins commented that the focus now is on identifying customers who suffered losses.