Digital currency exchange platform MintPal has suffered a successful hack attack that resulted in the loss millions of vericoins from its hot wallet.
Notably, the site’s bitcoin and litecoin wallets were also targeted by those behind the attack. However, owing to MintPal’s existing cold storage procedures for those wallets, user balances were not affected during the incident.
This result is potentially encouraging as hot wallet vulnerabilities have been a persistent issue among major bitcoin exchanges this year, with defunct Japan-based bitcoin exchange Mt. Gox providing perhaps the most noteworthy example of how connected wallets can be targeted by hackers.
MintPal is an alternative digital currency exchange registered in the UK that trades bitcoin, litecoin and popular alternative currencies such as vericoin and darkcoin.
Vericoin's controversial response
The breach resulted in the loss of roughly 8 million vericoins (VRC), or about 30% of the total coins in existence, a member of the vericoin development team told CoinDesk.
Given the extent of the damage, the vericoin development team opted to hard fork the coin’s block chain in order to reverse the theft transaction. This was performed, they said, in order to both prevent the loss of roughly $2m in investor funds and stop a fraudulent actor from holding 30% of the coin’s proof-of-stake network capacity.
The fork is now complete, with new wallets now available for download, the vericoin development team told CoinDesk.
In a statement, the MintPal team pledged to recoup all losses from the attack, including those from other exchanges who were impacted by the event, saying:
CoinDesk reached out to MintPal for comment but has not received an immediate response.
Anatomy of an exchange attack
The attack took place at roughly 7 am BST, and utilized a SQL injection to initialize the wallet withdrawal. Six hours later, the MintPal development team made contact with the vericoin team, after which time a solution - ultimately a hard fork - was sought and reached.
According to MintPal, only the vericoin wallet was affected during the attack. This includes the database containing sensitive customer information and passwords.
The company stated that a failure to secure customer vericoin balances in cold storage led to the vulnerability, saying:
MintPal added that the company’s procedures have been changed to include stricter cold storage protocols as well as the institution of manual withdrawal clearances until the system has been cleared for all vulnerabilities.
Stolen coins returned
An initial attempt to roll back the block chain to reverse the vericoin theft was launched in the hours after the attack, which involved recreating the original block chain without the withdrawal from MintPal.
However, according to vericoin developer Patrick Nosker, older clients that were broadcasting the transaction resulted in the network mistakenly approving it, allowing the hacker to receive the 8m VRC.
A second hard fork was conducted on 14th July, an operation that also involved creating a transaction that moved the 8m VRC to a new wallet location. As a result, blocks containing the theft transactions were orphaned and remained unaccepted by the network.
Nosker told CoinDesk that the move was necessary to protect investors. However, he acknowledged the controversy behind the move and the frustration among those affected, saying:
He added: "We also didn't want one individual with the ability to 51% attack".
At press time, MintPal has not yet reactivated its vericoin market. However, one of the site’s admins commented that the focus now is on identifying customers who suffered losses.
Hacker image via Shutterstock
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.