Mintpal, a popular altcoin exchange, has been hacked. In their official announcement of the matter, they revealed that the hacker specifically targeted Mintpal’s large VeriCoin holdings. Mintpal was in control of 30% of existing VeriCoin, all of which were stolen by a yet unidentified hacker. Mintpal has emphasized to its users that they are still processing withdrawals for all other coins; however, they have not revealed the exact vector of the attack. Mintpal and other VRC exchanges have worked directly with VeriCoin developers to come up with a seemingly satisfactory solution for all parties involved (except the hacker): VeriCoin is going to fork. By forking, VeriCoin can, in effect, reset their blockchain to just before the security breach at Mintpal. In this way, all the VeriCoin that was stolen is put back in control of Mintpal, who will then reimburse their own VeriCoin holders and traders manually. Outside of exchanges, all VeriCoin transactions that occurred after 2 AM EST 7/13/14 will be erased in this “theft reversal process.”
Vericoin has been generating a lot of attention since its launch, particularly with projects such as VeriBit and VeriSMS. In light of the largest VeriCoin-related hack in history, VeriCoin developers, Patrick Nosker, Douglas Pike, and David Boehm promptly released an Official VeriCoin Statement RE: Mintpal Security Breach. In this statement, the developers emphasized that “VeriCoin security was not breached or compromised in any way.” They also admitted that “Mintpal is a centralized storage solution. Because of this, it is more vulnerable to attacks such as the one that has occurred.”
VeriCoin’s decision to fork in response to Mintpal’s security breach was then announced and explained as necessary:
“In the best interest of VeriCoin, we have decided to revert the blockchain to a state immediately before the attack. This is not to protect MintPal from losses but rather to prevent a single entity from controlling 30% of the total supply, and to protect the VeriCoin users. Due to the way Proof of Stake operates, this quantity of coin could potentially attack the blockchain. To be clear, the coins that are on the Mintpal exchange are not owned by Mintpal but rather VeriCoins owned by users.”
To be clear, the coins that are on Mintpal exchange might not have been technically “owned” by Mintpal, as opposed to the individual VeriCoin traders; however, all of the VeriCoin stored on Mintpal was indeed under the control of Mintpal. After Mintpal was breached, the VeriCoin was then under the control (and for all intents and purposes: ownership) of the hacker. It is likely that the hacker was not expecting his target altcoin to fork. VeriCoin’s swift action has been greeted with a lot of support from its own community while facing criticism from some cryptocurrency purists.
We are working to fix a problem that is @MintPalExchange's. We are doing this for our users, nothing more, nothing less.
— VeriCoin (@VeriCoin) July 13, 2014
Why Did VeriCoin Need To Fork?
From the perspective of VeriCoin investors, a fork is indeed preferable to an unknown and presumably malicious entity being in control of 30% of a Proof of Stake (PoS) altcoin. In contrast to Proof of Work (PoW) altcoins, PoS altcoins such as VeriCoin generate new coins by “staking” existing coins. The “staking” process replaces the mining process as the consensus mechanism; however, all of the existing pressures in the Bitcoin mining world translate to PoS in some way, shape, or form. As such, a single entity controlling 30% of the total supply of VeriCoin is equivalent to a single entity controlling 30% of the Bitcoin mining network and is more centralization than most digital currency enthusiasts are able to stomach. Mintpal’s breach reveals that 30% of the total supply of VeriCoin was being held on MintPal, and not being staked and used for anything besides trading. Instead of holding VeriCoin on a centralized, and thus vulnerable, exchange, VeriCoin developers reminded VeriCoin investors in their statement that “staking your VeriCoin in the wallet is the best-decentralized solution.”
VeriCoin has successfully forked away from the coins from the hacker.
— Patrick Nosker (@pnosker) July 14, 2014
Some in the community have wondered why VeriCoin wasn’t secured in cold storage like Mintpal’s Bitcoin and Litecoin. The insinuation is that Mintpal was running a fractional reserve with their PoS coins.
My bet is Mintpal were staking all their PoS coins instead of using cold storage which is why VRC was taken over BTC
— KING CO฿IE (@CryptoCobain) July 13, 2014