$2 000 000 USD

JULY 2014

UNITED KINGDOM

MINTPAL

DESCRIPTION OF EVENTS

"The fast, efficient and secure cryptocurrency exchange." "MintPal Limited is a UK based private company (registered UK company #09009856) that focuses on the exchanging of cryptocurrencies. Launched in early 2014, we aim to provide the best user experience matched with quick support times." "Our team is made up of talented developers and network engineers who know how to build a fast, efficient and secure system that takes advantage of the latest web technologies. Check out our security page to find out more about the security precautions we have in place."

"Our beautiful interface allows you to trade in real-time with live updating prices so you never miss the action. At just 0.15% per trade for both BUY and SELL orders, we have some of the lowest trading fees in the industry. MintPal has been built with strong security principles in mind. We utilise COLD storage and strict firewalls. Our support team handle customer queries throughout the day, never will you experience a long wait for a reply."

"A secure and reliable trading environment. A fast matching engine that executes trades within milliseconds. The latest market data available to all users as fast as possible. A highly scalable architecture that can handle spikes of activity. An appealing and responsive user interface that is easy to use. Fast support responses, typically within 24 hours. Full DDoS protection with a leading provider. CDN Caching for all static content. Distributed wallets and Hot/Cold wallets. Tiered design from day 1 to improve scalability. Push instead of pull to deliver all market updates as fast as possible. 2 Factor Authentication as standard for all staff."

"We store the majority of our customer's funds in a secure offline wallet, with only a portion available in a 'hot' wallet for instant withdrawals. This method vastly improves security at a minor expense of large withdrawals requiring manual processing. We utilize a leading DDoS provider for all public facing content and cache all static content on a CDN to provide the fastest possible load times. All website components are logically separated and protected by physical firewalls for increased security. All employees are required to connect to a secure VPN before gaining access to any systems. All interaction with the website is required over HTTPS so all communication is encrypted via SSL. Customers can set up two-factor authentication for accounts with Google Authenticator to provide an extra layer of security. We use an industry recognised PCI (credit card provisioning compliance) scanning service to routinely scan the website to aid in locating any potential security issues. We use industry standard methods for preventing SQL Injection & XSS attacks on our website. In addition, all passwords & sensitive data are encrypted along with a static & random salt."

"MintPal was the primary exchange for altcoin Vericoin. Vericoin uses what is called Proof of Stake (PoS) instead of Proof of Work (PoW), used by Bitcoin, Litecoin and Dogecoin. In traditional PoW mining miners compete to be the first to validate a block. The first to do so receives a fixed reward according to the “winner-take-all” principle. Effectively, it can be compared to a lottery that pays out once per block once it receives a winning ticket."

"In PoS, blocks are minted instead of mined, and rewards are limited due to the concept of coin age. Coin age can be seen as a measure of accrued interest. The interest still gets paid out to only the first stakeholder to validate a block, but coin age is reset when this happens. To allow all miners to receive their interest, there is a minimum coin age to be accumulated before interest is paid. If the interest rate is 5 percent per year, then a stakeholder with 1,000,000 coins would be entitled to receive 2.28 coins every 8 hours (the minimum coin age for Vericoin). As long as there is no eligible coin age, users do not participate in the lottery. Also, higher coin age typically gets an additional weight in the process, making it more likely to be paid out."

"MintPal accepts no liability for any loss however so arising suffered as a result of any failure or fault in the service provided by MintPal. Any compensation shall be at the discretion of MintPal."

"MintPal will not be responsible for any damages that you may suffer. MintPal makes no warranties of any kind, expressed or implied for services we provide. MintPal disclaims any warranty or merchantability or fitness for a particular purpose. This includes loss of data resulting from delays, non-deliveries, wrong delivery, and any and all service interruptions caused by MintPal and its employees."

"Cryptocurrency exchange platform MintPal has suffered a successful hack attack that stole 30% of all vericoins." "The 13th July attack targeted a vulnerability in the site’s withdrawal system." "Mintpal faced a major hack on the 13th of July, causing 8,000,000 Vericoin to be stolen (value $2,000,000), which was about 30% of the circulating supply at the time. The exchange had kept their Vericoin on a “hot” wallet (an online, internet-connected wallet), which is much more vulnerable."

"[T]he site’s bitcoin and litecoin wallets were also targeted by those behind the attack. However, owing to MintPal’s existing cold storage procedures for those wallets, user balances were not affected during the incident." "According to MintPal, only the vericoin wallet was affected during the attack. This includes the database containing sensitive customer information and passwords." "MintPal is confident that its server infrastructure was not directly accessed in the attack."

"According to MintPal, the hackers injected a withdrawal request into its database which allowed it to bypass risk control measures." "The hacker, according to an official statement from MintPal, was able to circumvent internal controls and authorize a withdrawal request for the contents of the vericoin wallet." "The attack took place at roughly 7 am BST, and utilized a SQL injection to initialize the wallet withdrawal. Six hours later, the MintPal development team made contact with the vericoin team, after which time a solution - ultimately a hard fork - was sought and reached."

"The breach resulted in the loss of roughly 8 million vericoins (VRC), or about 30% of the total coins in existence, a member of the vericoin development team told CoinDesk."

"Since the attack, MintPal has been plagued with inquiries from users asking questions why only VeriCoins were targeted, if any of their personal information was acquired by the attackers, if cold storage was used for VeriCoin, and whether or not they’ll recover their VRCs."

"In a statement, the MintPal team pledged to recoup all losses from the attack, including those from other exchanges who were impacted by the event."

“Please read the entirety of this post.

A few hours ago we were unfortunately the subject of a successful attack against the exchange. Our investigations have shown that whilst our security was breached, VeriCoin was the target. We would like to stress that VeriCoin and the VeriCoin network has not been in any way compromised. We have worked to secure the exchange and the withdraw process from any further attack.

As it stands at the moment the following applies:

1) We lost a considerable amount of VeriCoin in the attack, however we have been working with the VRC developers and all major exchanges to hard fork the coin at a position before the attack. This will allow us to retrieve the stolen coins and facilitate all withdrawals. We are also working with various exchanges to accommodate any losses they may encounter as a result of the required fork.

2) We are currently processing withdrawals for all other coins.

As I'm sure you will appreciate, our support channels will most likely be very busy over the coming hours/days so please bear with us.

We would like to personally extend our thanks to the VeriCoin developers and the other exchanges who have pulled out all of the stops to ensure that your VRC funds are safe.”

"The biggest implication of the rollback is to the various exchanges who have accepted customer deposits and then had trades executed on those deposits. We have committed to our customers and to all exchanges that we will cover any losses faced as a result of the rollback."

"Given the extent of the damage, the vericoin development team opted to hard fork the coin’s block chain in order to reverse the theft transaction." "For the first hack that Mintpal faced, the cryptocurrency exchange was saved by the Vericoin community who decided to fork the coin starting the block before the hack took place." "This was performed, they said, in order to both prevent the loss of roughly $2m in investor funds and stop a fraudulent actor from holding 30% of the coin’s proof-of-stake network capacity."

As for the VeriCoins taken by the attacker, MintPal explained that “VRC developers have worked tirelessly to perform something never before done by a cryptocurrency, and rollback the blockchain in order to reverse the two malicious transactions. This was not done out of a desire to save MintPal, but rather a desire to save your coins. Once the updated wallet has been distributed and the new fork is active we will re-open our VRC wallet to facilitate withdrawals.”

“The community is clearly divided. Some think we are good guys for helping users keep their stolen coin. Others think we are bad for ‘abusing’ our dev rights to change the blockchain. We believe we are in the right as less than $4,000 worth of VRC were sent between the theft time and hard fork, while over $2m of VRC would have been sent otherwise,” Patrick Nosker, Vericoin developer, said in an interview with CoinDesk.

"In the best interest of VeriCoin, we have decided to revert the blockchain to a state immediately before the attack. This is not to protect MintPal from losses but rather to prevent a single entity from controlling 30% of the total supply, and to protect the VeriCoin users. Due to the way Proof of Stake operates, this quantity of coin could potentially attack the blockchain. To be clear, the coins that are on the Mintpal exchange are not owned by Mintpal but rather VeriCoins owned by users."

"However, according to vericoin developer Patrick Nosker, older clients that were broadcasting the transaction resulted in the network mistakenly approving it, allowing the hacker to receive the 8m VRC."

"A second hard fork was conducted on 14th July, an operation that also involved creating a transaction that moved the 8m VRC to a new wallet location. As a result, blocks containing the theft transactions were orphaned and remained unaccepted by the network."

"By forking, VeriCoin can, in effect, reset their blockchain to just before the security breach at Mintpal. In this way, all the VeriCoin that was stolen is put back in control of Mintpal, who will then reimburse their own VeriCoin holders and traders manually. Outside of exchanges, all VeriCoin transactions that occurred after 2 AM EST 7/13/14 will be erased in this “theft reversal process.”" "This returned the Vericoins to their rightful owners and rendered the stolen ones unusable."

"From the perspective of VeriCoin investors, a fork is indeed preferable to an unknown and presumably malicious entity being in control of 30% of a Proof of Stake (PoS) altcoin. In contrast to Proof of Work (PoW) altcoins, PoS altcoins such as VeriCoin generate new coins by “staking” existing coins. The “staking” process replaces the mining process as the consensus mechanism; however, all of the existing pressures in the Bitcoin mining world translate to PoS in some way, shape, or form. As such, a single entity controlling 30% of the total supply of VeriCoin is equivalent to a single entity controlling 30% of the Bitcoin mining network and is more centralization than most digital currency enthusiasts are able to stomach. Mintpal’s breach reveals that 30% of the total supply of VeriCoin was being held on MintPal, and not being staked and used for anything besides trading. Instead of holding VeriCoin on a centralized, and thus vulnerable, exchange, VeriCoin developers reminded VeriCoin investors in their statement that “staking your VeriCoin in the wallet is the best-decentralized solution.”"

"When operations resume, MintPal will begin processing transactions manually until they are 110 percent sure that the issue has been resolved to prevent a similar incident. MintPal assures its customers that they will be refunded in full, but for customers of other exchanges affected by the incident, they’re advised to get in touch with them directly."

MintPal was a leading UK-based exchange in 2014. In addition to major currencies such as bitcoin and litecoin, it listed an extensive selection of altcoins, including vericoin. However, its vericoin was not held in cold storage, and none of its coins were protected by multi-signature controls.

SQL injection is a class of attack in which attacker-supplied input is interpreted as part of a database query, so the database executes statements the application never intended. Despite expressly advertising protection against SQL injection on its site, MintPal fell victim to exactly such an attack, which let the attacker inject a request for a large vericoin withdrawal. The automated withdrawal system processed that request without scrutiny, paying out the entirety of the funds available.
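As an added illustration (constructed for this write-up, not code from MintPal or from any source quoted above), the Python below contrasts a withdrawal-request handler that pastes request fields into SQL with one that validates and binds them as parameters, and adds an independent policy check at the hot-wallet signing step so that a rogue database row cannot on its own move coins. The table layout, the approval threshold, the hot-wallet float and the sample amounts are all assumptions.

```python
import sqlite3

# Assumed policy for this constructed example: withdrawals above the limit need a recorded
# human approval, and the hot wallet only ever holds a small working balance.
HOT_WALLET_AUTO_LIMIT = 1000.0

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE withdrawals (id INTEGER PRIMARY KEY, user TEXT, coin TEXT, "
               "amount REAL, status TEXT, approver TEXT)")
    return db

def request_withdrawal_vulnerable(db, user, coin, amount_text):
    # Request fields are pasted into the statement, so client-supplied text becomes SQL and a
    # crafted amount can override the status the server meant to record. Flawed pattern only.
    sql = ("INSERT INTO withdrawals (user, coin, amount, status) "
           "VALUES ('%s', '%s', %s, 'pending_review')" % (user, coin, amount_text))
    db.execute(sql)

def request_withdrawal_safe(db, user, coin, amount_text):
    # Validate the type first, then bind the values as parameters: they are data, never SQL.
    amount = float(amount_text)
    if amount <= 0:
        raise ValueError("amount must be positive")
    status = "approved" if amount <= HOT_WALLET_AUTO_LIMIT else "pending_review"
    db.execute("INSERT INTO withdrawals (user, coin, amount, status) VALUES (?, ?, ?, ?)",
               (user, coin, amount, status))

def hot_wallet_payouts(db, hot_balance):
    # Independent control where coins actually move: the signer re-applies policy instead of
    # trusting a status flag that a compromised web tier or an injected row could have set.
    paid = []
    for wid, amount, approver in db.execute(
            "SELECT id, amount, approver FROM withdrawals WHERE status = 'approved'"):
        if amount > HOT_WALLET_AUTO_LIMIT and approver is None:
            continue  # large withdrawal with no recorded human approval: hold it
        if amount > hot_balance:
            continue  # the hot wallet holds only a working float; the rest stays offline
        hot_balance -= amount
        paid.append(wid)
    return paid

def demo():
    db = make_db()
    # Constructed request whose amount field carries SQL that marks the row approved.
    request_withdrawal_vulnerable(db, "alice", "VRC", "8000000, 'approved') --")
    request_withdrawal_safe(db, "bob", "VRC", "250")
    rows = db.execute("SELECT amount, status FROM withdrawals").fetchall()
    return rows, hot_wallet_payouts(db, 50000.0)  # the injected row is held, bob is paid
```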

Customer funds were recovered in the end by rolling back the vericoin blockchain.

HOW COULD THIS HAVE BEEN PREVENTED?

In order to avoid such attacks, all assets should be held in offline storage under multi-signature control by trusted and trained individuals. Where this can't be done, as in the case of a hot wallet, it's suggested to cover the exposure with company funds, to self-insure, or to form an industry insurance fund.
