The CEO of cryptocurrency research and analytics firm Lunar Digital Assets believes there is something fishy going on at PIVX. Han Yoon claims to have been told directly contradictory versions of events from the project’s developers and was met with juvenile hostility for wanting to discuss a network vulnerability that was supposed to have been patched in January of this year.
The PIVX chain and more than 200 other proof-of-stake blockchains associated with it are currently vulnerable to attack from malicious actors. The weakness was first reported by developers associated with the BitGreen project.
The vulnerability allows attackers to receive a disproportionately large staking reward compared to the amount staked. BitGreen developer “XeZZ” stated:
“This makes no sense at all. [The wallet] only has 87 PIVX coins but minted 48 on that address alone. The average stakeweight on PIVX is 9K, 2.3 coins per stake.”
Fixed… for the Most Part
According to a report penned by Han Yoon of cryptocurrency research firm Lunar Digital Assets, the BitGreen developers subsequently found an article from January in which the attack is explained in full. The PIVX team were also well aware of the vulnerability at the time and claimed to have patched it.
Update: Core Development Team has published PR #803 containing a series of comprehensive fixes to address all the vulnerabilities outlined in the recent securities report for both PoS and zPoS that is unique to #PIVX https://t.co/xVLEEQCIFD #zerocoin #proofofstake #CryptoNews
— PIVX (@_pivx) January 26, 2019
BitGreen quickly took action to avoid further damage to their own network. Developers were able to dismantle large numbers of their masternodes. They also increased the staking threshold. This made it difficult for the hacker to continue to exploit the weakness. As a final solution, the BitGreen project plans to migrate on its next update from the still-vulnerable PIVX network to DASH, which ironically had its own hacking-related scenario some time ago.
PIVX Developers Are Not as They Seem
Although the story is newsworthy enough already, the tale got even more interesting when Yoon decided to contact the PIVX team for updates. Firstly, he reports not receiving direct communication from the developers themselves. Instead, a PIVX Discord community member called “bubiz” passed supposed messages between Yoon and the team.
Yoon claims to have been told that the developers were aware of the bug but had no plans to fix it until version 4.0 was released. When queried as to when to expect the update, he was given the vague date of “Q3 2019”. The team also stated that there were no ways to limit the damage caused by the exploit, something which the BitGreen team had already proved to be erroneous.
“For a bug as serious as this one, you would think that they would have issued a statement for all the PIVX forks in existence (there’s a lot). And the BitGreen team has proven them dead wrong in their statement.”
Yoon claims to have been later given email addresses for “fuzzbawls” and “furszy” at PIVX via private message. After establishing contact with the pair, he brought up an example of a PIVX wallet that appeared to be exploiting the bug. According to the researcher, communication ceased immediately following this. He adds that the address in question suspiciously stopped exploiting the bug “shortly after” this email correspondence.
Is This a Fix or a Cover-Up?
He writes that he visited the project’s Discord channel again after raising the issues initially. He discovered that the developers were busy “spewing lies that contradict what they had said through their ‘proxy man’ the other day.” Yoon has chat logs which show the team claiming to community members in the Discord room that the issue had been fixed.
Yoon was later banned from the group after being on the receiving end of some verbal abuse from the developers. The most telling of these messages are the following:
“… we work for PIVX, not for your crappy chain. We are working.. something that you seems to not know.”
“… nah, you are just stating crap and requesting stuff when you are nobody.”
Yoon concludes his report with a poignant question and speculation that all might not be what it seems at PIVX:
“Why was the BitGreen devs able to halt the attack in a few days, while PIVX has knowingly let this exploit go on for god knows how long?
“Something fishy is definitely going on in the fantasy world of PIVX. Lies, coverups, and silence is just scratching the surface.”
As of this writing, the PIVX team has yet to directly respond to Yoon’s emails and has not provided any comment regarding the situation.
Images are courtesy of Shutterstock and Twitter.