Verge founder Justin Valo has been sued for “violations of Securities Act, Computer Fraud and Abuse Act” relating to a hack in November 2017 that saw 117 million XVG tokens stolen from the now defunct CoinPouch web wallet. Valo is accused alongside the ‘crypto-currency general partnership’ and ‘John Doe’, an unnamed collection of other defendants. The allegation surrounds the way in which the wallet users’ private keys were stored and the fact that Valo and the members of the general partnership knew it was unsafe.
Private Keys Stored on Central Server
The CoinPouch hack started on November 9, 2017, when users began reporting that their XVG tokens had been removed from their wallets without their consent. Velo allegedly put this down to an integrity error on the server that held the XVG wallets, called the Verge Specific Node (VSN), and offered advice on making it more secure. However, days later it became clear that all 117 million XVG tokens, worth some $700,000 at the time, had been removed, at which point the server was shut down. The very existence of this VSN is at the heart of the complaint, as not only did the node contain the 117 million user tokens but also the private keys to those wallets, something that goes against cryptocurrency security best practice. CoinPouch was advertised as a service that kept private keys on devices, but the lawsuit states that Verge’s programming didn’t allow this, resulting in everything being held on a hosted server – the kind anyone can rent for pennies. A hacker gained access to this server and drained the wallets. Even more galling for victims was the fact that the XVG tokens surged in price over the following weeks, meaning that $700,000 was worth a staggering £32.5 million at its peak.
Lack of Contracts Extends Liability
Another issue for Verge, and anyone connected with it, is that the existence of a ‘general partnership’ could potentially implicate anyone associated with the project. A general partnership, short for ‘common law general partnership’, is a name given to a loose connection of people associated with a project and a common goal but where very little, if anything, is confirmed by contract. This means that, without strict liability being stated from the outset, anyone involved can be held accountable, and this seems to be the case with Verge – the lawsuit states that their blackpaper (their edgy name for a whitepaper) contained a list of persons engaged in the development and marketing of Verge tokens, and it is this list that the plaintiffs’ lawyers are working from. This case therefore has the potential to end very badly for Verge, and any person associated with it, regardless of their complicity. As Dorothy very nearly said, we’re not in 2017 anymore.
So next time someone says “WE WOULD LIKE TO ADD YOU TO OUR BLACK PAPER” I am not saying say no I am saying maybe ask “what am I getting and what could happen and wen corporate shield?”
— Palley (@stephendpalley) November 10, 2019