The bull market of 2017 and the subsequent gold rush in mining hardware have created a surplus of equipment, which has become unaffordable to run for many prospective speculators/investors/miners.
This has in turn led to some notable outcomes:
- large amounts of cheap hashpower
- the weakening of Proof of Work (PoW) networks and subsequent lower blockchain security
- the exploitation of these weaknesses using the cheap hashpower
51% attack intro
I mostly see 51% attacks and double-spending attacks as interchangeable terms, because they usually describe the same thing. In reality, a 51% attack is only a subset of possible double spend attacks. Despite this, I will continue to refer to double spend and 51% attack as interchangeable terms throughout the article. The most prominent attack is the Finney attack, which requires a significant share of the network’s hashrate, but less than 51%, to function properly.
These are the ways to attack a blockchain network by a double spend attempt:
- Send two conflicting transactions in rapid succession into the network. This is called a race attack.
- Pre-mine one transaction into a block and spend the same coins before releasing the block to invalidate that transaction. This is called a Finney attack. => This is how you attack an exchange.
- Own 51+% of the total computing power of the network to reverse any transaction you feel like, as well as have total control of which transactions appear in blocks. This is called a true 51% attack.
The largest chain that has experienced a double spend attack so far has been Ethereum Classic in January 2019. Much of the market was surprised that such a thing was even possible on what was presumed to be a large network.
A bit of number crunching at the time of writing the article (February 2019):
Ethereum (ETH) market capitalization is sitting at $12.7 billion. The network’s hashrate (nethash) is currently 145 TH/s (terahash per second).
Ethereum Classic (ETC) market capitalization is sitting at $400 million. The network’s hashrate is currently 8.5 TH/s.
ETH’s market cap is 32 times larger than ETC’s, while its hashrate is 17 times larger. That seems fine at a glance. The problem with this comparison is simple but deceiving — all that is necessary for a 51% attack on the ETC network is 5 TH/s of mining power pointed at it at the same time. This is only around 3.5% of the ETH network. It is easily imaginable that a single miner (or a mining company) has this much hashrate at their disposal.
This is a top 20 marketcap coin we’re talking about.
Attacking the ETC chain from an ETH miner’s perspective is fairly simple — you don’t even need to change any software on your miners’ systems since the algorithm is the same. All the work necessary is going to be changing the configuration (where you are pointing the miners), which is trivial, and automating the process of double spending (which is easy to reproduce once you have the process in hand).
The strength of the ETH network puts an enormous risk on every single GPU mineable project out there. A large GPU farm could, would and has diverted its hashpower to attack these smaller networks.
Finding network vulnerabilities and exploiting them is a viable business model.
51% attack mitigation attempts
DASH has implemented ChainLocks, so any fork of DASH that is keeping up to date with it as an upstream can have 51% attack protection.
The high level overview for DASH is a perpetual quorum of masternodes, which have to sign propagated blocks. The blocks will not be finalized until a majority of the masternodes agree upon the signed block. This solution especially limits race attacks and Finney attacks.
ChainLocks are only viable on networks with semi-trusted nodes. Running thousands of nodes in a pure PoW network is easy. It could therefore be Sybil attacked in conjunction with a double spend attack and the network is back in trouble. Thanks to the necessity of a masternode collateral to run the ChainLocks code, a Sybil attack is not an avenue for dominating the network.
This, however, limits the solution to cryptoassets with collateralized full nodes, meaning hybrid PoW/PoS/Masternode networks.
The code is open source and any chain that forked DASH and uses it as upstream should either have implemented this upgrade already, or work on implementing it. It should therefore be applicable to around 50% of masternode coins in existence (with the other 50% being mostly PIVX forks). Ignoring this update is a major red flag.
ZEN has included the Penalty System to protect against 51% attacks. The Horizen team has correctly identified that the source of most, if not all, successful double spends has been the Finney attack. Their solution penalizes the acceptance of blocks proportionally to the time they were hidden from the network.
The formula for necessary hidden blocks to be mined is
Confirmed blocks + [ Confirmed blocks * ( Confirmed blocks + 1) /2 ] = Minimum of hidden blocks for a Finney attack.
With 20 confirmations, the necessary hidden pre-mine comes up to 230 blocks, which is a significant amount of work.
Some exchanges, however, let one operate with the funds after fewer confirmations. With 5 confirmations necessary, only 20 blocks need to be pre-mined.
In the end, it depends on the speed of the underlying blockchain. Waiting for 60 ETH confirmations is acceptable due to 10 second blocks. Waiting for 60 BTC confirmations is living hell.
This is a mitigation specifically aimed at Finney attacks, which has to be enforced by multiple mandatory confirmations — it is therefore only a partial solution, which slows down payment confirmations for the sake of security.
It also does not address race attacks and actual 51% attacks.
We believe it is an ingenious mitigation. However, it should be used as a complementary boost to other options, not as the main deterrent, unless the chain is fine with high numbers of mandatory confirmations everywhere.
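The penalty formula above can be reproduced by replaying a late fork block by block. The sketch below is an added example, not Horizen's code: the per-block penalty rule and the function names are assumptions chosen to match the article's formula, and the 150-second block time is a sample value. It also inverts the formula so an exchange can pick a confirmation depth for a target pre-mine cost.

```python
# Toy model of a delayed-block penalty. The rule below is an assumption chosen
# to reproduce the article's formula; it is not taken from Horizen's code.

def closed_form(confirmations: int) -> int:
    """Article's formula: C + C * (C + 1) / 2."""
    return confirmations + confirmations * (confirmations + 1) // 2

def hidden_blocks_needed(confirmations: int) -> int:
    """Replay a hidden fork's release block by block and count its length.

    Assumed rule: a fork block released while the honest chain already has
    `d` blocks at or above its height adds `d` to the fork's penalty; every
    fork block above the honest tip pays one unit back. Nodes switch only
    when the fork is longer than the honest chain and the penalty is zero.
    The honest chain is held still, so the result is a lower bound.
    """
    if confirmations < 1:
        raise ValueError("need at least one confirmation")
    honest_tip = confirmations   # honest blocks built on top of the fork point
    penalty = 0
    height = 0                   # fork blocks delivered so far
    while True:
        height += 1
        if height <= honest_tip:
            penalty += honest_tip - height + 1   # late block: add its delay
        else:
            penalty -= 1                         # timely block: pay one back
        if height > honest_tip and penalty == 0:
            return height

def min_confirmations(required_hidden_blocks: int) -> int:
    """Smallest confirmation depth that forces at least this much pre-mining."""
    depth = 1
    while closed_form(depth) < required_hidden_blocks:
        depth += 1
    return depth

def deposit_policy(required_hidden_blocks: int, block_time_s: float) -> tuple:
    """Return (confirmations, expected wait in seconds) for a deposit rule."""
    depth = min_confirmations(required_hidden_blocks)
    return depth, depth * block_time_s

if __name__ == "__main__":
    for c in (5, 20, 60):
        print(c, hidden_blocks_needed(c), closed_form(c))
    print(deposit_policy(1000, 150.0))  # 150 s block time is a sample value
```

The wait time grows linearly with the confirmation depth while the forced pre-mine grows quadratically, which is the trade-off the section describes.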
51% attack protection-as-a-service
Since the cryptoasset scene is one of the most capitalist systems out there, a market has emerged based on protecting one’s coin from 51% attacks.
The most prominent player right now is Komodo with their Delayed Proof of Work (DPoW).
The system is an atypical Delegated Proof of Stake implementation with 64 notary nodes. The nodes do not need to hold any KMD; however, they are voted into “notarizing” once a year by KMD holders. The node owners are rewarded by block rewards from KMD inflation.
The nodes write the newest block headers from KMD into the Bitcoin blockchain. This way, KMD always has a fallback to the state of its chain in case of an attack, inside the BTC blockchain.
Delegated Proof of Stake is a system which brings a fair amount of politics and centralization into the blockchain governance. It is fairly controversial due to holder concentration and the implications on the policies voted into existence. This is especially concerning considering the start of KMD as a Bitcoin Dark (BTCD) ICO, which was afterwards exit pumped.
Any coin that wishes to be protected by KMD’s DPoW has to request this from the KMD team. It is a permissioned product. The implementation fee is paid to the KMD developers. This is a centralized process. Neither the users of the KMD blockchain nor the notary nodes have a say in which coins are protected by DPoW.
The coins that are protected by DPoW save their block headers using the OP_RETURN command onto the KMD blockchain, similar to the Veriblock solution.
To successfully attack a blockchain protected by DPoW, the attacker would have to revert blocks on the Bitcoin blockchain on top of the attacked altcoin chain, which is infeasible. The solution in theory prevents all types of 51% attacks that have been explored so far.
DPoW is therefore currently the best available product for projects with minor hashpower or chain security fears. The main concerns come with the underlying asset’s history (KMD) and the permissioned implementation.
Recently transferred into mainnet, Veriblock (VBK) is a VC/angel backed project with significant connections in the industry. It launched in summer 2018 with a whitepaper called Proof-of-Proof: A Decentralized, Trustless, Transparent, and Scalable Means of Inheriting Proof-of-Work Security.
The core of the Proof of Proof (PoP) solution works very similarly to Komodo’s DPoW, except in a permissionless fashion.
Veriblock itself is a Proof of Work chain. Each VBK PoW block gets notarized (PoP-ed) into the Bitcoin blockchain. There are two types of miners — typical hardware miners with GPUs/ASICs and PoPpers, who receive the second half of the block reward for successfully writing the VBK block proofs into the Bitcoin blockchain using the OP_RETURN command.
Veriblock nodecore code is closed source. The community is waiting for the team to release the open source code. PoP is a permissionless solution. The users vie for the PoP block rewards in a similar fashion to PoW mining. Any coin can implement the VBK PoP mechanism and incentivise its users to protect the chain using Veriblock’s blockspace.
PoP mining is very popular. It currently amounts to around 10–40% of all Bitcoin transactions, with current statistics visible on the Veriblock explorer. The activity is higher on weekends when Bitcoin itself has lower general activity.
Veriblock’s impact on the Bitcoin blockchain was noticed already in 2018:
The source for the above infographics is the website https://opreturn.org
The PoP mechanism in the Bitcoin blockchain is interesting, because it creates an inherent price floor for Bitcoin transactions. As long as it is viable to PoP new Veriblock coins, users will keep paying for BTC transactions to do so — if the VBK price rises significantly, there will also be upwards pressure from PoP miners, who will be able to pay higher fees to sustain their business of protecting the VBK chain.
On the other hand, if the Bitcoin fees rise due to higher amounts of transactions, the users “spamming” cheap VBK PoP transactions will be pushed out, resulting in less pressure on the Bitcoin blockchain.
This creates an oscillating relationship between Bitcoin price, Bitcoin TX fees and Veriblock price. Veriblock further pushes Bitcoin block space into a commodity market.
Similar to Komodo, an attacker would have to successfully revert blocks both in Bitcoin and in Veriblock to attack any chain protected by Proof of Proof. This prevents all known forms of 51% attacks.
The possibility of implementing PoP into other chains is questionable as of now since the code is closed source. If resolved, Veriblock will become the best all-round solution against 51% attacks on the market through its model, which not only protects chains against attacks, but also rewards users for doing so in a decentralized fashion with proper market incentives.
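What DPoW and PoP both buy a small chain is a checkpoint that a longer fork cannot rewrite. The following added example is not code from Komodo or Veriblock: the 39-byte record layout, the `NTZ` tag, the function names and the use of chain length as a stand-in for accumulated work are all assumptions. It shows a node's fork choice with and without a notarized block read back from the anchor chain.

```python
import hashlib
import struct
from typing import NamedTuple, Optional

class Block(NamedTuple):
    height: int
    prev_hash: str
    miner: str

    def block_hash(self) -> str:
        data = f"{self.height}|{self.prev_hash}|{self.miner}".encode()
        return hashlib.sha256(data).hexdigest()

def extend(chain: list, count: int, miner: str) -> list:
    """Return a copy of `chain` with `count` new blocks mined on top."""
    out = list(chain)
    for _ in range(count):
        prev = out[-1].block_hash() if out else "0" * 64
        out.append(Block(len(out), prev, miner))
    return out

def notarization_payload(block: Block) -> bytes:
    """Constructed record for the anchor chain: tag, height, block hash."""
    return b"NTZ" + struct.pack(">I", block.height) + bytes.fromhex(block.block_hash())

def parse_payload(payload: bytes) -> tuple:
    if len(payload) != 39 or payload[:3] != b"NTZ":
        raise ValueError("not a notarization record")
    return struct.unpack(">I", payload[3:7])[0], payload[7:].hex()

def choose_chain(current: list, candidate: list, payload: Optional[bytes]) -> list:
    """Longest chain wins, unless the candidate drops the notarized block."""
    if payload is not None:
        height, notarized_hash = parse_payload(payload)
        if len(candidate) <= height or candidate[height].block_hash() != notarized_hash:
            return current      # reorg would cross the checkpoint: refuse it
    return candidate if len(candidate) > len(current) else current

# Constructed scenario: 10 honest blocks, block 7 notarized, two longer forks.
honest = extend([], 10, "honest")                  # heights 0..9
checkpoint = notarization_payload(honest[7])
deep_fork = extend(honest[:5], 8, "attacker")      # rewrites heights 5..12
shallow_fork = extend(honest[:9], 3, "attacker")   # rewrites height 9 onward
```

The shallow fork is still accepted: only blocks at or below the latest notarized height are protected, so deposits should wait for the block holding them to be notarized.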
PIRL shares the under-the-radar status with Veriblock, but takes a different spin on things. They took inspiration from the Horizen Penalty system and wrote their own open source implementation called PIRLGUARD for ethash systems (Horizen is running on equihash, as a ZCash fork).
PIRL offers help with including the code into other coins as a product. They also offer further on-chain security through the usage of their masternode system as watchdogs.
Musicoin’s implementation of PIRLGUARD successfully stopped a 51% attack in February 2019. This is the first time such a product has successfully stopped an attack that we know of.
Another notable coin that has included PIRLGUARD recently is Ethergem (EGEM).
Callisto (CLO) was planning to implement PIRLGUARD by Q4 2019. That has been sped up significantly after it suffered from 51% attacks in February 2019.
The foreseen limitation for PIRLGUARD is that it has been purely an ethash implementation so far and is untested on other algorithms.
It does not address race attacks or 51% attacks. A part of the solution, same as with ZEN’s Penalty system, is the slowdown in confirmations.
Further thoughts and talking points
- None of these protection mechanisms block each other, although implementing both DPoW and PoP is redundant, as both rely on Bitcoin’s network security. It’s therefore possible to be protected both by PIRLGUARD and VBK Proof of Proof for example, making 51% attacks almost completely impossible even against small chains.
- There is no reason not to implement DPoW or PoP on a Proof of Stake network. It should in theory limit one of the largest dangers inherent to the consensus algorithm — a deep reorganization of blocks after a large, prolonged chain split. A Proof of Work network can fall back to the chain with the largest amount of work done, even after a catastrophic 10000 block reorganization. A PoS split this deep has no proper tested fallback mechanism. Implementing PoP/DPoW in such a fashion that the Bitcoin chain would only accept blocks from one of the shards could prevent this theoretical disaster.
- Forking DPoW and PoP after it becomes open source and pointing them towards a different strong PoW chain, such as Ethereum, Litecoin or DASH (itself protected against 51% attacks) could prove to be an interesting alternative, which would protect smaller networks even in the unlikely scenario of Bitcoin’s blockchain coming under attack.
All current 51% attack solutions are either partial, inadequate or limited. DASH’s solution is limited to masternode chains. Horizen limits confirmations, slowing down transaction processing. Komodo’s solution is centralized and depends on the whim of the developers. Veriblock is not ready and has not been battle tested yet. PIRL is an underdog, which has shown first real results. It hasn’t been tested on algorithms other than ethash, however.
Overall, we are headed in the right direction. The ecosystem is gearing towards interconnected chain protection and any developers who care about the security of their networks should already be coordinating with the above mentioned projects.