Anatomy of a 51% double-spend attack

Michal Táborský
May 28, 2018 · 6 min read

Maybe you’ve heard about the recent attack on Bitcoin Gold exchanges, where the attackers stole some BTG using a form of double-spend attack.

Now, you might start to wonder: How is that possible? The genius of blockchain is in preventing exactly this type of attack. But this crucial property holds only under certain network conditions. Let’s explore how such an attack is possible and what you can do to protect against it.

What is double-spend?

There are two ways to cope with the double-spend problem: centralized and decentralized. In the centralized one, everyone has to register with a trusted third party, and this party keeps the central registry of the assets and makes sure double-spend does not happen. An example of such a system is a central shares depository, which keeps the registry of everyone owning company shares. If I want to sell one Apple share to Bob, the registry first verifies that I have at least one share and then decreases my share count and increases Bob’s share count in an atomic transaction. I cannot sell the same share to anyone else.

But what about a decentralized system, such as Bitcoin? This is where the blockchain comes in. There are three essential elements at play here.

  1. Everyone sees every transaction and everyone can verify that the transaction is cryptographically valid.
  2. The order of transactions is determined by an ever-growing linked chain of blocks, meaning the transaction in block 1 is guaranteed to have happened before the transaction in block 2. And this chain cannot be tampered with once there is another block on top of it. Essentially, you cannot replace any transaction in any block without replacing all the blocks that come after it.
  3. Replacing a block is very expensive, because a valid block can only be generated by investing a large amount of work (energy) into mining it.

This concept was revolutionary when published in Nakamoto’s original paper and was the first valid solution to the double-spend problem in a trustless decentralized system.

Why “51%”?

Mounting the attack

The main prerequisite is that the malicious miner must consistently control over 50% of the hashing power on the given chain. The higher the share, the better the odds of success. In theory, 51% should be enough, if it can be maintained for a long enough period of time.

At a certain point, let’s say block 500000, the miner starts mining blocks in private using his majority hashing power. He does not publish these blocks to the main network. The blocks can be empty; it does not really matter.

In the meantime, the miner places a significant deposit on a liquid exchange, let’s say 100 BTG from his address A, using the main network, in block 500001. The exchange will usually wait for several confirmations (in other words, blocks mined after the block where the transaction was included). Let’s assume they wait for 10 confirmations, which is more or less standard for altcoins. We are at block height 500011 on the main network at this point.

The deposit is confirmed and the miner now exchanges the BTG for BTC (or any other currency, really) and makes an immediate withdrawal on the Bitcoin network. Let’s assume we are at block height 500012. Now comes the time to spring the trap.

Because the miner controls the majority of the hashpower, his private chain, which he’s been mining in secret, is longer than the main network’s chain at height 500012. As I said, the blocks can be empty, but there is one transaction that the miner includes for sure, and it’s the transaction which transfers the 100 BTG from address A to another address controlled by the miner. This is the double-spend transaction, because the coins in address A have already been spent when sending the funds to the exchange.

The miner now submits all the blocks from his privately mined chain to the network, and because it’s longer than the chain on the main network (it could be at block height 500014, for example), it’s automatically accepted by the other nodes as the one true chain. All the transactions in blocks 500001 to 500012 are invalidated and returned to the mempool. That includes the transaction transferring the money from address A to the exchange. But because there is already a transaction from A to another address in the new valid chain, this one is marked as a double-spend and discarded.

The exchange does not have the 100 BTG, because that transaction was rolled back, and is also robbed of the exchanged Bitcoin, because it was withdrawn before the attack was made public. Boom!
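A toy simulation of the reorg just described, added here as an example (it is not code from the article). It assumes a minimal UTXO ledger with string outpoints and equal difficulty per block, so the longer valid chain carries more work; the heights and the 100 BTG deposit follow the story above.

```python
"""Toy simulation of a majority-hashrate reorg invalidating a confirmed deposit (constructed example)."""

class Tx:
    def __init__(self, txid, spends, creates):
        self.txid, self.spends, self.creates = txid, tuple(spends), tuple(creates)

def replay(chain, genesis_utxos):
    """Validate a chain of (height, [Tx]) from scratch. Returns (utxo_set, {txid: height}).
    A tx spending an outpoint that is already consumed is a double-spend and makes the chain invalid."""
    utxos, applied = set(genesis_utxos), {}
    for height, txs in chain:
        for tx in txs:
            if any(op not in utxos for op in tx.spends):
                raise ValueError(f"{tx.txid} in block {height} spends an already-spent outpoint")
            utxos.difference_update(tx.spends)
            utxos.update(tx.creates)
            applied[tx.txid] = height
    return utxos, applied

def confirmations(applied, txid, tip_height):
    """Blocks mined after the one containing txid (the article's definition); -1 if not in the chain."""
    return tip_height - applied[txid] if txid in applied else -1

def _replays(chain, genesis_utxos):
    try:
        replay(chain, genesis_utxos)
    except ValueError:
        return False
    return True

def best_chain(candidates, genesis_utxos):
    """Toy fork choice: among chains that replay cleanly, pick the one with the most blocks (most work)."""
    return max((c for c in candidates if _replays(c, genesis_utxos)), key=len)

GENESIS = {"coinbase->A"}
DEPOSIT = Tx("deposit", ["coinbase->A"], ["A->exchange:100BTG"])   # in public block 500001
SWEEP = Tx("sweep", ["coinbase->A"], ["A->attacker:100BTG"])       # same input, in private block 500001

def run():
    public = [(h, [DEPOSIT] if h == 500001 else []) for h in range(500001, 500013)]   # tip 500012
    private = [(h, [SWEEP] if h == 500001 else []) for h in range(500001, 500015)]    # tip 500014
    _, applied = replay(public, GENESIS)
    conf_before = confirmations(applied, "deposit", 500012)          # 11 confirmations: exchange credits it
    best = best_chain([public, private], GENESIS)                     # the private chain is longer and wins
    utxos, applied = replay(best, GENESIS)
    mempool = [tx for _, txs in public for tx in txs if tx.txid not in applied]        # orphaned txs
    still_valid = [tx.txid for tx in mempool if all(op in utxos for op in tx.spends)]  # deposit conflicts
    return conf_before, best[-1][0], "A->exchange:100BTG" in utxos, [tx.txid for tx in mempool], still_valid
```

`run()` shows the deposit with 11 confirmations before the reorg, the tip jumping to 500014, the exchange's output gone from the UTXO set, and the deposit sitting in the mempool but no longer spendable because its input was consumed by the sweep.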

Prevention

The exchanges can increase the number of confirmations they require before considering the deposit as valid. This also increases the waiting time for legitimate users, of course.

Another often-used protection is delaying withdrawals. If the exchange had withheld the Bitcoin after it was exchanged, it could have denied the withdrawal and the miner would have come up empty. But again, this inconveniences legitimate users.

The exchange can also monitor for sudden drops in network hashrate. Such a drop is caused by the miner starting to mine his private chain with more than half of the hashpower. This detection is not effective in cases where the miner was mining another coin before and starts mining the private chain immediately after switching coins.
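One way an exchange could implement the hashrate-drop check, as an added example that is not from the article: estimate the hashrate from block header timestamps and difficulty over a sliding window and alert when it falls well below the preceding baseline. The header feed and the 600-second block target are assumptions; the sample headers are constructed.

```python
"""Added example: flag a sudden hashrate drop from block headers (height, unix_timestamp, difficulty)."""

def est_hashrate(headers):
    """Average hashrate over a run of headers. Expected hashes per block = difficulty * 2**32
    (Bitcoin-style convention); the first header only marks the start of the measured interval."""
    if len(headers) < 2:
        raise ValueError("need at least two headers to measure an interval")
    elapsed = headers[-1][1] - headers[0][1]
    if elapsed <= 0:
        raise ValueError("non-increasing timestamps")
    work = sum(diff * 2**32 for _, _, diff in headers[1:])   # work done to mine the later blocks
    return work / elapsed

def hashrate_alerts(headers, baseline=12, window=6, threshold=0.6):
    """Heights at which the last `window` headers show less than `threshold` of the hashrate
    measured over the `baseline` headers immediately before them."""
    alerts = []
    for i in range(baseline + window, len(headers) + 1):
        base = est_hashrate(headers[i - baseline - window : i - window])
        recent = est_hashrate(headers[i - window : i])
        if recent < threshold * base:
            alerts.append(headers[i - 1][0])
    return alerts

def constructed_headers(n=24, drop_after=12):
    """Constructed feed: 600 s blocks at the coin's target, then 1500 s blocks once 60% of the
    hashrate goes private. Difficulty is held constant here; a real feed carries the per-header
    difficulty, so retargeting is already accounted for in the work term."""
    headers, t = [(1, 0, 1.0)], 0
    for h in range(2, n + 1):
        t += 600 if h <= drop_after else 1500
        headers.append((h, t, 1.0))
    return headers
```

Block intervals are noisy in practice, so the windows must be large enough (and the threshold low enough) to keep the false-positive rate acceptable, and as the text notes the check sees nothing when the attacker's hashpower was never on this chain to begin with.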

Is Bitcoin safe?

The same thing can happen to any altcoin which uses the same proof-of-work algorithm as Bitcoin. If you own a decent Bitcoin mining operation, controlling 1% of the Bitcoin hashrate, you can completely take over such an altcoin. Of course, you forgo the Bitcoin mining reward during the time you use your mining equipment for playing god on altcoin networks.

This is most probably what happened here. If a big player starts accumulating hashing power on a large network such as Bitcoin or Zcash, people notice. A similar situation happened in Bitcoin a few years back, and it was resolved fairly quickly, because even the miners realized that if someone held over 51% it would destabilize the whole ecosystem and their significant investment in mining rigs would be devalued.

This is also why Bitcoin is the safest cryptocurrency by a huge margin: it is simply much more difficult to influence, one way or the other. If you are dealing with altcoins, always check whether the same PoW algorithm is used on some much larger network and adjust your confirmation requirements accordingly.

Coinmonks

Coinmonks is a non-profit Crypto educational publication.


Written by Michal Táborský, https://taborsky.cz & https://tallship.cz
