Different kinds of 51% attacks

Recently, I made a blog post explaining that 51% attacks are not a network failure. While I still believe this, I think it is important to mention that there are different kinds of 51% attacks. They all do the same thing but are fundamentally different for the network participants.

Proof of Work

Proof of Work is what brings security to the network. The main idea is that a huge amount of energy is being spent for the network and we give a proof such energy was spent to network participants that can independently verify that it was indeed spent. Depending on the average energy spent (hash rate) for the network, the network participants decide how many blocks they will wait to be convinced the transaction was secured with enough energy — e.g. if a participant decides to wait K blocks and the average energy spent in these K blocks is X , then he trusts that the transaction will stay on the chain with K * X energy. After K confirmations the participant is convinced that the probability a malicious actor produced K * X amount of energy to fool the network participants is very low and concludes the transaction is set in stone.

I like to think of an energy ball that makes sure we don’t have to trust each other. The energy balls can be of different colors (networks use different hash functions) and an energy ball can only compete with another energy ball if they are of the same color. The bigger the energy ball, the more secure the network is. The idea is brilliant and works well.

External energy attack

An obvious case how a 51% attack can be done is if a malicious actor buys a lot of hardware devices and starts secretly mining. An easier way to do the same thing is to just rent the hash from services like NiceHash. In both scenarios we have an energy ball of size E that is protecting the network and the external attacker needs to produce a new energy ball bigger than E for K blocks.

51% attack where a new energy ball appears that is bigger than the mainnet energy ball

It’s relatively easy to protect yourself as a participant of the network against these cases. Just wait enough confirmations. It’s important to note that the networks that are more in danger of such attacks are those where energy renting services provide more than 51% of the total network energy. Another unfortunate scenario is if another networks energy ball shares the same color (the same hash function) and that networks energy ball is bigger. To protect against an attack from another energy ball we know exists, alert systems could be set up that check whether these energy balls get smaller — the energy that went away could be used to attack other networks.

Internal energy attack

The energy ball that is protecting our network could split in two smaller energy balls that would compete with each other. An example of such an attack would be if we have a network where 65% of the energy ball comes only from 4 different sources (e.g. mining pools). If network’s internal energy is used to attack it, then we have a completely different scenario from the participant perspective.

51% attack by using most of internal energy from the mainnet energy ball

The energy attack in the picture above looks the same as the external energy attack, but what is different is that the number of confirmations the network participant needs to wait to be convinced the transaction is secured can no longer be derived from the size of the energy ball — the probability of the transaction being set in stone is no longer a function of the security provided by the energy ball, but merely a function of time. To illustrate this more clearly, let’s imagine a network secured by an energy ball so big, that it amounts to 90% of the total energy spent on the planet. It’s impossible to perform an external attack in such case, but the internal energy attack is no different than if the energy ball had 0.0001% of the total energy. This is because this kind of attack is using a percentage of existing energy and can thus scale indefinitely. In this case, a network participant can only rely on time passed. The size of the energy ball does not provide any security against this type of attack. This is why I think the two scenarios are a different kind of 51% attack. Internal energy attacks might be easier to spot on networks that have shorter block times, because we could see the distribution of pools in shorter span of time and act accordingly if some pools stopped mining.

Internal + External energy attack

A hybrid of the two attacks mentioned above is also possible. The attacker uses less than 51% of internal energy ball (e.g. 40%) and that energy is merged with a new energy ball (20%) that did not exist before. In this case, the size of the fair network energy ball provides security only for the new (external) energy ball created. This makes it a ‘less worse’ attack than the pure Internal energy attack.

Distribution of energy in Bitcoin

I’m not sure if these attacks are possible on the Bitcoin network. There could be some constraints implemented that make the internal attack almost impossible. It may even be that it ends up not being profitable or too expensive for the mining pools in case they need to pay the miners very frequently and don’t have money to back up for the time attacking the network.

At the time of writing, the Bitcoin energy ball looks like this

The current energy distribution of Bitcoin’s energy ball

Having ~10 sources accounting for vast majority of the energy seems suboptimal and increases the risk of internal energy attacks. Even if these 10 sources are controlled by good people, their systems could be hacked or they could be using the same software and that software could be exploited. In the end, I still think Bitcoin is the most secure network for transfering value with minimal trust needed, but it does look like there is room for improvement.

Summary

From the perspective of a network participant, there is one kind of a 51% attack where the participant can’t use the size of the energy ball to protect himself, which is the case of a full internal energy attack. This is because the size of the energy ball is irrelevant in internal energy attack. For this attack, the participant can only rely on the time that passed since the transaction was included in a block. It’s important to note that the networks with fast block times have an advantage in this scenario because they get more information on missing pools in a shorter amount of time. In case this attack is possible to pull off in practice, I believe this is something that should get some attention and research should be done to see if it’s possible to distribute the energy in a better way.