Bootstrapping Proof of Work

Proof of work has proved to be a sound consensus mechanism on which to build a cryptocurrency. It’s been battle-tested by the likes of Bitcoin and Ethereum and has withstood the test of time. Indeed this is a major reason we chose to use proof of work for Marconi’s global chain.

But of course, even the mighty proof of work has its flaws. Chief among them is the 51% attack, which if pulled off successfully, allows the attacker to undo transactions and commit double spends. Let’s take a moment to understand in detail how exactly such an attack works and why it’s so devastating.

Under normal operation, when a node in a proof-of-work network is presented with multiple different chains, the node follows a simple rule to pick the correct chain: it chooses the one with the most proof of work, or in other words the longest chain. This rule rests on the assumption that the majority of hash power is controlled by honest nodes which will continue working together to extend the correct chain, thus outpacing all other chains. This behavior is what a 51% attack exploits. By briefly controlling a larger amount of hash power than the rest of the network, an attacker can create a longest chain which includes only the transactions they prefer, then trick the rest of the network into switching to this chain.

As a concrete example, an attacker might use a cryptocurrency exchange to convert some altcoin they own into a coin such as Monero. Immediately after depositing the altcoins into the exchange, the attacker uses rented hash power to mine several blocks on a secret fork of the altcoin’s chain. Their fork excludes the transaction that sent funds from the attacker’s address to the exchange’s address, and instead includes a transaction which sent those same funds to a different address owned by the attacker. Once the conversion to and withdrawal of Monero has settled, the attacker broadcasts their revised history to the rest of the altcoin’s network. Because these blocks result in a longer chain, other nodes accept them as truth, completing the attacker’s double spend and leaving the exchange to foot the bill.

In the case of very popular coins like Bitcoin and Ethereum, a 51% attack is of no real concern, as an attacker would need to possess an extraordinarily large amount of capital in order to generate a viable hash rate. However in the case of newer coins with less established mining networks, the cost of an attack can be surprisingly low, resulting in real-world malicious behavior such as the recent attack on ZenCash and attack on Bitcoin Gold. Therefore bootstrapping a new minable coin can be difficult.

We’ve been thinking about this problem a lot as we’ve been preparing to launch Marconi’s proof-of-work chain, and we’ve come up with a solution that we think will work for everyone — users, miners, mining pools, and exchanges — while addressing the very real risk of 51% attacks. You can look forward to reading the details in our next post.