Ethereum Classic’s 51 Percent Attack Highlights the Challenges of Proof-of-Work Coins
On Jan. 5th, Ethereum Classic (ETC) suffered a 51% attack, losing a total of more than US$1 million spread over 15 different transactions. The scale of this attack offers some lessons about the challenges faced by blockchains secured by Proof of Work (PoW).
This is not the first majority attack that has occurred. In 2018, there was a string of 51 percent attacks on Equihash-based coins, Zencash (now called Horizen), and Bitcoin Gold, as well as attacks that stemmed from difficulty adjustment bugs on Monacoin and Verge.
To date, the details of how the ETC attack happened aren’t clear. Some claim the attackers rented hash rate. Others claim that it was testing of an unreleased ASIC, or a Border Gateway Protocol (BGP) attack that rerouted hashing power to a private pool.
We can learn from this event by looking into PoW’s security, evaluating whether ASICs help in providing security, and evaluating other proposals that add further security to PoW coins.
PoW Is Still Our Best Option
Whatever the cause, the attack highlights the challenges facing PoW coins, especially those that are not the dominant coin for a particular mining algorithm. One of the economic assumptions of PoW, especially for coins secured by ASICs, is that miners would not be incentivized to destroy their source of income and thus render their own investment worthless. However, this doesn’t apply if they can redeploy those assets to mining other coins after the attack.
The reason behind this vulnerability has to do with hash rates. While it would normally be too difficult to convince individual miners to combine their hashing power, today, there are sites like Nicehash, which offer an on-demand service to pool and rent hashing power from several computers instantly.
This means coins that are not dominant in their mining algorithm are more vulnerable to 51 percent attacks. For example, Ethereum Classic’s hashrate is 22 times lower than Ethereum, so orchestrating an attack only requires a fraction of Ethereum’s hashrate.
This has often been seen as a reason to move towards systems such as Proof of Stake (PoS) where no mining is required. PoS systems are passive and require no additional work beyond just owning the coins, meaning the rich get richer with almost no effort.
This, however, ignores other properties of PoW which still make it one of the best systems for a decentralized currency. PoW remains the preferable way to distribute coins since it rewards actual work that involves real-world costs (e.g. electricity). It also requires a constant and ongoing effort to continue earning coins. There is a separation of those who provide the security and those who own the coins.
For a currency where a continuation of wide distribution is important, PoW is hard to beat. PoW algorithms like MTP (Merkle Tree Proofs) as developed by Zcoin or ProgPoW have begun to tackle this problem by reducing the gap between specialized and commodity hardware. This enables more egalitarian mining since miners, whether large scale or hobby, will be using the same hardware to mine.
ASIC or CPU/GPU Mining: Which Provides More Security?
Without an algorithm that neutralizes the mining advantages that ASICs have, PoW coins can be compromised when transitioning from CPU and GPU mining. This is especially true if ASICs are being developed, are mining in secret, or are just coming onto the network.
Due to the poor distribution of these ASICs, a handful of people can control a significant proportion of the network hash rate making it much easier to obtain 51 percent. While not widely publicized, we have already seen this take place with Monero, when ASICs began mining the coins before the hardware was publicly available.
Zencash and Bitcoin Gold’s 51 percent attacks also coincided with the arrival of Equihash ASICs. Both these coins were not the dominant coins in the algorithm, making it worthwhile for attackers since miners could always switch back to mining the dominant Equihash coin, Zcash.
Even in instances where ASICs are already being used to secure the network, the economics of attacking an ASIC-backed coin versus one that is backed by commodity hardware differs drastically.
In the case of ASIC-backed coins, a single mining farm can be all it takes to attack smaller coins and is indeed a likely scenario if the mining collective supports the dominant coin.
With ASICs, there is also the risk of hardware mono-culture or backdoors. If everyone uses the same type of miners, they are at greater risk if a vulnerability is found. Incidents like Antbleed and the hAnt virus hint at how buggy or malicious firmware can affect large swathes of ASICs, even if they are distributed across different mining farms or mining pools.
On the other hand, while coins backed by CPUs and GPUs are vulnerable to rented hash rates, the opposite is possible, where a hash rate can be rented back to reverse the attack. We have seen this with Graft, a project that uses the same hashing algorithm as Monero.
Improving PoW to ensure it stays egalitarian, stable, and secure prevents shocks like these, as the same commodity hardware can be used both for attacking as well as defending the network.
Strategies to Secure PoW
There are two main strategies that are being developed to further secure algorithms for coins. These involve either adding secondary validation layers or penalizing delayed block submissions to increase the cost of an attack.
One recently proposed solution by Dash involves LLMQ-based chain locks, which use masternodes to form quorums to vote and measure which block was “first seen.” When enough masternodes agree (>60) that a particular block was first seen, all other blocks of that height will be rejected. Therefore, no reorganization can take place below that block. This also nullifies 25 percent selfish mining attacks, since blocks that are mined but not broadcast will not be “first seen.”
Another benefit is that it makes a 51 percent attack less likely because both masternodes and miners would need to collude for this to take place. Decred, although using a hybrid PoW and PoS system, would require both miners and ticket-holders to collude to compromise its blockchain.
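The "first seen" locking rule described above can be sketched as a fork-choice check. This is an added example, not Dash's implementation: the `Node` class, `QUORUM_SIZE`, `LOCK_THRESHOLD` and the sample chains are assumptions constructed for illustration, and chain length stands in for accumulated work.

```python
from collections import Counter

# Assumed quorum parameters for this sketch (not Dash's real values).
QUORUM_SIZE = 10
LOCK_THRESHOLD = 0.6  # fraction of quorum members that must agree


class Node:
    def __init__(self):
        self.locks = {}  # height -> block hash locked by the quorum

    def record_votes(self, height, first_seen_votes):
        """first_seen_votes: the block each quorum member saw first."""
        block_hash, count = Counter(first_seen_votes).most_common(1)[0]
        if count / len(first_seen_votes) > LOCK_THRESHOLD:
            self.locks.setdefault(height, block_hash)  # a lock is final
        return self.locks.get(height)

    def violates_lock(self, chain):
        """chain: list of block hashes, list index = block height."""
        return any(h < len(chain) and chain[h] != locked
                   for h, locked in self.locks.items())

    def choose(self, current, candidate):
        """Longest chain wins, unless it rewrites a locked block."""
        if self.violates_lock(candidate):
            return current
        return candidate if len(candidate) > len(current) else current


# Constructed sample: a public chain and a longer, privately mined fork.
HONEST = ["g", "a1", "a2", "a3"]
PRIVATE_FORK = ["g", "a1", "x2", "x3", "x4", "x5"]

if __name__ == "__main__":
    plain, locking = Node(), Node()
    locking.record_votes(2, ["a2"] * 7 + ["x2"] * (QUORUM_SIZE - 7))
    print("no locks  :", plain.choose(HONEST, PRIVATE_FORK))
    print("with locks:", locking.choose(HONEST, PRIVATE_FORK))
```
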
The second strategy involves punishing delayed block submission. This strategy has been implemented by Horizen and works by imposing a delay penalty on forks that are being privately mined and then connected to the main chain. Before a forked chain can be permanently cemented, an attacker would need to continue mining on the new chain after their attack has taken place, thus increasing the cost of implementing a continued attack. The downside of this proposal is that it increases the time before forks can merge and may result in more forks.
Jonathan Toomim, a Bitcoin Cash developer, has also proposed a similar strategy where chains are given weightings which are penalized for keeping a chain hidden. This means the penalty increases the longer the chain is kept hidden. Therefore, it is no longer just the chain with the most accumulated PoW that dominates, but also factors in which chains are submitted in a timely manner.
Ultimately, these proposals greatly increase the overall cost of attack. Although Bitcoin proponents note that an attack of this sort is much harder to pull off on a coin like bitcoin, it is not impossible. A notable critic of the weakness of unmodified PoW is Professor Emin Gun Sirer, who believes that even Bitcoin can be attacked by a few large players and the only reason it hasn’t happened is that Bitcoin is simply not big enough to matter right now. Another ignored metric is the cost of a PoW attack in comparison to its market capitalization since larger coins have much more at stake.
The ETC attack shines a glaring spotlight on PoW’s weaknesses which were previously thought to be a remote possibility or a problem for smaller coins only. What’s most concerning here is that PoW coins that do not have majority hash rate for their algorithm or miner class (commodity hardware vs ASIC) are the most vulnerable.
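A simplified model of the time-penalized fork choice described in the two paragraphs above, as an added example (it is not Horizen's or Toomim's actual formula). The discount function, `BLOCK_INTERVAL` and the sample chains are assumptions constructed for illustration.

```python
BLOCK_INTERVAL = 120.0  # seconds; assumed target block time


def first_seen(*chains):
    """height -> earliest time this node saw ANY block at that height."""
    seen = {}
    for chain in chains:
        for height, _work, seen_at in chain:
            seen[height] = min(seen.get(height, seen_at), seen_at)
    return seen


def penalized_weight(chain, seen):
    """chain: list of (height, work, seen_at) since the fork point.
    Work is discounted by how late the block arrived relative to the
    first block the node saw at the same height (assumed penalty)."""
    total = 0.0
    for height, work, seen_at in chain:
        lateness = max(0.0, seen_at - seen[height])
        total += work / (1.0 + lateness / BLOCK_INTERVAL)
    return total


def fork_choice(public, candidate):
    seen = first_seen(public, candidate)
    raw = (sum(w for _, w, _ in public), sum(w for _, w, _ in candidate))
    pen = (penalized_weight(public, seen), penalized_weight(candidate, seen))
    return {"most_work": "candidate" if raw[1] > raw[0] else "public",
            "penalized": "candidate" if pen[1] > pen[0] else "public",
            "weights": pen}


# Constructed samples. HONEST: five blocks seen on schedule.
HONEST = [(h, 1.0, 120.0 * h) for h in range(1, 6)]
# HIDDEN: six blocks from the same fork point, all first seen at t=650s.
HIDDEN = [(h, 1.0, 650.0) for h in range(1, 7)]
# NATURAL_FORK: an ordinary race, sibling seen 2s late, then extended.
NATURAL_FORK = [(1, 1.0, 122.0), (2, 1.0, 240.0)]

if __name__ == "__main__":
    print(fork_choice(HONEST, HIDDEN))
    print(fork_choice(HONEST[:1], NATURAL_FORK))
```

In this model the withheld chain has more raw work but loses on penalized weight, while an ordinary two-second race still resolves in favour of the branch that gets extended.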
Luckily, methods to augment PoW are already being deployed or are in development. PoW-based coins need to implement additional safeguards as soon as possible. With the ETC attacker returning some of the proceeds of the attack, perhaps this was the point they were trying to make all along.