Earlier in October, an ethical hacker who goes by the handle GeoCold on Twitter announced the live-streaming of a 51% attack on the altcoin Einsteinium. The plan was to gain control of the network and expose vulnerabilities in conventional proof-of-work blockchains that allow for double-spending attacks. Only it didn’t go quite as planned.
GeoCold switched the coin he attacked to Bitcoin Private after discovering Einsteinium’s use of a security protocol called Komodo, which utilizes delayed proof of work (dPoW) to verify the correct chain.
Just found out EMC2 uses @KomodoPlatform, still going to attack them later in the stream but it might not work (will be fun to test) so i'm switching the main event to a bigger coin (to be announced).
— GeoCold "Mischief-Maker" (@geocold51) October 9, 2018
What is dPoW?
During the interview, Daniel Pigeon, a technical writer at Komodo, explained the concept:
“To put it really briefly, Komodo has a network of 64 community-elected nodes that notarize a blockhash onto the Bitcoin ledger (using OP_RETURN command) every ten minutes. This creates a checkpoint, so to speak, and any transactions that have occurred prior to that notarization are protected with the power of the BTC network. The process takes place every 10 minutes so potential attackers don’t have enough time to launch a successful attack.”
With each new checkpoint, the entire network is verified, so if a chain doesn’t match them all, it gets rejected.
So, in order to gain control over a network using dPoW, a hacker would have to fork a blockchain, mine enough blocks to convince the system it was the correct one, reintroduce that chain to the network they were attacking, then double-spend the currency they were attacking through an exchange in under ten minutes. Pigeon argues that this is effectively impossible.
The roughly two-hour wait time that transactions are put through on exchanges provides another layer of protection. By the time any attempt to double-spend goes through, “our devs would be on it,” Pigeon said.
Between verifications, chains using dPoW have a conventional level of security, but overcoming the checkpoint hashes written to the Bitcoin network would take an immense amount of power because of Bitcoin’s high hashing power. Even if it were somehow to be hacked, each checkpoint contains a hash of the previous checkpoint within it.
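A simplified model of the checkpoint rule described above, added here as an illustration: it is not Komodo's code, and the function names, checkpoint fields and sample chains are constructed for the example. It also shows the window after the last checkpoint, where only the conventional longest-chain rule applies.

```python
import hashlib

def h(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def build_chain(parent, labels):
    """Extend `parent` (a list of block hashes) with one block per label."""
    chain = list(parent)
    for label in labels:
        prev = chain[-1] if chain else "genesis"
        chain.append(h(prev + "|" + label))
    return chain

def checkpoint_id(cp):
    return h(f"{cp['height']}|{cp['block']}|{cp['prev']}")

def notarize(checkpoints, chain, height):
    """Add a checkpoint committing to chain[height] and to the previous checkpoint."""
    prev_id = checkpoints[-1]["id"] if checkpoints else "none"
    cp = {"height": height, "block": chain[height], "prev": prev_id}
    cp["id"] = checkpoint_id(cp)
    return checkpoints + [cp]

def checkpoints_intact(checkpoints):
    """Every checkpoint must hash correctly and link to the one before it."""
    prev_id = "none"
    for cp in checkpoints:
        if cp["prev"] != prev_id or cp["id"] != checkpoint_id(cp):
            return False
        prev_id = cp["id"]
    return True

def accept_chain(current, candidate, checkpoints):
    """Longest-chain rule, restricted to chains that match every checkpoint."""
    if not checkpoints_intact(checkpoints):
        return False
    for cp in checkpoints:
        if len(candidate) <= cp["height"] or candidate[cp["height"]] != cp["block"]:
            return False  # candidate rewrites notarized history
    return len(candidate) > len(current)

# Constructed sample data: an honest chain of 8 blocks, notarized at heights 2 and 5.
honest = build_chain([], [f"tx{i}" for i in range(8)])
cps = notarize(notarize([], honest, 2), honest, 5)
# Longer fork that rewrites history from height 4, below the last checkpoint.
deep_fork = build_chain(honest[:4], [f"alt{i}" for i in range(10)])
# Fork that diverges at height 7, after the last checkpoint.
shallow_fork = build_chain(honest[:7], [f"alt{i}" for i in range(3)])
```

In this model `accept_chain(honest, deep_fork, cps)` is rejected despite the fork being longer, while `shallow_fork` is accepted, which is the "conventional level of security" between verifications.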
Einsteinium is one of four projects not native to the Komodo system using its protocol. The other three are Bitcoin Hush, gaming cryptocurrency GameCredits, and Kreds. According to Pigeon, there are over 30 blockchains built on Komodo’s platform as of this writing. The company has been around for nearly two years, having introduced their dPoW protocol in January of 2017, but it’s been a slow build since.
“We’ve kinda been flying under the radar.”
Instances like GeoCold’s attempt to stream an altcoin attack highlight ways that ethical hackers and the blockchain community can work hand in hand to advance the technology. It’s far from novel for a company to bring on whitehats as consultants or offer bounties for any bugs they find.
When I asked Pigeon what he thought of GeoCold’s efforts, he said, “We welcome it with open arms, actually.” The publicity around GeoCold’s planned attack brought attention both to the vulnerabilities in conventional, small proof-of-work blockchains and the possible benefits of dPoW. Komodo’s developers appreciated the spotlight.
Pigeon said of hackers,
“Rather than having an enemy, we can have them join the team and help us be more secure.”
GeoCold’s planned attack on Bitcoin Private was cut off when two streaming platforms shut him down, but in an interview on the podcast The Bull Pen, he said he was able to “do everything but hit the button.” He thinks people have too much confidence that some chains can’t be hacked, leaning on assurances from before people could rent hashing power from sites like Nicehash. After raising money via donations, he planned to attack both Bitcoin Private and Einsteinium for a side-by-side security contrast.
Komodo’s dPoW still isn’t perfect. Another whitehat by the username forkwitch managed to reorganize a block on Einsteinium’s chain last week, but Komodo is planning to address the exposed vulnerability in an upcoming bug fix.
GeoCold also mentioned the possibility of using old nodes on the Einsteinium network without verification in place as a way to fork the chain. “That,” he said, “would be curious.”