In early January, the Ethereum Classic blockchain experienced double-spend attacks created by deep reorganizations of the blockchain. While the perpetrators’ identity remains a mystery— although research from SlowMist suggests that exchanges involved in the incident may have additional information for locating them— there is enough information about the attack to draw general conclusions about the modus operandi and implications for other blockchains. This event has upended core assumptions made in previous economic analysis of blockchain security, defined as the cost/benefit calculus for mounting successful attacks against the integrity of the ledger.

Double-spending in the abstract

In one sense, there is nothing surprising or novel about the attack vector. The vulnerability of blockchains to hijacking by overwhelming mining power had always been acknowledged, even in the original Bitcoin paper by Satoshi. Such attacks have even been observed on other alt-coins in the wild, most notably Bitcoin Gold in May 2018. To recap how such a double-spending attack works in the abstract using the standard cast of cryptographic characters:

1. Alice and Bob agree to trade using cryptocurrency.
2. Alice pays Bob by broadcasting a transaction on the Ethereum Classic (ETC) blockchain
3. Bob waits until this transaction has been “mined” and confirmed, getting buried several blocks deep in the chain history
4. After the transaction is confirmed, Bob in return supplied Alice with a product or service, such as shipping her a painting or even giving her a bundle of USD cash.
5. Unbeknownst to Bob at this stage, Alice had been secretly mining an alternative history of the ETC blockchain, with more hash-power than all other miners combined. In this parallel universe, the transaction sending ETC from Alice → Bob never happened.
6. Given that Alice commands a majority of the hash rate on the network (so-called “51% attack”) her alternative chain will eventually catch up and overtake the existing chain, measured in terms of the objective metric used by all participating nodes to pick a winner among competing histories.
7. When the blockchain “snaps” to this alternative version created by Alice, Bob no longer has possession of the ETC funds he believed Alice had sent; that transfer has effectively been erased from history.
8. Alice meanwhile still has the cash Bob provided in exchange, in addition to her original ETC funds.

There is one technicality here: as stated, the transaction broadcast in step #5 would still be valid on the new, revisionist history orchestrated by Alice. That means Bob could try broadcasting it again, after Alice stops mining new blocks and control of the network reverts back to honest miners. To lock in the theft for good, Alice would include another transaction in her version of events to break compatibility. Even a seeming useless transaction sending the same funds back to herself (Alice → Alice) will do the trick; although, the scenario gets more interesting if the same funds are used for another third-party transaction, as we will shortly see. That is the origin of the slightly confusing term double-spending, since the same money is seemingly being used twice. Even though any single version of blockchain history only allows single spending, by creating temporary confusion about what the “true” version of history is, Alice convinces different people at different times that the funds are theirs.

Attacker perspective: ideal targets

Is this attack feasible? It depends on the relative cost of achieving 51% of hash-rate “temporarily,” compared to the expected benefits measured by the value of the goods/services purchased without having to fork over any Ethereum Classic. Hash-rate costs are subject to complex dynamics, involving the specific design of the proof-of-work function used in a blockchain and available spare capacity up for grabs for the higher-bidder on markets such as NiceHash. But assuming an attacker can assemble enough fire-power to revise blockchain history, there is a natural choice of target to go after, a stand-in for the character “Bob:” cryptocurrency exchanges. Alice can deposit ETC on an exchange, trade that to a different cryptocurrency such as Bitcoin (BTC) and withdraw BTC. Note that the 51% attack on ETC chain has no effect on BTC, short of any general market unease caused by an unrelated coin being attacker. (In fairness, there is strong correlation across different cryptocurrencies and past events such as the Ethereum DAO debacle have caused broad declines across the market, even in asset classes having nothing to do with buggy smart-contracts.) The attacker gets to keep the Bitcoin, while the exchange is out of ETC after the deposit is reversed. There is no doubt an interesting legal question here on whether the exchange will eat the loss or if those losses can somehow be passed on to counter-parties involved in the BTC/ETC trade. But that is immaterial for our purposes: the bottom line is that someone has been scammed.

This is the exact playbook observed in the ETC double-spend attack. One of the primary targets has been identified as the exchange Gate.IO, with the attackers converting the proceeds to bitcoin for withdrawal. To the extent there is any element of surprise here, is the fact that such an attack could involve a relatively major currency in the top 20 by market capitalization. It is one thing to prey on Bitcoin Gold or some other thinly-traded altcoin with negligible hash rate. It is another level of capability to amass enough hash-rate to overpower Ethereum Classic, with the unspoken question: which other cryptocurrencies are vulnerable to copy-cat attacks?

Wrong assumptions about costs and benefits

The existence of economic limits to the security of blockchains is not exactly news. It is an accepted risk that Bond villains with unbounded resources can amass sufficient hash-power to overwhelm any blockchain. Without disputing this fact, the standard response to these arguments has been around economic incentives: why would an attacker spend that much money if they can not recoup even greater value by carrying out the attack? Putting aside the fact that this is not an entirely comforting answer— some “attackers” may be motivated by ideology, with the standard example being governments willing to sabotage public blockchains for the greater cause of enforcing capital controls, even when that undertaking would be extraordinarily costly— it leads down the rabbit hole measuring costs and benefits.

Notable, this attack on ETC debunked two premises that go into these models:

1. Attacker costs include devaluation of their own holdings. It has been an article of faith that miners would not collude to execute a 51% attack because doing so would lead to decrease of confidence in the currency, resulting in the notional value of their own mining rewards going down. In effect, 51% attacks are treated as short-sighted move that may temporarily boost returns but only at the cost of much greater losses down the road. This was rooted in an implicit assumption that perpetrators of the attack are still wedded to that particular cryptocurrency— after all, Alice in the example above is still holding ETC after her double-spend attack has been successfully executed. But the presence of public cryptocurrency exchanges with high liquidity in their order books voids that assumption. Alice can wash her hands clean of ETC, fully cashing out all of her holdings to some other cryptocurrency with nary a care for how far ETC plunges in the aftermath.
2. Attacker costs also include the depreciation of their specialized mining equipment, which has zero value for any application except mining that specific cryptocurrency. Because the most efficient way to mine Bitcoin involves highly-specialized ASIC hardware that is useless outside that specialized application, the perceived “cost” for an attacker mounting 51% attacks would include both capital expenses to acquire those rigs and more subtly, depreciation for the equipment caused by decline in currency price. Recall that if the price of Bitcoin goes down and mining rigs are good for nothing besides producing more Bitcoin, the expected value provided by a rig over its lifetime also takes a dive. This may have been a reasonable assumption when Bitcoin was the only game in town. Today there are hundreds of alt-coins, including several “families” sharing the same proof-of-work function: mining rigs built for Bitcoin can be diverted to also mine Bitcoin Cash/Gold/Diamond/Tin/Scrap-Metal/etc.**

[continued]

CP

** The last two remain hypothetical at the time of writing, but can not be ruled out if forks continue to create value out of thin air.