Let’s talk about the ETC 51% hashrate attack

Arrangement: Sherry, Jin Xiaojia; Calibration: Xiao Jie

Since the birth of digital currency, 51% attack has been a hot topic of discussion. The biggest security risk of digital currency with proof of work as the consensus mechanism is the possibility of 51% attack. If someone holds more than 51% of the computing power of the entire network, he can launch an attack. This attack can cause money to be spent twice, or change the consensus state that has been reached.

The Bitcoin network has been running for more than ten years. Many people think that 51% attacks are only theoretical and rarely happen. But this time, it really happened, that is, the 51% attack on ETC.

In this episode, the hosts of Fork It (Terry, Daniel, Kevin) will have a good chat with everyone about the ins and outs of the ETC 51% attack.

The ins and outs of the ETC 51% attack

Daniel: The 51% attack on ETC was an organized, premeditated, and carefully planned attack. On January 6, 2019, an exchange called Bittrue announced that they had discovered an abnormal withdrawal worth 13,000 ETC. That is, the transaction that was deposited was rolled back, but the transaction balance was discovered when the exchange was withdrawn and was intercepted.

After further investigation, Coinbase officials discovered a larger-scale reorganization of the ETC network.

Knowledge point: The so-called network reorganization (Block Reorganization) means that six to eight blocks or even longer blocks in the network have been mined by miners, but these blocks are suddenly removed, and some new blocks are generated to replace these confirmed blocks.

Coinbase’s official blog immediately released three relatively large-scale network reorganizations that were suspected of having problems. Later, a well-known exchange, gate.io, was exposed to have suffered a 51% attack. Hackers made two large deposits in this exchange, which were removed through network reorganization. Hackers sold their coins in the exchange or exchanged the coins deposited into the exchange for other currencies and then withdrew them. Gate.io then issued an announcement saying that the attack caused a loss of about $200,000.

After this incident was exposed, some technology enthusiasts, especially domestic security organizations such as SlowMist and PeckShield, began to investigate the attack. They found that the computing power of the 51% attack came from a website called NiceHash, where hackers could rent a certain amount of computing power and then launch attacks on the ETC network.

At that time, more than 112% of the computing power of the ETC network could be rented, and the rented computing power could be used for ETC mining, or anything else you want to do. The hacker used the NiceHash website to rent computing power to launch the attack.

The reason why ETC is vulnerable to attacks is actually based on two characteristics of ETC.

The first feature is the low cost of attack . Let's assume that the computing power of the ETC main network is 100, and now we need to rent 101 computing power to attack the ETC network. The hacker caused an exchange to lose about $200,000 through the attack, which means that the hacker earned $200,000 from the attack. How much do you think it would cost to rent a computing power that exceeds the ETC main network to launch an attack and earn $200,000?

The answer is that the hacker's attack cost only about $5,000 per hour. From the day of the attack to now, the market value of the ETC main network's computing power has further declined. Now it is cheaper to rent computing power to attack the ETC network than the previous attack.

In the previous Fork It 2, we know that ETC is a chain forked from THE DAO incident in 2016. For a long time, ETC's computing power was about 1/20 of the total Ethereum network computing power, and its coin price was also about 1/20 of the Ethereum network. However, as time went by, ETC's network computing power became less and less, and its coin value became lower and lower, and now it has just reached a state where it is particularly vulnerable to attacks.

Another feature of ETC is its good liquidity . Ethereum is a mainstream digital currency supported by most exchanges around the world. ETC and Ethereum have the same origin, so exchanges support ETC very well. Although its price is low and its computing power is low, given its liquidity, hackers have at least two ways to make money by performing a 51% attack.

The first way is a double-spending attack: first transfer an amount to the exchange, and then change the consensus of the transfer on the chain through a computing power attack. At this time, the exchange still retains the transfer record, so there will be a sum of money that does not actually exist in the exchange that can be cashed out. Another way is that hackers successfully carry out a 51% attack, which will be a very big negative news. It can affect the futures market. Hackers can make money by shorting the futures market in advance to realize arbitrage.

Is the consensus foundation of PoW shaken?

Terry: In fact, this PoW 51% attack is not the first time. Many small coins have been "knocked down" as soon as they were launched. The so-called "knockdown" is to use computing power to attack. Whether it is a new currency or a small currency, when their computing power and market value are not high enough, hackers can attack a chain at a relatively low cost, which makes it particularly unsafe.

Then I have a question: After this incident, there have been a lot of news about PoW, the most representative of which is: " ETC suffered a 51% attack, has the consensus foundation of PoW been shaken? " (a bit of a headline party) What I want to ask is, have you lost faith in the PoW consensus algorithm? Or do you think it really has problems?

Kevin: First of all, PoW is a way to prevent witch attacks. Its consensus algorithm is very simple, which is to select a natural random number to achieve complete fairness.

Knowledge point: Sybil Attack: In a peer-to-peer network, a single node usually has multiple identities, which weakens the role of redundant backup by controlling most of the system's nodes.

If there is a malicious node in the network, the same malicious node can have multiple identities. The data that originally needs to be backed up to multiple nodes is deceived into being backed up to the same malicious node (the malicious node disguises itself as multiple identities). In this way, the malicious node may be able to gain control of the network.

Another is openness. Any node can participate in the consensus. Miners only need to buy a mining machine and plug it in to mine directly. If the network itself has a very high computing power, the advantage of PoW is still very obvious. However, PoS has many constraints. It may be necessary to stay online and purchase tokens. During this process, some IP addresses containing personal information may be exposed. The entire PoW system ensures that each miner must submit a block on the longest chain, which makes each miner motivated to broadcast it as soon as possible after mining a block. These are all very good properties of Bitcoin Nakamoto Consensus.

However, any consensus mechanism has its security model and there is always the possibility of being attacked . It’s just that people are more familiar with the attack model of PoW and know how it can resist attacks. People don’t fully understand other consensuses, especially newer companies. In many PoS projects, the method adopted is that foundations and other related groups hold 50% of the tokens to ensure that they will not be attacked. PoS, which has truly grown in the "wild", has been in operation for a very short time, and people are still in the process of exploring, but it is a direction that is very worth studying.

Daniel: Yes, for the consensus mechanism we don’t understand, we are more worried about unknown attack methods, and we don’t have mature solutions for these attack methods. For PoW, we know very clearly how hackers will launch attacks.

Terry: Vitalik once tweeted that he thought it was philosophically correct for ETH to switch to PoS. Of course, there were many opposing voices. The founder of SlowMist Technology once said that no matter what algorithm is used, as long as it is solving the Byzantine Generals Problem, it has its own security model. Just like Kevin said, different security assumptions will have their own problems , and PoS also has many unresolved problems. In fact, we also have a lot of understanding and cognition of the PoS consensus algorithm. We can talk about PoS specifically in future programs.

But what I want to say now is that replacing PoW with PoS is not a solution to the problem, or it may lead to many new problems. From the perspective of practical problem solving, some people have proposed some real solutions, such as the BCH community launched a reorganization protection for the chain reorganization problem (in BCH, ABC 0.18.5 version added reorganization protection, which can exclude reorganizations of more than 10 blocks).

There are two ways of PoW mining now. One is to mine with ASIC mining machines, such as Bitcoin, and the other is to mine with GPU mining machines (hereinafter referred to as graphics card mining), such as ETC. One thing that must be admitted is that the computing power liquidity of graphics card mining is relatively high, because it can mine more currencies, and it is easy to rent computing power to attack a certain currency. After attacking a certain currency, even if the currency collapses, miners can still earn income by mining other currencies. So the question is, with such high computing power liquidity of graphics card mining, will it affect the security of the chain mined with graphics cards to some extent?

Daniel: Based on the fact, the entire computing power market is a stock market . In the current market environment, few people will invest in the graphics card market to buy graphics cards and increase computing power. On the contrary, more miners will choose to shut down their mining machines because the prices of all currencies are very low and mining is not cost-effective.

All miners can freely choose which coin to mine, and usually rational miners will choose those that can make money. The final result is that all coins will return to a relative break-even point, or the profit from mining each coin may be similar. Therefore, the computing power behind each coin is now maintained in a stable state.

In this stable state, the higher the value of some currencies, the greater their computing power, and it is very difficult to rent more computing power than the main network to attack. However, those currencies that are not valuable enough or mining is not economical, resulting in few miners mining them, are very unsafe, and attackers can easily rent computing power to attack them.

Any project, especially one that chooses PoW as the consensus protocol, will go through an unsafe stage in the initial computing power growth phase after going online. Therefore, how to transition from a dangerous state to a safe and mature stage becomes particularly critical.

ASIC Friendly or Not?

Terry: We have seen many projects with different attitudes on whether to use ASIC mining machines for mining. Some are opposed, some are neutral, and some are friendly. So if a small currency is mined with ASIC, is it safer?

Kevin: It depends on how you define security. There are two criticisms of ASIC-Friendly in small currencies . One is that it is assumed that an ASIC mining machine for a new project can be made in a very short R&D cycle, and everyone is optimistic about the project. Then the following problems may arise:

Generally speaking, a project will disperse coins the fastest in the early stage, and the fastest bonus period will be given to miners with ASICs, so these miners are likely to be centralized. It may even happen that after the ASIC manufacturer develops the mining machine, it does not sell it, but mines coins by itself, which will lead to the concentration of tokens itself. If the token is too concentrated, the community will be very concentrated, and then if there is a need to vote with tokens or use computing power for online governance in the future, problems may arise. Even more, if there is a situation like Bitcoin ASIC mining machine manufacturers, the manufacturer can produce mining machines first, mine the most tokens, and then sell the tokens, and reinvest the funds obtained in production and research and development, and it will be ahead of others. So this is where everyone criticizes ASIC Friendly.

Another possibility is that some projects will adopt the ASIC mining algorithm of other projects (such as Bitcoin mining machines). There are already a large number of ASIC mining machines on the market mining Bitcoin, which is very unsafe for the project. Because once the project is online, Bitcoin miners can directly attack the project with a reduced dimension. As long as these Bitcoin miners have enough computing power, it is easy to launch a 51% computing power attack on the project.

Therefore, the best way is to adopt a new algorithm , whether it is mining with graphics cards or ASIC Friendly mining.

However, there are also some problems for projects that adopt a new algorithm. If it uses graphics cards for mining, since graphics cards are the same, hackers can attack them by installing mining software. If it uses ASIC mining machines for mining, it is difficult to directly attack existing ASIC mining machines in the initial stage, but this may bring some other problems, such as mining centralization.

Let's take Grin as an example. Grin's mining design is very interesting. It has two algorithms based on Cuckoo Cycle (a graph-theoretic proof of work invented by John Tromp, which we will introduce in the next issue of Fork It). One is ASIC-resistant (mining through graphics cards, it is difficult to mine with ASIC), called Cuckaroo29; the other algorithm is ASIC-friendly, called Cuckatoo31+.

At the beginning, Grin used a large number of graphics cards for mining and let miners distribute the coins. Because Grin uses a new algorithm, the existing graphics cards can switch their computing power, but there is still a certain degree of difficulty. At the same time, Grin does not exclude ASICs. A certain number of coins are mined by ASIC mining machines. As time goes by, the proportion of coins mined by different mining algorithms will gradually change.

If graphics cards are compared to mercenaries, then ASIC mining machines are like the Royal Guards. Optimized ASIC mining machines will no longer be able to mine tokens of other projects, as these devices can only mine one project. If other miners want to join in, they can only do so by purchasing mining machines. From this perspective, Grin is a relatively good project. Although ASIC miners may be somewhat centralized, as long as miners are mining Grin's tokens, they have the motivation to protect the project (because their chips have no other function besides this).

Terry: Yes, suppose a new ASIC algorithm for a new project is created, and many people are mining this coin, miners are not necessarily willing to attack it by renting computing power. Although it may be profitable in the short term, in the long run, if the coin has no value, all the mining machines are just scrap metal, and the loss will be greater. However, miners who use graphics cards to mine coins will not consider this situation, because even if this coin is attacked, miners can still mine other coins. This also reflects the loyalty of ASIC mining, which is a difference from graphics card mining.

We just mentioned Grin's mining, which is a very interesting design. At the beginning, 90% of Grin mining used Cuckaroo29 (anti-ASIC), and 10% used Cuckatoo31+ (ASIC Friendly). And this ratio will change, the proportion of ASIC mining will become larger and larger, and the proportion of graphics card mining will become smaller and smaller. This change shows that Grin is neutral to ASIC, which is very consistent with our view.

I have heard the view of a senior mining machine manufacturer. He believes that as long as the project is good enough, ASIC is inevitable. There are only two ways to avoid it. One is the project party's coercion. As long as you dare to make ASIC, I dare to fork and change the algorithm. The other is "cheating", just like ETH has been saying that it will switch to PoS. I don't agree with the "cheating" statement, but I think since others say this sentence so sarcastically and humorously, the point of expression should be that as long as the benefits are big enough, ASIC can definitely be made, whether it is friendly or unfriendly.

Although I cannot judge whether all algorithms can be made into ASIC from a technical point of view, if the benefits are large enough, I believe someone will do research on ASIC for this project. According to some gossips I know, Zcash, Monero, etc. actually have ASIC mining machines, but the community has different attitudes towards ASIC mining machines.

Daniel: Yes, after the Monero community had ASIC mining machines, they quickly reached a consensus and switched the algorithm, and the previous ASIC mining machines became scrap metal.

Terry: OK, I need to make it clear here that we are not recommending the Grin project. Even if our program recommends it, it is its technology. However, the MimbleWimble protocol behind the Grin project is indeed very legendary. In addition to Grin, another implementation of the MimbleWimble protocol is the Beam project, but it has made some so-called "improvements" based on the original protocol. Whether this "improvement" is good or bad may need time to judge. In comparison, I think Grin has implemented MimbleWimble in a more fundamentalist way. In addition, I heard that some domestic teams are also planning to implement MimbleWimble, which may cause a small trend.