On 51% Attacks: The Architecture Of Aggression

Following a recent announcement made on the r/CryptoCurrency subreddit, that a 51% attack on the Einsteinium blockchain will be launched and live streamed a week later, a number of us, blockthirsty spectators, gathered at the given Twitch channel at the announced time. The stream started, and after 20 or so minutes of audio and video stream quality adjustments and reading the Satoshi paper, the prospective attacker tried to launch the planned attack, then switched to Bitcoin Private and tried to attack that blockchain, then got banned and no attack happened at all.

Image credits: Wikipedia

This time the double spend attack didn’t even start, let alone happen or succeed, but successful double-spending attacks are not a novelty in the crypto world. There has been several successful documented attacks, including against crypto exchanges— Monacoin, Bitcoin Gold, the three-time’s-a-charm Verge and Litecoin Cash — which led to loss of funds between several tens of thousands up to 18 million USD and a number of other problems for development teams and holders of affected crypto currencies.

Double spend or 51% attacks are intrinsic to the concept of blockchain. The blockchain is a distributed public ledger governed by a consensus protocol which stores data about transactions. The integrity and immutability of the data stored in the ledger (or in the blockchain) depends on honest nodes (as per the Conclusion stated in the Satoshi paper) and the consensus they reach. Malicious nodes may appear on the network, but as long as the majority of network participants are honest nodes, the data stored on the blockchain remains safe and immutable. The consensus is maintained by always extending the longest chain, which happens by adding new blocks of transactions, after sufficient proof of validity of transactions has been performed by nodes.

The Timeline Of A Double Spend Attack

The purpose of double spend attacks is exactly that — double spending of funds stored on the blockchain. It starts by a miner or a node having 51% of the resource needed to reach the consensus forking the chain without broadcasting the new block to the rest of network participants.

The malicious node forks off the chain at block height 667 without broadcasting blocks to the network

The malicious node will now perform a transaction on the public chain — in block 668. As the private chain doesn’t broadcast transactions or blocks, the account which performed the transaction in blue block 668 still holds the funds in block 668 on the private chain.

The transaction in block 668 happened on the public chain, while in the forked chain the pertinent account still holds the funds.

At this point, the quantity of resources available to the malicious miner/node comes to play — after executing the transaction on the public blockchain, the malicious miner has to start issuing blocks on the private blockchain, still without broadcasting them to other network participants, at a faster rate than they are being issued on the public chain.

Blocks are issued at a faster rate on the private chain than on the public chain, thanking to the malicious miner, who has more resources for mining blocks than the rest of the network.

After the attacker has produced enough blocks on the private chain to exceed the blockheight of the public chain, they will broadcast the blocks from the private chain and the transactions contained within them to the network.

The attacker broadcasts the forked chain to the network.

As the consensus of the blockchain always extends the longest chain, the forked chain and blocks produced by the attacker now become the public chain. As the now longest chain has no record of the transaction executed in block 668, the funds that were already spent are available to the attacker to be spent again.

The forked chain now becomes the longest chain, where there is no record of transaction from block 668.

The Cost Of A Double Spend Attack

The main reason for launching 51% attacks are financial gains — so the initial feasibility study has to include the expense of preparation and execution of the attack. Depending on the consensus type utilized by the blockchain that is to be attacked, the decentralization of it (the number of nodes/miners securing the blockchain) as well as on the price of the crypto currency that can be obtained through the attack, the cost of launching an attack vs. the financial gains can greatly vary.

There are many Proofs-Of-Something implemented into currently running blockchain projects. By the type of resource used to produce blocks, three major group of proofs can be identified: proof of work, proof of stake and proof of capacity.

Proof Of Work

Proof of Work consensus is the original and the most widely used consensus type. It is based on miners performing real time hashing in order to mine the next block. This type of computation requires fast CPUs and GPUs — raw hashing power. By the courtesy of the authors of the Crypto51 website, we can see their estimates on the cost of renting raw hashing power to launch an one hour long 51% attack on selected blockchains that use the Proof of Work consensus. As expected, the most expensive is to attack the most-mined Bitcoin blockchain with a price of close to 600.000 USD per hour, while attacks on smaller chains, such as the Einsteinium, are estimated to cost less than 20 USD per hour. Even though all documented successful 51% attacks have been executed against Proof of Work blockchains, it is necessary to notice, especially after the failed attacks that inspired this article, that raw hashing power is not enough to succeed. Some skill and knowledge are also a requirement, as well as not announcing the plan to attack to the general public a week ahead.

GPU mining rig. Source: ToughNickel.

Proof Of Stake

The Proof of Stake consensus requires the participating nodes to hold a certain amount of crypto currency in order to forge a block. Based on the amount of the staking coin they hold, nodes have a better chance of signing a block. Consequently, the cost of launching a double spend attack against a blockchain using this type of consensus would amount to the price of the required crypto currency — 51% of the supply of it. The implications on the price in case someone would actually attempt to buy 51% of a coin supply — one can just guess — would probably take the price through the roof, especially if the acquisition would be attempted in a short period of time.

Proof Of Capacity

The Proof of Capacity consensus algorithm utilizes storage space for mining. In the same way as more hashing power gives Proof of Work miners a better chance to mine a block and more staking coins give a better chance to Proof of Stake nodes to forge a block — more storage capacity enables Proof of Capacity miners to mine blocks more often. Due to the specific method of mining setup, the estimate of the cost of 1 hour of double spend attack on a Proof of Capacity governed blockchain has to be elaborated starting with the process of plotting.

In order to mine blocks on the Burst blockchain, the only blockchain that uses the Proof of Capacity consensus, miners first pre-compute Shabal256 hashes and store them to hard disks. Hashes are grouped in nonces each of which contains 8192 hashes and takes up 256 KiB of storage space. Plotting can be done using CPUs or GPUs.

Plotting using CPU (Intel Xeon CPU E5–2650 with 2x10cores/20 threads) and GPU (GeForce GTX 1050Ti) — producing cca 70.000 nonces/minute, screenshots courtesy of Haitch.

After the plotting has been completed, the mining software reads plot files searching for hashes that can be used to sign the next block and calculates deadlines, the shortest of which determines the miner who will mine the next block.

In a post inspired by the announced plan to attack the Einsteinium blockchain, rico666, the spokesperson of the anonymous developer group Proof of Capacity Consortium, which drives the development of the Burst blockchain, made an estimate of the cost of a 51% attack on Burst.

Per this estimate, based on the current size of the network of Burstcoin miners, the prospective attacker(s) would need to acquire and plot 240 PB of storage in order to deploy a double spend attack on the Burst blockchain.

In case the storage was rented from AWS at publicly available prices, and the plotting was done as soon as possible — within 2 hours using 1.688 accelerated computing p2.8xlarge instances, the expense would amount to a bit above 5 million USD.

Images courtesy of admins of Burst-Team and .RO Burstcoin pools

In case one would try to buy hard drives and set up Proof of Capacity miners — two of which are shown in images above, with the lowest price of 20 USD/TB and all other necessary equipment — racks, rigs, cables — the cost of deploying a double spend attack on the Burst blockchain would rise to above 6 million USD.

As the development of the blockchain technology progresses, more and more complex consensus algorithms are being designed and implemented — with the intention to improve project performance and security. There are projects such as the Block Collider — which uses a consensus that is a hybrid of Proof of Stake and Proof of Work for mining blocks, which certainly isn’t going to make double spend attacks easier or cheaper in terms of “war material”. Some blockchains have security mechanisms — such as storing snapshots of the blockchain at every n-th block, which prevents blocks mined before that block from being changed in case of a double spend attack — thus reducing the potential damage of the attack, if it happens. There is no doubt, however, that there will always be “malicious nodes” that will find financial and “king of the hill” motives to attempt an attack on a chain. The outcome of such attacks, with the ever increasing need for mining resources is yet to be seen.

The text of the article is available on the Burst blockchain, and is retrievable using the CLOUD-QJ6D-U4G3-G2JK-5M3U2 CloudBurst ID.

On 51% Attacks: The Architecture Of Aggression was originally published in Data Driven Investor on Medium, where people are continuing the conversation by highlighting and responding to this story.