Why the Ethereum Classic hack is a bad omen for the blockchain

The 51 percent attack is real, and it’s easier than ever

On Saturday, the Coinbase security team noticed something troubling. Someone had made a deep reorganization in the distributed ledger for Ethereum Classic, a smaller spinoff from the Ethereum coin. The attackers had pulled off the cryptocurrency equivalent of writing a bad check. The initial fraud reported by Coinbase on Monday was $460,000, but in the days that followed, the total amount rose to over $1 million, spread over 15 different transactions.

Coinbase told The Verge that no wallets controlled by the company or its customers were involved. The company’s security team only detected the attack because, as security engineer Mark Nesbitt told The Verge, “whether or not it was directed at us, it could have been.” The company severed its connection with the Ethereum Classic blockchain in the wake of the attack; it’s still unclear when the connection will be restored.

Cryptocurrency wallets get hacked all the time, but this hack was different, striking at the blockchain itself. The attackers were able to rewrite the supposedly permanent ledger of transactions, something that should be impossible. Cryptocurrency developers have known attacks like this were possible for a long time, but they’ve only recently become something exchanges have to defend against. That raises hard questions about the future of the blockchain, particularly for smaller coins.

WHAT JUST HAPPENED?

In the most basic terms, the attackers disrupted Ethereum Classic in order to spend the same money twice. They sold Ethereum Classic coins for cash, then rewrote the blockchain so that they came away with both the cash and the coins. In a conventional payment system, it’s up to banks and other central enforcers to stop double spending, but there’s no such figure in cryptocurrency. Instead, transactions are enforced through a distributed ledger, produced collectively by currency miners.

But if miners work together, there’s a way to write transactions out of that ledger. All they have to do is split the blockchain at the right moment, and only build on versions of the chain that don’t include the unwanted transaction. All they need is enough mining power to overwhelm the rest of the mining pool — hence, 51 percent. It’s a fundamental weakness in the way cryptocurrencies work, acknowledged since the earliest writing on cryptocurrency. Bitcoin and its siblings all rely on a critical mass of what Satoshi called “honest miners.”

In this case, the 51 percent attack was used to execute a double-spend: writing a bad check and then muscling it out of the ledger. But that’s not the only bad thing you can do once you’re in control. In a paper last year, NYU cryptographer Joseph Bonneau raised concerns about majority attackers wreaking havoc on a coin’s ledger to crater the price and fulfill a short position, something he called a “Goldfinger attack.”

Attacks like this have hit a string of smaller currencies in the past year, double-spending a total of $20 million in 2018, but Ethereum Classic is the most prominent victim so far. With so many competing cryptocurrencies, Bonneau says it’s simply too easy to overwhelm a smaller coin. “Somebody can always show up out of the blue with more computational power than everyone else,” he told The Verge. “The question is, do we see a trend where these attacks are being mounted against bigger and bigger coins?”

AS COINS GET WEAKER, ATTACKS GET EASIER

The attacks are particularly tempting because cryptocurrency prices have plummeted over the last six months. As prices drop, currency mining becomes less lucrative, which makes it cheaper and easier to rent the quantity of computing power you’d need to take over a coin. It’s even easier when you can repurpose mining hardware from a major coin, like ETH (mainline Ethereum), to take over a smaller one, like ETC (Ethereum Classic).

“The feasibility of a 51 percent attack is dependent solely on the availability and cost of mining equipment,” Cornell cryptographer Emin Gün Sirer told The Verge. As that equipment gets cheaper and more available, the attacks become more common. “Bear markets also cause hashpower to be turned off,” Sirer continued, “which then can be rented and used for attacks.”

At the same time, the price drop makes cryptocurrencies like ETC easier to mine. At the time of the hack, the difficulty of mining a block of ETC was roughly half of its September peak, which means you need a lot less mining hardware to get to 51 percent than you would have four months ago. The result is a perfect storm for attackers, who can rent idle mining resources to take over whichever coin is weakest at the moment.

A BLEAK FUTURE FOR SMALL COINS

None of this is likely to affect Bitcoin, which has a large enough mining pool to resist most 51 percent attacks and a chip-specific protocol that makes it less amenable to repurposed equipment. But smaller coins are inherently vulnerable, and the risk is only increasing.

For Nicholas Weaver, UC Berkeley ICSI professor and Bitcoin skeptic, it comes down to a question of how fast miners are burning through electricity. As Weaver puts it, it’s “a nice illustration of how proof-of-waste schemes cannot be both efficient and secure.” The more it costs to mine a block, the more expensive it is to outspend the honest miners for long enough to reverse a transaction. Electricity prices vary from miner to miner, but Weaver estimates that the Bitcoin network currently runs through about $300,000 in electricity each hour, while the smaller Ethereum network runs at roughly $100,000 per hour. For Weaver, any coin much smaller than that is at risk of a 51 percent attack. Ethereum Classic clocks in at roughly $5,000 per hour.
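The “51 percent” threshold described earlier and the cost-per-hour argument above can be worked through with Satoshi’s own double-spend calculation from the Bitcoin paper; the code below is an added example, not code from the article, Coinbase or any of the people quoted. The function names are the example’s own, and attacker_spend_per_hour assumes (a simplification the article does not make) that rented hashpower costs the attacker the same per hash as electricity costs the honest miners.

```python
import math


def double_spend_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of total hashpower
    eventually builds a longer chain than the honest miners after the victim
    has waited for z confirmations (Satoshi's analysis, Bitcoin paper sec. 11).
    The attacker's deficit is modelled as a race against a Poisson process,
    with p = 1 - q the honest share."""
    if not 0.0 <= q < 1.0 or z < 0:
        raise ValueError("need 0 <= q < 1 and z >= 0")
    p = 1.0 - q
    if q >= p:
        return 1.0  # majority attacker always catches up: the 51 percent case
    lam = z * q / p  # expected attacker blocks while honest miners find z
    remaining = 0.0
    for k in range(z + 1):
        # chance the attacker has found exactly k blocks so far, times the
        # chance they never close the remaining gap of z - k blocks
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        remaining += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - remaining


def confirmations_needed(q: float, max_risk: float, limit: int = 1000):
    """Smallest confirmation depth an exchange must wait for so that the
    reversal risk drops below max_risk; None if no depth suffices (q >= 0.5)."""
    for z in range(limit + 1):
        if double_spend_success_probability(q, z) < max_risk:
            return z
    return None


def attacker_spend_per_hour(honest_burn_per_hour: float, q: float) -> float:
    """Hourly spend needed to hold fraction q of hashpower, under the
    simplifying assumption (not from the article) that rented hashpower
    costs the same per hash as the honest miners' electricity."""
    if not 0.0 <= q < 1.0:
        raise ValueError("need 0 <= q < 1")
    return honest_burn_per_hour * q / (1.0 - q)


if __name__ == "__main__":
    for q in (0.1, 0.3, 0.5):
        print(f"q={q}: depth for <0.1% risk ->", confirmations_needed(q, 0.001))
    # Hourly electricity figures quoted in the article: ETC ~$5,000, BTC ~$300,000
    for name, burn in (("ETC", 5_000), ("BTC", 300_000)):
        print(f"{name}: ~${attacker_spend_per_hour(burn, 0.51):,.0f}/hour for 51%")
```

The confirmation-depth helper returns None once q reaches 0.5, which is the point the article makes: no number of confirmations protects against a majority miner, so the only defence left is the cost of renting that majority.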

“Any coin not burning $100,000 per hour should probably be considered insecure in the face of attackers, and should not be supported by any exchange,” Weaver said. “That Coinbase supported a coin that has just $5,000 per hour of protection is negligence.”

Coinbase wouldn’t comment on whether the attack would affect its support for Ethereum Classic, citing insider trading concerns. (Coinbase support has a huge impact on the price of smaller coins, so such statements are ripe for market manipulation.) But Nesbitt, the engineer in charge of managing those attacks, disagreed that the support was negligent. “Weaver’s correct that there are different risk profiles on different currencies,” he said. “I don’t necessarily see why you would draw the line above Ethereum Classic.”

Correction: An earlier version of this post misstated the number of total transactions in the attack, and mistakenly said Ethereum derivatives could be targeted as standalone coins. The Verge regrets the error.
