Bittrex delists Bitcoin Gold after uncompensated 51% attack
Without clear legal precedents, the response to a 51% attack seems to be to play the blame game.
Bitcoin Gold (BTG) holds the dubious honour of falling victim to one of the largest 51% attacks in cryptocurrency history when BTG, worth about $18 million at the time, was double-spent. The attack is believed to have involved the use of rental hashpower to successfully take control of the majority of Bitcoin Gold's hashing power and to walk back transactions after they were performed.
These types of attacks have been relatively common and many coins are still vulnerable to the exact same attack. Strangely, the markets as a whole seem unusually willing to just shrug off most attacks.
BTG's delisting is significant as one of the clearer examples of an attack's aftermath, giving some insights into what goes on behind the scenes following a large 51% attack.
Based on the Bitcoin Gold delisting statement, it might be most succinctly described as a blame game. There's no clear legal recourse for anyone affected by a 51% attack, which means the entire thing either has to go unsorted or carefully handled behind the scenes – either amicably or less so.
This time it seems to have been less so, with Bitcoin Gold and Bittrex apparently blaming each other for the loss.
According to Bitcoin Gold, Bittrex was one of the main victims of the attack, losing up to 12,372 BTG which is currently worth around US$266,000 but was worth almost US$700,000 at the time. The actual amount lost is not known since it all depends on how much the attacker actually withdrew, but it could quite well be that maximum.
In the aftermath, Bittrex supposedly demanded 12,372 BTG in compensation for the loss, citing the Bitcoin Gold team's failure to "take responsibility for [their] chain." The Bitcoin Gold team refused to pay.
Bittrex then came back with a counter offer of 6,000 BTG, saying they would cover part of the loss as long as Bitcoin Gold compensated them for the remainder. Bitcoin Gold once again refused the offer and instead offered a loan of 6,000 BTG, with unknown terms, "to help Bittrex address short-term liquidity problems."
Bittrex declined and said Bitcoin Gold would either make an outright payment or that it would be delisted. Bitcoin Gold declined to pay and so was delisted.
The blame game
Bitcoin Gold's very passive-aggressive-sounding statement suggests that the blame game was played extensively during negotiations, with the help of lawyers on both sides. Highlights include the following:
- "Bittrex announced this decision today based on a double-spend attack they suffered back on May 19th, despite all our efforts to assist them" (bold added for emphasis) The same language is repeated throughout, with the statement consistently describing the incident as Bittrex's 51% attack.
- "Everyone knows 51% attacks and Double-Spends have always been a known risk in the PoW blockchain world. The attacks on exchanges in May were not the result of any fault or flaw in the BTG blockchain or code... the attackers bear responsibility for their attacks."
- "The Bitcoin Gold team is not responsible for security policy within private entities like Bitrex (sic); those who earn revenue running a private business must manage the related risks and are ultimately responsible for their own security."
- "Bittrex allowed them [the attackers] to trade that BTG and withdraw some amount of other coins."
- "We do not know the net value of Bittrex’s loss since they have not disclosed the value of the coins they allowed to be withdrawn."
- "It's clear that we took every reasonable step to try to help ensure Bittrex's safety against this threat."
It's not clear what the legal implications of the loss are or whether any party fancies having a go at the other in court. But it seems reasonable to assume Bittrex has little choice except to swallow the losses or to try to recoup them in another way as they did by approaching Bitcoin Gold for compensation.
In terms of actual responsibility though, it's hard to deny that Bitcoin Gold did almost nothing to prevent the attack, choosing instead to wait until it happened before responding. With Bitcoin Gold's low hashing power, without any real ASIC resistance, with credible rumours of secret Equihash ASIC miners and with the rentable Equihash hashing power being widely available, it was obvious that Bitcoin Gold was vulnerable to a 51% attack. It was only a matter of time.
There aren't really any immediate implications to the delisting except that BTG is delisted from Bittrex. But in the long run, it might spur exchanges to be much more careful with the coins they list and the procedures they follow for suspicious transactions.
Exchanges will typically be the victims in double-spend attacks and listing vulnerable coins might not be worth the risk. The clear threat of delisting from exchanges might be enough to spur cryptocurrencies to improve security measures where the distant threat of an attack doesn't.
Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and ADA.