Ethereum Classic hit by seeming 51% attack, ETC team suggests selfish mining instead
Signs point to a 51% attack with evidence of $500,000 ETC of double spending.
- Ethereum Classic has experienced several deep blockchain reorganisations with about $500,000 of ETC double spent in total
- The Ethereum Classic team has suggested that it may not have been a 51% attack, and has not conceded that there was any double spending
- The preponderance of evidence suggests a distinct series of 51% attacks
Update 9 January: It's confirmed to have been 51% attacks, with the Gate.io exchange announcing losses.
Ethereum Classic (ETC) has been struck with some kind of block reorganisation attack, likely either a 51% or a selfish mining attack. Coinbase seems to have been the first to spot it, picking up unusual activity from 5 January.
The first sign was an unusual reorganisation 4 blocks deep and 7 blocks long. This means the blockchain was "wound back" 4 blocks, and then replaced by 7 new blocks. No double spends were detected with it, but it was enough to put up some red flags. Another reorganisation, 5 blocks deep and 6 blocks long, followed 12 hours later. Both reorganisations were still below the usual transaction confirmation threshold, so were worrying but harmless.
Then, about three hours later, the ETC blockchain experienced a reorganisation 57 blocks deep and 74 blocks long, accompanied by a 600 ETC (about US$3,000) double spend. At this point Coinbase pulled the plug on all its ETC blockchain interactions. There were eight more major blockchain reorganisations over the next couple of days, during which about half a million dollars of ETC was double spent.
News started circulating, but ETC (or at least whoever's running the ETC Twitter account) initially brushed them off. A few hours later they changed course and publicly advised exchanges and mining pools to raise confirmation times on deposits and withdrawals to at least 400 blocks.
In simple terms
An attacker with a lot of Ethereum Classic mining machines seemingly created a secret fork in the Ethereum blockchain. This is just like a fork in the road.
All the normal miners kept following the main road as usual, but the attacker used all their mining power and a few tricks to run down their secret road really fast, so they could overtake the other miners.
Once they were far enough ahead, they jumped out and shouted "surprise" and announced that their secret road was really the main road all along. Because of the way it's programmed, the blockchain has no choice but to agree. That secret road retroactively becomes the real main road.
This kind of thing can be profitable money because an attacker can keep making trades along the main road even as they build their secret road. Because the secret road is their own personal road and they can build it however they want, they can choose not to build those trades into the secret road.
The end result is that when their secret road becomes the real road, those trades they made are suddenly undone and they get back all the money they spent on the main road while still keeping all the goods they purchased along the way.
- This is typically known as a 51% attack because one party typically needs to have at least 51% of the network's total mining power in order to build that secret road fast enough.
- Building a secret road is expensive, and the longer you have to build it the more expensive it is. Blockchain security is dependent on ensuring that building a secret road will always be unprofitable.
- The biggest secret road in this spate of attacks had a depth of 123 and a length of 140. This means the secret road was 140 blocks long, while the main road was only 123 blocks long at the time.
- Confirmation times refer to how long someone waits before finalising a blockchain transaction. The waiting time is done to make sure they are actually on the real road. This means an attacker needs to build a longer road if they want to successfully attack. This is why the first response to a suspected 51% attack is to advise everyone to increase confirmation times when transacting.
Occasionally a blockchain will create various forks in the road naturally. For example if two miners accidentally find the same block at the same time, and then each goes on building their own separate road out of their own identical block. The blockchain is programmed to automatically follow the longest road as the real one to ensure that the majority has a kind of democratic-ish control over the blockchain.
Who's doing this?
The only realistically possible suspect is this chap here. That's a private mining pool, which is basically a bunch of ETC mining machines working together on building the same road.
Here's what that mining pool's hashrate has been doing over the last couple of days. Hashrate is how much mining power a network has, which is basically its road-building power.
And here's what the ETC network as a whole looked like during about the same period of time. You can probably see the correlation.
Now look at the exact numbers. At its peak the private mining pool had a hashrate of about 6,350 HS/s (6.25 TH/s).
And at its peak, the entire ETC network had a hashrate of slightly over 10 TH/s.
No matter how you slice it, that private mining pool managed to achieve more than 51% of the total network hashrate while the reorganisations and double spend attacks were being reported. As such, this incident has all the hallmarks of your everyday 51% attack.
For its part, Ethereum Classic has most recently disagreed with Coinbase's assessment of double spends, and instead suggests that it's a selfish mining spree during tests from mining firm Linzhi, which has recently made some high-powered Ethash mining machines capable of building an ETC blockchain road much faster than anything else on the market.
Selfish mining is essentially a kind of lesser and still largely theoretical form of attack, first theorised in 2013. It's kind of like a poor man's 51% attack.
A 51% attack is all about building a very long road to replace the real one, while a selfish mining attack is more about creating many smaller forks in the road, some of which will statistically be able to become the real ones on a short enough timeframe.
Most of the fake roads will be puny things that immediately get laughed right out of the blockchain, but a few of them can statistically hold their own over short sprints. For each of these little forks that does manage to succeed in the short run, the mining rewards are essentially diverted towards the "selfish" miners who worked on those fake roads, at the expense of the miners working on the real roads.
For a selfish mining attacker it's all about knowing when to hold or fold each of those secret roads to maximise the mining revenue stolen from the main chain.
In general this strategy will net an attacker less mining revenue than they would get if they just mined as normal. The first reason someone might do it anyway is because it takes profits from the competition and so might be strategically useful in specific situations. The second reason is because when this strategy is correctly executed by someone with at least 25% of a network's hash power it becomes more statistically profitable for other miners to actually join forces with the selfish miners than just stick with the main chain.
As this starts happening, it becomes increasingly profitable for the remnant to join the selfish miners and they eventually build up majority control. So, if you assume that miners are 100% motivated by profit and that there are no other factors in play, the hashrate decentralisation threshold for blockchain security is actually more like 25% than 50%.
Is this selfish mining or a 51% attack?
The most pertinent factor is that no matter how you slice it a single mining pool has successfully managed to achieve 51% control over the Ethereum Classic network. Regardless of whether this was a 51% attack or a selfish mining spree, Ethereum Classic is vulnerable to attack and highly centralised.
Also, the main point of selfish mining as theorised is to eventually achieve majority control over the network and presumably use that control to then initiate a 51% attack. It would be pretty weird for someone with majority hashrate to launch a selfish mining attack rather than a 51% attack.
The remaining theory then might be that this was a non-hostile test rather than an attack on the network. There are (at least) two strange things about that idea:
- Reorganising someone else's network without permission is pretty darn hostile and quite detrimental to that network, as evidenced by ETC's plunging prices in the wake of these attacks. If someone's doing that, they clearly don't really care about the wellbeing of the network and so might as well just launch a double spend attack.
- Coinbase has discovered some fairly clear evidence of double spending, contrary to what the Ethereum Classic team is asserting.
What a double spend looks like
The proof is on the blockchain. The reorganisations are clear and the largest individual double spend of 24,500 ETC, for example, can be seen here and here. What you're basically looking at there is the same block on each fork of the road.
The first one is the original block but now shows as an "orphan", meaning it's been invalidated. It's full of transactions as one would expect from an organic and real block. The second one is its counterpart, the secretly-mined block. And that second one only contains a single transaction – that 24,500 ETC.
It's identifiable as the same transaction because it comes from the same address in both blocks.
You can see the exact transactions below. The top one is from the original block that was later over-written by the reveal of the secret road, while the bottom one shows the same lone 24,500 ETC taking place on the secretly-mined block.
What you're looking at is literally the same money being spent twice, hence the name "double spend".
If all this is correct, then what can be said beyond any reasonable doubt is that ETC was for brief periods taken over by a single entity with majority hashrate control, and that this entity used that majority hashrate control to double spend funds.
The main question to answer now might be who the victim was. The victim, if there was one, is whoever accepted all those ETC payments which were later invalidated. As far as they're concerned, the ETC payments they accepted would simply have vanished.
It's still possible, but unlikely, that it was a non-malicious set of double spend tests rather than a targeted attack. Either way, it's bad news for Ethereum Classic.
Its prices have responded by dropping only 8% in the last 24 hours, which is a lot less than one would expect from a network that was basically just proven to be vulnerable and centralised.
That's par for course though. This isn't the first apparent 51% attack and won't be the last, and one thing all have had in common is that their price impacts have tended to be limited.