The AurumCoin cryptocurrency says it was hit with a 51% attack
Who's responsible for 51% attacks? It's another incident with no answers.
AurumCoin says it's been hit with a 51% attack, which resulted in the loss of AUD$15,752.26. It currently seems to be in the process of finger-pointing – a process that sometimes follows these developments.
"We do not 'blame' Cryptopia, but coins were stolen from their wallet. That is a fact," it said on Twitter. It's also disavowing responsibility elsewhere by saying, "Cryptopia exchange was hacked... Aurum coin network is not the responsibility of anyone, same as Bitcoin network, it is open source distributed cryptocurrency. What's worse is that Cryptopia exchange do not admit it. This is not the way to solve this problem."
So, AUD$15,752.26 is missing, and it didn't just grow legs and walk away. Whose fault is this? Where the blame lies in 51% attacks is an interesting question that doesn't really have any clear answers yet.
Opinion: It's the fault of xyz
A 51% attack is when someone takes control of the majority of a blockchain network's hashing power. This can then be used to steal money.
Basically, the miner with all that hashing power can fork a coin's blockchain and secretly mine it alongside the real chain. When the time is right, they can reveal this secondary chain and use it to replace the real chain.
The fork basically serves as a point in time that the attacker can return to later, functionally rewinding time to that point, and then fast forwarding it along their own newly revealed chain.
To use this in an attack, someone might create that point-in-time fork, then sell a bunch of coins on the original chain and pocket the profits in fiat currency or a different cryptocurrency. Then they rewind time back to the fork, and re-run it along their own chain on the timeline where they never sold the coins.
Now they have both the profits from selling the coins as well as the coins they sold. The victim is whoever bought the coins before the attack went back in time. As far as this person is concerned, the coins they purchased have simply disappeared.
You can probably see why this is something of a legal grey area.
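The rewind described above is visible to anyone who recorded which block confirmed a deposit. The following toy model is an added example, not code from AurumCoin or Cryptopia: it applies the longest-chain rule to two constructed forks and shows the check an exchange can run to find credited deposits whose confirming block has left the active chain. All block contents, transaction ids and function names are made up for illustration.

```python
import hashlib

def block(prev_hash, txids):
    """Toy block: the hash commits to the parent hash and the transactions."""
    digest = hashlib.sha256((prev_hash + "|" + ",".join(txids)).encode()).hexdigest()
    return {"hash": digest, "prev": prev_hash, "txids": list(txids)}

def extend(chain, tx_lists):
    """Return a copy of `chain` with one new block per transaction list."""
    chain = list(chain)
    for txids in tx_lists:
        chain.append(block(chain[-1]["hash"], txids))
    return chain

def best_chain(current, candidate):
    """Longest-chain rule (equal difficulty assumed): switch only if longer."""
    return candidate if len(candidate) > len(current) else current

def reorg_depth(old, new):
    """How many blocks of `old` are discarded when a node switches to `new`."""
    common = 0
    for a, b in zip(old, new):
        if a["hash"] != b["hash"]:
            break
        common += 1
    return len(old) - common

def orphaned_deposits(credited, chain):
    """Credited deposits whose confirming block is no longer on `chain`."""
    on_chain = {b["hash"] for b in chain}
    return [d["txid"] for d in credited if d["block_hash"] not in on_chain]

def scenario():
    """Constructed data: a deposit is credited, then a longer fork replaces its block."""
    shared = extend([block("0" * 64, ["cb-0"])], [["cb-1"], ["cb-2"]])
    public = extend(shared, [["cb-3", "deposit-tx"], ["cb-4"], ["cb-5"]])
    hidden = extend(shared, [["cb-3b"], ["cb-4b"], ["cb-5b"], ["cb-6b"]])
    credited = [{"txid": "deposit-tx", "block_hash": public[3]["hash"]}]
    before = orphaned_deposits(credited, public)      # deposit still confirmed
    active = best_chain(public, hidden)               # node adopts the longer fork
    after = orphaned_deposits(credited, active)       # deposit's block is gone
    return before, after, reorg_depth(public, active)

if __name__ == "__main__":
    print(scenario())
```

A deep reorg combined with a non-empty orphaned list is the signal to freeze withdrawals for the affected account before the proceeds leave the exchange.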
The blame potentially lies with three different parties:
- The 51% attacker. This entity is naturally most responsible, but no one knows who they are and there's probably a near 0% chance of identifying them or recovering the funds from them.
- AurumCoin. There's an argument that the coin should have been aware of its vulnerabilities and should have taken steps to protect itself or warn people.
- Cryptopia. There's an argument that the exchange should have been aware of AurumCoin's vulnerabilities and taken steps to protect itself.
The argument against AurumCoin
AurumCoin is a project that wants to return the world to a gold standard. It aims to do this with a cryptocurrency whose price is pegged to gold prices. The main difference between AurumCoin and the many other gold-backed cryptocurrency projects out there is that AurumCoin apparently isn't actually backed by anything. Rather, it just says it intends to be backed with gold in the future.
Blame-wise, it's worth noting that AurumCoin's assertion that "Cryptopia exchange was hacked" is factually inaccurate. Assuming this is a 51% attack, then the AurumCoin blockchain is the thing that got hacked. From this angle, Cryptopia is the victim and AurumCoin is the one that let an attacker in.
Second, this coin is using the SHA-256 mining algorithm, which means it's an extremely easy target for 51% attacks. AurumCoin's hashrate is an average of about 80 PH/s, which would have made it extremely easy to overwhelm. Specifically, you can rent almost 500 PH/s of SHA-256 mining power on NiceHash, for about US$9.13 per PH/s per hour. So using rented hashing power alone, someone could have attacked the coin for a mere US$375 per hour. AurumCoin is extremely vulnerable to 51% attacks.
Third, AurumCoin's argument that it can't be the responsibility of anyone because it's an open-source distributed cryptocurrency doesn't hold water. Using open-source code doesn't magically absolve one of all responsibilities for anything bad. If there is a concentrated and identifiable company or group behind AurumCoin that is profiting from it, then that group might be reasonably held responsible for the coin.
AurumCoin's trade volume has been consistently low for most of its life. That someone is apparently willing to buy $15,000 is unusual. At the same time, the AurumCoin block explorer shows a profound lack of interest in anyone actually transacting with the coin. The action appears to be almost entirely from miners pulling in block rewards in the form of a coin with few buyers.
So, if you control a large chunk of AurumCoin's hashrate and want to make some real money instead of just continuing to mine a coin no one wants, what do you do?
You might try selling a bunch of AurumCoin to yourself, launch a 51% attack to reverse your own purchase, then try to make enough noise that someone refunds the money you stole from yourself.
This is just a hypothetical version of events. You'll have to make up your own mind about what actually happened.
The argument against Cryptopia
Cryptopia is one of New Zealand's largest cryptocurrency exchanges, and it's attracted a good deal of attention globally in part due to its extremely wide range of coins. It has a unique value proposition through the combination of its generally good reputation as a professional exchange, coupled with its willingness to list projects like AurumCoin that many other exchanges wouldn't. As Cryptopia CEO Alan Booth has said, the exchange aims to create opportunities for everyone.
But this strategy might come with some risk, and there are good reasons why many exchanges won't list things like AurumCoin. One might argue that the combination of AurumCoin's hashrate and mining algorithm should have tripped some red flags and seen the coin delisted. Of course, Cryptopia de-lists a lot of coins as a natural consequence of listing so many. AurumCoin might simply have slipped the net.
But while AurumCoin might be largely centralised, Cryptopia is a business and cybersecurity is one of its responsibilities. The chance of a 51% attack is one of many new hazards to be aware of, and one might argue that one part of listing a coin is understanding the security measures which need to be put in place for that listing.
But hashrate, 51% attack vulnerability, the amount of rentable mining power and other variables are all changing constantly. A coin that was secure when first listed might not be so solid a month or year later, and at a certain point, it's not realistic to expend all the resources needed to be sure of every single listing.
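The hashrate figures quoted earlier and the listing question raised here can be turned into a check an exchange re-runs as those variables change. This added example (not Cryptopia's or AurumCoin's code) uses the catch-up probability from section 11 of the Bitcoin whitepaper to ask how many confirmations a deposit would need. It assumes an attacker rents all available power and adds it on top of the existing network; the 4500 PH/s comparison network is constructed.

```python
import math

def attacker_share(network_phs, rentable_phs):
    """Share of total hashrate held by someone who rents all available power
    and adds it on top of the existing network (assumption of this example)."""
    return rentable_phs / (network_phs + rentable_phs)

def reversal_probability(q, z):
    """Bitcoin whitepaper, section 11: chance that an attacker with hashrate
    share q ever overtakes a transaction buried under z confirmations."""
    p = 1.0 - q
    if q >= p:
        return 1.0                      # a majority attacker always catches up
    lam = z * q / p
    poisson = math.exp(-lam)            # Poisson term for k = 0
    total = 0.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k          # update iteratively to avoid overflow
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total

def confirmations_needed(q, max_risk=0.001, limit=500):
    """Smallest depth with reversal risk below max_risk, or None if no depth
    up to `limit` achieves it (always the case when q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if reversal_probability(q, z) < max_risk:
            return z
    return None

def listing_check(network_phs, rentable_phs):
    """Summarise the deposit risk for one listed coin."""
    q = attacker_share(network_phs, rentable_phs)
    return {"attacker_share": round(q, 3), "confirmations": confirmations_needed(q)}

if __name__ == "__main__":
    print(listing_check(80, 500))     # the article's AurumCoin and NiceHash figures
    print(listing_check(4500, 500))   # constructed comparison: a much larger network
```

With the article's figures the function returns no safe depth at all: once rentable power exceeds the network's own hashrate, waiting for more confirmations does not reduce the risk, so the remaining controls are on the listing itself.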
There's an argument that a coin itself should reasonably be responsible for its own security, but there's also an argument that exchanges are responsible for ensuring the security of coins they list. These two sides of the argument have been raised in the wake of many other 51% attacks – and there have been a lot.
But by extension, one might suggest that the buyers of cryptocurrencies like AurumCoin should be taking similar precautions, and should avoid buying coins which can be easily snagged away by a 51% attack. Should an exchange be responsible for protecting users from poor purchasing decisions?
And the winner of the blame game is...
No one. Everyone loses here.
But the moral victory might go to everyone except AurumCoin itself because its announcements on the topic are a little... unhinged.
It's also going out of its way to avoid even mentioning the issues of hashrate or the issues which actually made it vulnerable to this kind of attack. It has also insistently and repeatedly said "Cryptopia exchange was hacked."
To be crystal clear, that is absolutely not correct. Cryptopia was not hacked. AurumCoin itself was hacked.
There might be no solution here, except to note that touching something like AurumCoin comes with a risk of getting burned. This is exactly why it's so important to know what exactly you're buying and whether it's at risk of a 51% attack.
Past performance is no guarantee of future returns, and cryptocurrency purchases come with a chance of total loss – especially if you're buying a SHA-256 coin with a hashrate under 100 PH/s.
Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and ADA.