With energy prices rising, switch to a cheaper plan
Compare Prices Now

Vertcoin cryptocurrency hit with 51% attack again, but this time the attacker lost money

Posted: 3 December 2019 2:33 pm


Vertcoin has experienced another 51% attack, almost 12 months to the day after the last one.

Vertcoin has been struck by a 51% attack, again, almost a year to the day after its last large 51% attack.

A 51% attack is one of the few techniques for "hacking" a blockchain.

How a 51% attack works

Essentially, an attacker secretly forks a blockchain and then starts mining their own secret chain. If they have enough mining power (typically at least 51% of the total, hence the name "51% attack"), their secret chain is actually able to overtake the real one becoming longer than the "real" blockchain.

When the time is right, the attacker can reveal their secret chain. And because it's longer than the old-real blockchain, it automatically becomes the new-real one. The reason it automagically becomes the real blockchain is because mini-forks are a natural feature of blockchains, so there always needs to be a way for miners to reach agreement, independently of each other, on which prong of a fork is the real one. The go-to rule for agreeing on this is that the fork with the most accumulated proof of work (which will typically be the longest) is the real one.

In this way, transactions made on the "real" blockchain between the time the attacker started secretly mining their own chain and when they revealed it can be undone.

One reason to launch a 51% attack is because it lets the attacker get all the block rewards from the blocks they've secretly mined instead of having to fight other miners for it. But this alone will typically not be worthwhile because if you can mine fast enough to launch a 51% attack, you can make a solid profit from mining normally, without the risk of devaluing the cryptocurrency you're mining by attacking it.

That's why the big money in a 51% attack usually comes from using it as a springboard for double-spend attacks.

How a double-spend attack works

A double-spend attack, as the name suggests, lets you spend money twice.

When used in conjunction with a 51% attack, someone can sell the 51% vulnerable cryptocurrency and then reveal their secret chain to undo that transaction. But because they only undo the transaction on the vulnerable blockchain, they end up getting their original cryptocurrency back, while keeping the money they sold it for.

As far as the buyer is concerned, the cryptocurrency they purchased simply disappears like leprechaun gold.

The new Vertcoin 51% attack

In this most recent Vertcoin 51% attack, the attacker spent about 24 hours mining their secret chain, using mining power rented from a site called NiceHash.

The reason they spent a full day doing this is probably because Bittrex, one of the few remaining Vertcoin exchanges, requires Vertcoin deposits to sit for a full day before they can be spent. This requirement is imposed specifically to prevent this kind of attack. By requiring longer waiting times on deposits of 51%-vulnerable cryptocurrencies, the potential attacker has to spend more time and money mining their secret chain.

So, by requiring longer waiting times before deposits can be spent, with longer waiting times for larger deposits, you can be more certain that the depositor isn't planning to just sell their coins then reveal a secret side-chain to yank their money back.

That full-day requirement should have been a perfectly good assumption in this case. Here, it's believed that the total cost of the attacker's rental mining power over the day was somewhere between US$3,700 to $7,300.

In the process, they pocketed about $3,230 equivalent of cryptocurrency in mining rewards, and when they revealed their secret chain they used the opportunity to reverse $29 of transactions with an unknown party.

It wasn't a profitable attack, so the attacker's motives remain unknown.

One theory is that it was an experiment or a proof of concept. Another is that it's a kind of anniversary present for Vertcoin, coming almost exactly a year to the day after Vertcoin's last 51% attack.

But in the absence of any evidence, one theory is as good as any other, so you might as well just make up a fun one. Maybe it was a jilted online shopper who decided to double spend on a merchant rather than just leave a poor review?

We may never know for sure, but we do know for sure that Vertcoin is still vulnerable to 51% attacks.

Also watch

Disclosure: The author holds BNB and BTC at the time of writing.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

Latest cryptocurrency news

Picture: Shutterstock

Get into cryptocurrency

Ask an Expert

You are about to post a question on finder.com.au:

  • Do not enter personal information (eg. surname, phone number, bank details) as your question will be made public
  • finder.com.au is a financial comparison and information service, not a bank or product provider
  • We cannot provide you with personal advice or recommendations
  • Your answer might already be waiting – check previous questions below to see if yours has already been asked

Finder only provides general advice and factual information, so consider your own circumstances, or seek advice before you decide to act on our content. By submitting a question, you're accepting our Terms of Use, Disclaimer & Privacy Policy and Privacy & Cookies Policy.
Go to site