ZenCash hit with 51% doublespend attack, $600,000 stolen
Another one bites the dust.
The age of 51% attacks is now well and truly in full swing. ZenCash has become the latest victim, succumbing to an attacker who managed to double spend 19,900 ZEN worth almost US$600,000, according to the ZenCash statement on the incident.
The attack took place on 2 June at about 2:45am UTC. The team was first alerted to it by a mining pool operator and quickly took steps to resist the attack by increasing the number of confirmations required for a successful transaction. This might have cut the attack short.
How a 51% attack works
A 51% attack is when an attacker manages to control more than 50% of the hash power in a proof-of-work blockchain. This gives them majority control of the blockchain, allowing for exploits such as double spending: spending the same funds twice by selling them, then re-organising the blockchain to pull the funds back to one's own wallet. The victim is usually an exchange, or someone else who agreed to purchase the coins, only to have them disappear from their wallet.
In this case, it was an exchange.
Increasing the number of confirmations helps resist attacks. A successful attack depends on consistently maintaining control of the network (which is very expensive), so requiring more confirmations will slow transactions, but increase the attacker's required expenditure.
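The sketch below is an added example, not part of the original article or the ZenCash statement. It shows why confirmation depth protects an exchange differently on either side of the 50% line: the success probability uses Rosenfeld's closed form for a minority attacker, while the cost floor is a simplified model whose `cost_per_block` input and dollar figures are constructed assumptions.

```python
from math import ceil, comb


def double_spend_success(q: float, z: int) -> float:
    """Chance that an attacker holding hash-power share q eventually replaces
    a payment buried under z confirmations (Rosenfeld's closed form)."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("need 0 <= q <= 1 and z >= 0")
    p = 1.0 - q
    if q >= p or z == 0:
        # Majority attacker (or unconfirmed payment): depth gives no
        # probabilistic protection, only a higher bill.
        return 1.0
    honest_wins = sum(
        comb(m + z - 1, m) * (p**z * q**m - p**m * q**z) for m in range(z + 1)
    )
    return 1.0 - honest_wins


def attack_cost_floor(z: int, cost_per_block: float) -> float:
    """Lower bound on attacker spend: reversing z confirmations means
    out-mining at least z + 1 blocks. Ignores block rewards the attacker keeps."""
    return (z + 1) * cost_per_block


def min_confirmations(deposit_value: float, cost_per_block: float,
                      margin: float = 2.0) -> int:
    """Smallest depth at which the cost floor reaches margin * deposit_value."""
    if cost_per_block <= 0 or deposit_value < 0:
        raise ValueError("cost_per_block must be > 0, deposit_value >= 0")
    return max(1, ceil(margin * deposit_value / cost_per_block) - 1)


if __name__ == "__main__":
    for q in (0.10, 0.30, 0.45, 0.51):
        row = ", ".join(f"z={z}: {double_spend_success(q, z):.4f}" for z in (1, 6, 30))
        print(f"q={q:.2f}  {row}")
    # Constructed figures: 3,000 USD to out-mine one block, 600,000 USD deposit.
    print(min_confirmations(600_000, 3_000, margin=1.0))
```

Below 50% the probability falls quickly with depth; at 51% it stays at 1.0 for every depth, so the only lever left is scaling required confirmations with the value of the deposit.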
It's not known who was behind this attack, but it could be almost anyone. ZenCash also runs on the Equihash algorithm, just like Bitcoin Gold, which was recently struck with a massive $18 million double-spend attack that similarly targeted exchanges, so it might be the same crew using a private supply of Equihash miners to carry out the attack.
ZenCash also made a recent appearance on a list of coins that are highly vulnerable to 51% attacks, which might have made it more of a target.
The ZenCash statement speculates that the attackers used their own Equihash miners, backed up with rented hash power, but they wouldn't necessarily have needed to. At the time of the attack, the ZenCash hash rate was estimated to be 58MH/s, so an attacker would have been able to just rent the power they needed.
Bitcoin Gold (again), Bitcoin Private and ZClassic currently have even less hash power than ZenCash, so they could clearly get hit at any time. Exchanges are probably going to start being very cautious when dealing with large transactions of those coins. Luckily for the attackers, ZenCash prices haven't seemed to respond to the 51% attack in any way.
Vulnerable coins can temporarily stave off future attacks by forking to change the mining algorithm, but this bandaid only lasts a few months, ties up valuable developer time and delays progress elsewhere.
Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VEN, XLM, BTC and XRB.