The cryptoverse just saw another example of a so-called 51% double spending attack, and it might not be the last one.
This time, Vertcoin, a peer-to-peer cryptocurrency currently ranked 187th by market capitalization, has suffered four distinct 51% attacks that resulted in the malicious actor double-spending an estimated USD 100,000. According to a blog post by the company, the developers are close to implementing a fork to mitigate the damage.
The incidents started in October, with the first lasting from the 12th until the 18th of October. The last one started on 29th November and was supposedly ongoing at the time of the report on December 2nd.
Price chart of Vertcoin:
“I am not aware of the victim or culprit, but several members of the Vertcoin community and developers are keeping a close eye on the network and I would advise everyone to do the same thing,” wrote one of the Vertcoin developers in a Medium post addressing the issue, adding, “Different members of the team and community have approached exchanges with the request to increase deposit confirmations and the developers have been working on two bespoke algorithms.”
One of the two algorithm changes – and what the team considers the more important one – is implementing stricter resistance to application-specific integrated circuit (ASIC) chips, which can mine more efficiently than GPUs (graphics processing units) and CPUs (central processing units).
The Vertcoin team argues that the use of ASICs centralizes the hashpower or floods the rental market with cheap hashrate, meaning that anyone who can afford to rent hashpower (or computing power) can perhaps stage a 51% attack on the network.
The team’s official response concludes, “Finally, I want to say that Vertcoin is here to stay. We will NOT compromise on decentralization by implementing centralized controls and we will not give up on fighting ASICS. We ambitiously aim to become the dominant mining algorithm for GPUs in the future.”
According to Crypto51.app, a website that calculates how much a 51% attack might cost, one hour of such an attack on Vertcoin costs USD 181.
Expect to see more
51% attacks occurred in Bitcoin Gold, Verge, and Monacoin earlier this year.
"This is merely another incident that shows that threat actors exist that are both resourced and sophisticated enough to execute this kind of attack," Mark Nesbitt, security engineer at Coinbase, wrote in a Medium post.
According to him, exchanges make an ideal target for this sort of attack.
"This is because exchanges allow deposits to be quickly traded into different assets and then withdrawn. An attacker can make a soon-to-be-reversed deposit, trade for another asset, move the new asset off platform, and then reverse the original deposit," Nesbitt explained.
He concludes that as long as exchanges are willing to provide customers with assets in response to the deposit of a reversible currency, there’s no reason for attackers to stop this behavior.
"Expect to see more of these attacks," the security engineer said.
How it works
A malicious miner with enough computing power can mine enough blocks in private, without telling anyone else, that their chain becomes the legitimate one. This is called selfish mining. When other miners find this longer, “selfish” chain, they will discard the “honest” one that they’ve been working on, thus also discarding any transactions in those blocks, and start working on the new one. This is called a chain reorganization, or “reorg.” All reorgs have a “depth,” which is the number of blocks that were replaced, and a “length,” which is the number of new blocks that did the replacing.
The discarded chain now contains transactions that are no longer valid, even though the funds potentially already went through – and including the same transaction in the new, longer chain means that the same funds are being spent again. This is called a double spending attack.
In the case of Vertcoin, one of the reorgs went quite deep – with a depth of 307 blocks and a length of 310 blocks. The total number of reorgs, spanning these four incidents, was 22, and 15 of those included double spending. The total value of the double spends was over USD 100,000.
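To make the terms concrete, the following added example (not from the article or the Vertcoin project) shows how a node operator or exchange could measure a reorg's depth and length and flag double spends by comparing the previous best chain with the new one. The `Tx`/`Block` model, the function names and the sample chains are simplified assumptions constructed for illustration.

```python
from collections import namedtuple

# Constructed, simplified model: a block has a hash, its parent's hash, and transactions.
Tx = namedtuple("Tx", "txid inputs")          # inputs: outpoints ("txid:index") being spent
Block = namedtuple("Block", "hash prev txs")

def analyze_reorg(old_chain, new_chain):
    """Compare the old best chain with the new one (both ordered oldest to newest)."""
    # Walk the shared prefix to find the fork point.
    fork = 0
    while (fork < min(len(old_chain), len(new_chain))
           and old_chain[fork].hash == new_chain[fork].hash):
        fork += 1
    discarded, replacement = old_chain[fork:], new_chain[fork:]

    # Map each outpoint spent on the replacement branch to the spending txid.
    spent_new = {i: tx.txid for b in replacement for tx in b.txs for i in tx.inputs}
    kept = {tx.txid for b in replacement for tx in b.txs}

    double_spends = []
    for b in discarded:
        for tx in b.txs:
            if tx.txid in kept:
                continue  # same transaction re-mined on the new branch: harmless
            for i in tx.inputs:
                if i in spent_new:  # same funds, different transaction
                    double_spends.append((i, tx.txid, spent_new[i]))
    return {"depth": len(discarded), "length": len(replacement),
            "double_spends": double_spends}

def make_chain(parent, spec):
    """Build constructed blocks from (hash, [Tx, ...]) pairs."""
    chain = []
    for h, txs in spec:
        chain.append(Block(h, parent, txs))
        parent = h
    return chain

# Constructed sample: shared block g, then a 2-block honest branch replaced by 3 blocks.
COMMON = make_chain(None, [("g", [])])
HONEST = COMMON + make_chain("g", [
    ("a1", [Tx("deposit", ("utxo1:0",)), Tx("other", ("utxo2:0",))]),
    ("a2", [])])
ATTACK = COMMON + make_chain("g", [
    ("b1", [Tx("to_self", ("utxo1:0",))]),
    ("b2", [Tx("other", ("utxo2:0",))]),
    ("b3", [])])

print(analyze_reorg(HONEST, ATTACK))
```

In the sample, the transaction `other` reappears on the new branch and is ignored, while `deposit` is reported because its input is spent there by a different transaction.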
51% attack cost