Proof-of-work cryptocurrencies solve the Byzantine General's Problem and allow for the coordination of a decentralized network of nodes, where some of those nodes may be bad actors. This does, however, creates an attack surface for proof-of-work cryptocurrencies, known as a 51% attack.

In a 51% attack, an attacker accumulates the majority of a cryptocurrency's hashrate. This is typically used to reverse transactions they've made on the network, and double-spend coins.

Exchanges typically bear the cost of these attacks because they are the easiest way for attackers to profit from forking a chain.

If an attacker is targeting Ethereum Classic, he can deposit Ethereum Classic to an exchange, convert it to another cryptocurrency, and quickly withdraw it. Because the attacker has a majority of the network's hashpower, he can mine a competing chain that doesn't include the deposit transactions. Once the competing chain grows longer than the original chain, he can force the network to accept this corrupted chain as valid—cancelling his original deposit(s) to the exchange.

While currencies with the high hashpower such as Bitcoin and Ethereum have never been successfully 51% attacked, many coins with smaller market capitalizations can't count on this advantage to fend off attackers. Over the last year, the rise of cloud mining and the ability to temporarily lease hashpower has led to a spate of increasingly successful 51% attacks.

In this article, we'll walk you through a brief history of some of the most significant 51% attacks in crypto history.

Coiledcoin - January 6, 2012

Coiledcoin was a short-lived clone of Bitcoin that supported merged mining and the opcode OP_Eval. The client was released on January 5, 2012. A day later, Bitcoin developer Luke Dash Jr. posted to the Bitcoin Talk forum:

Coiledcoin permitted merged mining, which means that miners hashing Bitcoin's Sha-256 algorithm could simultaneously mine Coiledcoin, making the coin much easier to 51% attack.

At the time, Luke Dash Jr. ran the Eligius mining pool, which led some in the community to accuse him of using contributed hashpower to attack CoiledCoin—a claim he denies. Luke Jr.'s main rationale for attacking CoiledCoin was that he believed it was a scam and a pyramid scheme that would “discredit and harm Bitcoin's reputation.”

Luke-Jr shouldn't have killed off CoiledCoin, and CoiledCoin was incompetent for creating a merge-mined sidechain. https://t.co/TfMFTt5CG0 — Peter Todd (@peterktodd) July 24, 2016

The CoiledCoin attack is interesting as it didn't appear to be economically motivated, but purely political. While the move drew some outcry from the community, it showed how vulnerable smaller SHA-256 proof-of-work currencies with low hash power were to attack.

Feathercoin - June 8, 2013

Feathercoin, a Scrypt-based coin modeled around Litecoin, launched on April 16, 2013. Feathercoin was very similar to Litecoin, with two differences. The first was that the total supply of Feathercoin was increased to 336 million, from Litecoin's 84 million. Feathercoin also adjusted it's difficulty level for mining more frequently than Litecoin.

Seven weeks later, on June 8, Feathercoin was hit by a 51% attack. Prior to the attack, Feathercoin was operating at a network hashrate of .2 GH/s, which increased over 7x to 1.5 GH/s during the attack. After 31 hours, one analysis shows that the attacker made off with 580k Feathercoin—worth $63,800 at the time—most likely by double-spending coins on an exchange.

While it's unclear where the attacker double-spent the coins, several Bitcoin Talk users noted at the time that exchanges were slow to suspend trading, and that the now defunct BTC-E exchange processed several large orders following the attack.

Interestingly, the price of Feathercoin was not immediately affected by the successful attack, and it would continue to rise in the following months. At the time of the attack, one Feathercoin was worth $.11. By the end of the year, the currency spiked to an all-time high of $1.29.

Peter Bushnell, the creator of the coin, commented that this hashpower could have been redirected from any Litecoin mining pool, or pools for any other Scrypt-based currencies. Using the same hashing algorithm as a more popular coin created a vulnerability to 51% attacks, which would be magnified in the coming years with the rise of cloud mining.

Krypton - August 26, 2016

Krypton was an Ethereum clone with the exact same features—smart contracts, scripting, and more. Krypton claimed to offer lower fees than Ethereum, which basically meant that because Krypton was less valuable than Ethereum, the price of computing power denominated in Krypton was lower.

Like many altcoins with low hashpower, Krypton was extremely vulnerable to 51% attack, which subsequently was taken advantage of on August 26, 2016. The attackers launched an attack with over 51%, which was combined with a DDOS attack on the network. They made off with a total haul of 21,465 KR from Bittrex by double-spending transactions, worth around $3,434. The attack was likely part of a larger effort to exploit vulnerabilities in Ethereum-based coins, including Shift and Expanse.

The attackers sent a ransom note for the stolen funds to the Krypton team:

“We have a chain going on Krypton that we can fork at anytime. It is 7000-8000 blocks because Bittrex wallet was down 2 days ago. While we do want to make bitcoin our intention is not to wreck a project.



We have sold our remaining 20,000 kr today and will give be you the opportunity to end us messing with you if you want. We aren’t asking for anything more than would cover our cost. 7 BTC and we will close our fork. That is the price of the 20,000 kr plus the 8000 blocks and mining cost.



If you agree let us know and we will never mess with you again. If not we will fork the 8000 blocks.”

Krypton refused to pay the ransom, and, following the attack, Krypton founder Stephanie Kent announced that the currency was transitioning to a proof-of-stake consensus model to deter future attack. That move appears to have been unsuccessful: The project was abandoned a few months later.

Verge - April 4, 2018 & May 22, 2018

Verge has the dubious honor of being the only coin on our list to suffer not one but two successful 51% attacks. Verge was designed as a “secure and anonymous” privacy coin. It began as a fork of Dogecoin, and its claim to privacy stems from the fact that it routes transactions over Tor, as well as the “wraith protocol” which basically means that you can use subaddresses with Verge. These features actually did very little to protect user privacy, but the currency nevertheless spiked in December 2017, with a market cap north of $3 billion.

The first attack occurred on April 4, 2018. Verge employed an algorithm called “Dark Gravity Wave” to adjust the difficulty level on the network, using the average block-confirmation time over a 30-minute window. The Verge attack was pretty sophisticated, in that the attacker spoofed time stamps on the chain to lower the difficulty level of Verge and successfully attacked it with far less than 51% of the network hashpower. Before the attack, Verge's difficulty was around 139093, and it dropped down to a low of .00024414 during the attack.

In response to the attack, the Verge team updated the protocol but accidentally initiated a hard fork on the network that then had to be rolled back.

The team's efforts to fix the protocol didn't amount to much, because on May 22, the same exploit was used to attack Verge, for a much larger sum of 35 million Verge, or $1.7 million.

As Abacus Solutions founder Daniel Goldman points out in a write-up of the attack,

“In both cases, this hack presents a strong argument for tending towards sticking to things proven to work and to be wary of overcomplicating things and thereby introducing unnecessary risks when people’s financial assets are involved.”

The Verge attack can be attributed to the complexity of the protocol, which perhaps needlessly reinvented the wheel by allowing miners to use five different hashing algorithms and deploying features with names like “Dark Gravity Well.”

Bitcoin Gold - May 16, 2018

Bitcoin Gold is a hard fork of Bitcoin that aims to foster decentralization through ASIC-resistance.

Upon launch, Bitcoin Gold used the Equihash mining algorithm, which is also used in ZCash. Equihash is a memory intensive algorithm, which Bitcoin Gold selected to promote GPU mining on the network. Unfortunately, as we've seen in previous 51% attacks, it also made Bitcoin Gold particularly susceptible to 51% attack. Rather than purchasing their own hardware, an attacker could simply rent GPUs from a hashrate marketplace for the duration of the attack.

On May 16th, an attacker launched the first attack on the network, with the last attack occurring three days later, on May 19th. These attacks were used to double-spend Bitcoin Gold on exchanges, making out with around 12,239 BTG, which was valued at around $18 million at the time.

The address of the suspected attacker on Bitcoin Gold, showing 12,239 BTG worth around $18 million at the time. Source: Bitcoinist

Upon detecting the first attack, the Bitcoin Gold development team advised exchanges to require 25 confirmations or more to secure transactions. Two days letter, the team increased this recommendation to 50 confirmations.

In response to the attack, the Bitcoin Gold team eventually hard forked the currency to support ZHash a hardened version of Equihash intended to be even more ASIC-resistant. But this doesn't solve Bitcoin Gold's underlying problem. Because ZHash is mined by general-purpose GPUs which can be leased on a hashrate marketplace, and Bitcoin Gold has a low network hashrate of 2.85 MH/s, it seems only a matter of time before the currency is attacked again.

Ethereum Classic - January 5, 2019

Ethereum Classic is a hard fork of the Ethereum Protocol, which occurred following the DAO hack of 2016. Ethereum Classic is a decentralized computing platform with an emphasis on immutability.

The 51% attack on Ethereum Classic began on January 5, 2019, and over the next two days lead to fifteen block reorganizations, with the attackers making off with a total of 219,500 ETC, or around $1.1 million. According to Crypto51, the cost of the attack would have been around $5,473 per hour. Following the attack, Gate.io announced that it was one of the exchanges that had been compromised, losing 40,000 ETC.

Like Ethereum, Ethereum Classic uses the Ethash mining algorithm, which rendered it particularly vulnerable. At the time of the attack, the network hashrate of Ethereum was around 183 TH/s, or nearly 25 times higher than the Ethereum Classic's 8.75 TH/s hash rate. This meant that an attacker could easily lease hashpower from a cloud mining provider and attack Ethereum Classic without having to invest in any actual hardware.

Following the attack, ETC Dev member Donald McIntyre commented:

[The successful 51% attack on ETC] is a significant setback, but I think ETC still has a unique positioning as a PoW + Turing-complete network with an active community, with sound principles. The question is whether a recovery in the medium or long term is plausible or if the network, unless it grows significantly, is perpetually vulnerable, therefore unusable.

Months later, Ethereum Classic remains vulnerable to attack. Currently Ethereum Classic still uses Ethereum's Ethash algorithm, and its network hashrate is 9.6 TH/s—only a little bit higher than it was at the time of the attack.

51% attack is a feature, not a bug, of crypto

51% attacks are a form of “survival of the fittest” for the cryptocurrency market. They incentivize new coins and new proof-of-work algorithms to evolve, which attracts investment in specialized hardware, making a chain more secure the more capital that's invested into it. Mining Grin, for example, is a memory-intensive process, and developers intended to keep raising memory requirements. This rewards people who deploy hardware specifically for the Grin ecosystem, and devalues older ASICs.

While 51% attacks are often pointed out as a flaw of proof-of-work currencies, they're a feature rather than a bug. 51% attacks provide an incentive for new coins to innovate and weeds out weaker coins on the market. They reward exchanges that are able to quickly shut off transactions during an attack, while punishing those who are slow on the uptake. Finally, they allow for decentralized consensus, because those who choose to mine on the majority chain are choosing to vote with their hashpower to secure and empower the network.