Maybe you’ve heard about the recent attack on Bitcoin Gold exchanges, where the attackers stole some BTG using a form of double-spend attack.

Now, you might start to wonder: How is that possible? The genius of blockchain is in preventing exactly this type of attack. But this crucial property holds only under certain network conditions. Let’s explore how such an attack is possible and what you can do to protect against it.

What is double-spend?

The double-spend problem affects any electronic token exchange system and stems from the digital nature of the asset. When something is digital, it can be copied, and you cannot distinguish the copy from the original. Double-spend simply means that you make a copy of a digital asset and try to spend both the original and the copy (probably in different shops). To prevent this type of attack, you have to make sure the token can be spent only once.

There are two ways to cope with this: centralized and decentralized. In the centralized approach, everyone has to register with a trusted third party, which keeps the central registry of the assets and makes sure double-spend does not happen. An example of such a system is the central shares depository, which keeps the registry of everyone owning company shares. If I want to sell one Apple share to Bob, the registry first verifies that I have at least one share and then decreases my share count and increases Bob’s share count in an atomic transaction. I cannot sell the same share to anyone else.

But what about a decentralized system, such as Bitcoin? This is where the blockchain comes in. There are three essential elements at play here.

Everyone sees every transaction and everyone can verify that the transaction is cryptographically valid. The order of transactions is determined by an ever-growing linked chain of blocks, meaning the transaction in block 1 is guaranteed to have happened before the transaction in block 2. And this chain cannot be tampered with once there is another block in the chain. Essentially, you cannot replace any transaction in any block without replacing all the blocks that come after it. Replacing a block is very expensive, because a valid block can be generated only by investing large amounts of work (energy) into mining it.

This concept was revolutionary when published in Nakamoto’s original paper and was the first valid solution to the double-spend problem in a trustless decentralized system.

Why “51%”?

The ratio of 51% refers to a situation where one miner controls more than 51% of the total hashing power in a given proof-of-work scheme. It means that one entity is able to generate more work in the proof-of-work system than everyone else combined. This by itself is still not dangerous. After all, the miner cannot generate valid transactions involving addresses the miner does not control. They cannot steal your Bitcoin from your private key, or any other coin, this way. The miner can only decide whether to include individual transactions in a block or not. However, this situation can be (and was) exploited, as we will describe further on.

Mounting the attack

So if the malicious miner cannot steal money by generating transactions, how did they do it? I have no verified information on how they in fact did it, but I will describe how such an attack can be made.

The main prerequisite is that the malicious miner must consistently control over 50% of the hashing power on the given chain. The higher the rate, the better the odds of success. In theory, 51% should be enough, if it can be maintained for longer periods of time.

At a certain point, let’s say block 500000, the miner starts mining blocks in private using his majority hashing power. He does not publish these blocks to the main network. The blocks can be empty, it does not really matter.

In the meantime, the miner places a significant deposit on a liquid exchange, let’s say 100 BTG from his address A, using the main network, in block 500001. The exchange will usually wait for several confirmations (in other words, blocks mined after the block where the transaction was included). Let’s assume they wait for 10 confirmations, which is more or less standard for altcoins. We are at block height 500011 on the main network at this point.

The deposit is confirmed and the miner now exchanges the BTG for BTC (or any other currency, really) and makes an immediate withdrawal on the Bitcoin network. Let’s assume we are at block height 500012. Now comes the time to spring the trap.

Because the miner controls the majority of the hashpower, his private chain, which he’s been mining in secret, is longer than the main network’s chain at height 500012. As I said, the blocks can be empty, but there is one transaction that the miner includes for sure: a transaction which transfers the 100 BTG from address A to another address controlled by the miner. This is the double-spend transaction, because the coins from address A have already been spent when sending the funds to the exchange.

The miner now submits all the blocks from his privately mined chain to the network and because it’s longer than the chain on the main network — it could be at block height 500014 for example — it’s automatically accepted by the other nodes as the one true chain. All the transactions in blocks 500001 to 500012 are invalidated and returned to the mempool. That also includes the transaction transferring the money from address A to the exchange. But because there is already a transaction from A to another address in the new valid chain, this one is marked as a double-spend and discarded.

The exchange does not have the 100 BTG, because that transaction was rolled back, and is also robbed of the exchanged Bitcoin, because it was withdrawn before the attack was made public. Boom!

Prevention

Here comes the sad part. There is actually not much the exchange can do to prevent such a heist. It can only make it more difficult, at the cost of inconveniencing its users, and it can take steps to detect such an attack.

The exchanges can increase the number of confirmations they require before considering the deposit as valid. This also increases the waiting time for legitimate users, of course.

Another often-used protection is delaying withdrawals. If the exchange had withheld the Bitcoin after it was exchanged, it could have denied the withdrawal and the miner would have come up empty. But again, this inconveniences legitimate users.

The exchange can also monitor for sudden drops in network hashrate. Such a drop is caused by the miner starting to mine his private chain with more than half the hashpower. This detection is not effective in cases where the miner was mining another coin before and starts mining the private chain immediately after switching coins.
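One way to implement the hashrate-drop check from block timestamps alone, as an added example that is not part of the original article. It assumes a 600-second target spacing and roughly constant difficulty across the window; the timestamps are constructed sample data.

```python
import math

TARGET_SPACING = 600.0  # assumed seconds per block; use your chain's target


def poisson_cdf(k, lam):
    """P(X <= k) for X ~ Poisson(lam)."""
    term = total = math.exp(-lam)
    for i in range(1, k + 1):
        term *= lam / i
        total += term
    return total


def hashrate_alerts(timestamps, window=12, alpha=0.001, spacing=TARGET_SPACING):
    """Flag windows of `window` blocks that arrived too slowly to be chance.

    At unchanged hashpower the time to find `window` blocks is
    Gamma-distributed, so P(elapsed this long or longer) equals
    P(Poisson(elapsed / spacing) <= window - 1). Returns a list of
    (block_index, relative_hashrate, p_value) for windows with p < alpha.
    """
    alerts = []
    for i in range(window, len(timestamps)):
        elapsed = timestamps[i] - timestamps[i - window]
        if elapsed <= 0:  # block timestamps are not guaranteed to be monotonic
            continue
        p_value = poisson_cdf(window - 1, elapsed / spacing)
        if p_value < alpha:
            alerts.append((i, window * spacing / elapsed, p_value))
    return alerts


def sample_timestamps():
    """Constructed data: 24 blocks near the target, then 12 slow blocks."""
    normal = [540, 660, 480, 720, 600, 630, 570, 610, 590, 650, 560, 620]
    slow = [1400, 1600, 1500, 1450, 1550, 1500, 1700, 1300, 1500, 1480, 1520, 1500]
    stamps = [0]
    for gap in normal * 2 + slow:
        stamps.append(stamps[-1] + gap)
    return stamps


if __name__ == "__main__":
    for index, rel, p in hashrate_alerts(sample_timestamps()):
        print(f"block {index}: hashrate ~{rel:.0%} of baseline (p={p:.1e})")
```

An alert like this is a reason to pause crediting deposits and withdrawals on that chain until the hashrate recovers or the cause is understood.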

Is Bitcoin safe?

If Bitcoin Gold is vulnerable, is the real Bitcoin safe? Fortunately, the answer is yes. The problem with Bitcoin Gold, as with many other small altcoins, is that it shares its algorithm with a much larger network. BTG uses Equihash, the same algorithm as the much more popular Zcash. So if a miner controls 10% of Zcash hashing power, the total hashing power of the Zcash network is 1000 and the total hashing power of Bitcoin Gold is 50, suddenly directing that 10% of power from Zcash to BTG makes the miner control 66% of BTG. In this scenario, Zcash is safe from this kind of attack, but the smaller network is not.

The same thing can happen to any altcoin which uses the same proof-of-work algorithm as Bitcoin. If you own a decent Bitcoin mining operation, controlling 1% of Bitcoin hashrate, you can completely take over such an altcoin. Of course, you lose the mining reward in Bitcoin during the time you use your mining equipment for playing god on altcoin networks.

This is most probably what happened here. If a big player starts accumulating the hashing power on a large network such as Bitcoin or Zcash, people notice. A similar situation happened in Bitcoin a few years back and was resolved fairly quickly, because even the miners realized that if someone held over 51%, it would destabilize the whole ecosystem and their significant investment in mining rigs would be devalued.

This is also why Bitcoin is the safest cryptocurrency by a huge margin, simply because it’s much more difficult to influence, one way or the other. If you are dealing with altcoins, always check whether the same PoW algorithm is used on some much larger network and adjust your confirmation requirements accordingly.
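To put numbers on "adjust your confirmation requirements accordingly", the following added example (not from the original article) combines the hashpower-share arithmetic above with the catch-up probability from Nakamoto's paper. The function names and the 0.1% risk threshold are assumptions chosen for illustration; the hashpower figures 1000 and 50 are the article's.

```python
import math


def attacker_share(large_net, small_net, redirected_fraction):
    """Share of the small chain's hashpower held by a miner who moves
    `redirected_fraction` of the large network's hashpower onto it."""
    moved = large_net * redirected_fraction
    return moved / (moved + small_net)


def catch_up_probability(q, z):
    """Probability that an attacker with hashpower share q ever overtakes
    the honest chain from z blocks behind (Nakamoto's paper, section 11)."""
    if q >= 0.5:
        return 1.0  # a majority miner always catches up eventually
    p = 1.0 - q
    lam = z * q / p
    poisson = math.exp(-lam)  # Poisson(lam) probability of k = 0
    total = 1.0
    for k in range(z + 1):
        total -= poisson * (1.0 - (q / p) ** (z - k))
        poisson *= lam / (k + 1)
    return total


def min_confirmations(q, risk=0.001, limit=1000):
    """Smallest confirmation count with catch-up probability below `risk`,
    or None when no count up to `limit` achieves it (always so for q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if catch_up_probability(q, z) < risk:
            return z
    return None


if __name__ == "__main__":
    # Hashpower figures from the article: Zcash 1000, Bitcoin Gold 50.
    for fraction in (0.01, 0.02, 0.05, 0.10):
        q = attacker_share(1000, 50, fraction)
        print(f"{fraction:.0%} of the large network -> q={q:.2f}, "
              f"confirmations needed: {min_confirmations(q)}")
```

A result of None means no confirmation count is enough against that share of hashpower, which leaves withdrawal delays and monitoring as the remaining controls.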