Introduction

In this article I will explain, with case studies, how PoW consensus can be misused by some cryptocurrencies and give a false sense of security. Some recommendations will be made to help detect critical flaws.

I will not be able to explain how cryptocurrencies, difficulty targeting, PoW or any consensus mechanism work in this article. I assume you already have a good understanding of these. Sorry for that.

There are many consensus mechanisms. I consider PoW the most secure and decentralized of all; Bitcoin demonstrates it. But few people grasp that not all PoW cryptos are equally secure. I am a firm believer in the superiority of PoW as a consensus mechanism when it is properly applied. But some bad implementations and designs can cause massive flaws, which leads to the uncanny fact that some cryptos bear the poor efficiency trade-off of PoW with less security than PoS.

Let’s dig in…

What went “wrong” in the past (case studies)

Bitcoin Cash

Bitcoin Cash is a fork of Bitcoin launched on 1st August 2017. It uses the same hashing algorithm for mining as Bitcoin: SHA-256. Bitcoin Cash implemented a mechanism called “Emergency Difficulty Adjustment” (EDA) in order to keep the chain working if the hash rate drops significantly. As a fork of Bitcoin, Bitcoin Cash inherited Bitcoin’s difficulty at the moment of the split. Because of price uncertainty, it was hard to predict its future profitability and hashrate. Bitcoin retargets difficulty every 2016 blocks and adapts it in order to keep a 10-minute block time, so usually two weeks pass between difficulty adjustments. The main issue is that if the hashrate drops significantly, block discovery slows down until the retargeting block is reached. Fewer blocks means fewer rewards, and less money for miners. Fewer miners means even more time to reach the retargeting block, and so on…
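To make the feedback loop above concrete, here is an added example (not code from the article, and not Bitcoin's or Bitcoin Cash's own code) that models Bitcoin-style retargeting: 2016 blocks per interval, a 10-minute target, and each adjustment clamped to a factor of 4. Difficulty and hashrate are relative units chosen for illustration; the scenario where 90% of the hashrate leaves right after a retarget is constructed.

```python
"""Added example, not code from the article: a minimal model of Bitcoin-style
difficulty retargeting, used to see how long a chain limps along after a
sudden hashrate drop. Difficulty and hashrate are relative units."""

RETARGET_INTERVAL = 2016            # blocks between two adjustments
TARGET_BLOCK_TIME = 600             # seconds, i.e. 10 minutes
EXPECTED_TIMESPAN = RETARGET_INTERVAL * TARGET_BLOCK_TIME   # 1,209,600 s = 2 weeks
MAX_ADJUST_FACTOR = 4.0             # Bitcoin limits each adjustment to [1/4, 4]
SECONDS_PER_DAY = 86400


def interval_days(difficulty: float, hashrate: float) -> float:
    """Expected days to mine one full retarget interval.

    `difficulty` is relative to the difficulty at which a hashrate of 1.0
    produces 10-minute blocks; `hashrate` is the actual relative hashrate.
    Block time scales linearly with difficulty / hashrate.
    """
    return EXPECTED_TIMESPAN * (difficulty / hashrate) / SECONDS_PER_DAY


def retarget(old_difficulty: float, actual_timespan: float) -> float:
    """Bitcoin-style adjustment: scale difficulty by expected / observed time,
    after clamping the observed timespan to [expected/4, expected*4].
    (Real Bitcoin measures the span over 2015 blocks because of a well-known
    off-by-one; that detail is omitted here.)
    """
    clamped = min(max(actual_timespan, EXPECTED_TIMESPAN / MAX_ADJUST_FACTOR),
                  EXPECTED_TIMESPAN * MAX_ADJUST_FACTOR)
    return old_difficulty * EXPECTED_TIMESPAN / clamped


def simulate(hashrate_fraction: float, intervals: int):
    """Start at difficulty 1.0 (tuned for hashrate 1.0), let the hashrate drop
    to `hashrate_fraction`, and run `intervals` retarget cycles.
    Returns [(days_this_interval, difficulty_after_retarget), ...].
    """
    difficulty = 1.0
    history = []
    for _ in range(intervals):
        days = interval_days(difficulty, hashrate_fraction)
        difficulty = retarget(difficulty, days * SECONDS_PER_DAY)
        history.append((round(days, 2), round(difficulty, 4)))
    return history


if __name__ == "__main__":
    # Constructed scenario: 90% of the hashrate leaves right after a retarget.
    for days, diff in simulate(0.1, 3):
        print(f"interval took {days:6.1f} days, difficulty now {diff:.4f}")
```

With 10% of the hashrate left, the first interval takes 140 days instead of 14, and because the adjustment is clamped to 4x the difficulty only drops to 0.25; the second interval still takes 35 days before the chain is back to a 14-day cadence. Without an emergency rule, that is the period during which miners earn little and have every reason to stay away.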

Such a mechanism was mandatory and it “succeeded” in the case of Bitcoin Cash, but it also produced some weird effects on the hash rate and the block production rate.

image from fork.lol

DARI stands for Difficulty Adjusted Reward Index. What happened is that miners gamed the system by leaving the chain on purpose in order to trigger the emergency retargeting, which reduced the difficulty drastically. It made Bitcoin Cash profitable again. As the emergency system only works downward, it is a valid strategy. The problem is that by leaving the chain they stalled block production, which can be a problem for services that expect a steady validation time. (For more details, see [1].)

Every coin sharing a mining algorithm with a bigger coin, in terms of mining power, has to implement such a system. We can list “Kimoto Gravity Well”, “Dark Gravity Wave” and “DigiShield”. The thing is: no matter how you treat the matter, sharing a mining algorithm always brings problems that weaken the game theory behind Proof of Work consensus.

Monero

Monero’s hashrate following the anti-ASIC PoW fork

Monero forked last April and changed its mining algorithm in order to counter ASIC mining. The result was clear: more than 50% of the hashing power had been produced by ASIC machines. But here’s the problem. During the whole of 2017, no Monero ASIC was sold on the open market. It meant that mining power was in few hands. Why? Because ASIC resistance doesn’t help [2] [3]. It limits competition among ASIC manufacturers and brings shadow mining.

An ASIC-friendly mining algorithm eases competition, which annihilates shadow mining incentives. In fact, if one competitor chooses to sell his product on the market, it will force the others to do the same. A newly sold ASIC instantly meets high demand, as it is far more profitable than GPU mining and gives a substantial advantage at the beginning. This demand brings more money to that manufacturer to produce and sell more. Manufacturers who choose to shadow mine will be limited by their own funds (the difficulty will go up, reducing their earnings, while their competitors are profitable from sales alone). Their share of the total hashrate will plummet, and no 51% attack will be possible.

However, that simple economic reasoning fails to reach some developers who persist in the ASIC resistance illusion.

Verge

The hacks of the Verge network began in April 2018. The attacker exploited the fact that the retargeting system, named Dark Gravity Wave, used a weighted average of the block confirmation rate over a moving 30-minute window, while the network allowed a 2-hour timestamp error for newly mined blocks. The result was that by spoofing timestamps it was possible to publish blocks outside the scope of the retargeting system that were still valid, hence drastically reducing the difficulty of the network.

Moreover, five mining algorithms were available, each with its own difficulty:

Scrypt

X17

Lyra2rev2

myr-groestl

blake2s

Guess which one was chosen by the attacker? Scrypt.

Scrypt is one of the oldest mining algorithms. It has a very developed and mature mining industry. It is cheaper to get a lot of mining power with Scrypt than with the others. As Verge is not the most valuable coin using Scrypt, the risk of mining hardware losing value after a 51% attack is small; the game theory is set to let such an attack occur. In the case of Verge, 10% was enough to perform the hack, because controlling only one of the five mining algorithms was sufficient.

For more information about the Verge hack, see [4].

Bitcoin Gold and Monacoin also suffered a 51% attack because of a mix of the reasons explained above. (Both are ASIC resistant.)

Recommendations for a secure PoW

The mining algorithm needs to be ASIC friendly. It brings competition, competition is good, and it reduces the risk of a bad manufacturer shadow mining.

The mining algorithm needs to be “new” (the algorithm should be well-known and tested but not already used by a more valuable PoW crypto). Using an already used algorithm weakens the game theory behind ASICs. A new algorithm prevents ASIC owners from making a 51% attack by linking the value of the hardware with the value of the coin.

Retargeting and timestamp variance need to be properly managed. A 2-hour variance is fine for Bitcoin, with its 10 minutes between each block and retargeting occurring every 2 weeks. But it is hardly a good choice for every coin. Beware of fancy retargeting systems: complexity doesn’t bring security. Letting miners play with difficulty can be dangerous because it reduces the value of the work within one block. Vendors and exchanges need to know how many blocks to wait to confirm a payment. (Remember, the amount of cumulated work provides security, not the number of blocks.)
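The last recommendation is easy to turn into a concrete policy for a vendor or exchange: express the confirmation requirement as an amount of work and count blocks only until that work is reached. The following is an added example, not code from the article or from any exchange; difficulties are relative units and the "6 blocks at difficulty 1000" policy and the crashed-difficulty chain are constructed. In Bitcoin-like chains the work of a block is proportional to its difficulty, which is what the sum below relies on.

```python
"""Added example, not code from the article: a payment-confirmation policy
expressed in cumulated work rather than block count. Difficulties are
relative units; in Bitcoin-like chains a block's work is proportional to
its difficulty (chainwork adds 2^256 / (target + 1) per block)."""


def cumulative_work(block_difficulties) -> float:
    """Total work of a sequence of blocks, in difficulty units."""
    return float(sum(block_difficulties))


def required_work(confirmations_at_normal: int, normal_difficulty: float) -> float:
    """Translate a traditional policy ('N confirmations at the difficulty we
    usually see') into the amount of work it actually represents."""
    return confirmations_at_normal * normal_difficulty


def confirmations_needed(block_difficulties, work_target: float):
    """`block_difficulties` are the blocks (oldest first) mined on top of the
    paying transaction. Returns how many of them must be waited for before
    cumulated work reaches `work_target`, or None if the blocks seen so far
    are not enough yet (keep waiting)."""
    total = 0.0
    for count, difficulty in enumerate(block_difficulties, start=1):
        total += difficulty
        if total >= work_target:
            return count
    return None


def payment_is_confirmed(block_difficulties, work_target: float) -> bool:
    """Decision helper for a payment processor: True once enough work sits
    on top of the transaction, regardless of how many blocks that took."""
    return confirmations_needed(block_difficulties, work_target) is not None


if __name__ == "__main__":
    # Constructed policy: the exchange usually waits 6 blocks at difficulty 1000.
    target = required_work(6, 1000.0)
    normal_chain = [1000.0] * 6
    # Constructed crash: difficulty collapsed to 1% after a retarget abuse.
    crashed_chain = [10.0] * 700
    print("normal difficulty:", confirmations_needed(normal_chain, target), "blocks")
    print("crashed difficulty:", confirmations_needed(crashed_chain, target), "blocks")
    print("6 cheap blocks confirmed?", payment_is_confirmed(crashed_chain[:6], target))
```

With the difficulty crashed to 1%, the same 6000 units of work take 600 blocks instead of 6, and a block-count policy that accepted after 6 cheap blocks would have been protected by 1% of the work it assumed. A work-based policy also reads the pre-retarget blocks correctly: a chain of mixed difficulties simply sums.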

Conclusion

Now I hope you will be able to tell why some PoW cryptos are hacked and others are not. We did not explore the whole subject, and applying all these recommendations doesn’t provide certainty about the security of a coin. More due diligence has to be done, but I observed a pattern among all the cryptocurrencies attacked recently, and these attacks could have been avoided with these recommendations.

[1]: https://steemit.com/bitcoin-cash/@dhimmel/bitcoin-cash-averaging-less-than-a-block-per-hour

[2]: https://medium.com/@alexandre.vinot/asic-resistance-worse-than-useless-d9d09ba08e11

[3]: https://blog.sia.tech/the-state-of-cryptocurrency-mining-538004a37f9b

[4]: https://blog.theabacus.io/the-verge-hack-explained-7942f63a3017