Without Trustlessness, We Have Nothing

February 2020
Blockchain technology has many potential benefits, but when Bitcoin first made its debut, one of its primary purposes was the provision of a system which would allow trustless online payments to be made; it provided the ability to conduct business without risk of financial fraud due to the immutable and unhackable nature of the blockchain and the way it was coded to prevent against double-spend attacks. One of the first sentences in the Bitcoin whitepaper reads as follows: “We propose a solution to the double-spending problem using a peer-to-peer network.” It is therefore troublesome, to say the least, when a blockchain falls victim to the very thing it is designed to protect against.

The Bitcoin blockchain itself has never been hacked or been the victim of a successful double-spend attack. Given the value of bitcoin and its history as the first cryptocurrency, this is an amazing feat in itself, and one that does not seem likely to be surpassed. Unfortunately, not all blockchains can claim this perfect record. 

Bitcoin Gold originated in a fork of the Bitcoin blockchain in October of 2017 in an effort to decentralise some of the perceived power that large bitcoin mining pools had over the Bitcoin blockchain ecosystem. Like most cryptocurrencies and blockchains, Bitcoin Gold has had its share of criticism, but the most significant issue in its history arose in May 2018 when the Bitcoin Gold blockchain was the victim of a 51% attack.

A 51% attack on a Proof of Work blockchain occurs when an attacker is able to control so much computing power that they can take control of more than half of the blockchain, effectively allowing them to decide which transactions are approved or even reverse some transactions, opening up the possibility of double-spending. Whilst they are in control of the network, they would also be rewarded with the value of the cryptocurrency that is mined during that period. Despite this, people holding cryptocurrency and older information on the blockchain are typically not affected or the prime target, exchanges being the preferred victim of the attackers due to the high volume of cryptocurrency being traded, and older blocks needing too much computing power to rewrite. 

When the Bitcoin Gold network was subjected to this type of attack in 2018, the attackers reportedly ended up stealing in excess of $18 million in bitcoin gold despite efforts taken by the blockchain and exchanges to thwart them. Eventually, it was brought under control, but last week, Bitcoin Gold suffered the same type of hack again. 

Brought to light in a post on GitHub by James Loverjoy, lead maintainer of Vertcoin, a second and third 51% attack took place on Thursday 23rd January 2020 and Friday 24th Jan 2020. Criminals apparently managed to twice revert deposits of bitcoin gold which had been made to an exchange (suspected to be Binance in this case). In these two instances, which are believed to be the work of the same attacker due to the cryptocurrency addresses involved, a total of approximately 7,167 bitcoin gold was double-spent when the blocks involved were manipulated (worth around US$72,000). From Tweets sent out by Bitcoin Gold Organization account the following day regarding the exchange, the organisation said they believe the mining power for the attack was purchased through the crypto-mining marketplace Nicehash, and it is unknown whether the attackers managed to withdraw their funds to profit from the event. According to the GitHub post, the hashing power required for this would have amounted to around $1,700; this amount would have been recouped by the value of the block rewards for the period in question, so even if the target of the exchange was not financially profitable for the attacker, their losses would have been recouped from the blockchain mining rewards.  

There are methods to guard against this attack; as outlined in another tweet from the Bitcoin Gold Organization, exchanges can take measures, such as setting larger numbers of confirmation blocks required for withdrawals, leading to a larger response window and making it more financially prohibitive for attackers to maintain their control of the network for the required length of time to rewrite or replace the blocks. In addition, the last tweet that the Bitcoin Gold Organization sent out about the incident read as follows: 

“We have been working on a novel 51%/Double-Spend resistant decentralized consensus algorithm since last year. We plan to release it in 2020, Q1. 4/4” 

A few days later, a draft whitepaper was released, titled: “CCBN: a Cross-Chain Block Notarization Protocol. Proposing a Decentralized Notarization Approach to Thwart Double Spends Made via Secret Mining 51% Attacks” which can be found here

Whilst each kind of blockchain consensus mechanism has its own strengths and drawbacks, this highlights one way in which the Proof of Work method can be brute-forced. Bitcoin Gold’s ecosystem was vulnerable due to the relatively small amount of computing power needed to take control of over half of the network; the original Bitcoin blockchain still maintains a prohibitively large barrier to entry for attackers, with the sheer amount it would cost to take control of 51% of it. 

One interesting outcome of the event which was not predicted was the price of bitcoin gold. It would be reasonable to assume that, once hacked, the price of the cryptocurrency would decrease dramatically; however, the price of bitcoin gold actually increased in the days following the attack, and is still maintaining a higher level than before. The reason for this is unclear. 

Regardless of the details and outcome of this incident, it is important to note that cryptocurrencies and blockchains need to have an inherent value in them to be worth creating or using. For Bitcoin this was its originality - pioneering the space. For ethereum, it was the focus on smart contracts. Other blockchains may add different benefits or possibilities but the basis for their existence should be scrutinised and notably different from what existing blockchains offer. In the same vein, specialised applications and use cases may require a unique or custom blockchain if the limitations and requirements of existing ones do not provide the most adequate working conditions. But in any of these situations, the security of the ecosystem must be paramount; the entire point of a blockchain system is moot and pointless if it is able to be hacked - it provides no benefit over traditional, established systems. Without the safety of a trustless environment, blockchain has no meaning.