It was not so long ago that the idea of a successful 51% attack seemed unrealistic and far-fetched. While experts acknowledged that such attacks were theoretically possible, most people assumed that 51% attacks would be so difficult to perform that they didn’t present a legitimate threat.
Now, all of that has changed. Over the last few years, a number of successful 51% attacks, including a few on reputable blockchains, have proved that the threat is real. 51% attacks are no longer an abstract concern. Every single blockchain project must put security before all else.
Security always comes first at Komodo. In fact, with Komodo’s delayed Proof of Work (dPoW) security mechanism, every integrated chain receives the same level of security as the Bitcoin blockchain itself.
This post will explain exactly how a 51% attack occurs and how Komodo’s Blockchain Security Service can prevent one.
A Brief Introduction To The 51% Attack
Put very simply, a 51% attack occurs when malicious actors gain control of more than 50% of a blockchain's peer-to-peer network hash rate, hence the name. Since the attackers have at least 51% of the network’s hash rate, they can force the rest of the network to erase blocks that contain their transactions. This means attackers can maliciously use their majority power to spend coins or tokens more than once.
Attacks of this nature are also called “double-spend attacks” because the attackers are able to spend their coins or tokens twice and then sell the counterfeit currency for profit.
It’s worth noting that only blockchains using a Proof of Work consensus mechanism are susceptible to 51% attacks. This is true because cryptocurrency mining is open to everyone and attackers can join a PoW blockchain's network with a massive amount of hash rate to gain control of the network and thus the ledger.
Blockchains that use a Proof of Stake consensus mechanism are vulnerable to a similar variety of attack, called a Nothing-At-Stake attack. However, Nothing-At-Stake attacks are distinct from 51% attacks.
The most popular blockchains, like Bitcoin and Ethereum, are also not at risk of 51% attacks, despite both being Proof of Work blockchains. This is true because gaining more than 50% of either network’s hash rate is not feasible. Even the largest mining pools are not close to attaining majority power of these networks.
Blockchains with smaller networks, however, are extremely vulnerable. An attacker wouldn’t even need to invest the money into purchasing the hardware necessary to overpower a small network. Instead, the bad actor could simply rent the hash power necessary to launch an attack from a site like NiceHash.
One blockchain enthusiast even created this website to show how vulnerable many blockchains are. There are dozens of blockchains that can be successfully 51% attacked for less than $500 USD an hour. All you would need to do is rent the hash rate and fire away.
Of course, Komodo does not advocate for attacking blockchain projects. The point is that many, if not most, Proof-of-Work blockchains are vulnerable to attack.
Successful 51% Attacks In 2018 & 2019
There were a number of successful 51% attacks in 2018 and the trend is continuing in 2019. Here is a list of 51% attacks that have occurred over the years, along with the amount of funds lost in each hack.
- June 2013: Feathercoin (FTC) attacked for ~$1,400.
- July 2013: Terracoin (TRC) attacked for unknown losses.
- August 2016: Krypton Network (KR) attacked for a loss of ~$4,200.
- April 2018: Electroneum (ETN) attacked for unknown losses.
- April 2018: Verge (XVG) attacked for a loss of ~$1.1 Million.
- May 2018: Monacoin (MONA) attacked for a loss of ~$90,000.
- May 2018: Verge (XVG) attacked again for a loss of ~$1.75 Million.
- May 2018: Bitcoin Gold (BTG) attacked for a loss of ~$18 Million.
- June 2018: ZenCash (ZEN) attacked for a loss of ~$550,000.
- June 2018: Litecoin Cash (LCC) attacked for unknown losses.
- September 2018: FLO Blockchain (FLO) attacked for a loss of ~$27,500.
- September 2018: Pigeoncoin (PGN) attacked for a loss of ~$15,000.
- November 2018: Aurum Coin (AU) attacked for a loss of ~$500,000.
- December 2018: Vertcoin (VTC) attacked for a loss of ~$100,000.
- January 2019: Ethereum Classic attacked for a loss of ~$1.1 Million.
That's 15 successful 51% attacks over the last seven years, adding up to more than $23 Million in losses. That's an average loss of over $1.5 Million per attack. And, as you can see, the problem of 51% attacks seems to have gotten worse over time. There were 11 attacks in 2018 alone.
It's important to note that these are only the 51% attacks that were revealed publicly. It's quite likely that many more attacks occurred away from the public eye and were never publicized.
It's also important to note that all of the figures quoted above are estimates and, in some cases, disputed. It can be difficult to determine the true losses and various sources report different information.
In any case, the losses listed above include only the amount of money spent twice. There are a number of additional losses not included in the above estimates, including:
- a surge of negative press coverage
- reduced trust in the blockchain
- being delisted from crypto exchanges
- a substantial reduction in the price of the currency
- decreased likelihood of future investment in the project
All of these consequences make a 51% attack a catastrophic event for any blockchain project.
The Anatomy Of A 51% Attack
Before learning how Komodo’s security service mitigates the risk of a successful 51% attack, it’s helpful to understand exactly how an attack of this nature unfolds. There are six steps.
First, an attacker gains control of a simple majority of a blockchain’s peer-to-peer network. As noted above, this is not as difficult or costly as you might imagine.
Second, the attacker begins to secretly mine blocks on an alternate blockchain. This second chain runs parallel to the chain on which the rest of the network’s nodes are mining. When the attacker mines new blocks, he does not announce it to the other 49% (or less) of the network. Thus, they do not know that the alternate version of the blockchain exists.
Third, the attacker transfers a sum of coins or tokens native to the blockchain he is attacking. Most often, attackers send funds to a centralized exchange, where they can be traded for other assets and liquidated. Note that this transaction only takes place on the ‘true’ version of the chain. The fraudulent chain (the one being mined privately by the attacker) does not acknowledge this transaction at all.
Fourth, the attacker continues to mine blocks on the private chain as fast as possible. Again, this is done without announcing any of the blocks to the rest of the network. And with more hash rate than the rest of the network combined, the attacker is able to mine blocks at a faster rate than the other 49% of the network. The fraudulent chain continues to grow and eventually becomes longer than the ‘true’ chain.
Fifth, the attacker announces the fraudulent chain to the rest of the nodes on the network. Because of the longest chain rule, a rule that assumes the longest version of a blockchain to be the ‘true’ version of the chain, the rest of the network is forced to accept the attacker’s fraudulent blocks. The honest nodes implicitly assume that their version of the chain is incorrect and convert to the attacker’s chain.
Finally, since the attacker forced the network to accept the chain on which his transaction from step three never took place, he is free to spend those funds again. It’s as if they never left the original wallet, despite the fact that they also arrived in the address to which they were sent.
The attacker sends the funds a second time, swaps for other coins, and then washes and/or liquidates them. The rest of the network is left scratching their heads. That's how a 51% attack takes place.
Komodo’s Blockchain Security Service
Komodo Platform’s delayed Proof of Work (dPoW) security mechanism protects chains with the power of the Bitcoin hash rate. To put it simply, the dPoW mechanism stores backups of your blockchain onto the Bitcoin ledger. Here’s how the process works.
First, the dPoW mechanism takes a block hash of every chain employing Komodo’s Blockchain Security Service. Then Komodo's Notary Node network notarizes these block hashes onto the Komodo blockchain.
Next, the dPoW mechanism takes a block hash from the KMD chain, which already contains all of the block hashes from all the other chains using dPoW security, and saves it onto the Bitcoin blockchain. Just as before, this is made possible with a notarization transaction performed by Komodo's Notary Node network.
After the notarization transaction is officially mined into a block on the Bitcoin blockchain, Komodo's Notary Node network informs both the Komodo network and the network of every dPoW-protected chain that the notarization was successful. At that point, according to the consensus rules written into the dPoW security mechanism, no blocks or transactions that occurred prior to a notarization can be re-orged or changed. This makes the blockchain completely immutable.
Finally, the process repeats itself. This entire dPoW process occurs every ten minutes and once it takes place, a hacker would need to overpower the Bitcoin network before altering or destroying the backups.
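The longest chain rule from the attack walkthrough and the notarization rule described above can be compared in a small toy model. This is an added example, not Komodo's code: chain length stands in for accumulated work, and every function name and sample chain below is constructed for illustration.

```python
import hashlib

def block_hash(prev_hash: str, payload: str) -> str:
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def extend(chain, payloads):
    """Return a new chain (list of block hashes, index = height) with blocks appended."""
    out = list(chain)
    for p in payloads:
        out.append(block_hash(out[-1], p))
    return out

def fork_point(a, b):
    """Height of the last block the two chains share."""
    h = 0
    while h + 1 < min(len(a), len(b)) and a[h + 1] == b[h + 1]:
        h += 1
    return h

def longest_chain_rule(current, candidate):
    """Plain PoW fork choice: switch whenever the candidate is longer."""
    return candidate if len(candidate) > len(current) else current

def notarized_rule(current, candidate, notarized_height, notarized_hash):
    """Fork choice with a notarization checkpoint: refuse any candidate that
    does not contain the notarized block, however long it is."""
    if (len(candidate) <= notarized_height
            or candidate[notarized_height] != notarized_hash):
        return current
    return longest_chain_rule(current, candidate)

def demo():
    genesis = [block_hash("", "genesis")]
    shared = extend(genesis, ["b1", "b2"])                      # heights 0..2
    honest = extend(shared, ["pay-exchange", "b4", "b5"])       # heights 3..5
    private = extend(shared, ["no-payment", "a4", "a5", "a6"])  # one block longer
    # Constructed scenario: height 4 of the honest chain has been notarized.
    n_height, n_hash = 4, honest[4]
    plain = longest_chain_rule(honest, private)
    protected = notarized_rule(honest, private, n_height, n_hash)
    # Honest growth past the checkpoint is still accepted.
    grown = notarized_rule(honest, extend(honest, ["b6"]), n_height, n_hash)
    return {
        "fork_height": fork_point(honest, private),
        "plain_reorged": plain is private,
        "protected_reorged": protected is private,
        "honest_growth_accepted": len(grown) == len(honest) + 1,
    }
```

Under the plain rule the longer private chain replaces the honest one and the payment at height 3 disappears; with the checkpoint at height 4 the same chain is rejected because it forks below the notarized block.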
In essence, the dPoW mechanism provides a form of insurance for your blockchain. Your chain's decentralized peer-to-peer network still comes to consensus and decides which blocks and transactions are valid. Adding dPoW simply makes your network's true version of events immutable. An attacker would need to take down both the BTC and KMD networks before they could alter, disrupt, or destroy the backups of your blockchain.
Moreover, as this process occurs every ten minutes, the window of opportunity for an attack to take place is impractically small. There simply isn’t enough time between notarizations to launch a successful 51% attack.
It may also be helpful to think of the dPoW mechanism as a form of two-factor authentication (2FA). It’s simply an added layer of security to deter potential attackers from targeting your blockchain. If you were a malicious actor, would you choose to attack a blockchain that was being notarized onto the BTC ledger every ten minutes? Probably not. It’s just not sensible, especially when there are so many easy targets available.
If you’d like to integrate Komodo’s dPoW security mechanism into your chain, kindly send an email to [email protected] and we will promptly begin your security integration process. Komodo’s Blockchain Security Service is available to any UTXO-based blockchain.