Part 1: Proof-of-Work
In this article, we will focus on two hosts for distributed applications: Proof-of-Work Ethereum and Bitcoin. After defining majority attacks, their costs and potential motives, we will explore how dApps affect the security of Ethereum and whether the economy that can be built on top of Ethereum is limited by the market cap of Ethereum itself.
If you are familiar with Majority attacks, jump to chapter III.
Part 2 will be published later this month and will adapt the analysis to Proof-of-Stake and interoperability solutions (e.g. Polkadot) on the safety of decentralised infrastructure.
I. Majority attacks in Proof-of-Work: theory, motives, and prevention
Bitcoin and Ethereum, in their current design, are secured by Proof of Work. These networks are permissionless, meaning that anybody can run their copy of the ledger, and anybody can compete to add new transactions to the ledger by solving a mathematical problem faster. This activity is called mining a new block (hence blockchain), and it is currently rewarded with 12.5 btc / block (~ $50k / 10min) or 3 eth per block (~ $450 / 15 sec ; equivalent to $18k / 10min). Proof-of-Work is required to prevent double spending, and it has been successful for 10 years with Bitcoin.
The purpose of this article is not to review consensus algorithms, however the key takeaways of Proof-of-Work for us are the following: miners invest capital in purchasing computing power and energy to be elected as a leader and choose the next block. If miners with less than 50% of the hash power try to cheat, their block proposals will eventually be rejected, leaving them with no rewards for their deployed capital. (Note: Whilst Selfish & Uncle Mining can be profitable attacks with <50%, they do not compromise the whole network and will therefore not be considered in this article)
Let’s now consider what could happen if an actor or group of actors controlling over 50% of the network resources decide to use them maliciously.
Consequence of a majority attack
The most efficient and potentially lucrative way to benefit from a majority attack (sometimes referred to as 51% attack) is by double-spending network currency, which is best explained through the following Bitcoin Gold example. Note that an attacker can invalidate old blocks (potentially reverting their approved transactions to pending), censor transactions, but it cannot move coins which it does not control (i.e. steal).
In May 2018, an attacker deployed significant hash power on Bitcoin Gold and used it to double-spend 380,000 BTG (~$18M at the time). In brief, the attacker sent these coins from Attacker_Wallet_1 to Attacker_Exchange_Wallet(s). For example’s sake, let’s say that the attacker’s transaction was included in block #1000. The attacker had to wait for the deposit transaction to be validated for several blocks for the exchange(s) to accept the deposit(s) — and once approved, the BTG were traded for BTC and withdrawn from the exchange. Let’s say that this process took 10 BTG blocks, so we are now at block #1010.
While this was happening, the attacker was mining a parallel chain, starting from block #999, in which the 380,000 BTG were not sent to any exchange, but instead were sent from Attacker_Wallet_1 to Attacker_Wallet_2 at block #1000. Since the attacker had well over 50% of the combined active hash power on Bitcoin Gold (i.e. attacker alone had more hash power than the rest of the network without him/her), it was able to solve the mathematical problems to correctly mine blocks faster than all the other participants. The attacker thus managed to write a parallel valid chain faster, which it currently kept to itself. Again, for example’s sake, let’s say that the attacker is currently at block #1015, while the Bitcoin Gold blockchain is at #1010 only.
Once the bitcoin were withdrawn from the exchange(s), the attacker broadcasted its chain from block #1000–1015 to Bitcoin Gold miners. Since this “chain” was valid and longer than the current one being worked on, miners dismissed their 10-block chain and continued mining from the attacker’s #1015 block, thereby reverting all transactions that were originally validated in the 10 blocks to the mempool, including the 380,000 BTG transfer to the exchange(s). Later, when the honest miners tried to confirm the 380,000 BTG transaction from Attacker_Wallet_1 to Attacker_Exchange_Wallet(s), the funds had already been transferred to Attacker_Wallet_2 in the “new” block #1000, and the transaction logically failed…
This is analogous to an attacker purchasing soda from a vending machine and pulling its coin back, in a world where the crypto exchange owns the vending machine (and is the direct victim of the double-spend), and where token holders own the vending machine brand that was compromised (and are indirectly affected as their brand is perceived as less secure and their token lose value). Note that in this world, it is not a 25¢ coin but several millions to offset the hardware & electricity loss…
Majority attack prevention
The main mechanisms to prevent majority attacks are:
- the need for attackers to own the network currency to double spend,
- and the prohibitive cost of an attack.
In the Bitcoin Gold example above, if the attacker had only mined 9 blocks in its local chain whilst the network mined 10, the attack would have failed, netting him an energy loss and most likely a poor trade on its large BTG → BTC conversion, thus the attacker must be confident in its capability to mine faster.
Proof-of-Work mining is probabilistic: >50% of hash power will eventually result in a longer chain given enough time, but an attacker seeking a quick return on investment will likely need more than 51% of the hash power to guarantee faster mining on a short period of time (~ hours).
- Cost of a majority attack on Bitcoin:
The total hash power on Bitcoin fluctuates, but 40M TeraHashes per second is currently a fair estimate.
Case #1: An attacker with no hardware must
Acquire 40,000,000 TH/s to match current mining
- ~ $1,200M investment in hardware ($900M for 2.85M S9i ASIC or $1,400M for 1.74M T15 ASIC)
- ~ $414,000 per hour in electricity (~$0.11/kWh)
- Acquire BTC to double spend to make the attack worthwhile…
Case #2: An attacker with access to hardware must
Compromise 20,000,000 TH/s
- access to ~ $600M worth of hardware
- ~ $207,000 per hour in electricity
- Acquire BTC to double spend to make the attack worthwhile…
If the significant double-spend attack compromises confidence in Bitcoin’s blockchain, dedicated ASICs hardware will lose most resale value. An attack of this scale is a one-off attack, thus for it to be “worth the hassle”, one must be able to (double) spend very large quantity of bitcoin, potentially >$1 billion which, through centralised exchange and OTC exchanges, is very difficult to do in several hours.
To profit from an attack:
The last cost is especially relevant when mining rewards are low (e.g. 21M bitcoin already in existence) if the short-term benefit of an attack outweighs the long-term losses from future block rewards.
The risk/reward of such an attack is fairly low for Bitcoin due to the complexity of acquiring the hardware and required liquidity to make the double-spend attack worth it, making such attacks impractical and unlikely to be profitable.
Nota Bene: It is even less likely that a group of rational actors find sufficient financial incentives in performing a censorship attack without double-spending (e.g.: mining empty blocks), as they will rapidly incur large costs and little rewards.
2. Cost of a majority attack on Ethereum
Acquire 200 TH/s to match current mining
- ~$1,700M in hardware (3.4M Radeon R9 295 X2 at 58MegaHashes per machine ; or ~1,800M with 7.4M GTX 1070)
- ~$190,000 per hour in electricity ($0.11/kWh)
- Acquire assets (ETH + ERC20) to double spend to make the attack worthwhile
or Compromise 100 TH/s
- access to ~850M in hardware
- ~$95,000 per hour in electricity
- Acquire assets (ETH + ERC20) to double spend to make the attack worthwhile
Similarly to Bitcoin above, the large upfront costs make majority attacks impractical. The graphic cards can be repurposed and are thus likely to retain more value post-attack than Bitcoin’s ASICs. The double-spent assets are likely to lose significant value post-attack.
From these figures, Bitcoin and Ethereum have similar hardware acquisition costs to perform a majority attack. However, this is an approximation as it might be easier to find or repurpose GPUs to mine on Ethereum. In both cases, we are talking about several million units, which is extremely hard to assemble. Since hardware performance and efficiency evolves, the safety from network hash power is relative to the realistic hash acquisition cost.
The best protection for Bitcoin and Ethereum is therefore their market capitalisation: when the value of their native currency increases, miners are willing to spend more to earn the block rewards, which gradually increases the total network hash power. In turn, mining suddenly becomes probabilistically faster, and the difficulty is increased to maintain a block period of ~10 min in BTC or ~15 sec in ETH. It then also increases the difficulty to assemble 51+% of the increasing hash power.
In conclusion, double-spending a bitcoin worth $10,000 might be 10 times more appealing than when it was $1,000, but it is also several times more challenging to do so, and thus the risk of double-spending should not significantly increase with time (see Table). This approximation is of course dangerous in times where mining rewards are reduced (or eliminated when there are 21M bitcoin in existence!).
The latest example of 51% attacks happened to Ethereum Classic this week: an estimated $1.1M in ETC were double spent. With a $540M market cap (3.4% of ETH), ETC was secured by 9TH/s (4.7% of ETH). The important difference is that Ethereum hashpower can be redeployed over ETC to rapidly gain a large hash-share, which is less relevant the other way around.
We can confirm that there was a successful 51% attack on the Ethereum Classic (#ETC) network with multiple 100+ block reorganization. We recommend all services to closely monitored the chain and significantly increase required confirmations.
II. Mining Pools
In Bitcoin and Ethereum, only a handful of players indirectly control 50% of the hash power. In a mining pool, participants combine their processing power to increase the frequency of their payouts and they are paid pro rata. In doing so however, they reduce the number of block producers and delegate their decision power to the pool organisers who can be bribed to perform a cheap 51% attack!
In the case of Bitcoin, Bitmain controls ~ 30% of the hash power ; but they have invested a lot in Bitcoin, through their own hardware production and mining operations. They have too much to lose to be easily convinced to participate in a majority attack.
Ethermine & SparkPool together represent over 50% of Ethereum’s hash power. This is also a significant re-centralisation risk over two teams, but if they ever become corrupt, they would destroy all their future revenue. So far, they have not been incentivised to do so. Hopefully, they never will…
III. The final ingredient: a drizzle of dApps
As the Bitcoin and Ethereum networks grow, both the desire and difficulty to perform double spend attacks increase somewhat proportionally. Eventually, passed a certain threshold of market capitalisation, one might speculate that they become impractical/impossible to attack for a new participant, as :
- existing miners will not allow themselves to be compromised given their long term interest in protecting their future block rewards and hardware investment.
- The upfront hardware investment will eventually be either too onerous (bad risk/reward), or actually impossible to purchase in a timely manner.
There is however a special case mostly applicable to Ethereum as more dApps and tokenised assets are deployed over its network. If the security of a network is proportional to its value,
to what extent can the value of an economy leveraging Ethereum’s security exceed the value of the Ethereum network without compromising safety?
(Note that this is also applicable to Bitcoin wish RSK and Tether for example)
Ethereum Network Facts on 5 Jan 2019
- Value secured by the Ethereum network: $24.1 bn
- Value of Ether: $16.4bn at $157/eth on 5 January 2019
- Value of ERC-20 worth over $2m: $7.7 bn (47% of Ether)
Example of more sophisticated double-spend attack on Ethereum using dApps and their assets:
- Borrow as much ETH as possible with USD or BTC as collateral wherever possible, especially from anonymous decentralised marketplaces, to lower cost of attack, as you can sell loan amount and double-spend it by repaying loan…
- Send Ether to multiple centralised exchanges (which will be double spent, see BTG example above)
- Take margin short position on ETHBTC with bitcoin as collateral, as successful attack will probably impact Ether price.
- Take short position on ERC20 assets with high dependence/correlation with Ethereum (e.g.: MKR/DAI/ZRX better suited than BNB here unless double spending is performed on Binance) as they stand to lose value after attack. Take position either at derivative exchanges with BTC as collateral or by borrowing the ERC20 assets, which you can later repay after double spending them.
- Convert all these assets into Bitcoin or Zcash and withdraw from exchanges.
- Later convert double spent assets to untraceable assets (privacy coins)
- Significant selling of Ether likely to have bearish pressure on price, especially if near important resistance. This can rapidly cascade and later compromise ether-backed debt on Maker Dao or erc20-debt on Dharma or Compound, allowing the attacker to profit more from the ETHBTC short.
The purpose of this non-exhaustive list is not to give ideas to attackers, but instead to show how incentives to double-spend assets on Ethereum may grow faster than the safety of the network, which is proportional to Ethereum’s block rewards only.
Indeed, Ethereum miners only partially benefit from the value created by assets living on the Ethereum network, when they generate gas-paying transactions or when their ICO increases the value of Ether, but they in turn must bear the risk of increased attractiveness to double spend more valuable assets on the network.
The rate at which value is created on Ethereum will eventually exceed Ethereum’s growth, so in other words, the attractiveness for double spending grows faster than the security of the network…
Is there a threshold at which the value secured by Ethereum becomes too large relative to Ethereum market capitalisation to sustainably discourage attackers?
Currently Ethereum is roughly twice as valuable as the tokens living on Ethereum, but can Ethereum be considered widely successful if the network is more valuable than all assets on the network? What would happen if there are $100bn worth of assets secured by a $20bn network? $500bn on $50bn? Does that put an upper bound on how many stablecoins (Dai, trueUSD, …) and security tokens can be issued on Ethereum?
Is double spending even illegal if caught?
Intuitively, there seems to be a conflict between network success and network security. The purpose of Proof-of-Work, rather elegantly, was to make attacks extremely difficult compared to their potential reward. PoW Ethereum has successfully replicated the design, and will continue to do so:
- as the value of assets on Ethereum does not significantly outsize Ethereum itself, or
- if the existing hash power is either too significant to re-acquire or too difficult to corrupt.
Finally, note that the main victims of double spend attacks are centralised counter-parties with no recourse (centralised exchanges, online-stores accepting cryptocurrency , …). In a decentralised exchange with atomic swaps, double-spending is not possible as one of the two transactions must fail. A value-based approach on the number of block confirmations required to reach economic finality in a centralised setup might be enough to further reduce the appeal of double-spend attacks. While an attacker might be able to create more accounts to counter that, there is still an upper limit to how many transactions can fit in a block. Regardless, we are still far from a world where we can easily double-spend $10bn in several hours…
IV. Social coordination as last resort majority attack recovery?
Bitcoin and Ethereum were designed to ideally never require off-chain social coordination. However, it may be tolerable to have off-chain coordination in exceptional circumstances like Ethereum’s DAO (14% of all ether compromised, which led to ETH and ETC). One of those other exceptional circumstances might be a mining pool turning rogue, in a very large 51% attack. The difference between the two events is that in the DAO’s, token holders would be stolen, and in a 51% attack, a centralised company is stolen and the trust in a network is affected. Given that one or more centralised entities are the main victims in this scenario, it seems unlikely that miners would agree to revert some blocks (e.g. Parity wallet freeze).
The risk of majority attacks in a permissionless network cannot be eliminated. Bitcoin and Ethereum in their current Proof-of-Work design have reached significant sizes and are relatively difficult to attack. We have shown that the security of a network is correlated to its market capitalisation, so the infrastructural layer must capture some value in order to sustainably secure the network .
There is likely to be a critical threshold in market capitalisation above which new hardware investment would be either prohibitive or impossible, and at which existing miners would not want to compromise their source of revenue. This threshold in Proof-of-Work is likely to evolve asymptotically with the value secured by the network.
Ethereum is likely to transition to Proof-of-Stake before the risk/reward of an attack in PoW becomes sufficiently attractive, so in part 2, we will focus on Proof-of-Stake and assess whether the dynamics are changed. Proof of Work indeed had the merit of imposing physical limits for attackers trying to acquire hash power, so intuitively there might have been a tolerable significant ratio between total value on Ethereum versus Ethereum value, but this is of course perpetually evolving with hardware costs, electricity costs, and the growing size of the prize: how valuable would ether need to become to trustlessly secure a stablecoin supporting a substantial economy..?
I would like to thank Max Mersch, Richard Muirhead and Julien Bouteloup for their valuable feedback.
Will successful dApps compromise their host? was originally published in Fabric Ventures on Medium, where people are continuing the conversation by highlighting and responding to this story.