Proof-of-work blockchain networks rely on decentralized mining for consensus and for protection from double-spending. Bad actors may try to gain a large proportion of the network hashpower to engage in what’s known as a 51% Attack. By controlling a majority of hashpower the double-spending protection can be overcome. We review proof-of-work mining and the ways that blockchains can remain safe from 51% attacks.
Blockchain Network Basics
Let’s step back a moment and review the structure and workings of a permissionless, distributed, proof- of-work blockchain to learn how 51% attacks are possible.
Distributed blockchain networks consist of many computers running the same code while connected to each other via the Internet. Each computer is called a node and nodes can be located anywhere in the world.
The biggest networks have thousands of nodes with each node carrying a full copy of the entire blockchain. All nodes are in constant communication with each other. Each node communicates directly with the nodes they are nearest to and those nodes communicate further with other nodes they are nearby so that information is spread throughout the network as quickly as possible. Think of a blockchain as a distributed ledger of transactions.
Mining Is Proof-of-Work
Miners are special nodes on the network that use computing power to process transactions and protect the network. This computational power is referred to as hashpower.
When a transaction is sent to the network, your wallet app first checks the validity of the transaction by verifying that you have the coins to spend. Then, your request to spend coins is broadcast to the network of nodes. Miners put the transaction request in a mempool, which is a sort of holding area for pending transactions. All miners constantly check each other’s mempools for the latest transactions.
Proof-of-work blockchains are constructed by linking blocks of data one to another in a single, time- ordered chain. The links connecting one block to the next are vitally important to the validity of the data being recorded so they are constructed using a cryptographic hashing algorithm.
Hashing algorithms take any input and produce an output as a string of numbers and letters, known simply as a hash. The specific algorithm used by bitcoin, for example, is called SHA-256. Hashing the same data will always produce the same output, but changing one digit in the input will produce very different output. Any attempt to modify data in a block would be detected immediately because the hash of the block would change and all ensuing links would be broken. So we can see that the hashing algorithm secures data in a blockchain.
Miners select a number of transactions from the mempool that would fit within the block size for the particular network. They add a hash from the previous block and a special number, called a nonce, to the transaction list and run a cryptographic calculation on the whole block of data. The goal is to find a certain nonce that will produce a hash value that is lower than some target difficulty value. It may take thousands of calculations to find a winning hash and the first miner to do so broadcasts their solution to the network for the other miners to verify. The lucky miner is rewarded with the block reward and the transaction fees for the transactions inside their winning block. It makes sense for miners to select transactions with the highest fees to put in their potential blocks.
As a blockchain grows more computing power is drawn to the network. Miners spend their resources of computing hardware and electricity to gain the reward of finding a winning block. With more miners in a network increasing the hashpower block solutions will be found more quickly. To maintain a regular block time, like 10 minute blocks in bitcoin, the target difficulty value is raised or lowered to accommodate changes in hashpower on the network. Networks vary in how often the target difficulty value is changed, ranging from every block to approximately every two weeks as is done with bitcoin.
By chance two miners may broadcast winning blocks to the network at the same time. When this happens two versions of the blockchain exist for a brief time. Miners continue mining for blocks as usual and when a new block is found they build upon the longest chain. Eventually, one version of the blockchain becomes longer than the other and it is accepted by the network as the true chain. All transactions in blocks that were not a part of the longest chain are returned to the mempool to be included in a different block. Blocks that were part of the shorter chain are called orphan blocks. The version of the chain that contains the most proof-of-work is the real chain.
Over time we’ve seen the hashpower required to solve a block increase substantially. Bitcoin was first mined with a single computer’s central processing unit, CPU. As more miners came onto the network finding a block became easier with the increase in network hashpower. The difficulty target would be adjusted by the protocol to accommodate the change in hashpower in order to keep the block time to 10 minutes.
Graphical processing units, GPU, were added to computers and put to work to increase hashpower even more. The miners with greater hashpower would gain more rewards so computers were rigged with half a dozen GPUs or better to gain even more power.
Beyond multi-GPU rigs we have Field Programmable Gate Arrays, FPGA, and Application Specific Integrated Circuits, ASIC, which are special-built computers that do nothing but mine specific algorithms. Some mining algorithms are only fruitful while using ASICs, but a concern with ASIC mining is that it centralizes a lot of hashpower into a few entities who can afford the hardware and electricity.
Successful blockchains have a lot of hashpower protecting them. With bitcoin we’ve seen a race in the network hashrate from mega-hash/s to giga-hash/s on up to exa-hash/s in early 2020. Hash rates are expressed in different ways, depending on the blockchain and mining algorithms used, so they’re not comparable across blockchains.
It’s not too surprising that real world 51% attacks have been perpetrated against small blockchains due to the fewer resources required to be successful.
How 51% Attacks Allow Double-Spending
Open, permissionless networks allow any actor to join the network. We assume that the majority of participants will act in good faith, but always must guard against bad actors who would seek to destroy the network or try to gain an unfair advantage in winning the mining rewards. Otherwise, who would trust the network?
The idea of a 51% attack is simple. Take control of a majority of the network hashpower and have your way with it. Accept the transactions you want to go through and cancel the ones you don’t. Double- spending is easy if you know how and have deep pockets.
A miner acting in bad faith must have the technical ability, resources and patience to pull off an actual heist. The goal of a 51% attack would be to show off that they have the capability or more likely to make off with some funds.
It would be impossible to rewrite the history of the chain, due to those cryptographic links connecting each block in the chain, but it is possible to gain control of the chain in a 51% attack. If a bad actor, which could be a mining pool or a single miner renting hashpower, attains a simple majority of a network’s processing power, they can try to double-spend or stop other nodes from validating transactions.
Double-spending is stealing and it’s actually one thing blockchains are supposed to protect us from. A double-spend occurs if coins are spent in a transaction, the transaction reversed, and the coins spent again – thus spending the coin twice.
By having control over more hashpower than anyone else the attacker has the advantage to find winning blocks faster. If they can mine selfishly, meaning they secretly mine successful blocks but don’t broadcast them to the network, they can build up a number of blocks and when ready broadcast a longer chain of blocks to the network. All the miners would favor building on the longer chain.
Meanwhile, the attacker would have sent some of the coins they mined previously to an exchange using the chain that is seen publicly. Once their deposit is confirmed, the attackers are able to exchange their mined coins for other coins that they’ll quickly withdraw from the exchange.
Then, the longer chain that was mined in secret is broadcast to the network. The longer chain would contain a transaction using the same coins that were deposited to the exchange.
Now that the miners see the longer chain they will build blocks at the tip of the longer chain. This has two effects. One, the blocks in the shorter chain are now orphaned and their transactions dumped back in the mempool. That means the transaction to the exchange was reversed like it never happened and the exchange was effectively robbed of the withdrawn coins. Two, the attacker’s second transaction gets completed, in effect spending the same coins twice.
So, to recap, by sending a transaction on the original public chain, then mining secretly to construct a longer chain, the attacker attempts to reorganize the blockchain. We call this a chain reorganization, or reorg.
Chances of occurrence of 51% attack is nil with big established chains, like bitcoin or ethereum. Knowing there is too much at stake to allow this type of attack to occur, the communities of BTC and ETH are vigilant and assure that hashpower stays distributed. It would be prohibitively expensive and very risky to attempt a 51% attack.
Small blockchain networks could be attacked for a few hours at much lower cost, but an attacker would have to determine if it’s worth the effort when there’s low liquidity on cryptocurrency exchanges for dumping the gains of an attack.
Solutions to Avoid a 51% Attack
When code isn’t working as intended and when there’s gains to be made financially, it’s only a matter of time before hackers will try their luck. We all know that hackers are a constant threat so we have to be creative and ever vigilant in seeking means of protection.
A blockchain project can rely on three means of protection from 51% attacks, namely:
- Hard Forks
- Chain Crosslinks
- Block Delay Penalty
When a network has been attacked, the developers search for some offending code that could allow the attack to occur. Corrections to the code that result from a hack attempt will create a hard fork. Hard forks are employed to force all actors on a network to use newly modified code. This way, anyone mining with the old code would be kicked off the network.
Hard forks can also be employed as a preventative measure. By routinely changing the mining algorithm(s) a network can try to stay one step ahead of attackers. Monero and Ravencoin are two top 100 coins that routinely update their code with new mining algorithms. The goal here is ASIC-resistance to avoid centralization of mining.
Preemptively hard-forking to new code consumes time and resources. PoW mining has seen hashpower increases through time as hardware has improved so a constant effort would be needed to stay ASIC-resistant.
Chain crosslinks from one blockchain to another more secure blockchain will bring immutability to the weaker chain. It involves the regular recording of the hash of a block from a smaller chain onto a larger chain in a means of notarization.
Chain crosslinking is offered by Komodo, KMD, as a way to secure production blockchains and to successfully ward off 51% attacks. Any blockchain could use a similar technique to harden their chain by linking to another stronger chain.
Komodo’s delayed Proof of Work entails a few steps to protect the smaller blockchains. First, special nodes on the Komodo network, called Notary Nodes, select a block from the small chain to be protected. The small chain assures the block is a valid one ready for notarizing.
The KMD nodes make a transaction on the KMD network using the OP_RETURN command to record the hash of the selected small chain block, which is now notarized on the KMD chain.
The same type of notarization is made of a KMD block to the bitcoin blockchain. The notarization success is broadcast to the KMD network that complete immutability has been provided to the notarized block and all blocks that came before it. It’s now impossible to move or alter the notarized KMD block. Notary nodes will not accept a chain reorg that includes or removes a notarized block.
A final step is to make a similar announcement to the small chain that their selected block has been notarized and is protected from 51% attack. Block notarization occurs every 10 minutes and that provides bitcoin-level security to all chains protected with Komodo’s dPoW.
An attacker attempting to 51% attack a small blockchain that is notarized on the bitcoin blockchain would also have to attack the bitcoin blockchain. Notarized blocks are immutable.
SafeCoin is a much smaller project that expands Komodo’s dPoW to notarize block hashes to multiple blockchains, including Bitcoin, Ravencoin and Bitcoin Gold. SafeNodes verify all transactions.
Block Delay Penalty
In a 51% attack the hacker will typically mine in private to attain a longer chain than the publicly seen chain in hopes of double-spending coins. Cryptocurrency exchanges are often the target of the hack due to their deep pockets and acceptance of coin deposits and withdrawals.
Horizen, ZEN, developers modified the Satoshi Consensus to impose a penalty on miners who submit a delayed chain of blocks. In the normal course of mining small chain branches are resolved quietly with the modified consensus in place, but attackers are penalized so severely that it makes an attack very unlikely.
The number of blocks that are mined in secret and the reorg length are counted to get a penalty score. For the attacker’s chain to be accepted as the true chain the attacker must continue mining in public after submission of their longer chain until their penalty score is brought to zero. Each block that the network mines reduces a penalty score by one.
This way the attacker has to keep mining for the length of time they mined in secret to cover up their theft attempt and that makes it prohibitively expensive to spoof the chain.
Introducing the block delay penalty also gives a project’s developers time to react to any ongoing attack, should one be attempted. UTXO-style blockchains would be wise to adopt the modified consensus to harden their blockchain against 51% attacks.
It’s up to the participants of a blockchain project to monitor the health of the network. Watching the network hashrate and mining pool hashrates is a minimum effort. Communication with exchanges and mining pool partners gives the advantage to the blockchain project that does this well. Involving community members to mine helps to decentralize the network and that brings stability to the blockchain.