ETC 51 % attack – what happened and how it was stopped

Ethereum Classic (ETC) is the latest digital currency to fall victim to a 51 percent attack. According to the analysis by blockchain intelligence firms and exchanges, the attack began on January 5, and went on for three days, finally halting on January 8 with estimated losses of $1.1 million.

A slow start

On January 7, digital asset exchange Coinbase reported that its systems had detected an unusual amount of reorganization activity on the Ethereum Classic blockchain, and as a result of the suspicious activity, the trading platform was suspending all ETC trades in order to protect user funds.

Interestingly, according to the security engineer at Coinbase Mark Nesbitt, the platform’s systems had detected this activity as early as January 5, a couple of days before the reports began to gain steam in the media.

Prior to the blog post published by Nesbitt, publicized by a tweet from Coinbase’s official Twitter account, there had been rumors circulating on social media that there was a deep chain reorganization, which included a double spend going on in the Ethereum Classic network.

On January 6, responding to a question about the rumored attack, well-known ETC developer Donald McIntyre stated: "Well, ETC is still small and has many enemies so an attack with sufficient GPU power may be plausible." He further alluded that the only cause for concern at the time was Coinbase’s halting of ETC trades on its platform.

Additionally, the official Ethereum Classic Twitter account denied all allegations of any malicious activity. Though the tweet has since been deleted, ETC developers contended that the unusual activity detected by Coinbase could be attributed to the testing of new mining machines.

Moreover, they denied any double spends or any losses stemming from the activity. The tweet stated: "Regarding the recent mining events. We may have an idea of where the hashrate came from. ASIC manufacturer Linzhi confirmed testing of new 1,400/Mh ethash machines #projectLavaSnow. Most likely selfish mining (Not 51% attack). Double spends not detected (Miner dumped bocks)."

More reports come in

While ETC developers continued to deny the allegations, more reports and evidence began to trickle in from blockchain analysis firms as well as other digital asset trading platforms. Gate.io was the first exchange to corroborate Coinbase’s fundings.

On January 8, the exchange published an article confirming that ETC was indeed experiencing a 51 percent attack. Gate.io stated: "Gate.io Research confirmed that the ETC 51% attack happened successfully. In the analysis, Gate.io detected 7 rollback transactions. Four of them were created by the attacker and in total 54,200 ETC were transferred.

Gate.io further corroborated Coinbase’s findings that the attack was not just an innocent deep chain reorganization – which are plausible happenings in blockchains. In this instance, research indicated that the deep-chain reorganization was being used by the attacker to execute double spends. Gate.io said its systems had been able to flag the attacker’s transactions initially but due to the reorganization, subsequent transactions stood up to scrutiny and were thus accepted by the exchange.

Revealing the attacker’s wallet addresses as well as other information pertinent to the malicious transactions, Gate.io also explained the attack had resulted in losses amounting to $40,000. However, the exchange said it would not pass on the losses to its users. It also raised the confirmation number for ETC transactions and called on the ETC developers to change the consensus mechanism for the blockchain in order to avoid another attack.

In simple terms, the confirmation number is the number of confirmed blocks deep a transaction is. Typically the number of confirmed blocks required to confirm a transaction is 3 to 6 — although some exchanges require more confirmations for higher value transactions.

Following the Gate.io revelation, more exchanges began to either limit ETC trading activity on their platforms or to increase the confirmation limit. Some of these include CoinCheck, and Bitflyer as well as the mining pool Etherchain. Concurrently, ETC developers finally confirmed the presence of a 51 percent attack, referencing a report that a single party had been able to acquire over 50 percent of the networks’ hashrate.

The losses accrued

The ETC developers revealed they were working with Chinese blockchain intelligence firm SlowMist in order to understand and further research the details of the 51 percent attack.

On January 9, SlowMist published a report with in-depth analysis of the attack. The firm found the first attempted malicious transaction was carried out on the trading platform, Bitrue. The attacker executed a double spend worth $14,000. This was corroborated by Bitrue’s twitter account.

Appearing to confirm Coinbase’s estimate of $1.1 million lost as a result of the attack, Slow Mist said that the attacker halted its activities due to the actions of exchanges. "Based on continuous tracking, we found that, in view of the increase in block confirmations and the ban on malicious wallet addresses by exchanges, the attacker’s 51% attack on ETC has stopped after that."

Slow mist further added that the attacker could be brought to justice through a collaborative effort. "Through our intelligence analysis, the identity of the attacker can be finally located if the relevant exchanges are willing to assist."

Due to its decision to halt ETC trades, Coinbase was able to avoid any losses and was able to protect its users from falling victim to the double spends initiated by the attacker. However, there is controversy about how Coinbase handled the disclosure of the attack with the official ETC twitter account tweeting: "Regarding @coinbase account of recent events: they allegedly detected double spends but unfortunately did not connect with ETC personnel regarding the attack."

Cost benefit analysis of a 51 percent attack

Considering that ETC is among the top 20 digital assets by market capitalization, the news of a successful 51 percent attack reverberated throughout the cryptocurrency community. It may be that because ETC employs the same mining algorithm as Ethereum, but is a smaller network, it was relatively easy to temporarily transfer hashing power from mining ETH to mining ETC and thus gain a majority hashrate.

However, the simple explanation is that with the rise of the ‘hashrate for hire’ phenomenon, it is becoming increasingly easy to launch such an attack. In fact, the site Crypto 51 has gone so far as to list the estimated cost to a would be attacker of renting the necessary hash power from NiceHash — a cloud mining centre that buy and sells computing power on demand.

The comparatively low cost of attacking even major cryptocurrencies rightly has the industry on alert. An hour long attack on Ethereum Classic, for example, could be done for around $5000. Similarly, Crypto 51 says a Litecoin hijack would cost around $20,000 an hour – and even Ethereum itself could fall victim at a cost of around $80,000 an hour.

Since reports of the 51 percent attack began to gain steam on January 7, the price of ETC has fallen substantially.