What laws could be violated by launching a 51% attack?

Source: Medium

Author: Josh Lawler

Compilation: First Class

A 51% attack is the blockchain world's equivalent of a terrorist attack. Attackers pose not only direct threats (illegal use of the blockchain) but also indirect ones, such as seriously undermining public confidence in the attacked blockchain and even shaping how people outside the blockchain community view the technology. In addition, an attacker may short a cryptocurrency on an exchange before announcing a successful attack, which can make more money than the attack itself. This ill-gotten wealth is also harder to track. Although a 51% attack can cause this much damage, laws and regulations may not be ready to deal with preventing 51% attacks or with the claims that follow them.

It does not happen often, but it can happen

About a month ago, the Vertcoin chain suffered a "successful" 51% attack. This proof-of-work-based cryptocurrency's genesis blockchain consisting of 603 "real" blocks was replaced by a chain of 553 artificial blocks. This is the second successful 51% attack in the past year. Vertcoin claims to be a Bitcoin alternative designed to decentralize the power of miners through user-friendly mining protocols. However, we should set aside the advantages and disadvantages of Vertcoin itself and put a question to the hackers: which laws are violated when a single entity (or interest group) controls 51% of the computing power and uses it maliciously? In the following, we refer to existing laws in the United States.

Some would say that 51% attacks are unlikely on the more mature blockchains. But the fact that something doesn't happen often doesn't mean it can't happen. Here are some recent figures for the funds required per hour to conduct a 51% attack on some PoW blockchains.

BCH: $72,000
LTC: $64,000
DASH: $15,000
ETC: $10,000

At least two factors can contribute to a 51% attack:

1) Dedicated ASIC miners built for a specific PoW mining algorithm, which can concentrate hashing power;
2) Services such as NiceHash, which make it possible to rent hashing power from ASIC miners cheaply (with no need for a large hardware investment).

In fact, even Bitcoin and Ethereum may be subject to 51% attacks. Governments or very rich people in some countries have strong financial resources to launch attacks.

Is it legal to hold 51% of the computing power (even a public threat)?

There is no legal definition of a "51% attack". From a software engineering perspective, gaining 51% control of a protocol's hashing power is bad. That said, from a legal perspective, this is not in itself illegal.

Once a single entity has 51% control, it can:

1) Delete or modify on-chain transactions;
2) Perform reverse transactions (also known as a "double spend");
3) Prevent any transactions from occurring on the network;
4) Prevent other miners from packaging and confirming blocks.

But it cannot:

1) Change the elements of the protocol, such as the amount of block rewards, create new coins or steal coins directly from other users' addresses;
2) Have other users double spend.

Legally speaking, holding 51% of the hash power (with no other operations) does not violate any law. Think of it as holding fishing gear by the lake outside the fishing season: once you use the gear to start fishing, you are breaking the law. While you merely sit there staring anxiously at the lake, you are still a law-abiding citizen. In contrast, acts involving direct theft are a simpler matter. Almost all states (and the federal government, which passed the Telecommunications Fraud Act) penalize intentional double spending (similar to a "double spend" on the chain).


Under what circumstances does a 51% hashrate constitute a crime?

What if an attacker blocks transactions on the network? Or what if the attacker prevents other miners from confirming the block? What if the attacker only shows publicly that he can do something more evil?

No act in the United States constitutes a crime unless a law makes it one. Although lawmakers have turned their attention to digital assets and their transactions, the laws in force do not specifically describe which acts by people with 51% of the computing power would violate criminal law. But the federal government does have some regulations.


51% Attacks and the Computer Fraud and Abuse Act

The regulation most relevant to this issue is the Computer Fraud and Abuse Act ("CFAA"). According to the CFAA, "deliberately causing the transmission of a program, information, code or command and causing damage to a protected computer without authorization" is a crime. Colluding in or "attempting to commit" these acts is also a criminal act.

According to the CFAA, an offence is committed if all of the following conditions are met:

1) There is a "transmission of programs, information, codes or commands";
2) There is "damage", which under the CFAA means any damage to the integrity or availability of data, programs, systems or information;
3) The cause of the damage is "unauthorized";
4) The damage is damage to a "protected computer", which includes "computers used or affecting state or foreign business or communications, including computers located outside the United States …"

After reading these conditions, one wonders how much protection the CFAA can provide. The law explicitly focuses on activity directed at specific computers (or groups of computers).

If an attacker with 51% of the hash power has the right to create new blocks of verified transactions, but does not transfer these new blocks to the verification nodes to be added to the blockchain, is there a "transmission"? What if the attacker shuts down the nodes it controls to reduce the processing speed of the blockchain? Does the lack of a transmission put such conduct outside the CFAA?

How does a blockchain, as a distributed system, fit the CFAA's definition of a "protected computer"? Since damage to the blockchain may not involve "unauthorized" damage to a physical "protected computer", the CFAA may not apply. Furthermore, the CFAA may not be applicable if the attack is merely a public indication that an attack is possible.

For public chains, the CFAA's "without authorization" requirement is also very vague. An attacker with 51% of the computing power has the right to control its nodes. Even if the concept of a "protected computer" is extended to include a blockchain, a lack of authorization is still required. Blockchain protocols have anticipated malicious actors and adopted corresponding protective measures. Do these penalties show that all actions are authorized, subject to the penalties in the protocol? Setting aside blatant fraud or theft, do miners not have the right to confirm transactions in the way they like? If mining fees can be used to incentivize transaction confirmation speeds, why can't miners' other agendas play a role in their mining decisions?

In short, the CFAA can deter blatant theft and scams, but it cannot provide ideal protection for members of the public who may suffer indirect losses (such as a sudden drop in the price of a token or the failure of a use case).

51% Attacks and the Commodity Exchange Act

The Commodity Exchange Act ("CEA") establishes the powers and duties of the Commodity Futures Trading Commission ("CFTC"). Under the CEA definition, the term "commodity" is extremely broad and generally applies to almost all digital assets (even digital assets that are considered securities are commodities, although the CFTC and SEC have an understanding about which organization has jurisdiction over most securities). Of particular note is Article 6, which states that "any person's direct or indirect use or attempt to use any manipulation or fraud related to the sale of goods in interstate commerce violates the CFTC regulations." If the disclosure of a successful 51% attack creates a market environment in which the attacker makes a profit by trading digital assets, CEA Article 6 would seem to cover this.

However, a court may not agree. Although a 51% attack appears to be "manipulative" and may be fraudulent, legally obtaining 51% of the computing power of a blockchain protocol may not actually trigger liability. Liability under Article 6 of the CEA depends on the following four elements:

1) The alleged manipulator intends to manipulate the market price in a way that distorts the legal supply and demand forces;
2) The suspected manipulation of the market price of the commodity;
3) The existence of artificial prices;

Proving that the attacker intended to manipulate is the most difficult part. The CFTC has stated in the past that "in order to prove that there is an intention to manipulate or intend to manipulate, the defendant's actions must be proven for the purpose or consciously affect the price in the market that does not reflect the legitimate supply and demand force." It is not enough to have an intention to affect the price; the CFTC must prove that the defendant intentionally caused an artificial price.

In CFTC v. Wilson, the Southern District Court of New York significantly reduced the scope of the CFTC's penalties for market manipulation. The findings of the CFTC survey indicate that "in swaps, it is not illegal to be smarter than the counterparty, and it is not illegal to understand financial products better than the person who invented them."

The defendant in the Wilson case had entered into an agreement under which the market price of a particular swap (calculated at the same time each day) determined the interest the defendant paid to the counterparty. The defendant then quoted a high price during that period of the day, expecting the market to be so illiquid that no counterparty would accept the high price. As a result, the interest paid could be reduced.

In the context of a 51% attack, the Wilson decision seems to leave a convenient door open for attackers, enabling them to drive market prices down through public statements. That's right, the attackers are indeed gaming the system. This in itself may not violate the CEA.


51% Attacks and the Securities Exchange Act of 1934

If the Securities Exchange Act of 1934 and the rules and regulations promulgated under it (the "Exchange Act") apply, more protection can be provided. Of course, whether a particular token is considered a "security" remains a question. For one thing, there are few compliant stock exchanges or alternative trading systems where tokens can trade. That said, in terms of market manipulation, securities law is much more sophisticated than the CEA. In summary, Articles 10(b) and 10b-5 make it illegal for a person, in connection with the purchase or sale of securities, to use:

"Manipulative or fraudulent means or measures that violate necessary or appropriate rules and regulations that may be required by the SEC for the purpose of public interest or investor protection."

In other words, where the CFTC must rely on the CEA, the SEC has some flexibility to respond to new forms of market manipulation. The question then arises: is merely disclosing the capability to carry out a 51% attack enough?

Simple cases should be covered. Using a 51% attack to destroy a blockchain or to double spend a token may amount to a crime. To avoid violating the CFAA and the CEA, creative traders may find (currently) legitimate ways to take advantage of market reactions.


All in all, the advantages of a public decentralized blockchain protocol must come from the protocol itself. Relying on government protection means accepting government regulation, which is both ironic and blindly optimistic. Don't forget that even if the law catches up with cutting-edge technology cases, the US legal system will take years to do so and covers only a limited geographic area. In the end, on-chain governance is the only real source of protection.