Anti-51% attack: Harvard MIT scholar proposes new theory of fighting double spend

Written ahead: 51% attacks have occurred in the blockchain world many times in history, and they all happened on small coins. According to researchers at Harvard University and MIT, they have observed 40 reorganization attacks. I also saw possible cases of counterattacks. In February 2020, multiple rounds of attack between attackers and defenders appeared on the Bitcoin Gold blockchain. In response, researchers proposed a counterattack against 51% attacks. theory.

Note: Original authors Daniel J. Moroz ∗ (Harvard University), Daniel J. Aronof (MIT), Neha Narula (MIT Media Lab), and David C. Parkes (Harvard University)


(Picture from

Here is the translation:

The economic security of Bitcoin and other proof-of-work (PoW) cryptocurrencies depends on the cost of rewriting the blockchain. If a 51% attack is economically feasible, the attacker can send a transaction to the victim, launch the attack, and then double spend the same coin. Satoshi Nakamoto believes that this will not happen because most miners find that it is more profitable to honestly abide by the agreement than to attack the blockchain.

Recent research has shown that the cost of attacking cryptocurrencies can vary greatly, depending on factors such as the liquidity of computing power, the impact on the price of the currency, and the time required to rewrite the blockchain. In some cases, the attack may even be free. As of March 2020, for blockchains like Bitcoin, miners have made a large amount of up-front investment in mining equipment, and they are unwilling to put a large proportion of computing power out for rent, so today they are investing in Bitcoin The cost of launching an attack can be very high . However, the situation of some other currencies is quite different. There is enough rentable computing power in the market to launch economical and efficient 51% attacks . In reality, we have observed that attackers launched on these currencies. Double flower attack. With a hash power market like NiceHash, buyers and sellers can easily dock.

Now, people generally think that low-powered currencies (lower-powered currencies in the PoW algorithm category) are vulnerable to cheap 51% attacks due to the existence of the power-lease market, and they are not secure .

In a recently published paper entitled Counterattack Against Double-Spend Attacks , we discussed a strategy to protect vulnerable PoW coins from 51% attacks: victims can launch counterattacks. We have proven that the victim has the ability to rent computing power and mine on the original chain, to catch up with the attacker chain when an attack occurs, which can prevent the attack from occurring in a balanced state. The results of the study are based on the following assumptions: (1) the victim suffered a moderate degree of reputational loss, while the attacker did not (for example, if attacked, the exchange may suffer negative reputation effects, while anonymous attackers do not), And (2) The net cost of an attack increases over time (such as a rise in computing power, etc.). Although at the time of writing this paper, there is no evidence to determine the existence of counter-attacks against double-spend attacks in the real world, we have indeed observed this possibility recently.


(The figure above shows the three stages of the counter-attack game. Green indicates the current heaviest public chain (that is, the canonical chain), and white indicates the smaller branch chain. The top stage shows the start of a 51% attack, where the attacker A sends a transaction to defender D, but this transaction is on an alternative chain, and its purpose is to invalidate the original transaction. The second stage shows the reveal of the double spend transaction, in which the attacker chain became the most Heavy chain (normative chain). The third stage shows the results of the counterattack of defender D. In this process, D is the mining on the original chain and exceeds the attacker A's blockchain.)

In June 2019, we implemented and ran a reorganization tracking program that monitored 23 of the currently most popular proof-of-work (PoW) blockchains. For each currency, the tracker will detect and save all data on the chaintip. As of now, it has observed 40 reorganization attacks of at least six blocks in depth on Vertcoin, Litecoin Cash, Bitcoin Gold, Verge and Hanacoin.

About Bitcoin Gold's restructuring attack and counterattack

Bitcoin Gold (BTG) was forked from Bitcoin on October 24, 2017. As of March 10, 2020, its market capitalization was $ 168 million. Bitcoin Gold does not use Bitcoin's SHA256 algorithm, but uses the ZHash anti-ASIC algorithm, which means that miners can use GPUs for mining. Unlike BTC, BTG makes difficulty adjustments for each block.

However, BTG suffered multiple double-spend attacks, the largest of which was 51% in May 2018, when 388,000 BTG (then about $ 18 million at the time) were stolen. In January and February 2020, BTG was attacked again by double spending. Through the reorganization tracker, we can observe 8 BTG reorganizations between January 23, 2020 and February 5, 2020. Four of these were double-spend, involving 12,858 BTG (about $ 150,000).

In February, we noticed that there seemed to be a counterattack game on the BTG chain. At first, this was just a typical reorganization attack, in which a transaction was reversed in a double spend, but then the double spend was reversed, which made the original transaction effective again. On February 8th, the attackers and counterattacks fought back and forth 4 times in 2.5 hours. In the end, the original blockchain was repaired, so this double spend did not succeed. On February 9th and February 11th, we observed a counterattack called "one-shot": the attacker created a reorganization, and the defender performed only one counterattack to restore the original blockchain.

In the counter-attack game that took place on February 8, the two sides competed for two transactions 757 and d5f. The attacker replaced them with transactions 50d and f38. AbC and AYP (note: address abbreviations) were stolen a total of 4390 BTG (about 44,000 US dollars), these coins were sent to GVe and GYz. The final restructuring depth is 23, which will bring miners about 290 BTG ($ 3,000) in block rewards and about 7% of Shuanghua's total revenue (for more details, see here ). Note that in each pair of transactions, the second transaction spends the output of the first transaction, that is, if the first transaction is invalid due to double spending, the second transaction will also be invalid. Therefore, we can think of them as a unit. Both units have the same input but different outputs, which we interpret as a stolen address.

Next, we will explain the mining dynamics of the counterattack game that took place on February 8. You can see a list of timestamped blocks from both chains here. We call these addresses "defenders". When the original chain is not the blockchain with the largest workload, the "defenders" will receive mining rewards on the original chain. And those miners who have been following the most workload chain (i.e., never mining on a few branch chains) are considered "bystanders" .

Our node observed 4 reorganizations starting at 06:56 UTC. The first reorganization replaced the last 9 blocks of the original blockchain with 9 new blocks. In the new blockchain, there are two attacker addresses in each block: GKGUq2p and Gh46Jw1, and there are double spend transactions in the first new block after the forked block (block 619935). Then, at 07:35 UTC, our node observed another reorganization, which mined another 4 blocks (more difficult) on the original chain. The defender is GbWi6y7 and GSsjeTZ. The two sides fought repeatedly. After that, the attacker ended up giving up and dug the last block at 08:58 UTC. Based on the timestamps in the block and the reorganized world observed by the nodes, our best guess on the timeline is as follows:

  1. At 4:04, the attacker started mining from a block at a height of 619934, and mined a block at a height of 619935, and performed double spending;
  2. At 6:55, the attacker dug 9 blocks, the chain of which was located exceeded the existing chain;
  3. At 6:56, our node observed and relocated to the attacker's blockchain. The "bystander" miner switched to the attacker's blockchain and extended it by 2 blocks;
  4. 7:20 The defender starts mining and extends the unattended blocks on the original chain (block height 619943);
  5. 7:33 The defender exceeds the attacker's blockchain after mining 4 new blocks;
  6. 7:35 Our nodes observe and reposition to the defense chain. "Onlooker" miners switch to the defensive chain;
  7. 7:53 The attacker starts mining again, expanding his attack chain, which has two additional "bystander" blocks;
  8. 8:22 The defender stops mining after 12 blocks;
  9. 8:58 The attacker also stopped mining after exceeding the defender's 11 blocks;
  10. 9:00 Our node observes and switches to a deeper reorganization chain of the attacker;
  11. 9:14 Defenders start mining again;
  12. 9:27 The defender continues mining after the original chain exceeds the attacker chain;
  13. 9:28 Our node is relocated to the defender's heavy chain;
  14. 10:20 Defenders reduce input computing power;
  15. 12:15 The defender stops mining;

Where does the computing power come from?

We do not have conclusive evidence to prove whether any of the BTG reorganizations observed was derived from Nicehash. This uncertainty is caused by the large fluctuations in the price and available computing power on the BTG in the absence of an active attack.

This is in contrast to the Lyra2REv3 (which leased computing power from the Nicehash market) we recently observed in the Vertcoin (VTC) double-spend attack, in which we clearly saw the price of computing power appear during the attack Soared, and returned to baseline after the attack.

The availability of computing power and the peak frequency of prices make it difficult to attribute the peaks we see to attacks. However, there is enough ZHash computing power on the market to perform BTG attacks, and there are peaks of computing power consistent with the detected reorganization events.


Nicehash ZHash market summary during the detected reorganization, the red line indicates the time of the reorganization event

Attack theory

In fact, the attack can be done by calling a command on the Bitcoin Core node, so the attacker may not need to write any new code.

For example, an attacker might do the following:

  1. Make a payment using the Bitcoin Core node and wait until it is included in the block;
  2. Call invalidateblock (at height 619935) on the block in the original chain containing the payment transaction;
  3. Disconnect from the peer-to-peer network and then clear mempool to delete existing payment transactions;
  4. Rescan on its wallet to make the output used in the original payment transaction available again and generate a new transaction, spending the same output to a new destination output, which will happen with the original transaction conflict;
  5. Mining normally until its chain has more workload than the original chain, and then reconnect to the peer-to-peer network to notify other nodes and let them participate in this alternative chain;

The defender only needs to call invalidateblock on the attacker block containing the double spend transaction, which will cause its nodes to continue mining on the original chain instead of relocating to the attacker chain.

It is possible that in the last two cases, the attacker immediately stopped the attack when he saw that the victim was fighting back. Perhaps the attacker knows that if the victim can fight back, it is not worth fighting against them. In almost all block battles, the defender's address is GSsjeTZ. This address was never used before February 1, and it was not used for mining after the counterattack.

However, this may not be an intentional revenge game. Here we discuss other possibilities.

Possibility 1: Test

One explanation is that the so-called counterattack is not actually a counterattack, but is simulated by an entity trying to test the counterattack software. As you can imagine, an exchange, merchant, or core developer has written an infrastructure to automatically counterattack when a deep reorganization occurs, and they want to test whether their software can work properly. This could explain why the counterattack that occurred on February 6 did not have any double spend.

Possibility 2: Battle of the Miners

Miners may have been fighting back each other, not because one or two of them were interested in recovering the double spent funds, but for theft and then recovering the block reward. Once again, the fact that there was no double spend on the counterattack on February 6 also supports this theory.

Possibility 3: Network division

This could be a brief, recurring network split in Bitcoin Gold. It is possible that at the same time, a client wallet broadcasts a transaction that doubles the output spent to the other end of the split chain. We don't know if there is any Bitcoin Gold wallet software that can do this. The block timestamp is inconsistent with this, which indicates that the miner is actively mining and then stopped several times. The existence of timestamps may also be fake. The addresses of the attacker and defender were not used before and after the attack.

Possibility 4: software vulnerability

It may be that there is some kind of vulnerability in the software involved in mining, which prevents them from mining on the longest chain, or they accidentally call invalidateblock .

Possibility 5: chance

Another possibility is that two large miners discovered the block at the same time, and the probability of such a split is very low. This seems less credible because the timestamp does not reflect this and the longest reorganization is 23 blocks;

in conclusion

The increasing development of the computing power market may undermine the security of Proof-of-Work (PoW) cryptocurrencies. However, although the existence of a mobile computing power market indicates that a weak chain is vulnerable to attack, the possibility of a counterattack by the victim may prevent the attack in a balanced state. If this balance of power is sufficient to protect the blockchain, then this raises the question, how much work is needed to prevent attacks?

In this research work, we only consider one rational attacker, and if there is an irrational attacker, they may not care about the money lost in 51% of the attack, which gives them an advantage over potential counterattack . For such saboteurs, the cost of a 51% attack may still be an important deterrent, as Bitcoin has today.

Acknowledgements: We would like to thank Dan Aronoff and David Parkes, co-authors of the paper The Counterattack Against Double Spend Attack. Thanks also to Tadge Dryja, Madars Virza and Gert Jaap Glasbergen for their helpful feedback on this work.

Author: James Lovejoy, Dan Moroz, Neha Narula