ZenCash is a “proof of work” (PoW) cryptocurrency based on the Equihash mining algorithm. On May 31, the ZenCash network experienced a 51 percent attack, meaning a single party gains control of the majority (51 percent) of the hash rate, enabling them to reorganize the blockchain and reverse blocks. According to a statement from the development team, this attacker was able to double spend two large transactions worth more than $550,000 at current rates.
According to 51Crypto, the attack on ZenCash cost the attacker around $30,000. That’s still a tidy profit.
This incident, along with the similar attacks on Bitcoin, Gold and Verge in the last few months, has put emerging cryptocurrencies using a PoW system on notice. Proof-of-work, or “mining,” is a requirement of certain cryptos to define the computation necessary to create a “block” on the blockchain. The “block” is a group of trustless transactions, like a page of a ledger or record book” where transactions are recorded and trust is distributed amongst the miners involved. Mining verifies transaction legitimacy and pays miners with a portion of the transaction as a reward for performing the mathematical work involved.
The Bitcoin network and most blockchains that require mining are open and not permissioned, meaning they don’t require a third party service to verify them, which can leave them more exposed to potential attackers. A group of people, large organizations or nation-states with the right computational power could take over the 51 percent majority of the network’s hash rate and gain control of which transactions are processed, delayed or even removed from the chain, as occurred with ZenCash.
At that point it is easy for them to allow their own coins to be spent multiple times, similar to stock fraud “pump and dump” operations. This kind of attack has potentially catastrophic impact on the cryptocurrency, quickly and exponentially decreasing or even negating its value.
Lines of Defense
Not only do incidents like these threaten the specific cryptos they attack, they also threaten the credibility and stability of all cryptocurrency. When the chief selling point of cryptos is their security, attacks like these undermine its very foundation. Fortunately, there are certain actions that coin developers could take to prevent or seriously reduce the risk of a 51 percent attack.
The first is to give up mining of coins altogether and switch to a “proof-of-stake,” protocol. Unlike the “reward for math” system of PoW, PoS determines creators of a new block depending on their wealth, or “stake.” While PoS systems can be cheaper to attack because they require less energy and computation, they are usually deemed safer because transactions are validated through security deposits, or stakes.
Unfortunately, such a shift requires substantial restructuring, and as such, is unlikely to be undertaken by most coins that already currently use mining. The Ethereum network feels like benefits are worth the effort, however, and is already planning to make the shift to ensure a cheaper distributed consensus and a more energy-saving process.
Emerging coins, however, could easily start out with PoS protocol, and help guard against these kinds of attacks, even if the ramp up requires more upfront investment.
For coins already established on the mining protocol, other methods of defense against a 51 percent attack include:
- Increasing the number of confirmations required – depending on the amount, the more confirmations, the less likely a payment is to be reversed. For amounts under $1,000, 3 is recommended, 6 for amounts between $1,000 and $1,000,000 and, beyond that, the more the better.
For example, BTC-e responded to a 51 percent attack on Feathercoin by increasing their confirmation requirements to 100 blocks. This will slow down an attack and require more computational power to carry it out, but may not entirely deter it.
- Blacklisting and blocking people/machines/accounts suspected as part of the attack – better safe than sorry, knowing potential bad actors no longer have access to the block before they are cleared of wrongdoing will help assure its stability.
Foundational security measures built into the coin will also create ongoing protection against all types of attacks. These might include:
- Authenticating identity of devices, users and software
- Binding devices with paired user accounts, encryption keys protecting accounts from unauthorized access
- Multiple layers of advanced computation protect data in transit from end-to-end
- Secure storage – encryption to protect data at rest
- Quantum encryption to guard against quantum computer attacks
- Verifying transaction integrity in case of interception
- Single use keys – ensure secrecy of future transactions by never reusing encryption keys
Part of the issue is that hundreds of new tokens have entered the market in the last years, and there is no standard for security within the industry yet, and no oversight to verify that a coin is as secure as it claims to be. Criminals have stolen about $1.2 billion in cryptocurrencies since the beginning of 2017, according to a May 2018 report from the Anti-Phishing Working Group, and that number is going to continue to rise, as cryptos are an attractive and lucrative target for theft.
Proof-of-work and proof-of-stake methods each have their pros and cons, but what is certain is that coins with end-to-end security will eventually weed out the weaker and less stable currencies to strengthen the overall market. Only coins that invest in multi-level encryption and strong validation protocols will emerge from attacks with value intact and enter the mainstream.