On December 1, 2019, Vertcoin experienced a 51% attack, in which an unknown attacker replaced the ledger’s history by changing 603 blocks. Vertcoin has gained questionable fame after being attacked multiple times in the past year. Previous attacks resulted in the theft of up to $100,000 via double spend of prior transactions.
In a double-spend attack, the attacker reorganizes the chain on which he has made a substantial purchase in one cryptocurrency and replaces it with a different blockchain version on which he owns the goods, but never paid for them.
In this case, the attacker would deposit VTC with a merchant (e.g. an exchange) to buy BTC (or another bearer asset with a short delivery time). When the transaction is completed, he reveals a heavier blockchain that he had been working on in secret. In that timeline he sends the money that he previously spent with the merchant back to himself, leaving him with both the money and the merchandise.
A short introduction to security
To better understand the latest attack on Vertcoin, it is important to understand the main security concepts of public blockchains. In a paper by Hasu, Brandon Curtis, and James Prestwich, we introduce a blockchain security model and analyze it using these concepts:
- Miner-extractable value (MEV) describes any value that miners can extract from an attack, both on- and off-chain.
- Miner punishment (MP) describes the value miners would lose as a side-effect of attacking the chain (e.g. when the value of their mining hardware falls). MP is a function of miner investment multiplied by the punishment factor.
- Miner investment (sometimes called security budget) depends on the value of future block rewards and describes how much money an attacker has to invest to control a majority of hash power.
- The punishment factor describes how closely the value of the miner investment is tied to the health of the network. The higher the punishment factor, the more an attacker will lose from attacking the chain.
A system is secure if honest mining is more profitable than attack mining (MP > MEV).
From this inequality, we can see that network security can be maintained as long as miner punishment is higher than miner-extractable value. The first intuition would be to attempt to keep MEV low. However, this is surprisingly difficult for two reasons:
- Legal recourse for any transaction would substantially decrease the potential to steal with double-spend attacks. However, cryptocurrency is useful because it can be used without identity and permission, thus attracting merchants willing to take additional risk. This effectively adds to MEV, as increased network activity increases MEV.
- Moreover, attacks can be carried out for purposes other than monetary gain. The more a network is used for illegal or other activity seen as unwanted by authorities, the higher the incentive to shut it down. Authorities might then take the role of an attacker if they saw the network being used for increasingly high criminal activity. In this case, the MEV would be a societal benefit rather than a monetary incentive.
Hence, any economic activity in a network will generate a corresponding amount of MEV that will attract attackers.
When the accrual of MEV cannot be averted, MP must be higher than MEV at all times, either through a high miner investment, through an increased punishment factor, or ideally through a healthy mix of both.
In this analysis, we look at Vertcoin’s architecture as well as the attack using the concepts introduced in the blockchain security model.
ASIC-resistance hurts network security by reducing miner punishment
The main reason for Vertcoin’s vulnerability to attacks results from its mining algorithm.
“Vertcoin was created as a GPU (Graphics Card) mined version of Bitcoin. This enables the greater spread of the long term security compared to ASICs. If enough devices mine the network, Vertcoin represents a viable alternative to the Bitcoin ASIC mined security model.” (Source)
Vertcoin currently uses an algorithm called Lyra2REv3, allowing Vertcoin to be mined with commodity hardware. Additionally, the Vertcoin community is committed to forking its hashing algorithm whenever ASICs are detected on the network.
However, there is an important reason to embrace ASICs: they make a network more expensive to attack. If mining can be done with commodity hardware, the value of the hardware is not tied to the health of the network. An attacker can destroy the network and proceed to sell the hardware without significant slippage. For smaller networks, the attacker does not even have to buy hardware. Instead, it can be rented on the hash power marketplace NiceHash, or the more general computing marketplace AWS. There is strong evidence that the attacker used NiceHash to power his attack:
“Post-attack analysis of the Nicehash order book during the attack’s preparation shows a large upswing in hash rate rental price from the market equilibrium on both – their EU and US markets. Now that the attack is over, the rental price has returned to the baseline market equilibrium.” (Source)
Such marketplaces are unlikely to ever exist for ASICs, because they are not useful beyond mining a particular network. If a miner’s investment is tied to the health of a particular network, he is much more incentivized to protect that network.
Application-specific hardware represents the present value of future cash flows from mining the particular asset. By destroying the network, the price of the asset decreases to 0, and therefore, the attacker has lost the future revenues and the fixed costs of the hardware itself. ASICs create a form of mutually-assured destruction: an attacker can still try to destroy the network, but only by destroying the value of his entire hardware in the process. This establishes a significant real cost that an attacker has to take on if he wants to damage the network.
ASIC-resistance policies become less harmful as the network grows in size. An example of that is Ethereum, where miners also use commodity hardware. However, Ethereum miners own so many GPUs that a crash in the price of Ether would still crash the price of GPUs. This replicates the benefit of mutually-assured destruction, albeit in a weaker form.
User attentiveness improves network security by lowering MEV
While around $100,000 was stolen in previous attacks on Vertcoin, none was stolen this time. The attacker replaced ~600 blocks, which happens to be the confirmation requirement of Bittrex, the largest VTC-supporting exchange. This indicates that the attack might have been aimed at double-spending a deposit there.
Interestingly, Vertcoin’s core maintainer James Lovejoy noticed that the attack was underway. He quickly notified Bittrex, recommending that they temporarily disable deposits to their VTC wallet. While we cannot know if this reaction by Bittrex caused the attacker to give up, the underlying concept is sound. Spotting an attack in progress can decrease MEV and make a network more secure overall.
Preventing theft before it happens
When an attack in progress has been spotted, merchants should selectively increase confirmation requirements or stop receiving transactions entirely. By doing this, they can protect themselves from losses incurred due to the attack, as the transactions during this time could be removed from the canonical chain by the attacker.
When an attack is performed with an internal hash rate, the hash rate would suddenly work on two chains instead of one, leading to significantly slower block production. To be safe, merchants can increase the number of confirmations for deposits. Unfortunately, this indicator is not very reliable, given that we cannot observe the hash rate directly. We can only guess it by observing the past number of blocks produced. Therefore it is hard to say whether periods of slow block production are an indication of an attack or simply the result of the natural variance.
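The variance problem described above can be quantified. The following is an added example, not code from the original article or from the Vertcoin project: it treats block arrivals as a Poisson process and asks how surprising a slow window is, and how often an alarm would actually fire if part of the hash rate left the public chain. The function names, the 150-second target spacing, and the assumption that difficulty matches the full hash rate are assumptions of this example.

```python
import math

# Assumption: 150 s is Vertcoin's target block spacing; the page does not state it.
TARGET_SPACING_S = 150

def poisson_cdf(k, lam):
    """P(N <= k) for N ~ Poisson(lam); terms are built in log space."""
    if k < 0:
        return 0.0
    if lam == 0:
        return 1.0
    terms = (math.exp(i * math.log(lam) - lam - math.lgamma(i + 1))
             for i in range(k + 1))
    return min(sum(terms), 1.0)

def slow_block_pvalue(timestamps, now, window_s, spacing=TARGET_SPACING_S):
    """Count blocks in the last window_s seconds and return (count, p-value).

    The p-value is the chance of seeing this few blocks or fewer when the
    full hash rate is still working on the public chain.
    """
    count = sum(1 for t in timestamps if now - window_s < t <= now)
    return count, poisson_cdf(count, window_s / spacing)

def alarm_threshold(window_s, alpha, spacing=TARGET_SPACING_S):
    """Largest block count that still triggers an alarm at false-alarm rate alpha.

    Returns -1 when the window is too short for any count to be significant.
    """
    lam = window_s / spacing
    k = -1
    while poisson_cdf(k + 1, lam) <= alpha:
        k += 1
    return k

def detection_power(window_s, diverted, alpha=0.01, spacing=TARGET_SPACING_S):
    """Chance the alarm fires when a fraction `diverted` of the hash rate
    has left the public chain to mine a private one."""
    k = alarm_threshold(window_s, alpha, spacing)
    return poisson_cdf(k, (1 - diverted) * window_s / spacing)

if __name__ == "__main__":
    # Constructed sample: 10 blocks seen in the last hour instead of ~24.
    seen = list(range(300, 3300, 300))
    print(slow_block_pvalue(seen, now=3600, window_s=3600))
    for window in (300, 900, 3600, 6 * 3600):
        print(window, alarm_threshold(window, 0.01),
              round(detection_power(window, diverted=0.5), 3))
```

With a 1% false-alarm rate and half of the hash rate diverted, a 15-minute window raises the alarm only about 5% of the time and a one-hour window about 58% of the time, while a six-hour window almost always does. Block timestamps are miner-supplied, so a production monitor should use the time at which its own node received each block.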
When the hash rate can be rented, network participants should closely monitor the demand for it on markets like NiceHash. The recent Vertcoin attack was spotted by monitoring both the peer-to-peer network of Vertcoin and the market prices for hash rate on NiceHash:
“The attack was originally discovered by inspecting the work being sent from Nicehash’s stratum servers, which were sending work for non-public blocks” (Source)
In cybersecurity, intrusion detection systems (IDS) monitor network traffic for abnormalities and raise an alarm when necessary. We would expect that the same type of system could be developed for public blockchains to monitor all available data and to spot attacks while, or even before, they happen.
A factor to monitor could be derivatives markets. An attacker can generally hedge the risk of the damaged hardware by betting against the price of the coin using derivatives. However, if the attacker wanted to hedge a significant amount of his forced exposure, this would hardly go unnoticed by the market, driving up prices in the process.
In permissionless networks, transactions are not final until it is unprofitable for an attacker to reverse them. For example, in Bitcoin, the rule of thumb is to wait for six confirmations when receiving a payment (Gervais et al. attempt to generalize the framework to other PoW blockchains). The tip of the blockchain, where transactions are still possible to reverse, is sometimes called the scratch space of the consensus algorithm.
However, transaction reversion is not exclusive to attackers. Assume a hacker takes control of an exchange wallet and publishes a transaction to the network. If the exchange can detect this transaction in the local mempool, they can use replace-by-fee (if supported by the network) to send the same transaction back.
Even after a transaction is on the blockchain, the exchange could, in theory, bribe miners to advance a different chain where the money has not been stolen or one where the money is sent to miners instead of the hacker. While this has not been tried, Binance briefly considered attempting it after losing 7000 BTC in a hack.
Finally, if Bittrex had noticed that an attack was in progress, but found it too late to disable their wallet, they could have started renting hash rate directly (similar to bribing miners in the previous example) and worked on the already heaviest chain. This would have created a race with the attacker, in which both Bittrex and the attacker would have lost in the short term. Exchanges that use this kind of “scorched-earth policy” make themselves very unattractive targets for attackers in the future.
Our analysis shows that Vertcoin’s biggest weakness is its inability to punish attackers. In permissionless systems, miners are only incentivized by financial rewards and impeded by punishment. The idea of ASIC-resistance, which started as a form of social justice movement, prevents any punishment, as attackers can easily sell the hardware after an attack or even rent it on one of several general computing marketplaces. However, the Vertcoin attack also showed a positive sign for network security. Some future attacks may be possible to predict by monitoring important “vital signs” of a network, like block production, derivatives markets, large recent deposits on exchanges, as well as the peer-to-peer networking layer.
We are grateful to Su Zhu, Leo Zhang, Nic Carter, Brandon Curtis, Tarun Chitra, Georgios Konstantopoulos, and Elizabeth Stark for their feedback.