
posted by janrinok on Wednesday February 20 2019, @09:43PM
from the its-finally-happening dept.

Early last month, the security team at Coinbase noticed something strange going on in Ethereum Classic, one of the cryptocurrencies people can buy and sell using Coinbase's popular exchange platform. Its blockchain, the history of all its transactions, was under attack.

An attacker had somehow gained control of more than half of the network's computing power and was using it to rewrite the transaction history. That made it possible to spend the same cryptocurrency more than once—known as "double spends." The attacker was spotted pulling this off to the tune of $1.1 million. Coinbase claims that no currency was actually stolen from any of its accounts. But a second popular exchange, Gate.io, has admitted it wasn't so lucky, losing around $200,000 to the attacker (who, strangely, returned half of it days later).

Just a year ago, this nightmare scenario was mostly theoretical. But the so-called 51% attack against Ethereum Classic was just the latest in a series of recent attacks on blockchains that have heightened the stakes for the nascent industry.

In total, hackers have stolen nearly $2 billion worth of cryptocurrency since the beginning of 2017, mostly from exchanges, and that's just what has been revealed publicly. These are not just opportunistic lone attackers, either. Sophisticated cybercrime organizations are now doing it too: analytics firm Chainalysis recently said that just two groups, both of which are apparently still active, may have stolen a combined $1 billion from exchanges.

https://www.technologyreview.com/s/612974/once-hailed-as-unhackable-blockchains-are-now-getting-hacked/


  • (Score: 2, Insightful) by Anonymous Coward on Wednesday February 20 2019, @10:05PM (6 children)

    by Anonymous Coward on Wednesday February 20 2019, @10:05PM (#804245)

    It should read: crypto with a small pool of miners is vulnerable to history rewrites from an entity that represents a minimum of 50% of the mining power.

    • (Score: 0) by Anonymous Coward on Wednesday February 20 2019, @10:14PM (1 child)

      by Anonymous Coward on Wednesday February 20 2019, @10:14PM (#804246)

      Is the clickbait related to the wombat?

      • (Score: 0) by Anonymous Coward on Thursday February 21 2019, @12:12AM

        by Anonymous Coward on Thursday February 21 2019, @12:12AM (#804309)

        Only that both are more entertaining and secure than the Ethereum Classic blockchain.

    • (Score: 2) by All Your Lawn Are Belong To Us on Wednesday February 20 2019, @10:16PM (3 children)

      by All Your Lawn Are Belong To Us (6553) on Wednesday February 20 2019, @10:16PM (#804248) Journal

      Is it even 50% of the mining powers? It takes that to push through a block revision, I thought. But can't I get lucky with one corrupted block addition and then win a few times in a row to seal it, and then go quiescent and let my corrupted proof get buried by layers of new confirmation from other innocent actors? (And yes, I may not understand that part of it as well as I should, so correction happily invited.)

      --
      This sig for rent.
      • (Score: 4, Informative) by Snow on Wednesday February 20 2019, @10:27PM (1 child)

        by Snow (1601) on Wednesday February 20 2019, @10:27PM (#804255) Journal

        Nope, well yes... maybe.

        If the corrupted block follows all the rules as to what a block is, then yes, you are good. This happened in 2010 with the value overflow incident [bitcoin.it]

        Usually a 'corrupted' block violates one or more rules and will not propagate through the network. So, yes, you can build on it with your patched software, but no one else will receive it or build on top.

        • (Score: 2) by All Your Lawn Are Belong To Us on Thursday February 21 2019, @02:55PM

          by All Your Lawn Are Belong To Us (6553) on Thursday February 21 2019, @02:55PM (#804530) Journal

          I thought there must have been something flawed with my thought, otherwise enterprises would already be doing it. I'm still a little hazy on how the new block acceptance pattern works - I've got a clue from all I've read, but not enough to know what's possible and what isn't.

          --
          This sig for rent.
      • (Score: 0) by Anonymous Coward on Wednesday February 20 2019, @11:27PM

        by Anonymous Coward on Wednesday February 20 2019, @11:27PM (#804277)

        https://www.crypto51.app/ [crypto51.app] has an explanation of the double-spend attack.

        p.s. ty janrinok for cleaning up my submission and adding what must be a blockquote.

  • (Score: 5, Insightful) by Appalbarry on Wednesday February 20 2019, @10:22PM (5 children)

    by Appalbarry (66) on Wednesday February 20 2019, @10:22PM (#804253) Journal

    Is anyone even slightly surprised by this? Some of us have assumed that it was inevitable: if you can build it, there will be someone else who can break it.

    Hint: They claimed that the Titanic was unsinkable. The same is true of any new tech that claims it's impervious to any and all attacks.

    • (Score: 4, Interesting) by mhajicek on Wednesday February 20 2019, @10:43PM (1 child)

      by mhajicek (51) on Wednesday February 20 2019, @10:43PM (#804260)

      As I understand it, the engineers and shipyard workers knew the flaws, but management hid and ignored them. Seems familiar?

      --
      The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
      • (Score: 2) by DannyB on Wednesday February 20 2019, @10:55PM

        by DannyB (5839) Subscriber Badge on Wednesday February 20 2019, @10:55PM (#804266) Journal

        I seem to recall that engineers knew not to launch in cold weather because the O-rings might crack.

        --
        When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
    • (Score: 1, Informative) by Anonymous Coward on Thursday February 21 2019, @09:55AM (1 child)

      by Anonymous Coward on Thursday February 21 2019, @09:55AM (#804447)

      I don't even understand what the new catch is here. Cryptocurrencies have been stolen for years and years. I mean, I guess there can be a new method for it, but cryptocurrency has never been safe.

      • (Score: 0) by Anonymous Coward on Thursday February 21 2019, @09:06PM

        by Anonymous Coward on Thursday February 21 2019, @09:06PM (#804707)

        damn, you people are stupid.

    • (Score: 0) by Anonymous Coward on Thursday February 21 2019, @10:41PM

      by Anonymous Coward on Thursday February 21 2019, @10:41PM (#804752)

      While this kind of vulnerability probably will be discovered, the article is pure garbage. The first listed attack is the 51% attack, which was a known design problem with most (all?) blockchains from day one. Every other attack was a crypto wallet hack or Ethereum dapp error. To put it in metaphorical terms, the article claims the crypto dollar has been destroyed. The crypto dollar is fine, it's just been pickpocketed from the owner by someone else. (But no, I'm not investing in blockchain tech in any way.)

  • (Score: 0) by Anonymous Coward on Wednesday February 20 2019, @11:32PM

    by Anonymous Coward on Wednesday February 20 2019, @11:32PM (#804279)

    But the so-called 51% attack against Ethereum Classic was just the latest in a series of recent attacks on blockchains that have heightened the stakes for the nascent industry.

    3rd time is the charm...

  • (Score: 1) by liberza on Thursday February 21 2019, @02:06AM (3 children)

    by liberza (6137) on Thursday February 21 2019, @02:06AM (#804329)

    Notice that this is Ethereum Classic (ETC) the article is talking about. Not Ethereum (ETH). These are different cryptocurrencies, different networks.

    Computing power for these networks is measured in hashes-per-second. ETC has about 8.5TH/s pointed at it for verifying its transactions. ETH has 151TH/s.

    ETC price is hovering at about $4.50. ETH is $145.

    Here's the thing: both use the same proof-of-work mechanism. If your mining rig gets XH/s on one network, it gets XH/s on the other as well.

    Miners will normally point their rigs at whichever network is more profitable. A mining farm could have 10TH/s on the ETH network, because it's profitable to mine. This isn't at all close to the total network hashrate of 151TH/s. They probably would not point it at the ETC network, because it would just not be profitable when playing by the rules. But if you want to actually attack the ETC network, the only limit of profitability is the amount of value being exchanged on it, because you can just take it for yourself until someone notices and everybody stops using it.

    Attacking ETH, on the other hand, is a different magnitude of beast entirely. 10TH/s isn't even close to enough, and it's in the miner's own best interest to play by the rules.

    Moral of the story is: If you're transferring any amount of value that actually matters, don't use less-popular cryptocurrencies that just use the same proof of work as a wildly more popular one.

    • (Score: 4, Informative) by AthanasiusKircher on Thursday February 21 2019, @03:05AM (2 children)

      by AthanasiusKircher (5291) on Thursday February 21 2019, @03:05AM (#804341) Journal

      Notice that this is Ethereum Classic (ETC) the article is talking about. Not Ethereum (ETH). These are different cryptocurrencies, different networks.

      So what? The article headline is NOT dishonest, as it doesn't mention either one. It merely says there are vulnerabilities in blockchain technology, which there are. From TFA:

      Susceptibility to 51% attacks is inherent to most cryptocurrencies. [...] For popular blockchains, attempting this sort of heist is likely to be extremely expensive. According to the website crypto51.com, renting enough mining power to attack Bitcoin would currently cost more than $260,000 per hour. But it gets much cheaper quickly as you move down the list of the more than 1,500 cryptocurrencies out there. [...] Toward the middle of 2018, attackers began springing 51% attacks on a series of relatively small, lightly traded coins including Verge, Monacoin, and Bitcoin Gold, stealing an estimated $20 million in total. In the fall, hackers stole around $100,000 using a series of attacks on a currency called Vertcoin. The hit against Ethereum Classic, which netted more than $1 million, was the first against a top-20 currency.

      Note that Ethereum Classic, despite your attempt to poo-poo this, is a top-20 currency with a market cap still in excess of $500 million. As TFA notes (and as quoted), there are well over a thousand currencies out there, and such an attack on most of them would be a lot easier. So, I don't think it's a disingenuous headline at all to note that this sort of vulnerability exists and it has now been used to target a currency in the top 1-2% of all cryptocurrencies.

      So, when you say:

      Moral of the story is: If you're transferring any amount of value that actually matters, don't use less-popular cryptocurrencies that just use the same proof of work as a wildly more popular one.

      Nope. I think the moral of the story is that cryptocurrencies are more vulnerable to lots of attack vectors than any of the pro-crypto folks like to admit. The 51% attack is only one of many vectors mentioned in TFA. Obviously most of the attacks are on exchanges, but TFA also notes cryptographic flaws in some complex protocols, bugs in major software clients handling cryptocurrencies, etc. The more valuable a currency gets, the more advantage there is for bad actors to try to exploit flaws in various parts of the process...

      • (Score: 1) by liberza on Thursday February 21 2019, @06:24PM

        by liberza (6137) on Thursday February 21 2019, @06:24PM (#804607)

        By saying it's a "Top 20 currency" you and the author are implying that it's widely used. It isn't. The vast majority of market cap is concentrated in the top 3 cryptocurrencies, BTC, ETH and XRP, about $100 billion between the three. By comparison, ETC is not even $0.5 billion.

        To say it is in the top 1-2% of cryptocurrencies is like saying LHS 288 is in the top 1-2% of stars that are close to us. Sure... but the sun is quite a bit more important...

      • (Score: 0) by Anonymous Coward on Thursday February 21 2019, @09:09PM

        by Anonymous Coward on Thursday February 21 2019, @09:09PM (#804709)

        no, everyone with half a brain knows about the risks and takes them into account. it's only bankster and taxman whores who try to act like these possible attack vectors are news.

  • (Score: 0) by Anonymous Coward on Thursday February 21 2019, @03:13AM

    by Anonymous Coward on Thursday February 21 2019, @03:13AM (#804346)

    Proof of Work is the problem here. Use a different consensus model such as Proof of Stake or even a Clique style Proof of Authority and 51% is not possible.
    We're getting to the point now where any proof of work mechanism is no longer sufficient to protect any chain, no matter how convoluted, plus it just wastes energy.
    But change the consensus algorithm (even ETH is looking to change), and this problem goes away.

    As for the damages, nothing really happened to Ethereum Classic itself. The problem rests firmly with the exchanges which did not verify the transactions were valid.
    Had they validated the transactions instead of just assuming the transaction was valid because it was coming from lots of places, they would have lost nothing.

    If your transaction is valuable, then wait, make sure it stays in the blocks and validate all the incoming blocks, rejecting any that would be invalid. This is true regardless of the network.

  • (Score: 2, Insightful) by Anonymous Coward on Thursday February 21 2019, @04:19AM

    by Anonymous Coward on Thursday February 21 2019, @04:19AM (#804372)

    This possibility has been known since before bitcoin was released and has been widely discussed since.

  • (Score: 0) by Anonymous Coward on Thursday February 21 2019, @12:30PM (2 children)

    by Anonymous Coward on Thursday February 21 2019, @12:30PM (#804473)

    If you double spend with a blockchain, then there has to be a record of both transactions for all to see.

    If you have a rule that makes the second transaction invalid, then how is double spending possible?

    • (Score: 0) by Anonymous Coward on Thursday February 21 2019, @02:14PM (1 child)

      by Anonymous Coward on Thursday February 21 2019, @02:14PM (#804507)

      Because there is no central authority that can say "this blockchain is the real one, and all others are fake". Instead, roughly speaking, the blockchain with the most activity is assumed to be the real one. If you manage to generate the most activity yourself (by gaining 51% of the mining power), then you essentially can dictate which blockchain is the right one.

      Now if you spent cryptocoins on the real blockchain, and then through your mining power replace it with an alternate version in which your transaction never happened, you effectively get your coins back, and can spend them again.
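      The fork-choice and reorg mechanics this comment describes, together with the "wait, make sure it stays in the blocks" advice in the earlier comment about exchanges, as an added toy simulation (not code from the thread or from any real client; the Block type, the unit work values and the transaction ids are constructed): a deposit counts as final on the chain the exchange's node first follows, then disappears once a heavier competing branch arrives, and reorg_depth is the signal a deposit monitor should alarm on rather than trusting a confirmation count alone.

```python
from dataclasses import dataclass

@dataclass
class Block:
    height: int
    work: int                        # toy stand-in for proof-of-work difficulty
    txs: tuple = ()                  # transaction ids this block includes
    parent: "Block | None" = None

def chain_of(tip: Block) -> list:
    out, b = [], tip                 # walk parent links back to genesis, then reverse
    while b is not None:
        out.append(b)
        b = b.parent
    return out[::-1]

def heaviest_tip(tips) -> Block:
    """Fork choice: with no central authority, the branch with the most total work wins."""
    return max(tips, key=lambda t: sum(b.work for b in chain_of(t)))

def confirmations(tip: Block, txid: str) -> int:
    """Blocks from the one containing txid up to tip inclusive; 0 if txid is not on this chain."""
    for b in chain_of(tip):
        if txid in b.txs:
            return tip.height - b.height + 1
    return 0

def reorg_depth(old_tip: Block, new_tip: Block) -> int:
    """Blocks of the previously followed chain discarded by switching to new_tip: the thing an exchange must watch."""
    kept = {id(b) for b in chain_of(new_tip)}
    return sum(1 for b in chain_of(old_tip) if id(b) not in kept)

def mine(parent: Block, txs: tuple = ()) -> Block:
    return Block(parent.height + 1, 1, txs, parent)

def scenario(required_confirmations: int = 6) -> dict:
    """Constructed data: honest chain buries a deposit 6 deep, then a heavier private branch omitting it appears."""
    genesis = Block(0, 1)
    honest = mine(genesis, ("deposit_to_exchange",))
    for _ in range(5):
        honest = mine(honest)
    private = mine(genesis, ("same_coins_spent_elsewhere",))   # one block longer than the honest branch
    for _ in range(6):
        private = mine(private)
    before = heaviest_tip([honest])            # what the exchange's node saw when it credited the deposit
    after = heaviest_tip([honest, private])    # what it sees once the private branch is published
    return {
        "final_before": confirmations(before, "deposit_to_exchange") >= required_confirmations,
        "final_after": confirmations(after, "deposit_to_exchange") >= required_confirmations,
        "reorg_depth": reorg_depth(before, after),
    }
```

A real monitor would compare each new best tip against the last one it acted on and freeze withdrawals when reorg_depth approaches its confirmation threshold, since a majority miner can make any fixed threshold insufficient.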

      • (Score: 0) by Anonymous Coward on Thursday February 21 2019, @09:11PM

        by Anonymous Coward on Thursday February 21 2019, @09:11PM (#804711)

        this is a pretty good explanation for the layperson. kodos (and kang) to you sir.
