Proof-of-work cryptocurrencies solve the Byzantine General's Problem and allow for the coordination of a decentralized network of nodes, where some of those nodes may be bad actors. This does, however, creates an attack surface for proof-of-work cryptocurrencies, known as a 51% attack.

In a 51% attack, an attacker accumulates the majority of a cryptocurrency's hashrate. This is typically used to reverse transactions they've made on the network, and double-spend coins.

Exchanges typically bear the cost of these attacks because they are the easiest way for attackers to profit from forking a chain.

If an attacker is targeting Ethereum Classic, he can deposit Ethereum Classic to an exchange, convert it to another cryptocurrency, and quickly withdraw it. Because the attacker has a majority of the network's hashpower, he can mine a competing chain that doesn't include the deposit transactions. Once the competing chain grows longer than the original chain, he can force the network to accept this corrupted chain as valid—cancelling his original deposit(s) to the exchange.

While currencies with the high hashpower such as Bitcoin and Ethereum have never been successfully 51% attacked, many coins with smaller market capitalizations can't count on this advantage to fend off attackers. Over the last year, the rise of cloud mining and the ability to temporarily lease hashpower has led to a spate of increasingly successful 51% attacks.

In this article, we'll walk you through a brief history of some of the most significant 51% attacks in crypto history.

Coiledcoin - January 6, 2012

Coiledcoin was a short-lived clone of Bitcoin that supported merged mining and the opcode OP_Eval. The client was released on January 5, 2012. A day later, Bitcoin developer Luke Dash Jr. posted to the Bitcoin Talk forum:

Screenshot 2019-04-12 12.00.21.png

Coiledcoin permitted merged mining, which means that miners hashing Bitcoin's Sha-256 algorithm could simultaneously mine Coiledcoin, making the coin much easier to 51% attack.

At the time, Luke Dash Jr. ran the Eligius mining pool, which led some in the community to accuse him of using contributed hashpower to attack CoiledCoin—a claim he denies. Luke Jr.'s main rationale for attacking CoiledCoin was that he believed it was a scam and a pyramid scheme that would “discredit and harm Bitcoin's reputation.”

The CoiledCoin attack is interesting as it didn't appear to be economically motivated, but purely political. While the move drew some outcry from the community, it showed how vulnerable smaller SHA-256 proof-of-work currencies with low hash power were to attack.

Feathercoin - June 8, 2013

Feathercoin, a Scrypt-based coin modeled around Litecoin, launched on April 16, 2013.  Feathercoin was very similar to Litecoin, with two differences. The first was that the total supply of Feathercoin was increased to 336 million, from Litecoin's 84 million. Feathercoin also adjusted it's difficulty level for mining more frequently than Litecoin.

beTqcOl.png
Source

Seven weeks later, on June 8, Feathercoin was hit by a 51% attack. Prior to the attack, Feathercoin was operating at a network hashrate of .2 GH/s, which increased over 7x to 1.5 GH/s during the attack. After 31 hours, one analysis shows that the attacker made off with 580k Feathercoin—worth $63,800 at the time—most likely by double-spending coins on an exchange.

Screenshot 2019-04-12 14.44.07.png

While it's unclear where the attacker double-spent the coins, several Bitcoin Talk users noted at the time that exchanges were slow to suspend trading, and that the now defunct BTC-E exchange processed several large orders following the attack.

Interestingly, the price of Feathercoin was not immediately affected by the successful attack, and it would continue to rise in the following months. At the time of the attack, one Feathercoin was worth $.11. By the end of the year, the currency spiked to an all-time high of $1.29.

Peter Bushnell, the creator of the coin, commented that this hashpower could have been redirected from any Litecoin mining pool, or pools for any other Scrypt-based currencies. Using the same hashing algorithm as a more popular coin created a vulnerability to 51% attacks, which would be magnified in the coming years with the rise of cloud mining.

Krypton - August 26, 2016

Krypton was an Ethereum clone with the exact same features—smart contracts, scripting, and more. Krypton claimed to offer lower fees than Ethereum, which basically meant that because Krypton was less valuable than Ethereum, the price of computing power denominated in Krypton was lower.

Like many altcoins with low hashpower, Krypton was extremely vulnerable to 51% attack, which subsequently was taken advantage of on August 26, 2016. The attackers launched an attack with over 51%, which was combined with a DDOS attack on the network. They made off with a total haul of 21,465 KR from Bittrex by double-spending transactions, worth around $3,434. The attack was likely part of a larger effort to exploit vulnerabilities in Ethereum-based coins, including  Shift and Expanse.

The attackers sent a ransom note for the stolen funds to the Krypton team:

“We have a chain going on Krypton that we can fork at anytime. It is 7000-8000 blocks because Bittrex wallet was down 2 days ago. While we do want to make bitcoin our intention is not to wreck a project.

We have sold our remaining 20,000 kr today and will give be you the opportunity to end us messing with you if you want. We aren’t asking for anything more than would cover our cost. 7 BTC and we will close our fork. That is the price of the 20,000 kr plus the 8000 blocks and mining cost.

If you agree let us know and we will never mess with you again. If not we will fork the 8000 blocks.”

Krypton refused to pay the ransom, and, following the attack, Krypton founder Stephanie Kent announced that the currency was transitioning to a proof-of-stake consensus model to deter future attack. That move appears to have been unsuccessful: The project was abandoned a few months later.

Verge - April 4, 2018 & May 22, 2018

Verge has the dubious honor of being the only coin on our list to suffer not one but two successful 51% attacks. Verge was designed as a “secure and anonymous” privacy coin. It began as a fork of Dogecoin, and its claim to privacy stems from the fact that it routes transactions over Tor, as well as the “wraith protocol” which basically means that you can use subaddresses with Verge. These features actually did very little to protect user privacy, but the currency nevertheless spiked in December 2017, with a market cap north of $3 billion.

The first attack occurred on April 4, 2018. Verge employed an algorithm called “Dark Gravity Wave” to adjust the difficulty level on the network, using the average block-confirmation time over a 30-minute window. The Verge attack was pretty sophisticated, in that the attacker spoofed time stamps on the chain to lower the difficulty level of Verge and successfully attacked it with far less than 51% of the network hashpower. Before the attack, Verge's difficulty was around 139093, and it dropped down to a low of .00024414 during the attack.

In response to the attack, the Verge team updated the protocol but accidentally initiated a hard fork on the network that then had to be rolled back.

The team's efforts to fix the protocol didn't amount to much, because on May 22, the same exploit was used to attack Verge, for a much larger sum of 35 million Verge, or $1.7 million.

As Abacus Solutions founder Daniel Goldman points out in a write-up of the attack,

“In both cases, this hack presents a strong argument for tending towards sticking to things proven to work and to be wary of overcomplicating things and thereby introducing unnecessary risks when people’s financial assets are involved.”

The Verge attack can be attributed to the complexity of the protocol, which perhaps needlessly reinvented the wheel by allowing miners to use five different hashing algorithms and deploying  features with names like “Dark Gravity Well.”

Bitcoin Gold - May 16, 2018

Bitcoin Gold is a hard fork of Bitcoin that aims to foster decentralization through ASIC-resistance.

Upon launch, Bitcoin Gold used the Equihash mining algorithm, which is also used in ZCash. Equihash is a memory intensive algorithm, which Bitcoin Gold selected to promote GPU mining on the network. Unfortunately, as we've seen in previous 51% attacks, it also made Bitcoin Gold particularly susceptible to 51% attack. Rather than purchasing their own hardware, an attacker could simply rent GPUs from a hashrate marketplace for the duration of the attack.

On May 16th, an attacker launched the first attack on the network, with the last attack occurring three days later, on May 19th. These attacks were used to double-spend Bitcoin Gold on exchanges, making out with around 12,239 BTG, which was valued at around $18 million at the time.

The address of the suspected attacker on Bitcoin Gold, showing 12,239 BTG worth around $18 million at the time. Source: Bitcoinist

Upon detecting the first attack, the Bitcoin Gold development team advised exchanges to require 25 confirmations or more to secure transactions. Two days letter, the team increased this recommendation to 50 confirmations.

In response to the attack, the Bitcoin Gold team eventually hard forked the currency to support ZHash a hardened version of Equihash intended to be even more ASIC-resistant. But this doesn't solve Bitcoin Gold's underlying problem. Because ZHash is mined by general-purpose GPUs which can be leased on a hashrate marketplace, and Bitcoin Gold has a low network hashrate of 2.85 MH/s, it seems only a matter of time before the currency is attacked again.

Ethereum Classic - January 5, 2019

Ethereum Classic is a hard fork of the Ethereum Protocol, which occurred following the DAO hack of 2016. Ethereum Classic is a decentralized computing platform with an emphasis on immutability.