The recent Ethereum Classic 51% attack was far from an innocent mistake as some initially suspected, netting the attacker more than $5 million in stolen funds. What’s more, the hacker only spent $200,000 to do it.
Bitquery, a blockchain data intelligence firm, released analysis today breaking down the steps the attacker took to pull off the 51% attack against the Ethereum Classic blockchain over the weekend.
Those steps reveal careful planning and an intimate knowledge of the Ethereum Classic blockchain architecture, which allowed the multimillion-dollar exploit to be completed without immediately alerting blockchain watchers; it took several days to be uncovered.
In essence, the hacker sent ETC from an exchange to his own wallets, then back to the exchange on the original ETC blockchain. Using more than 51% of available ETC hash power, the attacker then mined thousands of blocks, some containing transactions sending ETC to other wallets he also controlled, instead of back to the exchange. Finally, the attacker broadcast his malicious blocks, causing a reorganization of the blockchain that replaced real blocks with those created by the attacker.
The hacker spent more than 12 hours sending ETC to the exchange to be sold or converted into other currency. After the offending blocks were reorganized into the ETC blockchain, the ledger showed that the transactions sending ETC from the wallets back to the exchange never happened, and the ETC instead remained in the hacker’s possession. These “double spend” exploits are the reason 51% attacks can be so catastrophic for blockchains that are meant to be immutable.
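From the exchange's side, the reorganization described above can be measured by comparing the chain seen before and after it. The following is an added example, not code from Bitquery or from this article; the class and function names, block hashes and transaction ids are constructed, and the model is simplified to two lists of blocks compared by hash.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    height: int
    block_hash: str
    txs: tuple  # ids of the transactions included in this block

def fork_height(old_chain, new_chain):
    """Height of the last block both views share (-1 if they share none).
    Both lists must start at the same height and be contiguous."""
    common = -1
    for old, new in zip(old_chain, new_chain):
        if old.block_hash != new.block_hash:
            break
        common = old.height
    return common

def analyze_reorg(old_chain, new_chain, credited_deposits):
    """Report reorg depth and credited deposits missing from the new chain."""
    fork = fork_height(old_chain, new_chain)
    replaced = [b for b in old_chain if b.height > fork]
    surviving = {tx for b in new_chain for tx in b.txs}
    reversed_deposits = sorted(
        tx for b in replaced for tx in b.txs
        if tx in credited_deposits and tx not in surviving
    )
    return {"fork_height": fork, "depth": len(replaced),
            "reversed_deposits": reversed_deposits}

def sample_chains():
    """Constructed data: blocks 0-2 are shared, 3-5 are replaced by 3'-7'."""
    shared = [Block(h, f"h{h}", (f"tx-{h}",)) for h in range(3)]
    old = shared + [
        Block(3, "h3", ("dep-1",)),   # deposit to the exchange
        Block(4, "h4", ("dep-2",)),   # deposit to the exchange
        Block(5, "h5", ("user-9",)),  # unrelated deposit
    ]
    new = shared + [
        Block(3, "a3", ("self-1",)),  # same coins sent to another own wallet
        Block(4, "a4", ("self-2", "user-9")),  # unrelated tx is mined again
        Block(5, "a5", ()), Block(6, "a6", ()), Block(7, "a7", ()),
    ]
    return old, new

if __name__ == "__main__":
    old, new = sample_chains()
    print(analyze_reorg(old, new, {"dep-1", "dep-2", "user-9"}))
```

A deposit that was credited from a replaced block and does not appear anywhere in the new chain is the ledger-level signature of the double spend; the unrelated deposit survives because it is included again in the replacement blocks.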
Bitquery analysis indicates that the attacker spent less than $200,000 to perform the malicious mining, using hash power from the NiceHash provider daggerhashimoto. Anchain.ai CEO Victor Fang also confirmed for Bitquery that OKEx was the exchange likely targeted by the double spend attack.
Decrypt reported on an earlier analysis by Yaz Khoury, head of developer relations at the Ethereum Classic Cooperative, indicating that the apparent 51% attack and chain reorganization could have been the result of unique circumstances in which a miner lost internet connection, then submitted more blocks than the true chain could manage due to a large mining pool being offline for maintenance.
Whether the attacking miner had knowledge of these circumstances or just caught a lucky break is not yet confirmed. Khoury also contributed to the follow-up Bitquery analysis.
Any 51% attack is a troubling sign for the cryptocurrency industry, but the public nature of distributed ledgers and meticulous sleuthing by blockchain watchers may offer hope that exploits will rarely go undiscovered for long.