Anatomy of a Double-Spend / 51% attack

A lot of people want to know how Double-Spend / 51% attacks work. Here’s an attempt at a simplified, plain-language explanation.

It starts with too much power in the hands of one person

It starts with an attacker who has a way to rent or steal or buy a lot of hashpower - more than the entire pool of honest miners. If honest miners are generating 40 hashpower, and the attacker can use 50 hashpower, then the total amount of power is 90, and the attacker has more than 51% of 90. This means they can potentially pull off a “51% attack.”

The 51% attack

They start by private-mining on the side. This is just like mining with a normal pool on the public blockchain, but they make a secret chain on a secret pool that doesn’t share with the world. They’re going to build a long chain of blocks - like 14 of them. And since they’re using more hashpower than the honest miners (they have more than 51%) they’ll make blocks faster. Say the secret chain starts from block 200,000 - the attacker can amass 14 blocks in a row during the time it takes the honest miners to make 11 or 12 of them.

The Double-Spend

As soon as they start doing their private mining, they also go to an Exchange and make a large deposit - call it 1,000 BTG. This is broadcast to the public blockchain in block 200,001. But they don’t put that transaction on their secret chain, only the public chain (the mainnet).

On their secret chain, they make a transaction sending those same 1,000 BTG to another wallet address of their own in block 200,001. This is the “double spend” part - they spend those same BTG twice.

Criminal Profit

The trap is set; here’s how it plays out:

The exchange sees the 1,000 BTG deposit on the public chain… after 10 blocks of confirmations, it’s accepted.

The attacker then trades the 1,000 BTG (Bitcoin Gold) for BTC (Bitcoin) at market prices… and immediately withdraws BTC. They’re rushing to get BTC out of the exchange.

The Exchange checks and if all looks good, approves the withdrawal. By now, we’re at block 200,011 or 200,012.

As soon as the BTC come out the attacker will release their long private chain of 14 blocks, broadcasting it to the public network. Now it’s not private, it’s public.

Because the new chain reaches to 200,014 (200,000 plus 14), it’s longer than the mainnet was, and it is unavoidably accepted as the “true” chain by everyone… This puts the mainnet at block 200,014 instantly, using those 14 (previously) secret blocks. This is called a “Chain Reorganization.” The 12 blocks previously on mainnet are displaced (orphaned) and the 14 new blocks are put in place as the new mainnet. This is how any chain split is resolved in the Bitcoin protocol - it’s part of the normal consensus rules which protect the blockchain in every other circumstance.

Suddenly, the mainnet does not include the original deposit to the Exchange back in the original block 200,001… but it does include a transfer of those 1,000 BTG to the attacker’s own wallet back from privately-mined block 200,001. On the new version of the chain, the Attacker never sent them to the exchange, they sent them to themselves.

So the attacker took out 1,000 BTG worth of BTC from the exchange, and on the new chain they never gave the 1,000 BTG to the Exchange in the first place.

They may have paid a lot of money for all that hashpower… but the BTC they stole is worth a lot more than that.
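
The reorganization above, seen from the Exchange’s side, as an added example that is not part of the original article: a Python check that compares the chain a node had with the chain that replaced it and flags confirmed deposits whose coins were spent again on the new chain. The `Tx` and `Block` shapes, the block ids and the addresses are constructed for illustration; only the block numbers come from the text.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Tx:
    txid: str
    spends: str    # the coins (previous output) this transaction consumes
    pays_to: str

@dataclass
class Block:
    height: int
    block_id: str
    txs: list = field(default_factory=list)

def analyze_reorg(old_chain, new_chain):
    """Compare the chain a node had with the chain that replaced it."""
    old_ids = {b.block_id for b in old_chain}
    new_ids = {b.block_id for b in new_chain}
    orphaned = [b for b in old_chain if b.block_id not in new_ids]
    added = [b for b in new_chain if b.block_id not in old_ids]
    kept_txids = {t.txid for b in new_chain for t in b.txs}
    # Transactions that were confirmed before and are gone now.
    dropped = [t for b in orphaned for t in b.txs if t.txid not in kept_txids]
    # A dropped transaction is double-spent if a new block spends the same coins.
    respent = {t.spends: t for b in added for t in b.txs}
    conflicts = [(t, respent[t.spends]) for t in dropped if t.spends in respent]
    fork = min((b.height for b in orphaned), default=None)
    return {
        "fork_height": None if fork is None else fork - 1,
        "orphaned_blocks": len(orphaned),
        "new_blocks": len(added),
        "dropped": dropped,
        "double_spends": conflicts,
    }

def build_scenario():
    """Constructed data using the article's numbers (fork after block 200,000)."""
    common = [Block(200_000, "common-200000")]
    deposit = Tx("tx-deposit", "attacker-1000-BTG", "exchange-deposit-address")
    to_self = Tx("tx-to-self", "attacker-1000-BTG", "attacker-second-wallet")
    public = [Block(200_000 + i, f"public-{200_000 + i}") for i in range(1, 13)]
    secret = [Block(200_000 + i, f"secret-{200_000 + i}") for i in range(1, 15)]
    public[0].txs.append(deposit)   # deposit confirmed in public block 200,001
    secret[0].txs.append(to_self)   # conflicting spend in secret block 200,001
    return common + public, common + secret

if __name__ == "__main__":
    report = analyze_reorg(*build_scenario())
    for old, new in report["double_spends"]:
        print(f"ALERT: {old.txid} to {old.pays_to} replaced by {new.txid} to {new.pays_to}")
    print(report["orphaned_blocks"], "blocks orphaned,", report["new_blocks"], "added")
```

A report with many orphaned blocks and a non-empty `double_spends` list is the signal to hold withdrawals tied to the affected deposits.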

How do Exchanges defend themselves?

Well, they have the ability to approve (or deny) deposits and approve (or deny) withdrawals. We all hate those “confirmation times” the Exchanges demand, but those are necessary protection. The longer the confirmation time, the more expensive an attack attempt becomes (because they need to buy more power to mine more blocks) and the more time the Exchange has to identify an attacker and freeze their account. The time is the critical part - more blocks means more time to spot an attacker and freeze their assets.
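
How confirmation depth relates to attacker hashpower, as an added example that is not from the original article: it implements the catch-up probability from the Bitcoin whitepaper (section 11), which goes beyond the article’s single scenario by also covering attackers with less than half of the hashpower. The function names are chosen for this example; the 50 and 40 hashpower and the 14 blocks are the article’s numbers.

```python
import math

def catch_up_probability(q, z):
    """Whitepaper estimate of the chance that an attacker holding share q of
    total hashpower ever overtakes a transaction buried z blocks deep."""
    if q <= 0:
        return 0.0
    p = 1.0 - q
    if z == 0 or q >= p:
        return 1.0  # with a majority, the private chain always wins eventually
    lam = z * q / p  # expected attacker blocks while honest miners find z
    total = 1.0
    for k in range(z + 1):
        # Poisson(k; lam), computed in log space so a large z cannot overflow
        poisson = math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total

def min_confirmations(q, risk, max_z=1000):
    """Smallest depth z with catch_up_probability(q, z) < risk, or None when
    no depth is enough (q >= 0.5) or max_z is exceeded."""
    if q >= 0.5:
        return None
    for z in range(max_z + 1):
        if catch_up_probability(q, z) < risk:
            return z
    return None

def honest_blocks_meanwhile(attacker_blocks, attacker_power, honest_power):
    """Expected honest blocks mined while the attacker mines attacker_blocks."""
    return attacker_blocks * honest_power / attacker_power

if __name__ == "__main__":
    for q in (0.10, 0.30, 50 / 90):  # last value is the article's attacker
        print(f"share {q:.2f}: P(z=10) = {catch_up_probability(q, 10):.7f}, "
              f"depth for <0.1% risk = {min_confirmations(q, 0.001)}")
    print("honest blocks during 14 attacker blocks:",
          honest_blocks_meanwhile(14, 50, 40))
```

For the article’s attacker (50 of 90 hashpower) `min_confirmations` returns `None`: no depth makes the deposit safe, so extra confirmations only buy the Exchange time and raise the attacker’s cost.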

What about the mining rewards?

On a successful attack, the attacker will also get the mining reward for those 14 blocks - they mined them. And the honest miners who mined the 12 honest blocks? Well, they get stiffed, because the honest blocks they mined are now off the mainchain. They can’t use them.

Such attacks are really terrible for everyone, and they’re a possibility whenever too much mining power is in one place. This is why centralization is a bad thing. Most public pool operators are honest, but it’s possible that a malicious actor gains control. It’s also possible that a mining hardware manufacturer has a lot of hashpower, so they might be tempted to perform such an attack. Lastly, there are rental services that combine hashpower and redirect it for hire. (It’s also possible for hacked computers or botnets to add up to a huge amount of mining power, but that’s more an issue for a CPU-mined coin like Monero than for a GPU-mined coin like Bitcoin Gold.) Any of these can lead to too much centralized power, putting a blockchain at risk. This is why you always hear people talk about the importance of “decentralization.”

What happens if an attack fails?

Well, if the Exchange doesn’t let them withdraw BTC, the most the attacker can do is steal their 1,000 BTG back. It’s also possible that their 51% attack fails, if the main chain happens to be quick enough to build the longer chain… in that case, the honest miners don’t have their mining reward stolen… and the attacker doesn’t get their 1,000 BTG back.

In the best possible outcome for honest people, the Exchange doesn’t give out the BTC, and the honest chain is quick enough to build the longer chain - then the attacker loses their 1,000 BTG to the Exchange, and the honest miners get their reward!

That’s the best possible outcome, aside from the attacker not attacking at all.