Despite the inherent security advantages provided by blockchain governance systems, no protection technology is unbreakable. To prove this, a college freshman and security researcher by the online handle of “geocold51” is breaking through blockchain-based security with 51% attacks, reports CoinDesk.
Manipulating The Market
Most blockchains can only be modified when over half of the members concede to the change, otherwise known as 51%. However, while it’s unlikely, it is possible for a hacker to bribe that majority of connected devices and change the blockchain by themselves. Of course, this can only happen on smaller blockchains with fewer participants, as Bitcoin (BTC) and other massive projects simply have too many miners working on the network.
In a majority of these situations, the hacker will remove a previous transaction and replace it with another, essentially duplicating a previously spent asset. This process is known as a “double spend.” On October 13th, geocold51 livestreamed himself completing such an attack on Bitcoin Private (BTCP), a project with a 47 million dollar market cap as of this writing. Geocold51 spent an estimated 100 dollars to get near the double spending point, but he stopped as his livestream was removed.
However, it’s important to note that the security researcher had no intention of actually stealing the coins. Instead, he merely wanted to prove how easy it is on these smaller networks. Geocold51 set up the transactions between two of his own wallets to ensure this, as revealed via a tweet:
To be clear. I’m not attacking any exchange. I’m just forking the blockchain. Transactions will be exclusively to wallets I own.
— GeoCold “Mischief-Maker” (@geocold51) October 13, 2018
Geocold51 predicts that to profit off of a 51% attack, it would cost around $200; so he was halfway there. The money goes towards buying some initial Bitcoin with Bitcoin Private and then forcing an additional transaction on the longer blockchain which should invalidate the initial one. That way, he would receive his Bitcoin Private coins back, and the exchange would miss some tokens.
According to the attacker, going through an exchange costs extra. However, the process is entirely doable thanks to cloud mining. Without cloud mining, geocold51 believes the Bitcoin Private attack would have needed hardware costing around $100,000:
“Nicehash and the ability to rent hashing power fundamentally changes the landscape of 51% attacks. If there’s not a lot of hashing power to secure it, but there is a lot of value associated with it, that’s where you can do a 51% attack.”
Because the livestreams were taken down, geocold51 will make the attack again by himself. Then, he’ll upload the recording of his process to YouTube.
Geocold51 didn’t come up with this idea by himself, however. The freshman was inspired by another hacker, geohot, who had jailbroken the first iPhone. Nowadays, geohot streams himself going through different systems to search for weaknesses.
Our enthusiast has a history in cryptocurrencies as well. He mined a ton of Bitcoin during its initial years, began to trade the assets on Cryptsy, and then lost most of it when the CEO supposedly stole money from its users. However, this only got geocold51 more interested in the technology and inspired his desire to search for security issues. His post about the stream received more than 1,500 upvotes, and his Twitch viewers donated $888 — money he’ll use for future attacks.
A Change of Plans
Interestingly, Bitcoin Private was not geocold51’s first target. Instead, the enthusiast wanted to use Einsteinium (EMC2), a Litecoin fork run by volunteers with a current market cap of $19 million.
Unfortunately for geocold51, the team noticed his livestream. Because of this, the Einsteinium community collectively raised the hash rate to prevent his attack. According to a board member named Ben Kurland, geocold51’s offense would have ruined the blockchain, as it was in the middle of a wallet upgrade. The attack’s resulting fork could have caused some participants to get stuck on the old chain.
On Twitch, geocold51 hit nearly 60,000 viewers before his stream was taken down under “attempts or threats of harm.” The hacker went over to Stream.Me less than a half-hour later; however, a user known as “CommunityWatch” seems to have reported geocold51, as the stream went down shortly after the account posted in his chat.
According to CoinDesk, geocold51 was more than halfway through the process before the takedowns. He had submitted his first transaction to one of his wallets and had written a second transaction to a longer, offline chain connected to another one of his wallets. He had meant to send that longer chain to the main network, which is when the stream was cut.
Suggested Reading : Learn about the best cryptocurrency wallets available.
All Is Not Lost
geocold51 reveals that while security vulnerabilities should be worrisome to members, most assets are protected by game theory. Should a hacker harness a ton of coins from one of these smaller blockchains, the price would probably tank. This is because there just isn’t a strong foundation yet, and as a result, not much liquidity. Also, while it may sometimes be easy to bribe blockchain participants, it might cost a large amount of money to do so.
Finally, geocold51 revealed that he would try to go after some blockchains that have security protocols set up against 51% attacks, such as penalizing all miners for participating. These attacks would be to test those barriers and see if he can’t break through.
geocold51 isn’t the only 51% attacker either. A reputable cybersecurity firm, Group-IB, has documented five successful attacks this year, resulting in nearly $20 million stolen.
The post A College Freshman is Livestreaming Himself Committing 51% Attacks on Small Cryptocurrency Projects appeared first on UNHASHED.