Ethereum Classic 51% Attack: Security Firm Submits Final Report

Ethereum Classic (ETC) was recently a victim of a 51% attack. The perpetrators managed to get away with over $1.1 million in ETC. This attack has raised concerns across the industry regarding the acclaimed security of blockchain networks. A Chinese blockchain security firm SlowMist who was also responsible for initially identifying the attack has now released a detailed analysis of the attack, elaborating how the events as they took place chronologically.

What is a 51% attack?

An attack on a blockchain that uses a PoW algorithm for consensus is possible if the attackers have over 50 percent control of the network hash rate. In this case, the controlling CPU power allows an attacker to create a separate chain from any previous block in the blockchain. Because of the majority of computing power, the new chain will eventually overtake the accepted chain by the network thereby defining a new transaction history.

Any blockchain that uses the PoW algorithm is inherently susceptible to the 51% attack. Emin Gun Sirer, a developer and professor at Cornell University was quoted saying, “Miners at 51 percent or more have a lot of powers, but they do not have the ability to change the actual rules of the system, nor can they usurp funds. They can rewrite the existing blockchain in a limited fashion: they cannot introduce transactions that don’t already exist, they can omit any transaction that they want, and they certainly cannot change any of the existing rules.” Meaning that while a 51% attack does allow miners some limited power over the blockchain, they cannot change the rules by which the blockchain conducts its transactions.

Chain of Events

Here is how the attack unfolded:

  • The attack begins on January 5th. The attacker managed to dupe several exchanges including Coinbase, Bitrue, and Gate.io. The earliest movement is a little over 5,000 ETC from Binance to the address 0x24fdd25367e4a7ae25eef779652d5f1b336e31da.
  • Next, the coins move to a mining node, which mined block 7254355.
  • Then, Bitrue receives a deposit of 4,000 ETC in block 7254430.
  • This transaction is removed from the history of the longest Ethereum Classic chain.
  • Another 9,000 ETC attack happens the same way.
  • The attack was rendered useless by January 8th after the attacker’s addresses were blacklisted by exchanges.

The attacker moved the digital coins to other addresses, deposits and then withdraws them to safe addresses. He was the hash power to be able to remove the transactions he doesn’t want there from the blockchain as is true in a 51% attack.

The two addresses that are confirmed to be involved in the attack by SlowMist in their report are 0x090a4a238db45d9348cb89a356ca5aba89c75256 and 0x07ebd5b21636f089311b1ae720e3c7df026dfd72.

The report makes security recommendations as well to exchanges regarding the chains with smaller hash rates. The report states, “We recommend that all digital asset services platform block transfers from the above malicious wallet addresses. And strengthen the risk control, maintain a high degree of attention, and be alert to double spend attacks that may erupt at any time.”

This attack has shaken the crypto world to its core. If a blockchain cannot guarantee immutability, there is no point in its existence. Thankfully, Ethereum core developers have already been working on plans to make the move from PoW to PoS based consensus.