Jeff Fawkes is a seasoned investment professional and a crypto analyst. He has a dual degree in Business Administration and Creative Writing and is passionate when it comes to how technology impacts our society.
One of the most dangerous kinds of attacks on cryptocurrencies has cost Bitcoin Gold its reputation, as January 2020 became a happy double-spend month for some selfish hackers.
The attack on Bitcoin Gold was first spotted by James Lovejoy, a researcher from MIT Bitcoin Club.
Bitcoin Gold ($BTG) was 51% attacked https://t.co/KxFvrsOhuO
— James Lovejoy (@metalicjames) January 24, 2020
A short review of the attack is already on GitHub. It says that on January 23 and 24 the attackers removed blocks from the BTG network, then re-added them with new transactions in place of their old ones. Why did they do that? Because pulling blocks out of the blockchain allows transactions to be rewritten.
Bitcoin Gold’s Double-Spend Casts Suspicion on PoW Security Model
It is known that, on January 23, the attackers used 1,900 BTG coins to double-spend approximately $19,000:
“1,900 BTG double-spent (~$19,000).
1,900 BTG originally sent to GgmzUSgXrXpDxiY34bG6SxaDVi2rQ1zU8Q 3a17157994502a749a1827883a670d822f8ee95dae94064631770faeec1e8443 was redirected to GNH5cUEg5LZZP5HfLgaLvTE9ApKAf76aBf 6e05e8253b2ce7f1acf6f0684898e13141c0e9b893e1a5e44d215d8ebe4d28b4.
The majority of the coins were sent from an output owned by the address GK6HuN964f3XFScY5CPGg1oZ1gFRq52nf5.”
Then, on Friday, January 24, 15 blocks were mined and then removed by selfish miners. They later added 16 new blocks, rewriting some of the network’s transactions and defrauding unknown parties of $53,000:
“~5,267 BTG double-spent (~$53,000).
~1,947 BTG originally sent to Gg4YDMrMuqit6eJAYKaBxmK17zPFnpLt5w, 1,850 BTG to GfRdNzHJan8sfW9wxozAYhRPL9fFLD9A9m in TXID 481d608591f4d6a7013ac1b879c2caf1e2c0a2bb30b5346b2c876deb43873b2b and 1,470 BTG to GfWUNAdW3aEXfQWshApFLf2ZNtMV9MC6VQ in TXID 37c8a8d59f61879cc0da9fa197ed72dbc967c796800d4015cafd47c7be467201 was redirected to GPTH48Z3diz4zwBGchXmzW3kDnmHVxyX2V in TXID a0dc721fff0948732679638f4b4bb713686786826971c3f9a30eb15f5694a0ea.
The majority of the coins were sent from outputs owned by the address Gdc4ANNdqyGBadobzUDZNydBgDHAYdMeAb.”
In both cases, the attackers used this address to receive the block reward for blocks including the fraudulent transactions: GWrW5dTZf5XwGWoJuqRKdzkzZFkwtWSqaP.
At the time of the attack, the Binance exchange credited BTG deposits after six confirmations and allowed withdrawals after twelve. It appears that Binance now requires a minimum of 20 confirmations before the coins can be moved within the balance.
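The reorg sizes and confirmation thresholds reported above can be checked mechanically. The Python below is an added example, not code from the article or the GitHub review: it compares two views of a chain, counts removed and added blocks, lists orphaned transactions whose inputs were re-spent on the new branch, and tests the 6, 12 and 20 confirmation thresholds against the removed depth. The data model (lists of dicts) is an assumption, and all block hashes, txids and outpoints are constructed placeholders.

```python
# Added example. Block hashes, txids and outpoints are constructed
# placeholders; the list-of-dicts chain model is an assumption.

def analyze_reorg(old, new):
    """Compare two views of the chain (lists of blocks, oldest first)."""
    fork = 0
    while fork < min(len(old), len(new)) and old[fork]["hash"] == new[fork]["hash"]:
        fork += 1
    removed, added = old[fork:], new[fork:]
    # Outpoint -> txid for everything spent on the replacement branch.
    spent = {op: tx["txid"] for b in added for tx in b["txs"] for op in tx["inputs"]}
    kept = {tx["txid"] for b in added for tx in b["txs"]}
    conflicts = []
    # The tip block counts as 1 confirmation, so walk the removed branch tip-first.
    for confs, block in enumerate(reversed(removed), start=1):
        for tx in block["txs"]:
            if tx["txid"] in kept:
                continue  # re-mined unchanged on the new branch
            rival = next((spent[op] for op in tx["inputs"] if op in spent), None)
            if rival:
                conflicts.append({"orphaned": tx["txid"], "replaced_by": rival,
                                  "confirmations_lost": confs})
    return {"removed": len(removed), "added": len(added), "conflicts": conflicts}

def exposed_policies(policies, removed):
    """A deposit with N confirmations is undone when N <= blocks removed."""
    return {name: n <= removed for name, n in policies.items()}

def sample_chains():
    """Constructed data shaped like the January 24 event: 15 out, 16 in."""
    def blk(block_hash, txs=()):
        return {"hash": block_hash, "txs": list(txs)}
    base = [blk(f"common-{i}") for i in range(3)]
    pay = {"txid": "tx-deposit", "inputs": ["utxo-A:0"]}
    redirect = {"txid": "tx-redirect", "inputs": ["utxo-A:0"]}
    old = base + [blk("old-0", [pay])] + [blk(f"old-{i}") for i in range(1, 15)]
    new = base + [blk("new-0", [redirect])] + [blk(f"new-{i}") for i in range(1, 16)]
    return old, new

if __name__ == "__main__":
    report = analyze_reorg(*sample_chains())
    print(report)
    # Thresholds the article reports for Binance: 6 to credit, 12 to withdraw, 20 now.
    print(exposed_policies({"credit": 6, "withdraw": 12, "current": 20},
                           report["removed"]))
```

With a 15-block removal, the 6- and 12-confirmation thresholds are both inside the rewritten range, while 20 is not.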
The approximate estimate of the attack cost is based on Nicehash’s market stats for Zhash. Analysts calculated that it takes around 0.2 BTC ($1,700) to perform selfish mining during the 51% attack. This is the sum that the attacker obtains as the block reward. So he probably made a good profit, including the possible gains from fooling the counterparty.
What the Hell Is a Double-Spend? Can’t Cryptos Cope with That?
Cryptocurrencies are one of the ways of eliminating the “printing” of bills to double-spend them. However, when large businesses entered this field, they quickly found that the blockchain is not as cool as the early adopters said. It was straight-out hype which made lots of people mine BTC. Then, when it got a sufficient hash rate, it became too difficult to attack.
But as for the rest of the cryptocurrencies, you can attack them easily if you want to spend lots of cash on a doubtful activity. What’s important here is that during a 51% attack a double-spend is possible in almost all blockchains. Miners gain control over block production and can roll blocks back whenever they need to.
As for Bitcoin, there’s one easy way to double-spend coins too. It is not selfish mining, and it is not about control over substantial resources. No, it’s much easier: it uses RBF technology, and the performer must be a social engineering master. The attack was first spotted in the major press by Jared Fincher of Bitsonline on April 2, 2019. He brought it to the top level but received no adequate answer from the angry maxis in the comments section.