Talk about ETC 51% computing power attack
Nervos
Invited columnist
2019-03-20 08:54
ETC suffered a 51% attack, has the cornerstone of PoW consensus been shaken?

Compiled by: Sherry, Jin Xiaojia; Proofread by: Xiao Jie

Since the birth of digital currency, the 51% attack has been a hot topic of discussion. The biggest security risk for a digital currency that uses proof-of-work as its consensus mechanism is the possibility of a 51% attack. If someone holds more than 51% of the computing power of the entire network, he can launch an attack. Such an attack can cause money to be spent twice, or rewrite a consensus state that has already been reached.

The Bitcoin network has been in operation for more than ten years. People often feel that the 51% attack exists only at the theoretical level, and one rarely hears of it actually happening. But this time it really happened: the 51% attack on ETC.

In this issue, the Fork It hosts (Terry, Daniel, Kevin) chat with you about the ins and outs of the ETC 51% attack.

The Ins and Outs of the ETC 51% Attack

Daniel: ETC's 51% attack was an organized, premeditated, carefully planned attack. On January 6, 2019, an exchange called Bittrue announced that they had discovered an abnormal withdrawal worth 13,000 ETC. That is to say, the deposit transaction had been rolled back, but this was discovered at the time of withdrawal from the exchange, and the withdrawal was intercepted.

After further investigation, Coinbase officials discovered a larger-scale ETC network reorganization.

Knowledge point: A so-called block reorganization means that six to eight or even more blocks in the network have already been mined by miners, but all of these blocks are suddenly removed, and new blocks are generated to replace these already-confirmed blocks.

The official Coinbase blog immediately published three relatively large-scale network reorganizations that it suspected were problematic. Later, a relatively well-known exchange, gate.io, was revealed to have suffered a 51% attack. The hacker had made two large deposits on this exchange, and these two deposits were removed through network reorganization. The hacker sold the coins on the exchange, or exchanged the coins deposited into the exchange for other currencies, and finally withdrew them. Gate.io then issued an announcement stating that the attack caused a loss worth approximately $200,000.

After this incident was exposed, some technology enthusiasts, especially domestic security organizations such as SlowMist and PeckShield, began to investigate the attack. They found that the computing power for the 51% attack came from a website called NiceHash, where hackers can rent computing power at a certain scale and then attack the ETC network.

At that time, more than 112% of the computing power of the ETC network could be rented, and the rented computing power could be used for ETC mining or anything else you wanted. The hackers used the NiceHash website to rent computing power to launch the attacks.

Why ETC is vulnerable to attacks actually comes down to two characteristics of ETC.

The first feature is low attack cost. Let's assume that the main network computing power of ETC is 100, and now we want to rent 101 computing power to attack the ETC network. The hacker caused an exchange to lose about 200,000 US dollars through the attack, that is, the hacker earned 200,000 US dollars from the attack. How much do you think it takes to rent computing power that exceeds that of the ETC main network to launch an attack and earn 200,000 US dollars?

The answer is that the hacker's attack cost only about $5,000 per hour. From the day of the attack to the present, the market value of the computing power of the ETC main network has further declined, and it is cheaper to rent computing power to attack the ETC network now than at the time of the previous attack.

In the previous Fork It 2, we learned that ETC is a chain forked off after the 2016 The DAO event. For a long time, the computing power of ETC was about 1/20 of the total network computing power of Ethereum, and its currency price was also about 1/20 of Ethereum's, but as time has gone by, the network computing power of ETC has become less and less and the currency value lower and lower, and it has just reached a state of being particularly vulnerable to attacks.

Another feature of ETC is its good liquidity. Ethereum is the mainstream digital currency supported by most exchanges around the world. ETC and Ethereum have the same origin, so exchanges support ETC very well. Although its price is low and its computing power is low, given its liquidity, there are at least two ways for hackers to make money in a 51% attack.

The first method is a double-spend attack: first transfer a sum to the exchange, and then use a computing power attack to change the consensus on the chain about that transfer. At this point, the exchange still retains the transfer record, so at the exchange there will be a sum of money that doesn't really exist but that can be cashed out. The other way is that when a hacker successfully carries out a 51% attack, it is very big negative news, which can affect the futures market. Hackers can make money by shorting the futures market in advance to achieve arbitrage.

Is the consensus cornerstone of PoW shaken?

Terry: In fact, this PoW 51% attack is not the first. Many small coins have been "killed" as soon as they went online. The so-called "killing" is an attack using computing power. Regardless of whether it is a new currency or a small currency, when their computing power and market value are not high enough, hackers can attack a chain at a relatively low cost, which is particularly unsafe.

Then I have a question: after this incident, there has been a lot of news about PoW, and one of the more representative headlines is: "ETC suffered a 51% attack, has the cornerstone of PoW consensus been shaken?" (a bit clickbait). What I want to ask is, have you lost faith in the PoW consensus algorithm? Or do you think it's really a problem?

Kevin: First of all, PoW is a way to prevent sybil attacks. Its consensus algorithm is very simple, which is to choose a natural random number, which can be completely fair.

Knowledge point: Sybil Attack: In a peer-to-peer network, a single node takes on multiple identities and, by controlling most of the nodes in the system, weakens the effect of redundant backup.

If there is a malicious node in the network, the same malicious node can have multiple identities, and data that originally needs to be backed up to multiple nodes is deceptively backed up to the same malicious node (the malicious node pretends to be multiple identities), so the malicious node may gain control over the network.

The other is openness. Any node can participate in the consensus. Miners only need to buy a mining machine and plug it in to start mining directly. If the computing power of the network itself is very high, the advantages of PoW are still very obvious. However, PoS has more constraints, and it may be necessary to stay online and purchase Tokens. During this process, some IP addresses containing personal information may be exposed. The entire PoW system ensures that each miner must submit a block on the longest chain, which makes each miner motivated to broadcast it as soon as possible after digging a block. These are all very good properties of the Bitcoin Nakamoto Consensus.

But any consensus mechanism has its security model, which may be attacked. It's just that people have a better understanding of the attack model of PoW and how it can resist attacks. People do not fully understand other consensus mechanisms, especially for relatively new companies; in many PoS projects, the method adopted is still to have 50% of the tokens held by foundations and other related groups to ensure that they are not attacked. PoS that has really grown up "in the wild" has had a very short operating time, and people are still feeling their way, but it is a direction that is very much worth researching.

Daniel: Yes, for unknown consensus mechanisms, we are more worried about unknown attack methods, and we have no mature solutions for these attack methods. As for PoW, we know exactly how hackers will attack.

Terry: Vitalik once tweeted that he thought it was philosophically correct for ETH to switch to PoS. Of course, there are also many opposing voices. The founder of SlowMist Technology said that no matter what algorithm is used, as long as it solves the Byzantine generals problem, it has its own security model. Like Kevin said, security assumptions are different and each has its own problems; PoS also has many unsolved problems. In fact, we have quite a lot of understanding of the PoS consensus algorithm. We can talk about PoS in future programs.

But what I want to express now is that replacing PoW with PoS is not a solution to the problem, and it may cause many new problems. From the perspective of actually solving problems, some people have proposed some real solutions. For example, for chain reorganization, the BCH community introduced reorganization protection (in BCH, ABC version 0.18.5 added reorganization protection, which can reject reorganizations of more than 10 blocks).

The current PoW mining methods are roughly divided into two types: one is mining with ASIC mining machines, such as Bitcoin, and the other is mining with GPU mining machines (hereinafter collectively referred to as graphics card mining), such as ETC. It has to be admitted that the computing power of graphics card mining is relatively liquid, because it can mine more currencies, and it is easy to rent computing power to attack a certain currency. After attacking a certain currency, even if this coin collapses, the miners can still earn income by mining another coin. So here comes the question: with such high liquidity of computing power for graphics card mining, will it affect the security of chains mined with graphics cards to some extent?

Daniel: Based on the facts, the entire computing power market is an existing-stock market; in the current market environment, few people will invest in the graphics card market to buy graphics cards to increase computing power. On the contrary, more miners will choose to stop their mining machines, because the prices of all currencies are now very low, and mining is not cost-effective.

All miners are free to choose which currency to mine, and usually rational miners will choose those currencies that are profitable. The final result is that all currencies will return to a relative break-even point, or the profit obtained by mining each currency may be similar. So now the computing power behind each currency is maintained in a stable state.

In this stable state, the higher the value of some currencies, the greater their computing power, and it is very difficult to attack by renting more than the computing power of the main network. And those currencies that few miners mine because of insufficient value or uneconomical mining are very insecure, and attackers can easily rent computing power to attack them.

Any project, especially a project that chooses PoW as a consensus protocol, will go through an unsafe stage in the initial growth stage of computing power, so how to transition from a dangerous state to a mature stage of security is particularly critical.

ASIC Friendly or Not?

Terry: We have seen many projects, and they have different attitudes on whether to use ASIC mining machines for mining: some are resistant, some are neutral, and some are friendly. So if a small currency is mined with ASICs, is it safer?

Kevin: It depends on how you define security. There are two criticisms of small currencies being ASIC Friendly. One is to assume that an ASIC mining machine for a new project can be produced within a very short development cycle, and everyone is optimistic about this project. Then something like this might arise:

Generally speaking, a project has the fastest coin distribution in the early stage, and this fastest bonus period goes to miners with ASICs, so these miners are likely to be centralized. It may even happen that after the ASIC manufacturer develops the mining machine, it does not sell it but mines coins by itself, which will lead to a very concentrated Token. If the Token is too concentrated, the community will be very concentrated, and if it is necessary to use the Token to vote or use computing power for on-chain governance in the future, problems may arise. What's more, if there is a monopoly like the Bitcoin ASIC mining machine manufacturer, the manufacturer can produce the mining machine first, mine the most Tokens, then sell the Tokens, and put the obtained funds back into production and research and development, staying one step ahead of others. So this is where everyone criticizes ASIC Friendly.

The other is that some projects will adopt the ASIC mining algorithm of other projects (such as that of Bitcoin mining machines), so there are already a large number of ASIC mining machines mining Bitcoin on the market, which is very unsafe for this project. Because once the project goes online, Bitcoin miners can directly overwhelm the project. As long as these Bitcoin miners themselves have enough computing power, it is easy to launch a 51% attack on the project.

So the best way to put it is: adopt a new algorithm, whether it is mined with graphics cards or is ASIC Friendly.

But there are also some problems for projects that adopt a new algorithm. If it uses a graphics card for mining, because the graphics cards are the same, hackers can attack it by installing mining software. If it uses an ASIC mining machine for mining, it is difficult for the existing ASIC mining machine to attack directly at the initial stage, but this may bring some other problems, such as mining centralization.

Let's take Grin as an example. Grin's mining design is very interesting. It has two algorithms based on Cuckoo Cycle (a graph-theoretic proof of work invented by John Tromp, which we will introduce in the next issue of Fork It): one is anti-ASIC (ASIC Resistant, mined with graphics cards and difficult to mine with ASICs), called Cuckaroo29; the other algorithm is ASIC Friendly, called Cuckatoo31+.

In the beginning, Grin mined with a large number of graphics cards and let the miners distribute the coins. Because Grin adopts a new algorithm, although the existing graphics card can switch the computing power, it is still difficult. At the same time, Grin does not exclude ASICs. A certain number of coins are mined by ASIC mining machines. As time goes by, the proportion of coins mined by different mining algorithms will gradually change.

If graphics cards are like mercenaries, then ASIC mining machines are like Praetorians. With optimized ASIC mining machines, it is impossible to mine Tokens of other projects. These devices can only mine one project. If other miners want to join in, they can only join by purchasing mining machines. From this perspective, Grin is a relatively good project. Although ASIC miners may have a certain degree of centralization, as long as miners are mining the Grin Token, they have the motivation to protect this project (because, besides that, their chips serve no other purpose).

Terry: Yes, assuming that a new ASIC algorithm for a new project is manufactured, and many people are mining this coin, miners are not necessarily willing to attack it by renting computing power. Although it may be profitable in the short term, in the long run, if the currency has no value, all mining machines are just scrap iron, and the loss will be even greater. However, miners who use graphics cards to mine coins will not consider this situation, because even if this coin is attacked, miners can still mine other coins. This also reflects the loyalty of ASIC mining, which is different from graphics card mining.

Just now we also mentioned Grin mining, which is a very interesting design. At the beginning, 90% of Grin mining used Cuckaroo29 (anti-ASIC), and 10% were Cuckatoo31+ (ASIC Friendly). And this ratio will change, the part of ASIC mining will become larger and larger, and the part of graphics card mining will become smaller and smaller. Such a transformation shows that Grin is neutral to ASICs, which is very consistent with our view.

I have heard the opinion of a senior mining machine manufacturer. He believes that as long as the project is good enough, ASICization is inevitable. There are only two ways to avoid it. One is that the project party threatens: as long as anyone dares to build an ASIC, I dare to fork and change the algorithm. The other is a kind of "cheat", just like ETH has always said that it will transfer to PoS. I don't agree with the idea of "cheating", but I think that since he said this so sarcastically and humorously, the point he was expressing should be that as long as the interests are large enough, ASICs can be made, whether the project is friendly or unfriendly.

Although technically I can't judge whether ASICs can be built for all algorithms, if the benefits are large enough, I believe that someone will do ASIC research for the project. According to some gossip I know, Zcash, Monero, etc. actually have ASIC mining machines, but the communities have different attitudes towards ASIC mining machines.

Daniel: Yes, after the ASIC mining machine appeared in the Monero community, a consensus was quickly reached, and the algorithm was switched, and the previous ASIC mining machine became scrap iron.

Terry: OK, here we need to declare that we do not recommend the Grin project. Even if our program recommends its technology, the MimbleWimble protocol behind the Grin project is indeed very legendary. In addition to Grin, another implementation of the MimbleWimble protocol is the Beam project, but it has made some so-called "improvements" on the basis of the original protocol. Whether these "improvements" are good or bad may need to be judged by time. In contrast, I feel Grin is a more fundamentalist implementation of MimbleWimble. In addition, I heard that some domestic teams are also planning to implement MimbleWimble, which may cause a small trend.

Pick Time

Daniel: Finally, it's our favorite Pick Time again. I recommend a movie to everyone: "Randian". I just took my colleagues from the department to watch it. Some of our team have experience in entrepreneurship. Now we watch the stories of entrepreneurs in the movie as entrepreneurs, and we still have a lot of feelings and resonance. You can think of it as a small group building, and tell your colleagues about your entrepreneurial stories, which may be more interesting than the movie itself.

Kevin: I recommend an online celebrity shop "Iger is full" to everyone. My wife has always paid attention to food. She bought some persimmons from this online celebrity shop, which are very delicious. The public account of this online celebrity shop is "Iger is full". (Of course we are not sponsored)

Terry: I recommend a calling card called Google Fi, but this calling card can only be bought in the United States. The characteristic of this kind of card is that it charges according to data usage, and there is no further charge after 6G. The cost is about ten dollars/G, which is not cheap in China. But for friends who often go abroad, this card is very convenient, because it can be used all over the world, including China. Its only shortcoming (so reasonable~) is that it can access some foreign "evil" websites in China without "going online scientifically" (evil laugh), everyone must pay attention.
