- Rented hash power can be used by hackers to carry out 51% attacks on proof of work blockchains like Ethereum Classic.
- A 51% attack against Ethereum Classic using rented hash power would cost around $3,800.
- ETC Labs has announced a strategic plan to protect Ethereum Classic from further 51% attacks.
The hackers behind August’s 51% attacks on Ethereum Classic exploited a “huge vulnerability” in blockchain protocols powered by proof of work (PoW)—rented mining hash power—and it is a growing industry, according to experts.
“It’s actually a huge vulnerability in the system,” said Terry Culver, CEO of ETC Labs, an incubator of projects on Ethereum Classic, in an interview with Decrypt media partner Forkast.News.
Millions of dollars were lost last month following three 51% hacks on the Ethereum Classic network.
Despite the introduction of numerous know your customer (KYC) and anti-money laundering (AML) procedures, as well as regulations to rein in criminal activity in the cryptocurrency industry, hackers have shifted their targets to exploiting a core feature of PoW: decentralization.
“The [cryptocurrency] system is maturing, but the hash rental market is actually growing,” Culver said. “Think of it like, you turn the light on, and where do the mice go? [Malicious actors have] left the exchanges for the most part, and they’ve moved into the hash rental market.”
Ethereum Classic’s $3,800 attack vector
While it may take over $513,000 to rent the hashing power needed to perform a 51% attack (at the time of publication) for one hour on Bitcoin, only about $3,800 is needed for a similar attack on Ethereum Classic.
”The hash rental market is like under a rock somewhere, it’s totally anonymous.”
“The hash rental market is like under a rock somewhere, it’s totally anonymous,” Culver said. “They’re basically money laundering operations. So you could take your BTC from ill-gotten gains, rent hash power, and get out freshly-minted tokens with no provenance—it’s actually an incredible vulnerability in the system, if it wants to mature.”
How rented hash power can be used for 51% attacks
Two of the three 51% attacks on Ethereum Classic last month were made possible by attackers leveraging Slovenia-based NiceHash, according to an analysis by data intelligence firm Bitquery. NiceHash is an online platform where users can rent and sell CPU power to mine cryptocurrencies for profit.
By using rented hash power, attackers behind the first and second attacks “double spent” over $7 million by manipulating transaction entries on the blockchain ledger.
NiceHash itself was the target of a hack in 2017, leading to $78 million in Bitcoin being swiped.
Ethereum Classic was also the victim of a similar 51% attack in 2019, and hackers have used the 51% vulnerability to target a variety of other smaller cryptocurrencies, including Bitcoin Gold, Verge and Monacoin.
“Computers are getting better, it’s going to keep getting easier and easier to get control of the computer power necessary to do these things,” said Benjamin J. A. Sauter, partner at New York-based international law firm Kobre & Kim. ETC Labs is pursuing litigation against the attackers through the law firm.
In a statement, NiceHash says that it “does not support or enable 51% attacks” but also notes that its services “might be abused by the attacker’s pool.”
While NiceHash states that, “Technically, it is impossible for NiceHash or any other miner behind a pool to detect if its hash power is/will be abused for a 51% attack,” the company notes that it takes steps to prevent the manipulation of the platform, which is against their terms of service, and also cooperates with authorities investigating criminal activity.
The fightback against 51% attacks
Following the series of hacks in August, ETC Labs announced a strategic plan to protect Ethereum Classic from further attacks, including monitoring hashrates for suspicious activity, deploying a finality arbitration system, and potentially changing the protocol’s PoW mining algorithm.
“If there’s a market for renting, I don’t think that itself is a problem,” Sauter said. “But if you’re doing it without keeping track of who your customers are and doing the same kind of due diligence that the exchanges are doing now, so that you’re able to trace back these kinds of frauds and hold people accountable when they abuse it, then you’re part of the problem, not the solution.”
This story was produced in collaboration with our friends at Forkast, a content platform focused on emerging technology at the intersection of business, economy, and politics, from Asia to the world.