These have been two interesting weeks for individuals with a vested interest in equihash-based cryptocurrencies (Zcash, ZenCash, Bitcoin Gold and a few others). While my focus these days is solely on ZenCash (and by extension on Zcash from a research perspective), projects such as Bitcoin Gold and ZenCash have been the targets of 51% attacks and double-spends, probably induced by the limited availability of a new kind of mining hardware device: ASICs.
The goal of this post is not to explain what a 51% attack or double-spending is (hint: I’ve added links to explanatory articles) but more to cover what may have led to these attacks, what made them possible, the implications of ASIC hardware mining becoming available, and where those projects (that were initially built to be ASIC resistant) are headed, with some proposed scenarios for strengthening these blockchains against future 51% attacks.
Motivations for a 51% attack
In a volatile and unregulated market such as the cryptocurrency market, any major announcement or activity (such as an attack) will cause wild fluctuations, which are amplified by mass movements and the lack of knowledge of neophytes who engage in day trading. As such, attacks can have many motivations:
- Theft – this is in my view the most plausible scenario and I believe that the attacker clearly had a first-mover advantage. I’m not leaning towards ASICs but I’d expect the actual situation to be exceptional due to the current scarcity of ASIC miners. It could have been either a targeted operation, well prepared in advance (the attacker knew of the ASIC miner capabilities and secured hashrate beforehand) or an opportunistic move due to the availability of hashrate power to rent on sites such as Nicehash. Such attacks may become more difficult if more ASICs get delivered to different actors, but more on this below.
- Targeted loss of reputation – a malicious actor could, for a given set of motivations (personal or professional), choose to perform an attack to discredit an equihash-based project and draw negative media coverage. Bad news, especially in a highly competitive & unregulated sector with massive money investments, is like a lantern to a moth for specialized media and even for mainstream media, who always like to scare the commoner. These are easy stories to write with a well-known scenario, and while this is cliché it doesn’t mean that the issue is not serious. Why a targeted attack? Reasons could be varied, and can only be hypothesised: a personal grudge or revenge, a lone wolf supporting another competitor project but acting on their own initiative, or a shadow operation mounted by a competitor project.
- Market manipulation – perhaps the least plausible hypothesis, unless the attacker is looking at the very long term and seeking to durably sink the market value of certain cryptocurrencies in order to massively purchase at a discounted rate.
I’m stopping here because we’re already jumping into the murky waters of conspiracy theories. Keep in mind that these are only possibilities.
How were these attacks possible?
There’s been a very interesting development lately through a site called 51crypto that shows the cost and feasibility of running a 1-hour attack (by achieving at least over 51% of the total hashpower) on some sample blockchains.
Some conditions for success are (in my uneducated view):
- blockchains with a low enough hashpower rate (to make an attack possible)
- the availability of hashpower to rent (on Nicehash for example)
- enough base hashpower from the attacker (unless they have such a decisive advantage, but more on this below)
- obviously, enough technical prowess to make something of this hashpower, for instance the ability to manipulate the blockchain, mine on their own chain (and thus reject other blocks that should be valid), rearrange transactions and indeed perform double-spend attacks.
The double-spend part is extremely interesting here because in the case of the ZenCash attack, the attacker knew exactly where to hit by seemingly targeting an exchange which had set by default a low number of confirmations before validating transfers. This enabled the attacker to double-spend funds in a comfortable enough lapse of time, while taking advantage of their decisive edge (either proprietary ASICs, rented hashpower, or a combination of both). At the time of writing, the cost to perform a 51% attack on ZenCash for example was estimated at circa 7800 USD/hour. Considering the theft averaged approx. 500,000 USD (if not more) at the rate when the attack took place, we can see that this is still a lucrative activity very much worth the effort (from an attacker’s perspective, of course).
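The economics in the paragraph above, turned into a confirmation-threshold check an exchange could run, as an added example that is not part of the original post. It goes slightly beyond the text by also covering the minority-hashrate case with Nakamoto's catch-up model from the Bitcoin whitepaper. Assumptions: a 150-second target block interval, a cost model that ignores block rewards earned by the attacker, and hypothetical function names.

```python
import math

# Figure quoted in the post.
ATTACK_COST_USD_PER_HOUR = 7800
# Assumption (not from the post): 150-second target block interval.
BLOCK_TIME_S = 150


def rewrite_probability(q: float, z: int) -> float:
    """Chance that an attacker holding share q of the hashrate ever
    overtakes a payment buried under z confirmations (Nakamoto's
    Poisson / gambler's-ruin model)."""
    if q >= 0.5:
        return 1.0  # a majority attacker always catches up eventually
    p = 1.0 - q
    lam = z * q / p            # expected attacker blocks while z are mined
    poisson = math.exp(-lam)   # Poisson term for k = 0
    total = 1.0
    for k in range(z + 1):
        total -= poisson * (1.0 - (q / p) ** (z - k))
        poisson *= lam / (k + 1)  # advance to the Poisson term for k + 1
    return total


def confirmations_for_risk(q: float, max_risk: float) -> int:
    """Smallest confirmation count keeping the rewrite chance below max_risk."""
    if q >= 0.5:
        raise ValueError("no confirmation count bounds a majority attacker")
    z = 0
    while rewrite_probability(q, z) >= max_risk:
        z += 1
    return z


def max_covered_deposit_usd(confirmations: int) -> float:
    """Largest deposit for which renting a majority for the whole
    confirmation window costs at least as much as the deposit."""
    hours = confirmations * BLOCK_TIME_S / 3600
    return hours * ATTACK_COST_USD_PER_HOUR


def confirmations_for_deposit(deposit_usd: float) -> int:
    """Confirmations needed before the rental cost matches the deposit."""
    blocks_per_hour = 3600 / BLOCK_TIME_S
    return math.ceil(deposit_usd / ATTACK_COST_USD_PER_HOUR * blocks_per_hour)
```

Under these assumptions a constructed threshold of 6 confirmations only covers deposits up to about 1,950 USD, which is why a fixed low default is a poor fit for large transfers on a chain whose majority hashrate can be rented.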
To ASIC or not to ASIC
Actors involved in cryptocurrency mining are usually thought to be acting rationally, which translates roughly into mining coins that are profitable, i.e. maximising their profits, achieving the best ROI on purchased hardware, and reducing their infrastructure costs (cooling, hosting, power) as much as possible.
The theory that rational mining operators are using ASIC miners to disrupt or take control of equihash blockchains and inject their own blocks is contrary to all of the principles outlined above – in fact, it would be counter-productive at every level and would even help mobilise a majority of GPU-based mining operators towards the development of ASIC resistance, thus nullifying or greatly reducing the ROI they were expecting to achieve on their ASIC hardware.
The question of whether to use ASICs or not revolves around several debatable points such as:
- who controls the ASIC manufacturing – in that case, a major manufacturer (Bitmain) is often pointed out (and loathed) by the cryptocurrency community. While we can debate their motivations, Bitmain is a major manufacturer and the risk of a monopoly is real
- whether it is ethical to mine with ASICs when the projects were created specifically to be ASIC resistant and deter the hashrate concentration that is seen on blockchains that are mined with ASICs, such as Bitcoin or Litecoin for example
- the impact of ASIC introduction on investments made by mining operators (for the largest in the six to eight figures in USD if not more), and the possible brutal drop in GPU prices on the market if ASIC adoption becomes inexorable and mining operators start to massively sell their GPUs
These are just a few aspects and there are more, so while to outsiders this may seem to be a fun topic, there’s a lot of money involved in these changes, and money-related topics often lead to passionate debates.
Strengthening equihash networks – what options?
Obviously, in an ideal world, there would be enough perfectly distributed hashrate to make blockchains naturally resistant. The reality however is much bleaker, and there already is to a certain extent a variable degree of concentration in terms of mining power, albeit the decentralisation is currently happening at a larger scale than what we may see. In the scenarios I’m developing below, I will go with the assumption that equihash-based cryptocurrencies are still seen as worthy enough / profitable enough to be mined despite the current 51% challenges affecting the smaller projects.
Short-term: ASIC Resistance & Algorithm Difficulty Changes
In this scenario, the equihash community / projects are defiant of ASIC hardware. Proponents of ASIC resistance claim that a change in the equihash algorithm difficulty parameters (link to ZenCash and Zcash foundation propositions) would give an edge to GPU miners and prevent ASICs from being effective, or at least limit their effectiveness to a certain degree. That assertion should however be tempered by the fact that at the time of writing, nobody knows whether the ASIC mining hardware has difficulty parameters hardcoded on the chips, or whether this is in software (or on flashable memory, such as an EEPROM or an FPGA). I strongly recommend readers to check the links provided above (from the ZenCash project and Zcash foundation) because they cover the topic in depth and much better than I can in this short excerpt.
The solution could turn out to be either a durable fix for a foreseeable period (at least until the next hardware refresh) or a fiasco if it turns out that ASIC hardware manufacturers have taken difficulty parameter changes into consideration. The author of this article believes that hardware manufacturers were smart enough to take this into consideration (at least from an engineering perspective). Obviously these changes require a fork, which will have a large impact on projects such as ZenCash (necessity for individual secure node operators to upgrade 19,000+ secure nodes).
If the equihash coins are profitable despite the introduction of ASIC resistance, we can expect to see an "arms race" between ASIC manufacturers and projects that are openly advocating ASIC resistance. If the only countermeasure is to change difficulty parameters (and upon the expectation that these parameters are not counter-productive for GPU miners), we can expect the release cycle to be greatly reduced (in case the diff params are hardcoded in hardware) or even to become a matter of hours/days if in the next hardware refresh iterations those parameters are moved from being hardcoded to being soft-coded (NOTE: all of the above are assumptions).
Short-term: ASIC Adoption Leads to Hashpower Distribution/Decentralization
In this scenario, the community is ambivalent about ASIC hardware. General availability of ASIC hardware, combined with superior hashrate and lower operating costs, inexorably erodes the existing GPU farms’ competitiveness. This in turn forces them to adopt ASICs, with an amplifying effect that drives out smaller mining ops / individual miners.
The assumption is that within several weeks/months, enough ASIC hardware will be acquired by competing mining operations to negate or strongly dilute the ability to rent a massive share of hashpower that could lead an actor to temporarily or permanently hold 51% or more of the total hashrate. In such a hypothetical scenario, the distribution of the hashrate, albeit considerably less decentralised than in a pure GPU context, would still be distributed enough to deter a 51% attack.
This scenario implies:
- a broad availability of ASIC mining hardware
- mechanisms in place from ASIC vendors to ethically sell / distribute their products (obviously, intermediaries and aftermarket could still lead to concentration)
- built-in programmability of the ASIC hardware to resist or fight back against algorithm difficulty changes
- ASIC adoption from mining operators
Medium/Long-term: changes in PoW algorithms or transition to PoS
If the temperature of debates about ASIC embrace/resistance was that of Venus, and the temperature of debates about whether the Earth is flat or not (hint: it’s NOT) that of Mercury, the temperature of debates between supporters of PoW (Proof of Work) and PoS (Proof of Stake) is that of a billion melting Suns.
- Proof-of-Work is still supported, but technology changes: the most plausible solution here seems to be to move from a pure blockchain-based consensus method to a DAG (Directed Acyclic Graph) such as SPECTRE, which hypothetically deters 51% attacks. The question is how much effort, energy and cost must be put into developing code to implement SPECTRE or any other similar 51% resistant technology. A cheaper alternative would also be to explore how other cryptocurrencies that have forked from Bitcoin are implementing 51% attack mitigations.
- The community and project decide that there’s no reasonable way to prevent future 51% attacks, and decide to move to Proof-of-Stake (PoS). Here again, adapted technology should be identified and tested, which will take some time. There are already staking aspects in some equihash projects (such as ZenCash) where node staking is in place for Secure Nodes and will soon be implemented with Supernodes. This could lead to a hybrid model, where those nodes help mitigate classic hashrate takeover attacks, or could lead to a pure PoS implementation. Proof-of-Stake implementations such as IOHK’s Ouroboros could be considered, but here again projects need to look at current PoS implementations to carefully weigh options and assess current shortcomings before eventual adoption.
It’s difficult to see where equihash projects are headed from a 51% attack resistance perspective. The ZenCash project for example is already exploring very interesting ideas and I’m curious to see how it will roll out.
Looking at the ASIC story, and being as neutral as I can (I don’t mine with GPUs anymore, I have zero plans to acquire ASIC mining hardware and this is an independent blog post not sponsored by anyone – and this blog doesn’t accept sponsorships), there’s one very harsh and cold reality to consider. It’s hard to stop technical progress, and it’s hard to stop innovation. What has impacted other major cryptocurrencies previously (Bitcoin, Litecoin) is on the verge of massively impacting equihash-based cryptocurrencies. In fact, it is not on the verge but already impacting, with a massive redistribution of the hashrate.
There are ethical challenges to ASIC mining hardware availability, and some miners will be impacted by this tectonic shift. I feel nevertheless that no matter what changes are done at the blockchain level in terms of increasing the algorithm difficulty resistance, this may turn into an arms race between equihash projects and hardware manufacturers. One of the challenges of this arms race is exactly the same as the one we know, the USA-Soviet Union arms race: in the end, those who can throw in the most money may get the competitive advantage. Another challenge is whether the equihash community (all the projects) will present a common response to ASICs (Resistance? Adoption?) or if they will be diverging. Those who embrace ASICs may see an influx of hashpower, which may in turn have a leverage effect on their market value. Or not.
It’s hard to predict, but we are indeed living in interesting times.