ZenCash, a privacy coin forked from ZClassic (itself a fork of ZCash, a privacy coin once recommended by Edward Snowden), has been hacked.
For four hours starting around 10:30 pm Sunday, June 3rd, a hacker gained majority control over the relatively small ZenCash mining network and “double spent” 23,152.3 ZEN coins.
Bitcoinist reports that the four-hour attack on the small ZenCash network cost the attacker only about $30,000 USD.
Stolen coins sold on exchanges shortly thereafter may have netted around $550,000 USD.
ZenCash and several other coins, including Bitcoin Gold, Bitcoin Private, Komodo and ZClassic, all use the same mining protocol as ZCash: a proof-of-work system that uses an Equihash algorithm.
Because all these networks use the same protocol, a miner who has already established significant hashing power on a larger compatible coin’s network (a lot of equipment dedicated to mining the larger coin, though not necessarily enough to attack it), or someone who has rented enough equipment, could easily point that mining power at a small compatible network for four hours and mount a 51% attack there.
Cryptocurrency mining power can be rented at places like NiceHash.
Husam Abboud, a cryptocurrency researcher at FECAP University in Brazil, published a post on Medium on May 21st in which he claimed that a successful attack on Ethereum Classic, a smaller version of Ethereum, would cost only about $1.5 million and would still be profitable.
Abboud outlined three types of 51% attack:
- Prevent transaction confirmations (arrest the network)
- Reverse recent transactions that have been sent (allowing for a double-spend)
- Generate denial-of-service attacks against particular addresses, for example exchanges or other miners.
Ethereum Classic was created after $55 million worth of ether was drained by a hacker from a pool of coins held in a DAO smart contract in 2016.
In an attempt to render the stolen Ethereum unusable, the network forked and a majority of users moved onto a new chain.
The Ethereum Classic network persisted although on a much smaller scale than the new chain.
Today, total control and possible destruction of the Ethereum Classic network, says Abboud, would bring in a billion dollars and would cost a fraction of that. “We can safely estimate the cost of a 51% attack on Ethereum Classic today to be between $55 to $85 million.”
When Bitcoin, the largest SHA-256 network, was created nine years ago, its inventor believed that the Bitcoin network incentivized good behaviour by making it more profitable to cooperate than to attack.
Attacking Bitcoin would require a billion dollars of equipment and several million dollars' worth of electrical power per day, and any such attack would so diminish the stolen bitcoins’ sale price that it would be unattractive.
But recent changes in crypto markets, says Abboud, like the creation of numerous hedging products and the availability of leverage, have made even a 51% attack on large crypto networks more feasible.
“Today, 9 years later, clearly these assumptions are very outdated. We do have major exchanges with a lot of liquidity which allow you to short-sell with a trading margin from 2.2x to up to 100x (to benefit from price declines significantly) like Poloniex, BitFinex, Kraken and GDAX — Futures market like CME and Exante (and many others lining up) we have derivatives markets like BitMex, WhaleClub and CFDs like AVAtrade, and Plus500, Options like LedgerX and the decentralized prediction markets like Augur, and Gnosis — which have been becoming popular. You see where I’m going with this.. it’s just becoming easier every day and the market is more liquid for opportunities where you can benefit from price decline.”
After the attack, ZenCash issued the same type of reassurances offered by Bitcoin Gold and Verge last week when those networks, as well as MonaCoin, also succumbed to 51% attacks.
According to a statement by ZenCash, the company “immediately executed mitigation procedures to significantly increase the difficulty of future attacks on the network,” and contacted exchanges (of which there are over a hundred) to request they impose a requirement of 100 confirmations on any ZenCash transactions, a tactic designed to slow the sale of stolen ZenCash.
ZenCash also claimed, “A 51% attack or double spend is a major risk for all distributed, public blockchains,” glossing over the fact that small, cloned networks like ZenCash are much more vulnerable.
The website crypto51 has published alarming data they claim shows the one-hour cost of attacking various crypto networks based on the cost of equipment rental.
It is important to remember that every attack is a possible rehearsal for a bigger one yet to come.