A recent rash of double-spend attacks on ZenCash and other privacy coins is exposing a potential security oversight that has already cost investors and exchanges millions of dollars.
Privacy-focused ZenCash (ZEN) joined the “51 Percent Attack” club when, on June 2, the cryptocurrency was subjected to at least three double-spend attacks.
“At the time of the attack the Zen network hash rate was 58MSol/s,” reads ZenCash’s official statement on the hack. “It is possible that the attacker has a private mining operation large enough to conduct the attack and/or supplement with rental hash power. Net hash rate is derived from the last mined block and therefore live hash rate statistics are not available.”
ZenCash estimates that 23,152.3 ZEN (nearly $620,000 at press time) was laundered in three separate attacks starting around 10:43 p.m. EDT on June 2. Forensic examination of the attacks is ongoing at this time.
A 51 percent attack occurs when a malicious agent takes control of the majority of the coin’s network’s hashrate or computing capability. The attacker can then reorganize the network’s blockchain to accept fraudulent blocks – or blocks legitimately mined but claimed by the attacker. As the attacker’s version of the blockchain is now growing faster than the original blockchain, the network accepts the fraudulent blockchain as being legitimate due to having the longer PoW chain.
In the case of a double-spend attack, the attacker would typically deposit a coin with an exchange, only to reverse the transaction on the blockchain. They would then deposit the original coin in an offline wallet and, when the coin is posted on the exchange, would withdraw the now-laundered duplicate coin as well.
The website 51crypto has recently tested how much it would cost – utilizing rented cloud computing – to achieve a 51 percent attack on a PoW network. While it would theoretically cost more than $735,000 per hour to attack bitcoin, it would only cost about $8,000 per hour to attack ZenCash (at press time). Other coins that recently succumbed to 51 percent attacks – such as privacy-minded Verge (XVG) and Bitcoin Gold (BTG) – also have low barriers to 51 percent attacks.
This vulnerability is being blamed on the Equihash mining algorithm, which is utilized by a significant number of privacy-minded coins. Equihash is an ASIC-resistant PoW algorithm that allocates mining capacity to the memory capability of the mining rig, instead of its computational speed. The appeal of such an algorithm is the current infeasibility of creating a cost-effective Equihash-specialized chip, making large-scale mining operations like the ones seen with bitcoin economically impractical.
However, the security flaws associated with Equihash are forcing developers to come up with forks as quickly as possible. “We’ve been working at an incredible pace the past days to put the plan and pieces together, and we expect to upgrade our mainnet approximately seven days after the necessary software is up and running on our testnet,” the developers of Bitcoin Gold told CCN in May. They went on to say:
“While it would be better to give all our partners more than seven days to test and deploy to avoid disruption, these attacks have already forced disruption on us all, so we feel it’s best to get the upgrade completed as soon as we possibly can.”
The hacks are coming at a time when many governments are cracking down on privacy coins. Citing security and fraud concerns, exchanges in Japan and South Korea recently delisted Monero, Zcash, and Dash, among others.
Frederick Reese is a politics and cryptocurrency reporter based in New York. He is also a former teacher, an early adopter of bitcoin and Litecoin, and an enthusiast of all things geeky and nerdy.
ETHNews is committed to its Editorial Policy
Like what you read? Follow us on Twitter @ETHNews_ to receive the latest ZenCash, ZEN or other Ethereum cryptocurrencies and tokens news.
Source: ETHNews