Rental attacks mean that blockchains must evolve or die

Blockchain technologies have a well-earned reputation for hacking and fraud, but the recent theft of more than $20 million of second-tier cryptocurrencies like Bitcoin Gold, Verge and ZenCash was a fundamental attack on the core mechanisms that allow cryptocurrencies to function. The way that most blockchains (including Bitcoin and Ethereum) function now is called Proof-of-Work; miners must solve hard computational problems to add new blocks of transactions to the chain and the majority (i.e. 51 percent) of the computational power can determine which transactions appear in the public ledger.

In May and June, these second-tier cryptocurrencies suffered from what is called a “51% attack,” where attackers rented more processing power than the honest participants of the network, enabling them to control the transaction register and engage in nefarious behavior. For instance, an attacker could steal from an exchange by sending a deposit of compromised cryptocurrency, cashing it out then striking the initial deposit from the public ledger.

A new working paper from my friend and occasional collaborator Eric Budish, an economics professor at the University of Chicago’s Booth School of Business, argues that any blockchain with reasonably low transaction fees is fundamentally vulnerable to 51% attacks. The risk of these attacks was known, informally, from the earliest days of cryptocurrency, and to counter this risk exchanges do not immediately credit deposits. Instead, they wait for deposit transactions to “age” on the blockchain in an escrow period. The assumption is that it would be hard for an attacker to control more computational power than honest miners for the whole escrow period.

Budish tests this assumption through a sophisticated simulation. He finds that, because it is easier for an attacker with majority compute capability to mine blocks than the honest network, escrow periods provide far less protection than has been thought previously.  Budish’s simulations suggest that increasing escrow periods 100-fold would generally increase the cost to an attacker by less than 10 times.

The most pointed criticism of Budish’s argument is that it does not match the observed facts of the blockchain ecosystem. The average Bitcoin transaction fee is about a dollar; Budish suggests that these fees should be 100x higher (or more) to secure Bitcoin’s blockchain.

Crypto 51, a website that tracks the vulnerability of cryptocurrencies to 51% attacks, provides an answer for why Bitcoin appears secure while other currencies are not: only a small fraction of the mining capability of the Bitcoin network is available to rent. Bitcoin remains secure because there is a great deal of scarcity in the market for latest-generation mining equipment, such as the expensive ASIC chips that have driven Bitmain, the market leader, to a $12 billion valuation.

Looking at the hourly attack-rental prices on Crypto 51 (generally only a few thousand dollars) it is easy to draw the conclusion that every cryptocurrency other than Bitcoin and (perhaps) Ethereum should simply not exist because it is too easy for scammers to destabilize them. Even with the recent collapse in cryptocurrency prices, these second-tier coins still represent tens of billions of dollars of market capitalization.

The protections that Bitcoin enjoys come from the fact that these ASIC miners are hard to get, but there is no law that says this need always be the case. Samsung is actively developing ASIC miners now; if they were to glut the market with cheap, rentable Bitcoin mining rigs, the result would probably be the mass destabilization of the Bitcoin network.

The threat of rental attacks means that Proof-of-Work blockchains must evolve or die. Ethereum is in the process of rolling out just such an evolution, called Casper.

Casper is a mechanism for adding new blocks to the Ethereum blockchain (“minting”) wherein Ethereum holders will lock up (“stake”) some of their ether and use those stakes as bonds to vouch for newly mined blocks. If a staker acts honestly, they will get rewarded with a fraction of the transaction fees in the ecosystem. If they act dishonestly and vouch for blocks that could be part of an attack, Casper confiscates a large amount of their staked ether. The threat of confiscation means that any rental attack on the system would require buying a substantial amount of ether, significantly driving up the cost of an attack.

Casper would be a big change to the way Ethereum works, and it faces considerable pushback from the community. To be fair, it is not a finished product yet in at least two respects. First, the parameters that define the economic benefits and potential losses for stakers are still in flux.

It is important that the parameters of Casper are set attractively enough that a significant fraction of ether would  be staked, because the strength of the system would be proportional to the amount of honestly staked ether. And, although Casper uses Proof-of-Stake for adding blocks to the Ethereum blockchain, it still requires Proof-of-Work mining to create new blocks of transactions. That means Casper will not fix the power consumption or GPU scarcity issues that have been a consequence of Ethereum’s rise. Ideally, Casper would be a stepping stone to a purely Proof-of-Stake system, one in which we don’t need farms of computers wasting energy to solve meaningless computational problems.

Budish’s economic argument suggests that any Proof-of-Work blockchain with low transaction fees will be vulnerable to rental attacks. If blockchain technologies have a future, it will not be from Proof-of-Work. The replacement of Proof-of-Work with better, more robust, more energy-efficient technology will be the challenge of the second chapter of blockchain development.