Note: This is a follow-up post; you may want to first read part 1 here.
If you want to scare somebody in the cryptocurrency world, just utter the phrase “51% attack.” This method of network assault — in which a single party manages to acquire enough mining power to outperform the joint forces of the rest of the network — can no longer be written off as an unfeasible hypothetical, at least not for smaller-scale altcoins. Bitcoin Gold and Monacoin were both recently hit with such an attack, and it seems inevitable that more will soon follow.
As far as these attacks go, however, there are important distinctions to note: when Verge was attacked at the beginning of April, it was widely reported as being in the 51% category. However, as I explained in part 1, a combination of questionable design decisions and outright mistakes in Verge’s software enabled the attacker to pull off their feat with far less than the majority of the hash-power, making the “51%” label wrong, or at best misleading.
Well, as it so happens, on 5/22, Verge was attacked again. From the outside, the attack looked suspiciously similar to the first, which was odd. Surely, in the six-week interval between attacks, some sort of fix must have been implemented that would at least make the attacker’s life more complicated. Right? Perhaps this time, it was a legitimate 51% attack? Or maybe the attacker found some new, clever, fascinating, heretofore unfathomed security hole to exploit? I was curious to know the details, and many others seemed to be as well, so I decided to dig back in.
Here’s a drastically condensed version of what I discovered:
- Much to my disappointment, the second hack was virtually identical to the first one, with one minor, un-clever, uninteresting difference.
- An issue that I hadn’t covered in part one (that actually is pretty interesting!) renders the whole situation, for both hacks, far worse than I’d realized.
- In the current state of the Verge repo, of the three sources of vulnerabilities that led to the attacks, two are slightly mitigated (at best) and the third remains completely unfixed.
- This is all bad.