
Tell HN: Executing a 51% attack on a real live CryptoCurrency, livestream - piracy1
Hey all, On Oct 13, 3:00 CDT, 4:00 EDT 1:00 PST I'm going to do a 51% attack against the cryptocurrency Einsteinium (I'll do the biggest, most established coin I can afford to attack, I'm putting in $50 of my money and if you want to donate you can 18YvVAxEMYxowSYEmWVtY75ZUdKXXk2vQc (If that's against the rules feel free to remove it Admins)) :

1. Demonstrate how easy these attacks are for anyone to do.
2. Generally teach people about the nuts and bolts of these attacks and potential mitigations.

If you want to watch it, [https://www.twitch.tv/geocold](https://www.twitch.tv/geocold)

Event link: [https://www.twitch.tv/events/NyJSsF3hQkGHdnsKA2f4JQ](https://www.twitch.tv/events/NyJSsF3hQkGHdnsKA2f4JQ)
======
hobofan
A 51% attack against small blockchains is like taking a lollipop from a
toddler.

~~~
knocte
A smaller blockchain might seem like a toddler compared to the big old
bitcoin, however you shouldn't dismiss that the biggest shitcoins in market
capitalization have a decent amount of people invested in them.

Take into account a 51% attack causes a double-spend. A double-spend targeting
a transaction of a big amount costs the same as if you target a transaction of
a small amount. This means that whoever performs this attack could just wait
until the perfect victim comes in (think: a big transaction from/to a
hotwallet of a big exchange).

This, in the end, could cause a big loss to some user of the exchange
(especially if the exchange doesn't take responsibility for the issue); which
could mean a lot more value than a lollipop.

Key takeaway from this IMO: don't invest in shitcoins, err.. altcoins sorry.

~~~
ghayes
You should demonstrate an effective use of double-spend in your 51% attack,
since there’s a lot of FUD around what can happen with a 51% attack. As in,
people may assume you can drain accounts with 51% control, as opposed to
double-spend transactions that did not yet hit high confirmation counts.

~~~
piracy1
"As in, people may assume you can drain accounts with 51% control" This is
categorically incorrect. I'll make sure to mention that.

~~~
mr_the_coin
Of course you can drain accounts with 50% hash power or greater. And the
number isn't 51%, it is actually 50%. If you have 50% of the hash power, you
will be ahead exactly half the time. However, you will selfish mine and this
creates an asymmetry. When you are ahead, other miners will mine off your
chain, making your chain the longest. You will never mine off other published
blocks, no matter how far behind you are. And no matter how far behind you
are, you will eventually be greater than even at some point.

Because you can start mining at any point in the past, you can erase all
transactions except the genesis/first transaction.

The bitcoin developers realize this so they essentially stuck the blockchain
in the source code by putting 'checkpoints' in the code. This protects their
coins. The developers are the actual central blockchain authority. If they
changed the checkpoints, they would fork the whole chain. The chain is
essentially in the source code.

------
ralexstokes
Do you have an estimate for how expensive the attack will be?

Are you renting hardware from the cloud?

Any chance they will hardfork before you can attack?

~~~
akerro
[https://www.crypto51.app/](https://www.crypto51.app/)

[https://www.crypto51.app/coins/EMC2.html](https://www.crypto51.app/coins/EMC2.html)

~~~
piracy1
A great site. I made a version of it in python a while back and wanted to turn
it into a website but never got around to it. Glad they did it for me but a
lil sad I never got the media attention it got :(

~~~
giancarlostoro
Try CherryPy if you want to turn python code into a website.

~~~
piracy1
Thanks for the recommendation. For me, making it wasn't the hard part, the
procrastination was.

~~~
giancarlostoro
No problem, I recommend it cause CherryPy will take any object oriented
application and turn it into a website, you could make it all RESTful if it
makes it easier and just have a jquery ajax client or something to make it
stupid simple. Been using CherryPy for years and happy with it.

------
piracy1
Feel free to ask me any questions, I'll try to answer them all.

~~~
ersiees
What these attacks are about is stealing money, right? Is that your plan? Why
do you want donations to steal something or if you don’t steal anything how
will you change the chain?

~~~
piracy1
Generally, an attacker would deposit money in an exchange, exchange that
money, withdraw it, then overwrite the transaction. I don't plan to do this.
I'll either just do the overwriting part or just deposit like a dollar and not
exchange or withdraw it. This is meant to just be educational.

~~~
tomglynch
I understand you're doing it to be educational - though what stops someone
else taking advantage of your 51% attack and performing a double spend?

~~~
ema
Nothing really. Except since this 51% attack is pre-announced people can
choose to not accept any transaction as confirmed until the attack is over.

------
someno
I hope you realise Einsteinium has introduced dPoW algo to harden their
blockchain security several weeks ago? They checkpoint to the Bitcoin
blockchain every 10 minutes on average. You have not prepared accordingly,
have you?

------
luna239
We apologize. This content is no longer available.

------
copex
Can't we take profit too with this attack? It would affect the whole
blockchain, so we can also send an amount of that coin to an exchange when you
start the fork. Then we will have the amount restored when the fork becomes
the real of the coin.

------
jamieweb
What are you going to stream? Setting up the miners physically or a screencast
of the configuration? Or something else?

------
zhte415
I think you've already done it. A central bank cannot run a blockchain level
of trust that is smaller than they are. And nor can shipping companies, and
basically anyone.

If you're not sure another party isn't in control of the 51% of the chain,
nothing is safe.

~~~
loceng
Which then requires a centralized authority, of members who trust the
systems/processes and people in place, if going to use blockchain technology..

------
F_r_k
What time UTC ?

~~~
raws
8:00 PM UTC

~~~
jwilk
Why PM?

~~~
zamadatix
Because that's when it is?

~~~
jwilk
Yeah, but how was that conclusion reached?

3:00 CDT = 8:00 UTC, but the original post didn't mention AM or PM.

Is PM the default in US?

~~~
zamadatix
The event link from the original post says:

DATE & TIME Saturday, Oct 13 4:00 PM EDT

But yes, generally 4 AM isn't the most common stream start time :).

------
tiotempestade
Is there a recording of this? I've missed the thing!

------
Havoc
Isn't that kinda mean towards whoever set up the coin?

Not saying don't do it... but think it might ruin someone's day even if it is
intended as educational

~~~
ema
I think how to judge this attack depends on how the coin presents itself. If
they're clear about being in a phase of the project where such attacks are
feasible then it's just vandalism, but if they're presenting a more flattering
image of their project then demonstrating a 51% attack is a service to the
public.

~~~
throwawaylolx
If they are in that phase, then they shouldn't be on exchanges.

------
Rainymood
I probably do not understand enough of the blockchain technology but you
announcing this ... why can't they ramp up their security?

~~~
Improvotter
Because in order to "ramp up their security", they'd need more users which
makes this attack harder. Security isn't like a knob that you turn.

~~~
throwawaylolx
They can just rent more hash power than OP during the live stream.

------
sauravt
Did anyone watch it live?

~~~
bitspill
Was banned by Twitch before the demonstration so switched to stream.me who
also banned him, says he'll record it and post a video later instead last I
saw

------
luna239
What account?

------
jeanlucas
Finally someone can prove those claims of how much it costs, if this is legit.

------
applelover
Will it be pumped during attacking?

------
jwilk
CDT, EDT, PST? I have no idea what this means.

Please don't use time zone abbreviations. They are neither human- nor machine-
readable.

~~~
mchannon
Over half the HN readership lives in areas where these abbreviations are
human-readable. And 100% can google the abbreviations. Would it be better if
we started using UTC+5, etc.? Sure. But good luck getting Americans to change.
If the OP's European counterpart posted a time in "CET" I'd have to go look it
up, and I'd be fine doing that if it was important to me, rather than pointing
the finger and crying Eurocentrism.

What I did find objectionable about the times, though, was the lack of "AM" or
"PM". In the US, 3:00 might be in the morning or the afternoon, and the
context does not make it clear which is intended.

~~~
mirages
Never heard about CET before you mentioned it and I'm European.

------
ziomanzo
or you are trying to hack us? with creating an account?

~~~
piracy1
What account?

------
chris_mc
Isn't this massively illegal? You're basically DoSing a network. Possibly
theft as well!

~~~
saagarjha
Why would it be? You’re just mining like any other person, except you’re doing
it faster than anyone else. I think the poster has mentioned that this is
purely for educational purposes; they’re not trying to steal everyone else’s
money.

------
ziomanzo
lol, I thought you were gonna show us how it works on some testnet. If you are
for real, this will be very educational! Tell us every detail please! The
costs, hashpower, what exactly are you going to do? double spend?...

