
Show HN: Cost of a 51% Attack on Popular Cryptocurrencies - xur17
https://www.crypto51.app
======
xur17
After the multimillion dollar Bitcoin Gold 51% attack a few weeks ago, I was
curious what an attack like this costs against other currencies. I calculated
the cost of renting hashing power from NiceHash to complete an attack.

I found it surprising that it is possible to rent enough hashing power for
many of the smaller currencies, which makes me question the use of PoW for
smaller coins.

Please note that the attack costs do not include the money you earn in the
form of block rewards, so in many cases the costs will actually be
substantially lower.

~~~
erentz
Nice work. Its really important to consider this for those buying/holding
crypto currency. Consider all coins using the same function to be the same
family and the one with the most work and power to be the most valid. So there
are sha256 coins, scrypt coins, equihash coins, etc. In the case of sha256 the
most immune to attack is bitcoin. Everything else is massively vulnerable. In
the case of scrypt, it’s litecoin. Everything else you should not hold because
it can be swamped by the hashing power mining litecoin atm. So on.

This is a little different from how people have been told to think about it
before which is just focusing on the blockchain itself rather than the mining
power behind any given variation/fork/whatever of block chain.

Ps. And that probably should be taken a step further. If you have families of
coins that are all GPU mined, then you need to consider the tota GPUs mining
them and the hashing power of those GPUs and the ability for them to switch
functions. Now GPUs are a blip on ASICs so for the predominantly asic mined
coins this doesn’t matter.

~~~
ghayes
Just want to note that there’s no risk in holding a token due to 51% attacks
(except for the external issues such as loss of value and hard fork
proposals). No one can spend your assets, it’s just another transaction may
double spend (so you could lose incoming tokens).

~~~
krab
Such attacks may lower the value of your tokens by undermining the trust in
the currency though.

~~~
theraccoonbear
"except for the external issues such as loss of value"

that was literally stated

~~~
elyobo
Literally stated, but sort of missing the point.

Paraphrased: there's no risk, except that you lose all of your money (because
your coins are now worthless).

------
mrb
The elephant in the room is that with the exception of Ethereum, all GPU-mined
coins can relatively easily be "51%-attacked" by a small fraction of GPU
miners.

There are ~10 million GPUs mining cryptocurrencies in the world today. Because
the majority of them mine Ethereum (5-10 million are needed to generate 250
TH/s), it means the other coins can easily be overpowered and attacked if a
small fraction of GPU miners decided to do so. For example look at Monero: 400
MH/s of CryptoNightV7 hashrate means there are 400k-800k GPUs behind it,
therefore only 4-8% of the pre-existing worldwide GPU mining capacity is
needed to attack it.

In a way we could say Monero is vulnerable to a "4-8% attack!"

The best way to defend a coin from this scenario is for it to implement a
unique PoW algorithm that is very ASIC-friendly so that GPU miners couldn't
overpower it. Of course the same attack scenario would exist if there is a
large pre-existing installed based of this ASIC, so the PoW algorithm must be
unique. For example Bitcoin Cash could currently be attacked by 10% of Bitcoin
miners as they are both mined by the same SHA-256 ASICs.

The irony is that the misguided trend to try to be "ASIC-resistant" is
actually worsening the value proposition of all these GPU-mined coins as it
makes them _more_ vulnerable to the very real possibility of 51% attacks...

~~~
fanzhang
Having a unique ASIC algo would raise the problem of the traditional 51%
attack though.

Whichever fab produced it would have a huge hardware advantage in mining. They
would mine themselves and just use 51% of their physical units (versus renting
on a time-slot market) to do the attack.

~~~
tfha
Better to have one person who can attack you than to have 25.

~~~
loser777
This point doesn't seem to make sense. If you have 25 potential attackers,
then for there to be an actual 51% attack, more than half of them (13/25)
would have to band together to actually reach 51%. Unless the assumption is
that the 25 parties buy chips and sit on them indefinitely without
contributing to the network hash rate.

~~~
tripletao
I'd guess they mean "better to have one potential attacker because of the
centralization that mining with a unique ASIC would tend to cause, than to
have 25 potential attackers because you're vulnerable to an attack by 1/25 of
worldwide GPU power (which is normally used for other coins but could be
briefly repurposed)".

------
HaseebQ
This is a totally misleading calculation for the largest currencies. It's
literally quoting the spot price for what's available on NiceHash and then
dividing by the fraction you'd have of the total hash rate.

In reality, as you continued buying up hashing power, the price of the
remaining hashing power would go up precipitously. This is basic supply and
demand.

~~~
xur17
That is why I included the NiceHash % for each coin. NiceHash offers fixed
price contracts, typically for ~30% of their supply that you can lock in for
up to 24 hours.

It's definitely a lot less do-able for the larger currencies - I still think
PoW is a good option for them honestly. This was more to show that 51% attack
risk is problematic for smaller coins, and I'd love to hear a discussion on
the best way to fix this.

~~~
Iv
> I'd love to hear a discussion on the best way to fix this.

Proof of stake (still problematic for very small cap) or proof of ID (my
favorite) using something like the e-estonia crypto ID system. You can prove
every miner is a unique person, award them coins on a deterministic pseudo-
random order.

~~~
swift532
If you're going to use proof of ID, doesn't that kind of remove any need for a
blockchain? How do you suppose you can have a censorship resistant currency if
all a bad state actor has to do is punish anyone who mines a transaction they
don't like.

I like crypto, but the greatest danger of it seems to be the potential for
economic enslavement(we don't like you, therefore you can't buy bread anymore)
through censorship and oppression.

~~~
Iv
Centralized government only provide means for a person to ID themselves,
possibly through pseudonymous means.

If you are worried about targeted censorship, I seem to recall from the first
days of BTC that there are ways to "shuffle" IDs: participate in a pool P, get
a new ID that is untraceable to the original one but that is traceable to pool
P and offers the guarantee that there are no duplicates.

But note that no cryptocurrency is "censorship-resistant" (I am of the opinion
that financial transactions are not free speech, so calling it censorship is
not the appropriate word and confuses issues). BTC can be (and has, in China)
be forbidden. Forbid mining, jail people who do it. Easy in a country that
bans also VPNs and Tor.

BTC is only as strong as Tor is and Tor is dependent on the governmental
goodwill to let people use strong crypto. Keep in mind that until 2000 US
companies were banned from exporting crypto tools that the NSA could not break
[1] and even to this date, restrictions exist for some material and countries.
USA is just one executive order away from making Tor, VPNs, and thus,
anonymous BTC mining, illegal.

And I think that many countries will ban BTC. China is more energy-constrained
than most of us, but the energy needs of the BTC netword is gargantuan. I
think they have a year to solve that issue (I think they will use proof-of-
stake) before states starts pulling the plug.

And always remember that as cool as crypto is as a tech, it does not exist in
the vacuum. While it allows to navigate against an incompetent but permissive
state, it does not fare well against a competent hostile one.

A part of the problem of maintaining cryptocurrencies (or anonymous networks)
is political, not just technical. I too, as a geek, love the prospect of being
able to solve political problems with technical solutions, but it only works
up to a certain point.

[1]
[https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...](https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States)

------
Meekro
Doing a 51% attack on a major coin, and actually profiting from it, is much
more complicated than this chart implies. Here are some of the problems you'll
run into:

1\. NiceHash doesn't have anything like the hashpower you need to attack a
major coin such as BTC or ETH. The chart admits that NiceHash has only 2% of
the capacity you need to accomplish this on Bitcoin. You'll need to start
buying ASIC hardware or graphics cards to cover the other 98%. Both of those
are hard to obtain in very large quantities quickly.

2\. Since you have to buy the hardware, you can expect to pay much more than
the NiceHash prices imply. Bitmain is one of the major suppliers of such
hardware, so let's use their prices as an example. One of their top Bitcoin
ASICs is a 14 TH/s unit that costs about $1,000 [1]. So you need about 2.5
million of these units at a cost of 2.5 billion dollars. Not that Bitmain has
the capacity to fill such an order.

3\. The cost of those ASICs is just the beginning. Have you seen photos of
those Chinese data centers that have racks of mining ASICs on shelves? Each of
those data centers has maybe a few percent of Bitcoin's hash rate, so you'll
need to build something at least 30x larger. Your electric bill alone will
exceed the GDP of some small countries. Since you've already spent billions of
dollars on ASICs, hopefully you have some money left to pay it and hire a data
center ops team.

4\. How fast can you build all this out? Bitcoin's hash rate has grown 30%
over the last month[2]. You might sink billions of dollars into this project
only to discover that you've come up short.

5\. Congratulations, you can now make a few million dollars by 51% attacking
the blockchain. You would, for example, deposit some bitcoins with a bunch of
exchanges, sell them, withdraw dollars, and then use your hashpower to unwind
those deposits and put the bitcoins back into your own wallet. It'll take a
few hours (or less) for every exchange to notice what you're doing and freeze
withdrawals. The bitcoin price will free-fall as everyone wonders about how to
prevent this next time. You may or may not be arrested and charged with wire
fraud. You're done!

[1]
[https://shop.bitmain.com/product/detail?pid=0002018052320100...](https://shop.bitmain.com/product/detail?pid=00020180523201006625r2KQCnC10650)
[2] [https://blockchain.info/charts/hash-
rate](https://blockchain.info/charts/hash-rate)

~~~
btown
The interesting thing is that the Chinese government could theoretically
nationalize all those data centers and be very close to (or far beyond) 51% on
any proof-of-work-based cryptocurrency [0]. This would, of course, be a one-
way street, immediately lead to a price crash, and likely be unprofitable...
but it might be viable, say, as part of a scorched-earth cyberattack to cause
chaos and wipe out international wealth parked in Bitcoin.

It's heartening to see things like Ethereum moving in a proof-of-stake
direction [1], and there's a lot of hope for a lot of the new cryptocurrencies
out there. But Bitcoin itself is far more centralized and government-
controlled than a lot of people think.

[0] [https://medium.com/@homakov/how-to-destroy-bitcoin-
with-51-p...](https://medium.com/@homakov/how-to-destroy-bitcoin-
with-51-pocked-guide-for-governments-83d9bdf2ef6b)

[1] [https://www.ccn.com/ethereum-moves-one-step-closer-to-
proof-...](https://www.ccn.com/ethereum-moves-one-step-closer-to-proof-of-
stake-as-casper-receives-first-release/)

~~~
wpietri
Given that money laundering is a significant use of Bitcoin, and given China's
extensive history with capital controls [1] and their willingness to execute
people for corruption [2], it would not shock me much to see them do this for
purely internal reasons. Chinese leaders are historically not big fans of
things they can't control.

[1] It's a hot topic:
[https://www.google.com/search?q=china+capital+controls](https://www.google.com/search?q=china+capital+controls)

[2] E.g.: [http://time.com/4298731/this-is-how-much-money-you-can-
take-...](http://time.com/4298731/this-is-how-much-money-you-can-take-in-
bribes-before-the-chinese-authorities-execute-you/)

~~~
michaelt

      China's [...] willingness to execute people for corruption
    

I read a fascinating (although very cynical) book a few months ago, and it
said something very interesting about corruption.

If an autocracy needs to buy the loyalty of the army/police/government
officials, instead of paying them cash the autocracy can simply turn a blind
eye to corruption. That means you don't need to spend your own money to bribe
them - and if any of them display disloyalty, you can simply have them
executed... for corruption!

So you always have to be wary when you hear a regime is cracking down on
corruption - it may be they're simply cracking down on disloyalty, while
retaining their private pro-corruption stance.

~~~
wpietri
Oh, yeah, I'd believe there's some of that going on here. Although I'd also
believe that the real rule isn't "don't steal", it's "don't steal too much".
With "too much" being defined by some combination of "more than those superior
to you in the pecking order" and "in a way that causes public upset".

~~~
SZJX
That has definitely been a commonly deployed trick throughout historical
Chinese dynasties. However there are always two sides to it and nothing can be
regarded simplistically, especially if you're talking about Xi's anti-
corruption campaign. While Xi might be consolidating power with the corruption
crackdown, the general welfare of Chinese civil servants have indeed been
reduced a lot, to the extent that many of them simply quit and started their
own businesses indeed.

Whether one likes it or not, Xi is genuinely trying to make China more like
the US and letting the private market play a much bigger role while reducing
government support. He's just like Reagan.

------
fanzhang
Rent-a-miner attacks seems to be another amusing example of when the
_existence_ of a market can break the system.

For example, voting works well in a democracy, but if we can sell votes,
democracy would likely collapse because rich organizations would buy it up and
control all politics. (Some say this is already true; but you know it would be
way worse if votes were openly sellable).

Satoshi foresaw people trying to mount a 51% attack by buying a ton of
machines, and so he went to great lengths to ensure this was unlikely using
mining. I don't think Satoshi foresaw the liquid AWS-like market for instant
hashing power. The ability to mount a limited-time 51% attack makes the attack
literally 1000x easier than a buy-machine 51% attack.

~~~
AlexCoventry
It's bizarre to me that rent-a-miner is a viable business at all. Why don't
the owners just set the miners to mine whatever the most profitable coin is at
the moment?

~~~
ex_ex_nihilo
The "owners" of the hardware are private miners. The rent-a-miner business
(NiceHash) just connects sellers of hashrate (miners) with buyers of hashrate.
The miners don't care what they are mining, and they get paid in BTC
regardless of what their hardware actually mines. NiceHash is just a
marketplace that automatically mines the most profitable coin by what people
are willing to pay for hashrate. None of the hardware belongs to NiceHash.

Your question is still valid and good, but not in the way you have phrased it.
The real answer is: laziness. NiceHash is easy and steady. If you have a nice
gaming rig, you can make a few extra bucks a day by selling your hashing power
while it's idle. If you are a serious miner, you probably don't use NiceHash.

~~~
AlexCoventry
Makes sense. Thanks.

------
jakecraige
It would be helpful to expand on how many blocks can be reversed given only
one hour of hash rate.

Many wallets, exchanges, etc require a minimum number of confirmations before
allowing you to spend the coins to handle reorgs that happen naturally.

For example, in Bitcoin this is often around 6. With 1hr of hash rate you
might be able to get 7 blocks but likely you’ll actually need more time to get
enough blocks or successfully attack. Accounting for this would increase the
cost substantially.

Either way, pretty neat site!

~~~
gizmo686
I don't think it is particularly useful to talk about blocks reversed in this
context.

In all cases, you can reverse about 1 hour worth of blocks. In practice, when
wallets/exchanges/etc pick a minimum number of confirmations, they are really
picking a minimum time. So, if bitcoin had double the blockrate, they wouldn't
say 'well, we only require 6 blocks, so you only need ~30 minutes of an
attack', but rather, 'we require ~1 hour, so you need 12 blocks of
confirmation'.

~~~
jakecraige
Yeah it’s sort of time based assuming consistent blocks, but it would still
based on confs. If the hash rate doubled then one would only require 30
minutes until the difficulty adjustment kicked in.

The main purpose of my post is that to actually pull off a successful attack
you probably need more than an hour, so the numbers are making it look like
it’s cheaper than it would be in practice (ignoring other factors other
commenters have shared about acquiring ASICS, data centers, and such).

You can’t 51% attack Bitcoin for $611K, but your site says you can. While the
site can’t be perfect, it would be helpful to make it more realistic. If a
news site picks this up and doesn’t understand the nuances they’ll
accidentally spread FUD and mislead a lot of people.

~~~
Canada
> If the hash rate doubled then one would only require 30 minutes until the
> difficulty adjustment kicked in.

Difficulty adjusts every 2016 blocks.

~~~
jakecraige
Yes, I’m saying that rather than needing an hour to get 6 blocks if the hash
rate doubled, you’d only need 30 mins _until_ the adjustment occurs. Then it
would be an hour again.

------
hoschicz
This is incredible! What actually stops me from launching such an attack on
something like Einsteinium?

One problem I found w/ the website: you have included Peercoin, even though
Peercoin uses PoW only for initial coin distribution and not block validation.
Block validation is done through PoS.

~~~
aiCeivi9
> What actually stops me from launching such an attack on something like
> Einsteinium?
    
    
        - lack of exchanges accepting it
        - delays on withdraw/deposit to/from exchange
        - exchanges requiring verification of user PI
    

That is probably all.

------
cameldrv
This is why a POW based cryptocurrency can never handle a significant amount
of money.

Suppose you're Coinbase. The way you protect yourself is on large
transactions, waiting for more confirmations. This increases the amount an
attacker must spend to do a 51% attack. If you wait long enough, it's not
worth it. But wait! The attacker can use multiple accounts and multiple
exchanges, so now Coinbase has to look at the total volume of newish
transactions on the blockchain in order to know when it is guaranteed to be
safe.

The upshot of this is that a POW blockchain cannot securely transact more
money per hour than the 51% attack number. That's also approximately the
amount of money miners spend per hour.

Total world payment volumes are on the order of a quadrillion dollars per
year. Unfortunately world GDP is only $80 trillion. Even if we reoriented our
entire economy to do nothing but mining, we could only protect about 10% of
all of the transactions.

~~~
guy_c
An exchange could mitigate this attack by also monitoring the outflow by
'age'. Delaying any large withdrawal of 'new' coins.

* AGE: i mean, how recent was the deposit of any coins involved in any transaction. So if I send a large quantity of Bitcoin Gold to an exchange (they are marked as 'new'), then if I immediately exchange them to Ethereum, the Ethereum is now also considered 'new'. If I try to withdraw the Ethereum the exchange delays withdrawal.

------
loader
If this graph were true wouldn't we be seeing attacks all the time? If coins
could be exploited for just hundreds of dollars they'd be rendered useless
pretty quickly. This can't possibly be accurate.

~~~
ex_ex_nihilo
It is true and mostly accurate by some back of the napkin math I've done. What
stops people from doing 51% attacks is a few factors:

1) If you can pull off an attack for a few hundred bucks, it's probably on a
coin that will only net you a few hundred bucks. Remember, these coins are
thinly-traded altcoins, many of which only do a few hundred bucks worth of
volume on exchanges in the first place.

2) Once you pull off your attack and people realize what happened, the "free"
coins you get back will be worth shit because nobody will want that coin.

It's not as much of a free lunch as it might seem at first blush. I most
certainly possess the domain knowledge and skill to pull off a 51% attack, as
I have contributed code to Bitcoin and many other cryptocurrencies, written
open source mining software, etc. But I would need several million dollars in
starting capital to make the kind of money that would make me even consider
it. That time would be better spent hacking away on a project with the
potential to make me sustainable income, or a client project where I'm paid by
the hour.

~~~
slivym
On point 1 take for example Ubiq, it'll cost you say 10x the 1h rate or $4.7k,
and the 24 hour volume is 130k, that seems like a pretty good ratio to me. Or
Bytecoin - let's say 100x since it's harder to get the capacity - cost $50k,
24h volume - $18m.

On point 2 I thought the entire point was to double spend - so you have 1
einsteinium or whatever, you put it in the exchange, you use it to buy
bitcoin. You re-spend it at another exchange buying bitcoin. You got twice as
much bitcoin as you paid for. As long as you're out before it becomes obvious
what you've done you make profit.

------
koolba
Interesting that BCH and DOGE cost about the same but differ in market cap by
a factor of 40:

    
    
                       Market Cap ($M)   1h Attack Cost ($)
        Bitcoin Cash   $ 16,060               $62,356
        Dogecoin       $    380               $66,908

~~~
guy_c
DOGE uses merge mining with LTC -
[https://www.cryptocompare.com/mining/guides/what-is-
merged-m...](https://www.cryptocompare.com/mining/guides/what-is-merged-
mining-bitcoin-namecoin-litecoin-dogecoin/)

------
fru2013
Looks great, nice work, keep it up! One small improvement in my opinion would
be to make the columns sortable- especially the 1hr attack cost.

------
maxander
The cost and market cap estimates are probably both not good measures of how
things would work out in practice on that scale, but even so- it looks like
someone with a couple million dollars to invest could plausibly extract
several billion from BTC via a 51% attack. It would cost substantially more
than the estimate on here (since even non-NiceHash cloud GPU services probably
wouldn't fully cover the required hashpower), and require substantial
technical expertise, and decently-connected people would probably see it
coming at least days in advance due to the movements of GPUs and GPU-power
involved, and be pretty definitely illegal, and BTC's market value would be
crumbling underneath you as you tried to sell out... _but_ , the sheer
profitability of such a scheme should seriously worry people with a stake
(finanical or emotional) in BTC. A dollar bill sitting on the sidewalk doesn't
stay there long.

~~~
xur17
I go into more detail in this [0] comment, but it would be substantially more
expensive to pull off an attack if the hashing power was not available to rent
from NiceHash. The 'nicehash-able' column is meant to represent how much
hashing power is available - if it is > ~300%, an attack would be fairly do-
able from just renting hash power.

[0]
[https://news.ycombinator.com/item?id=17173265](https://news.ycombinator.com/item?id=17173265)

------
product50
Is this really accurate? So 51% attack on bitcoin is around 100btc? Given the
advantage of such an attack, won't more users want to do it? Also, won't
nation states easily come in on this and attack the integrity of these coins?

~~~
makomk
This isn't possible for larger coins like Bitcoin because it assumes you can
get a short-term rent of enough hardware to carry out the attack for exactly
the amount of time it takes to carry out at the NiceHash market rate. Most of
the Bitcoin mining hardware is not available for rent in this way and its
owners have a financial incentive not to allow this because it'll wipe out the
value of their hardware.

~~~
sorokod
_and its owners have a financial incentive not to allow this because it 'll
wipe out the value of their hardware._

Well they don't have to be on the receiving end of the attack. They can be,
you know, on the other end.

~~~
makomk
Sure, the owners of the mining hardware could be on the other end, but that
puts up the cost of the attack substantially - instead of depending on the
cost of renting an hour's mining time, it now depends on the total lifetime
value of the equipment used. There's also the rather large problem of how they
could convert enough double-spent Bitcoins to something else before the price
tanks; it'd have to be a very big heist to make the math work out.

~~~
AlexCoventry
Just tanking the price is enough, if you've sold enough bitcoin futures
beforehand. I suppose that would put you on the CFTC's radar, though.

------
qeternity
Bytecoin looks remarkably easy to attack. If we filter to currencies that can
easily be NiceHashed and have decent market caps, and then sort by
cost/mktcap, the top 5 look pretty juicy.

    
    
      Bytecoin	        BCN	$986,840,000.00	CryptoNight	164 MH/s	$637	219%
      Bitcoin Private	BTCP	$470,080,000.00	Equihash	12 MH/s		$1,280	922%
      Bitcoin Gold		BTG	$706,750,000.00	Equihash	29 MH/s		$3,120	378%
      MonaCoin	        MONA	$204,110,000.00	Lyra2REv2	2 TH/s		$3,218	436%
      Vertcoin	        VTC	$73,570,000.00	Lyra2REv2	697 GH/s	$954	1471%

------
xer
Wow nice works. I was working on the exact same project
[https://www.coinmarketattack.com/](https://www.coinmarketattack.com/)

------
std_throwaway
In order to get to 51% share you would need 104% of the current hashing rate.
Did you consider that?

~~~
xur17
This math is based on having 100% of the existing hash power (the network is
500H/s, you would need 500H/s) - in most cases you would probably purchase
enough to give yourself a decent buffer above the existing hashing power. The
numbers are meant as very rough estimates to give people a better idea of the
costs.

~~~
std_throwaway
OK, so by 51% you really mean at least 50%. Do you happen to have a background
in finance? It's quite unusual to say 51% in math/engineering.

~~~
paulgb
"51% attack" is the name of the attack, but you don't actually need 51% of the
hash-rate to do it, just 50% plus a small margin.

~~~
direction534
You dont need 50%. You can do it on 1% with luck.

~~~
std_throwaway
Is there a known probability curve?

With so many actors it could be very steep. Like 51% capacity has 99% chance
of success and 49% has 1% of success and 40% has practically zero chance
(these are made up numbers).

It could also be quite shallow as in 1% capacity gives you 1% of success...
that would actually be quite bad and invite malicious actors to test the
system with regular attacks.

~~~
im3w1l
It's a race of who can get to N blocks first. The higher N the "steeper" it
is. N is set by the merchant so as to balance security with quick transactions

------
cies
I'm curious were Cardano ADA would be on this list. It seems to be one of the
more thoughtful designs, and also a recent addition to the list of coins.

~~~
mythrwy
Cardano is POS so no NiceHashing.

(rather, it will be POS when full decentralization and staking are implemented
later this year, but it's not and never has been POW).

Agreed, it seems like a very thoughtful design and I'm excited about it.

------
bazza451
One coin I've seen is wrong is Komodo. It uses DPoW which is a completely
different type of security scheme
[https://wiki.komodoplatform.com/wiki/Delayed_Proof_of_Work_(...](https://wiki.komodoplatform.com/wiki/Delayed_Proof_of_Work_\(dPoW\))
even though the webpage says $593 to perform...it would be a lot more
difficult

------
daveguy
That is disturbingly easy. Of the top 20 currencies by market cap 10 of them
can be attacked with a NiceHash purchase. Representing over $2 billion in
market cap. Bytecoin is a higher market cap coin that is almost as vulnerable
as Bitcoin Gold. If a 51% attack also hits Ethereum classic (89%
purchaseable), there will be market chaos.

------
ttul
Loaded into a live-updating Google Sheet for convenience:
[https://docs.google.com/spreadsheets/d/18tqvZPXjnEVExlSaTcGu...](https://docs.google.com/spreadsheets/d/18tqvZPXjnEVExlSaTcGu5kilasQ4N1i0ekx0zmSwSiI/edit?usp=sharing)

~~~
xur17
Thanks - I'm happy to make a json endpoint or something as well if people
would find that useful.

~~~
AlexCoventry
Another handy aspect of the google doc is the ability to sort by other
columns. You might want to add that to the website, too.

------
ummjackson
Hey @xur17, I run arewedecentralizedyet.com - we should partner on adding this
metric. Really great work!!

~~~
xur17
Would love to - feel free to reach out, @xur17 on twitter, or my email is in
my profile.

------
nickpsecurity
I'd offer to buy the companies or groups controlling most of the mining power.
Even paying off individual executives to cut deals to lower the price. The
resulting buy would probably be way, way, way less than $100 billion for
Bitcoin. Hell, it might be less than a billion.

~~~
quickthrower2
Depends if you can make more from the attack than the mining co. will lose
from being out of operation (plus the BTC price crash that will follow).

------
nreilly
Does nicehash let you run custom mining software to make adjustments to how it
handles your transactions (permit double spend) or change the algorithm (like
the verge attack)?

Edit: or would the malicious code live in a mining pool that you direct the
nicehash hashing power to?

------
lixtra
Mayor players (exchanges, bitpay) could decide to just ignore the dominated
branch of the blockchain, by requiring that block n has hash h. This would
lead to a fork similar to etherium vs etherium classic.

Alternatively they could start not to accept the spoiled coins. If account a
double spends x, they track where the coin goes, let’s say b accepts y:=x-?
coin then a still has x-y spoiled coins and b now has y spoiled coins. Now you
just don’t accept transactions from accounts that have spoiled coins. Would
work with bitcoin. Also the government can come up with similar regulations to
crack down on bitcoin.

~~~
amenod
> If account a double spends x, they track where the coin goes, let’s say b
> accepts y:=x-? coin then a still has x-y spoiled coins and b now has y
> spoiled coins. Now you just don’t accept transactions from accounts that
> have spoiled coins.

That would be a perfect way to lock another user's account out of exchanges.
Care to give me your address? I'd like to send you some spoiled bitcoins I
have lying around... ;)

As for the government, you can be sure they are already tracking all of the
transactions. Bitcoin is far from anonymous - cash is a better alternative if
you need anonimity, and even that can be traced easily nowadays.

~~~
lixtra
Well, if you attack me like that I can always pass on the spoiled coins to a
newly created account. Once I got rid of the spoiled coins my account would be
clean again.

In a regalutory framework there could also be filter addresses that launder
your coins for a high price (99%).

------
pieguy
I don't think multi-algorithm is taken into account for multi-algorithm coins.
Several coins have multiple independent mining algorithms each with their own
difficulty, and need to be attacked simultaneously.

~~~
xur17
Yes, this is correct - I wasn't actually aware that there were multi-algorithm
coins, but I'm assuming there aren't very many. I will go through the list and
try to update this, but let me know if there are any that you know of that I
should update.

~~~
abecedarius
Does that explain why Myriad is such an outlier in this table?

------
osrec
It would be interesting to add the currency rewards the attackers would gain
from the hashing process. I bet the cost may be greatly reduced, and may even
make the operation profitable, without much illegality...

~~~
sjburt
Is it even illegal? And if it is, is obtaining recourse through the courts the
kind of thing that cryptocurrency users want to make a habit of?

~~~
hoschicz
Exactly. What law would I break by doing a 51 % attack?

~~~
lolc
The attack itself is legal. Sure you will cause some property damage if you
split and roll back an hour worth of transactions. People might try and bring
a civil suit against you. That would be interesting.

Of course, if you try to double-spend as part of the attack: it's fraud!

------
mike-cardwell
So you can perform a double spend attack on the largest crypto currency with a
market cap of $124 billion dollars for only $600 thousand?

For criminals who know what they're doing, this looks like a very juicy target
to me.

~~~
jldugger
Is it? Say you control 51 percent of the mining capacity. How do you profit
from it in such a way that you don't tank the value of the good you're
stealing?

~~~
empath75
Shorting it is the obvious way. You borrow a bunch of that currency, sell it,
then use the money to buy hashing power, and steal it back to cover your
shorts.

~~~
stale2002
You have to short it by billions and billions of dollars.

Bitmain, alone, made 3-4 billion dollars in PROFIT last year. And they don't
control even close to 51%.

Bitmain would have to make enough money off of a single attack so as to cover
all it's FUTURE profits.

And then it would also have to not be noticed.... Do you really think all
these exchanges would just suffer under an attack that loses them many
billions of dollars, without retaliating? No, they wouldn't. And then people
would end up in jail.

~~~
empath75
You short a small currency not bitcoin.

------
ninjakeyboard
Just curious - excuse my ignorance - wouldn't there be a high level of chance
involved in that you might actually win, that would cause the cost to rocket
way up for you to succeed in that double spend? Eg you'd have to keep trying
before you got a hash that would cause you to need to actually spend a lot
more.

This is for 1h of compute in the calculation so would you not actually need to
run for a very long time, and also be spending in each and every one of those
blocks?

Again sorry for my ignorance - hoping for some insight.

------
pietroglyph
It's important to note that this doesn't include block rewards, so these
attacks are all actually less expensive than shown.

------
captainbland
I guess what's amazing about this is that a 51% attack on Bitcoin could be
achieved by a relatively modestly sized company. More worrying I guess is the
prospect of somebody with a suitably powerful botnet attacking the network for
'free'.

~~~
lima
Even a massive botnet won't be able to attack the Bitcoin network. Unless it's
a botnet comprised of ASIC miners ;-)

------
whatsstolat
For the Bitcoin attack perhaps it is cheaper to open an asic factory + nuke
reactor.

------
127
It would be interesting to have some summary on different types of PoW
algorithms, which of them have the highest durability. Does for example memory
constrained PoW have an advantage over one that simply burns CPU cycles?

------
duxup
Crypto currencies seem to have this sort of ethos where nobody controls the
currency and that is great .... except for what seems like a baked in ability
for a single entity to do exactly that....

------
mythrwy
I'm pretty sure Sumokoin is wrong.

It doesn't use standard CryptoNight anymore but rather a custom "CryptoNight-
Heavy" that I don't think is even available on NiceHash.

------
angel_j
You will need > 2x that amount of money to begin with to profit, in order to
have enough coin to double spend, and cover for the cost of the privilege.

------
lucasp
You should add Decred to the list. It would be nice for people to see the
increased cost of a 51% attack for a hybrid PoW/PoS coin.

------
andr3w321
Does the cost of a 51% attack rise linearly with time? Is this right? Cost of
24h attack == 24 * (Cost of 1h attack)

------
timvdalen
That's surprisingly cheap for a lot of coins with a reasonable coin cap!

~~~
arisAlexis
yes becauze calcs are misleading. Ooh I will attack Dash tomorrow instead of
booking a flight to my home town

------
_31
Very interesting data. Are you planning on making it available via an API?

~~~
xur17
I should be able to add a json endpoint with all the data from the table if
that would be helpful.

~~~
_31
That would be great! I'm building a cryptocurrency app and this data would be
really useful.

------
thisisit
Nice collection, OP. Though the page is hypothetical it does show some
viability of the cost of 51% attack, something which many people deny as
uneconomical without proof.

But I am sure there will be people who will deny saying miners can refuse
mined blocks and create a branch. And others who will deny this by talking up
game theory mechanic of 51% attack - if someone does get 51% power then the
rational thing to do is to not harm the coin. This obviously doesn't hold true
for an irrational person.

And given the concerns raised for PoW for small coins, I can only say this -
"Those Who Do Not Learn History Are Doomed To Repeat It." Here's one of my
favorite stories from Nathaniel Popper's Digital Gold about a coin which was
very small back in the day called - Bitcoin:

 _Laszlo’s CPU had been winning, at most, one block of 50 Bitcoins each day,
of the approximately 140 blocks that were released daily. Once Laszlo got his
GPU card hooked in he began winning one or two blocks an hour, and
occasionally more. On May 17 he won twenty-eight blocks; these wins gave him
fourteen hundred new coins that day.

Satoshi knew someone would eventually spot this opportunity as Bitcoin became
more successful and was not surprised when Laszlo e-mailed him about his
project. But in responding to Laszlo, Satoshi was clearly torn. If one person
was taking all the coins, there would be less of an incentive for new people
to join in.

“I don’t mean to sound like a socialist,” Satoshi wrote back. “I don’t care if
wealth is concentrated, but for now, we get more growth by giving that money
to 100% of the people than giving it to 20%.”

As a result, Satoshi asked Laszlo to go easy with the “high powered hashing,”
the term coined to refer to the process of plugging an input into a hash
function and seeing what it spit out.

But Satoshi also recognized that having more computing power on the network
made the network stronger as long as the people with the power, like Laszlo,
wanted to see Bitcoin succeed.”_

------
arisAlexis
this isn't correct.proof: the ongoing war between btc and bch has people
holding millions in btc. they didn't even try to attack. you can't attach bch
with 70k or you would have attacks everyday forever from old btc holders.

------
DSingularity
Whoever wrote this must be totally oblivious. The hardware costs alone to
attack bitcoin are likely in the hundreds of millions. Beside that, think you
can rent that much hash power at the spot price is hilariously naive and
ignores the fact that this is a supply and demand driven market.

