Cryptocurrency Deals Can Always Be Erased, for a Price

(Bloomberg Opinion) -- Long before there was a Federal Reserve, banks settled accounts with each other by sending porters from bank to bank to exchange checks for bags of gold. Sometimes a porter would present a check only to find that the issuing bank had insufficient funds. Rumors of insolvency quickly spread and panic would ensue.

With a blockchain, everyone has their own copy of the database. Participants can verify account balances before accepting a payment, rendering bounced checks a thing of the past. But that’s not as easy as it sounds.

A fact of any distributed network is that information takes time to propagate. Cryptocurrencies rely on specialized machines called miners, which compete to arrange transactions into blocks. Each new block must broadcast to thousands of computers, and sometimes participants on two sides of the world will append a series of divergent updates before realizing the network has split.

This is called a fork. Usually the divergence is unintentional; multiple miners often generate new blocks at similar times. When a conflict is discovered, the “longer” chain is kept as the definitive history, and any blocks appended to the lesser fork are discarded as orphans.

Cryptocurrencies rely on the assumption that miners append information only to the most recent block, but a malicious miner might choose an earlier point and create an offshoot. Given enough computational power, the offshoot could eventually outpace the original chain, thereby rewriting the most recent history.

Invalid transactions can’t be created, but recent transactions can be erased to perform a chargeback. For example, a bad guy could create a Bitcoin payment to a Lamborghini dealership, which the seller could verify. Then the bad guy drives home and starts creating an alternative ledger history with the original account balance directed to a different address. If the prospective thief has more computational resources than all the other miners combined, he’ll eventually produce a longer chain that overrides the old one. The original transaction is orphaned, and the dealership ends up with no Lambo and no Bitcoin.

This is also called a 51-percent attack, because anyone can pull it off with at least 51 percent of the computational power of the network. It’s particularly problematic now that the bear market has left a glut of mining power up for grabs. A site called Crypto51 calculates just how much it will cost to rent the computational power to execute such a scheme and helpfully identifies which cryptocurrencies are particularly vulnerable to attack.

Last week, a series of attacks was carried out on the Ethereum Classic blockchain, and about $200,000 worth of transactions were revoked after being traded on multiple cryptocurrency exchanges. Previously, similar attacks were conducted using the cryptocurrencies Verge, Vertcoin, Monacoin and Bitcoin Gold. It even happened to the fictional PiedPiperCoin from the TV show “Silicon Valley.”

During the half-dozen financial panics between 1860 and 1907, major banks refused to accept deposit checks if the issuing bank was suspected to be insolvent. When the customers realized they could no longer write checks, they ran to the bank to withdraw all their cash.

It was once thought that a successful 51 percent attack would similarly undermine the integrity of a cryptocurrency. The purpose of a decentralized blockchain is immutability, and if it fails at its one job, merchants and exchanges would refuse to accept payments, participants would flee, and the network would collapse and die.

With the exception of PiedPiperCoin, all previously attacked cryptocurrencies are still chugging along.

Every cryptocurrency transaction is susceptible to a 51 percent attack, but every attack is avoidable. Even though transactions are never truly final, the more time that passes without a conflict, the lower the probability a given transaction will be orphaned.

It currently costs $300,000 an hour to commandeer enough computational power to attempt a rewrite of Bitcoin’s transaction history, and would take over eight hours to rewind a single block. That means the recipient of a $2 million transaction should wait over seven hours to deliver the goods. Once the transaction is buried deep enough in the blockchain, it becomes economically irrational to overwrite.

Attacks are easier on lesser-known blockchains: To become a majority miner on Ethereum Classic costs only about $4,000 an hour, and the honest blockchain could be outpaced in less than 15 minutes. Participants should either wait longer to confirm payment, or transact in smaller amounts.

Crypto anarchists tend to be economically rational. In a lawless economy, it’s practically guaranteed that any loophole will be egregiously exploited.

Banks solved the problem of indeterminate settlement by creating a clearinghouse with mandatory reserves and government bailouts. Financial institutions make people feel safe by hiding risk behind layers of complexity. Crypto brings risk front and center and brags about it on the internet. It’s a bit uncivilized, but for some participants, a world where risk is quantified and individual is preferable to one where it’s unknown and distributed.

When it comes to killing a blockchain, 51 percent is not nearly enough.

Block production is basically a competitive guessing game, and the more computational resources a miner has, the higher the probability of a correct guess. We can calculate the number of blocks it takes for a bad guy to generate twice as many correct guesses as a good guy using this equation from Bitcoin Core developer Jimmy Song: x = 1/(2p-1), where p is the percentage of total computational power a miner has. An attacker with 51 percent of the network resources will thus overtake the honest chain after about 50 blocks. Block times vary from one cryptocurrency to another: about 10 minutes per block for Bitcoin, and 15 seconds per block for Ethereum.
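The formula can be checked by simulating the block race as a biased coin flip per block. This is an added example, not code from the column or from Jimmy Song; the function names, the `lead` parameter (which extends the formula to a deficit of several blocks), and the trial count and seed are assumptions.

```python
import random
import statistics

def expected_blocks(p, lead=1):
    """Column's closed form x = 1/(2p-1), scaled to a lead of `lead` blocks."""
    if not 0.5 < p <= 1:
        raise ValueError("only defined for a majority miner (p > 0.5)")
    return lead / (2 * p - 1)

def simulate_race(p, lead=1, trials=20000, seed=1):
    """Each new block belongs to the attacker with probability p.
    Returns, per trial, the total blocks mined until the attacker's
    chain is `lead` blocks ahead of the honest chain."""
    expected_blocks(p, lead)   # validates p > 0.5; otherwise a race may never end
    rng = random.Random(seed)  # fixed seed: repeatable runs
    results = []
    for _ in range(trials):
        diff = blocks = 0
        while diff < lead:
            diff += 1 if rng.random() < p else -1
            blocks += 1
        results.append(blocks)
    return results

def hours(blocks, block_seconds):
    """Blocks to wall-clock hours, multiplying by block time as the column does."""
    return blocks * block_seconds / 3600

if __name__ == "__main__":
    for p in (0.51, 0.60, 0.75):
        runs = simulate_race(p)
        print(f"p={p:.2f} formula={expected_blocks(p):6.1f} "
              f"simulated mean={statistics.mean(runs):6.1f} "
              f"median={statistics.median(runs):.0f} "
              f"95th pct={sorted(runs)[int(0.95 * len(runs))]}")
    x = expected_blocks(0.51)
    print(f"51%: {hours(x, 600):.1f} h at 10 min/block, "
          f"{hours(x, 15) * 60:.1f} min at 15 s/block")
```

The simulated mean tracks the formula, but the median for a one-block lead is 1, because a majority miner wins the very next block more often than not. The 50-block figure is therefore an average over a long-tailed distribution, not a minimum safe waiting period.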

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

Elaine Ou is a Bloomberg Opinion columnist. She is a blockchain engineer at Global Financial Access in San Francisco. Previously she was a lecturer in the electrical and information engineering department at the University of Sydney.

©2019 Bloomberg L.P.