PoW Mining Risk Analysis and Countermeasures


Editor's note: This article is from Unitimes (ID: Uni-times), original link: https://blog.sia.tech/fundamentals-of-proof-of-work-beaa68093d2b, original author: David Vorick, translated by: Jhonny, Echo

2019 was the year of the 51% attack. Once a problem limited to cryptocurrencies of negligible value, cryptocurrencies with large reputations and market caps now find themselves falling victim to double-spend attacks, with exchanges bearing the brunt of the damage.

As attacks became more frequent and severe, exchanges began taking steps to protect themselves. At first, they simply required more transaction confirmations, but as the depth of the attacks grew from dozens of blocks to hundreds, the effectiveness of this strategy came into question.

Without drastic changes to the response strategy, we can expect losses to continue to mount, even to the point where exchanges can no longer absorb them. These 51% attacks succeed because the protocols of the attacked cryptocurrencies are fundamentally weak, so exchanges need to be extremely careful when choosing which cryptocurrencies to list.

Mining Game Theory and Threat Models

Many decentralized protocols make the assumption that at least 51% of the participants are honest. Bitcoin was successful because the protocol designers realized that this assumption does not apply to real-world decentralized protocols.

In the anonymous and unregulated Internet, participants are free as economic agents and generally face no repercussions for misbehaving. Rather than assuming that more than 51% of participants will participate honestly, Bitcoin assumes that more than 51% of participants will act in their own best interests.

The honest-majority threat model (assuming that at least 51% of participants follow the protocol) is much weaker. Instead of assuming that the majority of participants will act honestly in accordance with the protocol, Bitcoin's developers assume that participants will find ways to act against the Bitcoin protocol whenever doing so is profitable. While this assumption greatly limits the flexibility of protocol design, it has proven to be a key requirement for success on the open Internet.

Bitcoin developers are working hard to achieve incentive compatibility. If a protocol is incentive compatible, it means that the best decision made by each person from their own perspective is also the best decision for the entire group. When a protocol is incentive compatible, people can be completely selfish because these selfish actions will also benefit the entire group.

The game theory that keeps Bitcoin secure is complex and quite subtle. Many cryptocurrencies that have attempted to copy the design of the Bitcoin protocol have made modifications to the protocol that break the incentive compatibility that keeps Bitcoin secure. As a result, these cryptocurrencies are not secure, and the frequent occurrence of double-spending attacks is a clear indicator that something is wrong.

Although the designers of altcoins have broken incentive compatibility in various ways, the most threatening, judging from the recent double-spending attacks, is relying on shared hardware to secure the blockchain. When the same mining hardware can be used to mine multiple cryptocurrencies, the incentive compatibility that security depends on is gone.

There are two main categories of cryptocurrencies that use shared hardware. The first (and most prominent) category is ASIC-resistant cryptocurrencies. The goal of ASIC-resistant cryptocurrencies is to use shared hardware; their designers believe that doing so increases security, because the wider the range of mining hardware available, the lower the risk that hashrate becomes centralized (which can lead to a 51% attack).

The second type of cryptocurrencies that use shared hardware mining use ASICs to mine, but use the same mining algorithm as other cryptocurrencies. When multiple cryptocurrencies use the same PoW algorithm, the same mining hardware (even dedicated mining hardware) can attack any of these cryptocurrencies, thus, like the first type of ASIC-resistant cryptocurrencies, this type of cryptocurrency also breaks incentive compatibility.

How PoW Mining Has Changed Since 2017

Shared hardware has been a topic in the cryptocurrency space for years, but it wasn’t until recent high-profile 51% attacks (against ETC, etc.) that it became a really big issue.

To be honest, the reason for these recent attacks is simply that the industry has become more sophisticated. There are better tools, smarter attackers, and generally more and better infrastructure. While this infrastructure largely benefits honest actors, it also benefits attackers and makes it easier for sophisticated attackers to attack unsecured cryptocurrencies.

Below, we’ll explore some of the developments that are important to 51% attacks, but even without these specific developments, I think 51% attacks on shared hardware cryptocurrencies would have occurred in a high-profile manner regardless. Sharing mining hardware is fundamentally an insecure way to protect a blockchain from double-spend attacks.

Hash power market

One of the key developments that contributed to the recent attacks is the maturation of hashrate marketplaces. For cryptocurrencies that share mining hardware, knowing which cryptocurrency is most profitable to mine at which moment requires sophistication. Hashrate marketplaces allow mining hardware owners to rent out their hardware to more sophisticated miners, increasing profits for all participants in the hashrate marketplace.

A side effect of the hashrate market is that attackers can have a large amount of hardware, and when they want to launch an attack, they can temporarily and quickly use the aggregated hashrate of this hardware.

Before the advent of hashrate markets, an attack on a cryptocurrency protected by 100,000 GPUs would require the attacker to own 100,000 GPUs themselves. An attack of this magnitude would cost tens of millions of dollars to launch, which meant that cryptocurrencies mined by large numbers of GPUs were generally safe.

After the emergence of hashrate markets, the same 100,000 GPU mining equipment can be rented for only tens of thousands of dollars for a few hours. The emergence of hashrate markets has reduced the security of cryptocurrencies using shared mining hardware by several levels.

Going forward, we can only foresee that the hashrate market for shared mining hardware will continue to expand, as everyone who participates in the hashrate market benefits from it - the hashrate market makes mining more efficient.

These hashrate markets don't make much sense for cryptocurrencies that use specialized mining hardware (ASICs). The benefit of hashrate markets is that they help hardware owners not have to worry about deciding which coin to mine to make the most money. On cryptocurrencies that use specialized mining hardware, there is only one coin that can be mined, so there is not much benefit for hardware owners to join such a specialized mining hardware hashrate market.

There is another key game-theoretic element to hashrate markets. When miners provide shared hardware to a hashrate market, there is a chance that the hardware will be abused to launch attacks. However, the operator of shared mining hardware does not care whether the hardware is used to launch attacks: the attacker (given the sudden need) may pay only a small fee for it, and even if a cryptocurrency using the shared hardware suffers a large attack, the shared hardware does not depreciate, because there are many other cryptocurrencies it can mine.

In contrast, dedicated mining hardware only derives value from mining a specific cryptocurrency. Providing dedicated mining hardware to an attacker is riskier because a successful attack will have a direct negative impact on the value of the dedicated mining hardware used in the attack. All dedicated mining hardware providers who join the hashrate market risk losing their only source of income due to a successful attack. Therefore, they will not participate in a hashrate market that weakens the security barriers of the cryptocurrency.

Large mining farm

The emergence of large mining farms has also greatly reduced the security of cryptocurrencies mined using shared hardware. Many large mining farms have more than 10,000 GPU mining rigs, and many have more than 100,000 GPU mining rigs. The largest mining farm has more than 500,000 GPU mining rigs.

From a security perspective, this means that the largest mining farm alone can launch a 51% attack and bring down any cryptocurrency whose total hashrate is less than that of 500,000 GPU mining rigs. Cryptocurrencies mined with fewer than 100,000 GPUs can be brought down not only by the largest mining farm but by many farms, each capable of launching a 51% attack and double spend on its own. Cryptocurrencies mined with fewer than 10,000 GPUs have a total hashrate so small that they can be attacked easily.

Most GPU mining farms are purely profit-driven and have absorbed hardly any of the ideology of the cryptocurrency field. For such farms, whatever makes the most money is the right way to operate, even if it harms the wider ecosystem; they simply don't care.

Dedicated mining hardware solves this problem in two ways. First, for a cryptocurrency that uses dedicated mining hardware, there is essentially only one mining farm that can launch a 51% attack. While this is not pleasant, it means that such a cryptocurrency has a single entity it must trust. This is in stark contrast to the vast majority of ASIC-resistant cryptocurrencies, which can be attacked by any of several different mining farms at any time.

A more important advantage of specialized mining hardware is the incentive alignment effect it brings. For profit-maximizing mining farms, it is usually impossible to make a profit by launching an attack on a cryptocurrency that is mined using specialized mining hardware, because the attack will reduce the profit that the farm's specialized hardware can earn. Even if a mining farm that uses specialized mining hardware has enough computing power to launch a 51% attack, the farm will not launch an attack because the total value of the farm's specialized mining hardware is greater than the value that the farm can steal from the attack.

Larger attacker budgets and more sophisticated attackers

One major difference between the cryptocurrency space in 2019 and 2017 is that the overall value of the crypto space is higher in 2019, attack theories are better understood, and there are more sophisticated experts.

In 2017, not many people knew about the vulnerabilities mentioned above in cryptocurrencies. In addition, the value of major cryptocurrencies was not very high, which means that even if someone knew how to launch an attack, the profit they could make from launching an attack was not high.

In 2019, more people understand how cryptocurrencies work, and more people know how to attack cryptocurrencies with major flaws. In addition, the potential rewards for launching an attack are higher now, which means that a large number of people who can launch an attack are waiting for an opportunity to launch an attack. The increase in rewards also means that attackers are willing to invest more time, money, and resources to launch an attack.

This trend will continue. Today, we see 51% attacks happening because they are the most profitable thing to do for the least effort (the most cost-effective attack). However, many of today's mainstream Dapps (decentralized applications) have major weaknesses, and as these Dapps become more valuable and attackers become more sophisticated, these weaknesses will be exploited more and more often. In particular, I am concerned about most cryptocurrency projects involving new consensus algorithms, on-chain governance, oracles, stablecoins, prediction markets, etc. Often, the core concept of these projects will hold up, but the specific design and implementation may be broken. Currently, many high-profile projects deployed in the cryptocurrency space have not been fully audited and may have major, actively exploitable security vulnerabilities.

Bear Market for Mining Hardware

A bear market in mining hardware has a negative impact on cryptocurrencies mined with shared hardware and on those mined with dedicated hardware alike. If the value of mining hardware drops to the point where mining is no longer profitable, it becomes very cheap for attackers to acquire that hardware.

The recent bear market in cryptocurrencies has significantly reduced the value of mining hardware, which means there is less total active computing power to secure cryptocurrencies, and also means that hardware resources have become cheaper for attackers to rent or buy.

The GPU market is experiencing a second shock: ASIC mining equipment has now appeared for both ETH and Zcash. These two cryptocurrencies previously consumed most of the GPU mining hashrate; that hashrate is slowly being driven out of the market by ASIC equipment, which greatly reduces the cost of renting GPU equipment to launch attacks on low-market-cap cryptocurrencies.

As ASIC hardware slowly infiltrates the market for high-value cryptocurrencies powered by GPU hardware, we can expect this impact to intensify, and 51% attacks to become more common and cheaper. Even with the emergence of new ASIC-resistant cryptocurrencies, I don’t see this trend reversing.

Bitcoin is also being hit by the bear market in mining hardware. It is estimated that bankrupt mining farms are selling off a third of Bitcoin’s total hashrate at low prices. Currently, the price of S9 mining machines is far below their manufacturing cost. Although this does not pose a security problem for Bitcoin at present, it is likely to become a real problem if the price drops another 2-4 times.

The mining hardware manufacturers themselves have been hit hard by the bear market. It is estimated that Bitmain, Innosilicon, TSMC, and even Samsung have been hit hard by the sudden drop in mining hardware prices, so it is unlikely that we will see an overproduction of mining equipment in the future - people have understood that the risk of mass production is very high. Bitcoin is so large that companies are unwilling to take such high risks. I speculate that this is the most severe hardware bear market Bitcoin has ever experienced.

However, other cryptocurrencies that use specialized mining hardware are not as large as Bitcoin. Manufacturers of specialized mining hardware may be more willing to take the risk of overproduction, but may face a bear market due to a sudden drop in cryptocurrency prices or other turbulence.

Impact of Block Rewards

Since mining hardware is very expensive to purchase and operate, the security of a cryptocurrency against double-spending attacks depends largely on the size of its block reward.

The level of protection a cryptocurrency can have is directly proportional to the amount of mining hardware protecting it. If the block reward is too small, a large amount of mining hardware will no longer mine the cryptocurrency, and the cryptocurrency will no longer have the same level of security.

In general, when we think about security, we need to consider how much it costs to launch a 51% attack. If the total value of mining equipment for a certain cryptocurrency is $1 million, then we can expect that any transaction over $1 million is very vulnerable to a 51% attack, because the counterparty of the transaction only needs to spend $1 million to buy or manufacture enough mining hardware to launch a double-spending attack.

It is not easy to estimate the total value of mining equipment for a particular cryptocurrency, nor is it easy to estimate the cost of manufacturing enough new hardware to launch a 51% attack. But generally speaking, this number should be between 6 and 24 months of the total block rewards for a particular cryptocurrency. Open competition for mining hardware usually ensures that this number is within this range.

This estimate helps us set the maximum safe transaction value for a cryptocurrency. However, before setting this value, we need to talk about the term "double spend". The fact is that a double spend can also be a triple spend or a quadruple spend, or however many times an attacker manages to spend the same funds. A single double-spend attack can be carried out against a dozen different exchanges at the same time. Therefore, when considering security against double-spend attacks, it is not enough to consider a single transaction's value; we also need to consider other attacks that may be happening at the same time.

Each cryptocurrency has its own practical transaction value cap, which is determined by many factors, not just the block reward. But from past experience: if a transaction in a cryptocurrency mined with dedicated hardware is worth more than one month of the chain's block rewards, you need to be vigilant; and if a cryptocurrency is mined on an existing large hashrate market and a transaction is worth more than one hour of total block rewards, you also need to pay attention.
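The following is an added example, not code from the original article, that turns the two rules of thumb above (hardware value of 6 to 24 months of block rewards; vigilance at one month of rewards for dedicated-hardware coins and one hour for shared-hardware coins) into a small exposure check an exchange could run against its unconfirmed deposits. The two coin profiles and all their parameters are constructed.

```python
"""Rule-of-thumb valuation of a PoW chain's mining hardware from its block
reward, plus the transaction-value thresholds at which an exchange should
become vigilant. Added example; the two coin profiles are constructed."""

from dataclasses import dataclass
from typing import Tuple

MONTH_SECONDS = 30 * 24 * 3600
HOUR_SECONDS = 3600


@dataclass(frozen=True)
class Chain:
    name: str
    block_reward: float        # coins paid per block (subsidy plus typical fees)
    block_interval_s: float    # target seconds between blocks
    price_usd: float           # current coin price in USD
    dedicated_hardware: bool   # True when mined by coin-specific ASICs


def reward_per_second_usd(chain: Chain) -> float:
    """USD of block reward the chain issues per second at the current price."""
    return chain.block_reward * chain.price_usd / chain.block_interval_s


def hardware_value_range_usd(chain: Chain) -> Tuple[float, float]:
    """Heuristic from the article: the total value of hardware securing a chain
    (roughly the cost of building enough new hardware to attack it) lies
    between 6 and 24 months of block rewards."""
    per_month = reward_per_second_usd(chain) * MONTH_SECONDS
    return 6 * per_month, 24 * per_month


def vigilance_threshold_usd(chain: Chain) -> float:
    """Value above which the article says to be vigilant: one month of block
    rewards for dedicated-hardware coins, one hour for coins whose hardware is
    available on a shared hashrate market."""
    window = MONTH_SECONDS if chain.dedicated_hardware else HOUR_SECONDS
    return reward_per_second_usd(chain) * window


def assess(chain: Chain, exposure_usd: float) -> str:
    """Classify an exchange's exposure. exposure_usd is the total value of
    unconfirmed inbound deposits in this coin across the whole platform, not a
    single transaction, because one double spend can hit many counterparties
    at once."""
    low, _high = hardware_value_range_usd(chain)
    if exposure_usd > low:
        return "critical"   # exposure exceeds even the low hardware-value estimate
    if exposure_usd > vigilance_threshold_usd(chain):
        return "vigilant"
    return "normal"


# Constructed profiles (not real coins): a large ASIC-mined chain and a small
# GPU-mined chain whose hashrate can be rented.
ASIC_COIN = Chain("asic-coin", block_reward=12.5, block_interval_s=600,
                  price_usd=4000.0, dedicated_hardware=True)
GPU_COIN = Chain("gpu-coin", block_reward=2.0, block_interval_s=15,
                 price_usd=5.0, dedicated_hardware=False)

if __name__ == "__main__":
    for coin in (ASIC_COIN, GPU_COIN):
        low, high = hardware_value_range_usd(coin)
        print(f"{coin.name}: hardware worth ${low:,.0f} to ${high:,.0f}, "
              f"vigilance threshold ${vigilance_threshold_usd(coin):,.0f}")
    print(assess(GPU_COIN, exposure_usd=5_000))
```

The point of passing the platform-wide unconfirmed total rather than one deposit is the multi-exchange double spend described above: the same attack chain reverses every deposit it contains, so the exposure that matters is the sum.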

Cryptocurrency shorting

Crypto short selling is essentially a loan. When you short a cryptocurrency, you are essentially taking a loan (and selling it at the current market price) and you agree to return an equal amount of coins in the future (usually with a little interest). Typically, when someone shorts a crypto, they sell the coins instantly and then hope that the price drops so that they can buy them back at a lower price and return the previously borrowed coins, making a profit in the process.

There are two requirements for short selling a cryptocurrency: someone who wants to short it (borrow the coins), and someone willing to lend them. With cryptocurrencies there is an important tension between borrower and lender: the borrower could use the loan to launch an attack on the cryptocurrency and cause its price to crash. This could be a double-spend attack, or simply a denial-of-service attack in which the attacker only ever mines empty blocks. Or, depending on the cryptocurrency, they could carry out other, more advanced attacks they have planned.

I raise this issue for two reasons: The first is to warn exchanges and market participants against the crypto short-selling market. If you are providing crypto loans, you are providing funds to attackers who will devalue the assets you hope to recover. Providing crypto short-selling loans is much riskier than providing short-selling loans for traditional markets.

Another reason is that a large short market can increase risk for other parties, depending on the security of the cryptocurrency. If a cryptocurrency has a large short market, potential attackers have a source of large amounts of funds to launch an attack without having to return a large amount of funds if the attack is successful. Therefore, exchanges and other users should be particularly vigilant and avoid holding cryptocurrencies with large short markets.

Limitations of increasing transaction confirmation time

When a blockchain network is experiencing turmoil (i.e., when it is attacked), a common reaction is to increase the time it takes for transactions to be confirmed. In many cases, this is good advice: sometimes, increasing the time it takes for a transaction to be confirmed helps to avoid certain types of risks. However, sometimes increasing the time it takes to be confirmed does nothing at all and does not provide any additional real protection for the transaction.

One area where increasing transaction confirmation times is most useful is when there is unrest in the peer-to-peer network. If for some reason blocks are propagating too slowly, or if the blockchain network is split into two networks, or if some peers try to prevent certain blocks from being propagated or launch a routing layer attack, increasing confirmation times will be very useful in these situations. For example, changing the confirmation time from 60 minutes to 24 hours will mean that the longest chain will have more time to propagate, more time to repair the network split, or more time to resolve a routing layer attack.

Another situation where increasing transaction confirmation time is very useful is when there is selfish mining (a form of attack on the Bitcoin network) or when there is a single miner controlling close to 50% of the hashrate. When there is a lot of selfish mining in the network, or for some reason a large mining farm or mining pool mines in an unusual way or generates invalid blocks, the likelihood of a large reorganization of the blockchain will increase greatly. You may see up to a dozen blocks being reorganized at the beginning, instead of the 2-3 blocks that you usually see. However, since there is no 51% attack, it is unlikely that we will see more than a few dozen blocks being reorganized. The network will generally still move in the same direction.

For actual 51% hashrate attacks, increasing confirmation times tends to have a much smaller impact. Extending confirmation times from 60 minutes to 6 hours will increase the time an attacker has to borrow hashrate, or increase the time it takes a mining farm to attack, although this only applies to cryptocurrencies that are highly vulnerable to attack.

The important thing to remember is that when a cryptocurrency is 51% attacked, the attacker receives all of the block rewards for the blocks they mine. If the price of the cryptocurrency drops only slightly after the 51% attack, the attacker will actually receive enough in return to fully offset the cost of launching the attack.

This is one of the key reasons why increasing transaction confirmation times is not very useful for cryptocurrencies that are mined with small GPUs. An attacker might only need to rent a few hours of computing power from the market to mine a week's worth of blocks, especially if the cryptocurrency being attacked has a small market cap or a small block reward.
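As an added example, not from the original article, the following models the attacker economics behind the argument above: each extra block the attacker must mine costs more rental time but also earns a block reward, so the net cost of a rented-hashrate attack grows only with the per-block margin, and when the reward covers the rental there is no confirmation depth that makes the attack unprofitable. All figures are constructed parameters, and the model assumes the attacker rents roughly as much hashrate as the honest network so the attack chain advances at about the normal block interval.

```python
"""Attack-cost model for rented hashrate versus confirmation depth. Added
example with constructed parameters; the assumption that the attack chain
advances at the normal block interval is a simplification."""

import math
from typing import Optional


def blocks_to_rewrite(confirmation_depth: int) -> int:
    """The attack chain must overtake the honest chain, so it needs one more
    block than the number of confirmations the exchange waited for."""
    return confirmation_depth + 1


def attack_net_cost_usd(confirmation_depth: int, block_interval_s: float,
                        rental_usd_per_hour: float, block_reward: float,
                        price_after_usd: float) -> float:
    """Rental bill minus block rewards earned on the attack chain, with the
    rewards valued at the post-attack price."""
    blocks = blocks_to_rewrite(confirmation_depth)
    rental = blocks * block_interval_s * rental_usd_per_hour / 3600
    rewards = blocks * block_reward * price_after_usd
    return rental - rewards


def confirmations_to_deter(stolen_usd: float, block_interval_s: float,
                           rental_usd_per_hour: float, block_reward: float,
                           price_after_usd: float) -> Optional[int]:
    """Smallest confirmation depth at which the attack's net cost reaches the
    amount stolen. Returns None when the block reward covers the rental, the
    case the article describes: then no confirmation depth helps at all."""
    margin_per_block = (block_interval_s * rental_usd_per_hour / 3600
                        - block_reward * price_after_usd)
    if margin_per_block <= 0:
        return None
    blocks = math.ceil(stolen_usd / margin_per_block)
    return max(blocks - 1, 0)


if __name__ == "__main__":
    # Constructed GPU-mined coin: 15 s blocks, 2 coins per block, rental of
    # enough hashrate costs $2,000/h.
    for depth in (6, 240, 5760):   # ~1.5 min, 1 h, 24 h of confirmations
        print(depth, attack_net_cost_usd(depth, 15, 2000, 2.0, 5.0))
    print(confirmations_to_deter(50_000, 15, 2000, 2.0, 5.0))   # None
    print(confirmations_to_deter(50_000, 15, 2000, 2.0, 3.0))   # 21428
```

With the constructed numbers the net cost is negative at every depth while the coin holds its price, and even after a 40% price drop the deterrent depth is around 21,000 blocks (nearly four days), which illustrates why the article treats shared-hardware coins as a listing decision rather than a confirmation-count decision.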

Limitations of address blacklists

Previously, one of the ways to combat attackers was through emergency blacklists applied by exchanges. When an attacker performs a double spend attack, they must extract the funds somehow. This usually involves transferring funds from one exchange to another and then initiating a trade on those funds.

In the past, exchanges have tried to stop theft or double spending by blacklisting any addresses suspected of participating in a double spend attack - exchanges would pass the addresses of the offending accounts to each other, and then the exchanges would band together to recover the funds.

While this approach can be effective at times, attackers are increasingly able to circumvent it: by using privacy-preserving cryptocurrencies, by delaying the actual double spend until the stolen coins have been spread across a wider range of wallets, or by withdrawing through decentralized exchanges rather than traditional centralized ones. As attackers become more sophisticated, address blacklisting becomes less and less effective.

This does not mean that exchanges should stop using address blacklists. It is a great technique that has successfully recovered a large amount of stolen funds. However, exchanges should not rely solely on address blacklists to recover funds in the event of an attack, as many times address blacklists will not be able to recover stolen funds.

Tips for reducing risk

While the situation is dire, especially for traditional centralized exchanges, there are steps that can at least temporarily mitigate the risk to the major cryptocurrencies that use PoW mining. These mitigations may eventually be circumvented by sufficiently sophisticated attackers, and they will become ineffective as decentralized exchanges and decentralized hashrate markets mature.

The only established long-term solution is for every cryptocurrency to switch to specialized hardware: each cryptocurrency using an ASIC-friendly mining algorithm, and each using a different one.

Tracking the availability of mining hardware worldwide

One way exchanges can manage risk is to keep a close eye on the availability of mining hardware for each cryptocurrency worldwide. The percentage of active mining hardware mining a particular cryptocurrency is a good indicator of the security of that cryptocurrency.

The only things you need to be careful about with cryptocurrencies that are mined using specialized mining hardware are low block rewards and periods of bear market for mining hardware.

For example, if mining a particular cryptocurrency is no longer profitable for most of the hardware that targets it, then the cost of attacking that cryptocurrency is likely to be very low, because the hardware can be bought quite cheaply. In all other cases, cryptocurrencies mined with specialized hardware should be resistant to hashrate attacks.

The key thing to note about cryptocurrencies that use the same mining algorithm and are mined using ASICs or other highly specialized hardware is what percentage of the hashrate these cryptocurrencies account for.

For cryptocurrencies whose hashrate is more than 70% of all the professional mining hardware on their algorithm, there is not much to worry about. For cryptocurrencies whose hashrate is only 10%-70% of the total hashrate of all professional hardware on that algorithm, it is prudent to require a transaction confirmation time of no less than 24 hours. Even at 70% of the hashrate, there is still a possibility that a large mining farm will launch an attack and successfully double spend; a 24-hour confirmation time makes such attacks less feasible.

For cryptocurrencies that use the same mining algorithm but have less than 10% of the total hashrate of all professional mining hardware, then this cryptocurrency is very unsafe. Of course, the decision to deposit or withdraw this cryptocurrency always depends on the risk tolerance of the exchange and other factors, but my advice is to stop depositing and withdrawing this cryptocurrency until the hashing algorithm of this cryptocurrency becomes more secure.

For cryptocurrencies mined with GPU hardware, risk management requires understanding the current distribution of the hashrate market and the state of the large mining farms in operation.

While I haven’t spent a lot of time researching exact values, I estimate that there is currently between $100 million and $250 million worth of GPU mining equipment in the global hashrate market. This number is critical to determining whether a cryptocurrency is likely to be 51% attacked. While this number alone is not sufficient, there are strong reports that some large mining farms have been involved in 51% attacks on smaller cryptocurrencies. In particular, one mining farm with between $10 million and $100 million worth of GPU mining equipment appears to have attempted a hashrate attack.

Given the above, my current recommendation is that GPU-mined cryptocurrencies with between $5 million and $250 million worth of GPU equipment mining them should have 24-hour transaction confirmation times, and that exchanges should refuse to hold any cryptocurrency below that threshold at all.
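The following is an added example, not from the original article, that encodes the listing thresholds given above (the 70% and 10% hashrate-share bands for coins sharing an ASIC algorithm, and the $5 million GPU-hardware floor) as a policy function an exchange's listing team could run against its own hashrate data. The coin profiles are constructed. Two outcomes are my own assumptions rather than the article's rules: a dedicated-hardware coin in a hardware bear market is routed to manual review (the article says attacks are then cheap but gives no numeric rule), and a GPU value above the article's $250 million estimate of the whole GPU market is also routed to review, since such a figure suggests bad input data.

```python
"""Exchange listing policy encoding the article's thresholds. Added example;
coin profiles are constructed, and the two 'review' outcomes are assumptions
noted in the comments."""

from dataclasses import dataclass
from typing import Optional

GLOBAL_GPU_MARKET_USD = 250_000_000   # upper end of the article's estimate


@dataclass(frozen=True)
class CoinProfile:
    name: str
    hardware: str                            # "dedicated", "shared_asic" or "gpu"
    algorithm_share: Optional[float] = None  # fraction of all hashrate on this algorithm
    gpu_value_usd: Optional[float] = None    # USD value of GPU rigs mining the coin
    mining_profitable: bool = True           # False during a hardware bear market


@dataclass(frozen=True)
class Policy:
    action: str                          # "allow", "allow_24h", "suspend" or "review"
    confirmation_hours: Optional[int]    # None means the exchange's normal setting
    reason: str


def listing_policy(coin: CoinProfile) -> Policy:
    """Map a coin's hashrate profile to a deposit/withdrawal policy."""
    if coin.hardware == "dedicated":
        if not coin.mining_profitable:
            # Assumption: the article only says attacks become cheap here.
            return Policy("review", None, "dedicated hardware unprofitable, cheap to acquire")
        return Policy("allow", None, "coin-specific hardware; hashrate cannot be rented")

    if coin.hardware == "shared_asic":
        if coin.algorithm_share is None:
            raise ValueError(f"{coin.name}: algorithm_share required for shared_asic")
        share = coin.algorithm_share
        if share > 0.70:
            return Policy("allow", None, "majority of the algorithm's hashrate")
        if share >= 0.10:
            return Policy("allow_24h", 24, "10%-70% of the algorithm's hashrate")
        return Policy("suspend", None, "under 10% of the algorithm's hashrate")

    if coin.hardware == "gpu":
        if coin.gpu_value_usd is None:
            raise ValueError(f"{coin.name}: gpu_value_usd required for gpu")
        value = coin.gpu_value_usd
        if value > GLOBAL_GPU_MARKET_USD:
            # Assumption: exceeds the whole estimated GPU market, so the data is suspect.
            return Policy("review", None, "GPU value exceeds estimated global market")
        if value >= 5_000_000:
            return Policy("allow_24h", 24, "$5M-$250M of GPU hardware; rentable hashrate")
        return Policy("suspend", None, "under $5M of GPU hardware")

    raise ValueError(f"{coin.name}: unknown hardware class {coin.hardware!r}")


# Constructed profiles, not real coins.
COINS = [
    CoinProfile("big-asic", "dedicated"),
    CoinProfile("stale-asic", "dedicated", mining_profitable=False),
    CoinProfile("algo-leader", "shared_asic", algorithm_share=0.85),
    CoinProfile("algo-second", "shared_asic", algorithm_share=0.25),
    CoinProfile("algo-minnow", "shared_asic", algorithm_share=0.03),
    CoinProfile("gpu-mid", "gpu", gpu_value_usd=40_000_000),
    CoinProfile("gpu-tiny", "gpu", gpu_value_usd=800_000),
]

if __name__ == "__main__":
    for coin in COINS:
        p = listing_policy(coin)
        print(f"{coin.name:12s} {p.action:10s} {p.confirmation_hours!s:5s} {p.reason}")
```

The profiles are inputs to refresh regularly, since the article's point is that the right band for a given coin changes as farms and hashrate markets change.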

As the ecosystem evolves and the market for large mining farms and hashrate changes, the analysis of cryptocurrencies of different sizes and using different algorithms will also change accordingly. Exchanges that can keep up with these changes will often be able to conduct more accurate analysis and be better able to make the best business decisions.

Build relationships with mining farms and computing power markets

Exchanges can mitigate some of this risk by building relationships with large mining farms and significant hashrate markets.

The hashrate market has been the source of most attacks. Centralized hashrate markets can limit the amount of hashrate that can be rented out at any time, and can even perform KYC (know your customer) operations for anyone trying to buy a large amount of hashrate.

By establishing a relationship with a hashrate market, an exchange can at least be warned when a large amount of hashrate is suddenly directed at a particular cryptocurrency that may be vulnerable to a 51% attack.

But a very sophisticated attacker might be able to circumvent these controls using methods such as Sybil attacks. Of course, the more control a centralized market has, the more users will turn to decentralized solutions where there is no centralized control. Therefore, these controls are at best a temporary solution, albeit a temporary solution that might buy enough time for some cryptocurrencies to find a better solution.

Establishing relationships with many of the largest mining farms could also be very beneficial. If nothing else, these relationships could provide a deeper understanding of the current state of mining for various cryptocurrencies, giving exchanges a clearer idea of which cryptocurrencies are more or less vulnerable to attacks. In terms of risk mitigation, I think these relationships could be much more beneficial than expected.

Automatically suspend transactions & blacklist addresses

When a large reorganization is detected for a cryptocurrency, trading in that cryptocurrency should be automatically stopped, and if a double spend is detected, the addresses involved should be automatically blacklisted. This should be implemented on as many exchanges as possible, not just those affected by the double spend attack.

Although it is too late to suspend trading immediately after the funds have been stolen, this approach does greatly reduce the ways in which the attacker can deal with the stolen funds. At the same time, attackers can usually predict the price changes after the attack and resist such price changes by making large transactions. If the transaction is frozen, the potential attacker’s profit source will be reduced.

Blacklisting addresses can have a similar effect: it also reduces the number of ways an attacker can deal with stolen funds, which increases the chances of recovering them.
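As an added example, not from the original article, here is a minimal reorg monitor of the kind the automatic response above requires: it follows the block feed from the exchange's own node, measures how deep each reorganization goes, halts trading when the depth crosses a threshold, and marks a credited deposit as reversed (and blacklists the addresses the coins went to instead) when a transaction on the abandoned branch is replaced by one spending the same inputs on the new branch. The block feed, transaction ids and addresses are all constructed.

```python
"""Reorg depth monitor with automatic trading halt and double-spend address
blacklisting. Added example; block feed and identifiers are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[str, ...]    # outpoints consumed, e.g. "cb0:0"
    outputs: Tuple[str, ...]   # addresses paid


@dataclass(frozen=True)
class Block:
    hash: str
    parent: str
    height: int
    txs: Tuple[Tx, ...]


class ReorgMonitor:
    """Tracks the best tip seen on the node feed and reacts to reorgs."""

    def __init__(self, halt_depth: int):
        self.halt_depth = halt_depth
        self.blocks: Dict[str, Block] = {}
        self.tip: Optional[Block] = None
        self.trading_halted = False
        self.blacklist: Set[str] = set()      # addresses funded by the conflicting tx
        self.reversed_txids: Set[str] = set() # deposits to debit from user balances
        self.max_reorg_depth = 0

    def _chain(self, tip: Block) -> List[Block]:
        """Walk parents back as far as we have blocks stored."""
        chain: List[Block] = []
        cur: Optional[Block] = tip
        while cur is not None:
            chain.append(cur)
            cur = self.blocks.get(cur.parent)
        return chain

    def add_block(self, block: Block) -> None:
        self.blocks[block.hash] = block
        if self.tip is None:
            self.tip = block
            return
        if block.height <= self.tip.height:
            return   # competing or stale block; stored, but not the best tip
        old_tip, self.tip = self.tip, block
        if block.parent != old_tip.hash:
            self._on_reorg(old_tip, block)

    def _on_reorg(self, old_tip: Block, new_tip: Block) -> None:
        new_chain = self._chain(new_tip)
        new_hashes = {b.hash for b in new_chain}
        orphaned: List[Block] = []
        for b in self._chain(old_tip):
            if b.hash in new_hashes:
                break    # common ancestor reached
            orphaned.append(b)
        depth = len(orphaned)
        self.max_reorg_depth = max(self.max_reorg_depth, depth)
        if depth >= self.halt_depth:
            self.trading_halted = True
        # Outpoints spent on the new branch, and by which transaction.
        spent_in_new: Dict[str, Tx] = {}
        for b in new_chain:
            for tx in b.txs:
                for outpoint in tx.inputs:
                    spent_in_new[outpoint] = tx
        # A deposit on the abandoned branch whose input is spent by a
        # different transaction on the new branch has been double spent.
        for b in orphaned:
            for tx in b.txs:
                for outpoint in tx.inputs:
                    rival = spent_in_new.get(outpoint)
                    if rival is not None and rival.txid != tx.txid:
                        self.reversed_txids.add(tx.txid)
                        self.blacklist.update(rival.outputs)


def run_demo() -> ReorgMonitor:
    """Constructed scenario: a deposit confirmed three blocks deep is undone
    by a four-block private branch that spends the same coins elsewhere."""
    cb = lambda n: Tx(f"cb{n}", (), ("miner",))   # coinbase placeholder
    m = ReorgMonitor(halt_depth=3)
    m.add_block(Block("g", "", 0, (cb(0),)))
    m.add_block(Block("a1", "g", 1, (cb(1), Tx("dep", ("cb0:0",), ("exchange_hot",)))))
    m.add_block(Block("a2", "a1", 2, (cb(2),)))
    m.add_block(Block("a3", "a2", 3, (cb(3),)))
    m.add_block(Block("b1", "g", 1, (cb(11), Tx("dbl", ("cb0:0",), ("attacker_stash",)))))
    m.add_block(Block("b2", "b1", 2, (cb(12),)))
    m.add_block(Block("b3", "b2", 3, (cb(13),)))
    m.add_block(Block("b4", "b3", 4, (cb(14),)))
    return m
```

In production the halt and the blacklist would feed the exchange's trading engine and withdrawal checks, and the same signal should be shared with other exchanges, as the text recommends.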

From past experience, we know that attackers are usually not that sophisticated and often have some major oversights. Even for those theoretically invulnerable attackers, there is very little you can do, but real attackers are far from invulnerable. Actively tracking attackers and trying to find their oversights can often bring very effective results.

Scorched Earth Strategy: Striking Back

There is a more advanced but more risky way to deal with double-spending attacks, which is to launch a counterattack. When an attacker launches a double-spending attack on a certain cryptocurrency, the affected exchange can purchase a large amount of computing power to extend the original chain, thereby consolidating the original transactions and resisting the attacker's double-spending attack.

Of course, the attacker can counterattack in turn, responding to the extension of the original chain by extending the attack chain. The problem this creates is that the exchange must spend more money to extend the original chain and the attacker must spend more money to extend the attack chain. Even once the amounts spent by the exchange and the attacker exceed the value of the funds at stake, both parties still have reason to keep extending their respective chains in order to recover the funds.

Imagine that an attacker spent $10,000 to steal $50,000 worth of cryptocurrency from an exchange. In this case, the attacker earned $40,000 and the exchange lost $50,000. At this point, the best response for the exchange is to spend $10,000 to make the original valid chain the longest chain again, which means that the attacker has lost $10,000 and the exchange has also lost $10,000. Extending this situation round by round gives the following picture:

At the point where the attacker can no longer profit from the attack, the exchange has lost the same amount of money defending against it; had the exchange given up at the start, it would simply have lost the funds. In this hash-power contest the exchange is never in an advantageous position; it only loses more and more money, and the same is true for the attacker.

This game can in fact go on endlessly. At every point, both sides have a reason to keep trying to get the initial $50,000 back, because at each step either side can spend another $10,000 to recover the $50,000. This is why the strategy is called a "scorched earth strategy": there are no winners, and both sides lose more and more money.

The value of this strategy is that, at least in theory, the exchange can prevent the attacker from profiting from the attack. If the attacker knows before launching the attack that the exchange he is about to attack is willing to adopt a scorched earth strategy, then there is no point in launching the attack, and the exchange will likely be spared several attacks.

There is another big complication with scorched earth tactics. The attacker has a large advantage in preparation: he can spend weeks or months preparing for an attack, while the exchange needs to respond almost immediately. For example, if the attacker uses better-optimized code, the attacker may spend only $5,000 per round while the exchange spends $10,000 per round. In this standoff, the exchange cannot tell whether the attacker has such an advantage.

If multiple exchanges try to execute a scorched earth strategy at the same time, the strategy runs into further problems. The exchanges may end up in a hash-power battle with each other rather than with the attacker, which is very costly for the participating exchanges.
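The round-by-round accounting of the standoff above, covering both the equal-cost case ($10,000 per round each) and the prepared-attacker case ($5,000 per round for the attacker). This is an added example, not from the original article; the `scorched_earth` function is constructed here and assumes a flat per-round cost for each side and that the side not holding the funds always re-extends its chain.

```python
def scorched_earth(stolen, attacker_cost, exchange_cost, rounds):
    """Step through the hash-power standoff.

    Round 0 is the initial attack. In every later round the side that does not
    currently hold the disputed funds pays its per-round cost to out-mine the
    other chain and take the funds back. Returns one tuple per round:
    (round, holder, attacker_net, exchange_net), where positive is profit.
    """
    attacker_spent, exchange_spent = attacker_cost, 0   # the attack itself costs one round
    holder, history = "attacker", []
    for r in range(rounds + 1):
        if r > 0 and holder == "attacker":
            exchange_spent += exchange_cost      # exchange buys hash power to reorg back
            holder = "exchange"
        elif r > 0:
            attacker_spent += attacker_cost      # attacker re-extends the attack chain
            holder = "attacker"
        attacker_net = (stolen if holder == "attacker" else 0) - attacker_spent
        exchange_net = (0 if holder == "exchange" else -stolen) - exchange_spent
        history.append((r, holder, attacker_net, exchange_net))
    return history

def defense_outspends_stake(stolen, attacker_cost, exchange_cost, max_rounds=100):
    """First round at which the exchange holds the funds but its cumulative
    defense spend already exceeds the amount it was defending (None if never
    reached within max_rounds)."""
    for r, holder, _, exchange_net in scorched_earth(stolen, attacker_cost, exchange_cost, max_rounds):
        if holder == "exchange" and -exchange_net > stolen:
            return r
    return None

if __name__ == "__main__":
    for r, holder, a, e in scorched_earth(50_000, 10_000, 10_000, 5):
        print(f"round {r}: {holder:8s} holds funds  attacker {a:+,}  exchange {e:+,}")
    for r, holder, a, e in scorched_earth(50_000, 5_000, 10_000, 5):
        print(f"round {r}: {holder:8s} holds funds  attacker {a:+,}  exchange {e:+,}")
```

With equal costs both sides' losses grow in step; with the attacker at $5,000 per round the exchange's losses grow twice as fast, which is the asymmetry the text warns about.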

The final consideration for this strategy is that it will likely cause huge collateral damage to the ecosystem. In fact, many cryptocurrencies cannot handle a large number of continuous reorganizations: nodes may crash, other transactions may be lost or double-spent in this hash-power battle, and in general users face greater risk for the duration of the scorched earth battle.

For the above reasons, I do not recommend that exchanges adopt a scorched earth strategy to counter double-spend attacks.

Developer Arbitration

The last strategy I want to propose is developer arbitration, because there have been successful cases of this strategy. When a theft occurs, the developers can always initiate a hard fork to retrieve the stolen funds.

This method requires a high degree of developer centralization, and the developers themselves are human: they may be deceived or misread an attack, and end up transferring legitimate funds to the attacker's account rather than recovering the stolen ones.

Developers can also deal with the double-spend problem by signing blocks. Once a block is signed by the developers it becomes final, and the transactions in it cannot be double-spent. This method has been applied successfully in many cryptocurrencies, but it also carries risks: if the developers' key is stolen, problems follow one after another. Moreover, the developers can effectively decide which transactions are allowed on the network, which starts to resemble a traditional financial regulator.

Developers should therefore be cautious about adopting this approach, because if they make a wrong decision when trying to retrieve stolen funds, sign the wrong block, or allow an unknown terrorist organization to transact, this may expose them to serious legal liability. Especially now that the cryptocurrency field is receiving more and more attention from regulators, I do not advocate this approach, even setting the centralization issues aside.

Summary

As the cryptocurrency field continues to evolve, we will continue to see more complex attacks. In the next 6 to 12 months, most attacks will likely be double-spend attacks on poorly secured PoW cryptocurrencies, but attackers will increasingly exploit vulnerable design decisions made by developers.

Secure cryptocurrency design is not easy, and most cryptocurrencies and decentralized applications have not yet fully succeeded in ensuring the security of their projects.

The current multi-million-dollar cryptocurrency thefts carried out with shared hardware hash power illustrate this well; but these attacks are only the first wave of high-profile attacks we have experienced, and the cryptocurrency community may experience many more in the future.

To prevent further losses, measures need to be taken in the short term to protect exchanges from shared-hardware attacks. In some cases, it is sufficient to extend the confirmation time to 24 hours; in other cases, trading of a given cryptocurrency should be suspended until that cryptocurrency can fork to a safer design.

In the long run, exchanges will need to take a more conservative and cautious attitude toward their own risk profile and perform forward-looking due diligence on the coins they choose to list.

Thanks to Ethan Heilman for reviewing this article.
