What is a 51% attack?

A 51% attack is a vulnerability of PoW blockchains that lets an attacker seize control of transaction confirmation and block production.

With 51% of the hash rate, attackers can:

• prevent other miners (validators) from finding blocks (selfish mining);
• double-spend coins to steal from service providers, exchanges or swap services (double spend);
• fork the main blockchain, splitting the network into two competing chains;
• block transactions or entire blocks from being confirmed;
• collect all block rewards and transaction fees during the attack.

An attack is more serious if the perpetrators control far more than 51% of the network. Then they can:

• steal from deposit-challenge-verify contracts and state channels/Lightning Network if they are participants;
• lower and manipulate network difficulty;
• steal coins that are not dated to the genesis block (by rolling back old blocks and re-collecting rewards for those blocks);
• delete contracts or transaction history (by rolling back old blocks and editing the list of included transactions).

A 51% attack by itself does not let attackers:

• obtain your private key or forge a signature;
• obtain coins awarded by a faulty contract;
• send, lock into staking or burn your coins on your behalf (except via the techniques mentioned above);
• control the decisions of full-node operators (validators).

A malicious mining pool can rent extra hash rate and attack a chosen cryptocurrency. Using data from the 51crypto service, the authors of the study Exploring the Attack Surface of Blockchain: A Systematic Overview compiled a table for six cryptocurrencies showing the hourly attack cost.

The data were gathered in April 2019. As shown, attacking Bitcoin would cost $486,000 per hour. An attack on Dash (market capitalisation $2.3bn) would cost just $15,000 per hour.

A strategy that lets miners increase profits by withholding blocks from the public network. Instead of broadcasting each newly found block, they keep mining atop their own privately found blocks. While competitors mine on older public blocks, the selfish miner gains an edge.

This creates a quiet race between the public chain of “honest miners” and a private chain of “selfish miners”. Attackers must have enough compute to make their secret chain longer than the public one.

Once the private blockchain becomes longer than the public chain, the attackers release it to claim block rewards and user fees. If the private network’s power is as low as 25% of the total, selfish miners can keep winning the race until displaced by another selfish miner or an aggrieved minority.

In Proof-of-Work blockchains, what matters is not the longest chain by block count but the one with the most accumulated work.

The longest chain represents the majority of hash power only if there is no monopolist (a holder of 51% or more). If there is, the longest chain may not reflect the will of most miners.

Assume the attacker controls significant compute power. He pays a merchant; the merchant accepts a large crypto payment and the deal is nearly done. The transaction is sent to the main blockchain and, after three confirmations, the parties part ways.

Once confident the victim cannot reach him, the attacker “returns” the coins to himself by rolling the blockchain back to an earlier state after sending the payment.

A more covert variant mirrors selfish mining: the attacker mines a parallel chain. Instead of the honest transaction, that chain includes a double-spend that sends the same coins to another address controlled by the fraudster. He then “feeds” the valid chain an alternative batch of blocks (with correct PoW), hoping the network will accept them.

Thus the network “excises” the valid transaction from history. The merchant opens the wallet to find the coins gone and no proof of the deal. He did not even take wallet screenshots or copy the transaction ID when the coins arrived.

In theory, once a transaction has one or more confirmations, a double spend is excluded. Many users do not know what to do when a transaction “disappears” from a bitcoin wallet.

Thanks to such schemes, coins keep reappearing in the attacker’s wallet and can be spent twice, three times, and so on. Frequent double spends may prompt exchanges hit by them to delist the affected cryptocurrency. Attacked coins also lose market capitalisation afterwards. For example, Verge was attacked in May 2018 and has since lost over 95% of its value.

A 51% attack can be used to create a new cryptocurrency. PoW consensus was designed to prove the integrity of a chain, not to prevent forks.

Suppose attackers secretly mine several blocks and then “drop” them onto the main network. Without community support, the honest minority of the remaining 49% will reject that chain. But a few secretly mined blocks let the attacker split off and keep mining his own chain while other miners continue the original one. Two assets emerge: one familiar, the other new.

As long as there are enough miners for the blockchain to function, even new blockchains born of a hard fork will not cause material harm.

The well-known “bitcoin guru” Andreas Antonopoulos believes the Bitcoin network is no longer at risk of a 51% attack because of the resources miners spend to maintain it. Andreas says that in 2019 attacking Bitcoin no longer makes sense; it would be too costly even for governments. Less powerful altcoins can be attacked, he adds.

To attack a blockchain, an adversary does not always need 51% or more of the compute power. The probability of success depends on the attack duration and available hash rate.

Even with 40% of the network, an attacker can attempt a two-block attack with a 40% chance of success.

But miners are only a small part of blockchains’ security model. Ten years on, real-world incidents suggest the threat was greatly exaggerated.

A 51% attack is not impossible. In July 2014 the Ghash.io mining pool controlled more than 50% of Bitcoin’s hash rate for a short period. The pool then voluntarily sought to reduce its share, stating it would not exceed 40% of total mining in future.

In August 2016 the “51 crew” hacked the Krypton and Shift blockchains. Using a series of double spends, they stole roughly 20,000 Krypton tokens.

In May 2018 a group of malicious hackers gained control of 51% of the Bitcoin Gold network, allowing them to steal $18m in cryptocurrency from Bittrex, Binance, Bitinka, Bithumb and Bitfinex. Bittrex accused the developers of negligence and demanded compensation, threatening to delist BTG. The developers replied that this is a known threat type. Bittrex had not taken precautions and was itself to blame, they said.

In June 2018 Monacoin, Zencash, Verge and Litecoin Cash were hit by 51% attacks, causing multimillion-dollar losses. Some exchanges lost about $90,000 in Monacoin, $500,000 in ZenCash and $1.7m in Verge.

In November 2018, after a 51% attack on Aurum Coin, more than $500,000 was stolen from the Cryptopia exchange.

In May 2019 two large mining pools carried out a 51% attack on Bitcoin Cash. They said they prevented the theft of unprotected SegWit coins that sat at addresses from which anyone could take them. These coins remained after the 2017 split from Bitcoin but had been locked by developers—until they were accidentally unlocked by a May 2019 hard fork.