The promise of digital cryptocurrencies like bitcoin is that you don’t need to trust the people to whom you send or receive money, because the software makes it technically impossible for anyone to cheat the system. Instead of relying on humans and their flawed judgment, you rely on the laws of mathematics. But a recent attack on the cryptocurrency Ethereum Classic—not to be confused with the original Ethereum project—shows once again how hard it is to remove human frailty from digital systems.
Like other cryptocurrencies, Ethereum Classic relies on a decentralized ledger known as a blockchain created and shared by the machines that process transactions on the network. This ledger ensures that no one can spend their virtual tokens twice. Unless, that is, someone could take over at least 51 percent of the machines in the network. That’s what appears to have happened last weekend.
Currency exchange Coinbase said Monday it had detected double spends on the Ethereum Classic platform on Saturday and that it had suspended transactions involving Ethereum Classic. Kraken, another exchange, followed suit with a similar announcement. Coinbase security engineer Mark Nesbitt wrote in a blog post that the company had spotted 12 instances of double spending Ethereum Classic tokens, involving a total value of about $1.1 million.¹ Ethereum Classic is not as popular as some other cryptocurrencies: It had a total market value of $553.5 million on Friday, according to CoinMarketCap; by comparison, ether, the currency created by the original Ethereum project, had a value of $16.3 billion, and bitcoin a value of $67.5 billion.
Nesbitt told WIRED that Coinbase is “very confident” that the double spends are a result of someone taking over 51 percent of the Ethereum Classic network, effectively enabling those attackers to rewrite history.
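What "rewriting history" looks like to a node watching the chain can be shown in a short added example, which is not from the article or from Coinbase, whose detection method the article does not describe. It assumes an Ethereum-style account model in which a sender and nonce identify one spend; the names `Tx`, `Block` and `analyze_reorg` and all sample data are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    hash: str
    sender: str
    nonce: int   # per-sender counter: one (sender, nonce) slot can be spent once
    to: str
    value: int

@dataclass(frozen=True)
class Block:
    hash: str
    parent: str
    txs: tuple = ()

def fork_point(old_chain, new_chain):
    """Index of the first block at which the two views of the chain diverge."""
    i = 0
    while i < min(len(old_chain), len(new_chain)) and old_chain[i].hash == new_chain[i].hash:
        i += 1
    return i

def analyze_reorg(old_chain, new_chain):
    """Compare the chain recorded earlier with the chain the network reports now.

    Returns (depth, conflicts). depth is how many previously seen blocks were
    orphaned. conflicts pairs each orphaned transaction with the different
    transaction that now occupies the same (sender, nonce) slot: a double spend.
    """
    i = fork_point(old_chain, new_chain)
    orphaned, adopted = old_chain[i:], new_chain[i:]
    new_by_slot = {(t.sender, t.nonce): t for b in adopted for t in b.txs}
    conflicts = []
    for block in orphaned:
        for tx in block.txs:
            rival = new_by_slot.get((tx.sender, tx.nonce))
            if rival is not None and rival.hash != tx.hash:
                conflicts.append((tx, rival))
    return len(orphaned), conflicts

# Constructed sample: a deposit to an exchange is confirmed in b1, then a longer
# branch replaces b1..b3 and pays the same funds to another address instead.
GENESIS = Block("b0", "")
DEPOSIT = Tx("tx-a", "0xsender", 7, "0xexchange", 100)
REPLACEMENT = Tx("tx-b", "0xsender", 7, "0xother", 100)
OLD = [GENESIS, Block("b1", "b0", (DEPOSIT,)), Block("b2", "b1"), Block("b3", "b2")]
NEW = [GENESIS, Block("c1", "b0", (REPLACEMENT,)), Block("c2", "c1"),
       Block("c3", "c2"), Block("c4", "c3")]
```

A reorganization deeper than the number of confirmations an exchange waits for is the case that matters: the deposit had already been credited when the block containing it disappeared.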
Ethereum Classic’s team announced on Twitter that it is looking into the issue but didn’t confirm that double spends had occurred. The company also complained that Coinbase hadn’t contacted it before announcing the suspension. Nesbitt says Coinbase tried unsuccessfully to contact the Ethereum Classic team on Monday but is now in contact. Ethereum Classic did not respond to our request for comment.
It’s not clear how someone would have been able to gain control of 51 percent of the Ethereum Classic network. Cryptocurrency observers have known for years that blockchains are vulnerable to such an attack, but major cryptocurrency projects had yet to see a successful takeover, in part because it would be so expensive to set up enough computers to muscle out the rest of the network.
If someone has gained the power to rewrite Ethereum Classic’s ledger and spend tokens multiple times, the software’s developers, and the owners of the machines running that software, will need to decide what to do. The team could release a new version of the software with a new version of the blockchain that reverses the double spends and hope that users will adopt the new version. But making changes to the blockchain would go against the project’s raison d’être.
Ethereum Classic was founded in 2016 after a hacker stole about $50 million of ether from an investment scheme known as the DAO (Decentralized Autonomous Organization). The heist was a result of mistakes made by the DAO’s programmers, not an attack on the Ethereum blockchain itself. But the Ethereum team decided to alter the blockchain to restore the stolen tokens to their previous owners.
Ethereum Classic was created by members of the Ethereum community who rejected the idea of altering the blockchain. Essentially, its users opted to keep using the version of the Ethereum ledger that shows the stolen cryptocurrency sitting in the virtual wallet of the DAO hacker and ignores subsequent transactions made on the original Ethereum network, which likewise ignores transactions made on the Ethereum Classic network. The attack on the Ethereum Classic network does not affect the original Ethereum project.
The attack on Ethereum Classic is different from the attack on the DAO in that it apparently altered the Ethereum Classic blockchain directly, which is more serious than exploiting bugs in software developed outside the project. The community might find this attack a more valid justification for reversing the offending transactions. But it will be up to the community to decide what to do, not the software. It’s also another black eye for cryptocurrencies and a reminder that blockchains aren’t truly immune to human politics and judgment.
¹ CORRECTION, Jan. 8, 7:40PM: Coinbase identified 12 instances of double-spending on the Ethereum Classic network. An earlier version of this story incorrectly said it had identified 21 such instances.