What is a 51% attack, and what can a successful attacker do?
This incredibly expensive approach is an unlikely strategy for Bitcoin fraud
If a single entity were to acquire control of over half of the mining power on the Bitcoin network, it would gain the ability to do certain things that would not typically be possible and this poses a known security risk. While acquiring so much mining power would be very expensive, some have cautioned that because a majority of mining power may be located geographically within the borders of one country—China specifically—this poses a unique risk that should concern policymakers. So how exactly would such an attack work and how big of a risk is it? What could you actually do with a majority of the mining power on Bitcoin or any other proof-of-work cryptocurrency?
Bitcoin’s blockchain is a list of all valid transactions that have been made since the network’s inception back in 2009. Anyone can update that list by adding a new block of transactions to the chain, but they have to compete and follow the rules of the protocol. The network relies on these competing “miners” to update the blockchain because there’s simply no other authority within the system; it’s decentralized. A miner will win the ability to write the next block whenever the following conditions hold: (a) her computer solves an open-ended math problem (known as a hash function) by using guess and check, (b) she broadcasts that solution along with her proposed block of new valid transactions to the network, and (c) enough other miners build on top of her solution (because a previous block solution must always be used as an input to create future blocks) such that this chain of new blocks is the longest chain—has the most computing effort dedicated to it—as compared with any possible alternative states (forks) of the network.
This is why a single individual, by marshalling as much computing power as the rest of the network combined, could, in theory, (1) block future transactions (by refusing to put them in new blocks) and (2) attempt to convincingly double-spend new transactions. Because this neerdowell has more computing power than the rest of the network combined she will, on average, be able to write new blocks faster, add them to the chain she prefers, and always have that chain remain the longest chain in the network—i.e. the authoritative state of Bitcoin.
That is referred to as a 51% attack. It’s important to point out that such an attack does not give the attacker the ability to spend any funds sent to Bitcoin addresses for which she does not have the corresponding private keys, nor does it give her the ability to create new bitcoins out of thin air. Any miner, even a miner who had a majority share of the network’s computing power, who attempts to change or break the basic consensus rules, is effectively advocating for a hard fork of the network, and she takes the risk that the network writ large—miners as well as users—will refuse to treat tokens on her new fork as valid currency. While the revisionist miner may create new blocks that reward her with new tokens, when those tokens are perceived as counterfeit by all other participants in the ecosystem, then she will fail to profit from her actions.
The much-touted double-spend 51% attack is also not a particularly pronounced threat to the integrity of Bitcoin or any other proof-of-work cryptocurrency. Here’s how such an attack would work. An attacking miner with 51% of the computing power on the network begins to compile a secret, private version of the Bitcoin blockchain all her own. Meanwhile she sends, for example, 100 bitcoins to a bitcoin exchange and asks the exchange to cash her out in dollars sent to her bank account. This bitcoin transaction is incorporated into the public blockchain, but she does not include the transaction in her own private version. In her version, she never sent the bitcoins to the exchange. The exchange, however, sees the transaction on the public blockchain, assumes it therefore has the 100 bitcoins, and initiates a dollar transfer to the attacker’s bank account. Once our attacker is certain she has the dollars in her bank, she then broadcasts her private version of the Bitcoin blockchain to the network. If she truly had more computing power than the rest of the network combined, then her chain will be “longer” (more cryptographic problems solved) and the rest of the network will recognize this new—if until recently private—blockchain as the authoritative ledger. The exchange that accepted the 100 bitcoins for dollars no longer has those bitcoins according to this new reorganized chain and it has lost the dollars as well. While this is certainly a possible vector for attacking exchanges, it’s likely more difficult than merely attempting to steal poorly secured bitcoins from an exchange by hacking into their systems. It would also require that the attacking miner retain 51% of the network for a period long enough not just for the exchange to wire the money to her bank, but presumably for her to withdraw the funds as cash from the bank. Otherwise, the stolen funds would be frozen once the attack was revealed.
To reiterate, a 51% attack does not enable the attacker to fundamentally change Bitcoin; it merely enables the attacker to block new transactions and, potentially, double-spend transactions that were initiated after she obtained majority control. Moreover, the cost of such an attack is, necessarily, massive. There is fierce competition among Bitcoin miners, and specialized hardware components—application-specific integrated circuits, or ASICs for short—have come to dominate the field. These expensive ASIC chips have effectively no valuable application outside of cryptocurrency mining, therefore any attacker seeking to perform a 51% attack would need to make a very sizable investment in otherwise useless hardware merely to initiate the attack. Additionally, given the transparent nature of the Bitcoin blockchain, any double spend attacks would be immediately visible and, if sufficiently large, would likely lead to a rapid collapse in the price of bitcoin, leaving the perpetrator with little or no reward as measured in purchasing power. This transparency could also allow the bitcoin community to discover the attack and potentially agree on a change to the rules of Bitcoin which could serve to reverse the attack or block the attacker.
If the goal is to simply disrupt the network, rather than to block transactions or attempt a double-spend, there are much more efficient and cost-effective vectors of attack available, such as distributed denial of service (DDoS) attacks. Given the high cost and uncertain benefits, a 51% attack against Bitcoin would not be a likely strategy for a rational actor seeking to commit fraud.