Deep Chain Reorganization Detected on Ethereum Classic (ETC)
On 1/5/2019, Coinbase detected a deep chain reorganization of the Ethereum Classic blockchain. In order to protect customer funds, we immediately paused interactions with the ETC blockchain.
Updated Jan. 7, 10:27pm PT: At time of writing, we have identified a total of 15 reorganizations, 12 of which contained double spends, totaling 219,500 ETC (~$1.1M). No Coinbase accounts have been impacted by the attack.
We will continue to monitor the status of the network and update this article with the most recent information we have. Current ETC network status can be found here.
Page 3 of Satoshi Nakamoto’s whitepaper, Bitcoin: A Peer-to-Peer Electronic Cash System, states the following:
“If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains.”
The “honest[y]” of more than half of miners is a core requirement for the security of Bitcoin and any proof-of-work cryptocurrencies based on Bitcoin. Honest action, in this context, means following the behavior described in the Bitcoin white paper. This is sometimes described as a “security risk” or “attack vector,” but is more accurately described as a known limitation to the proof-of-work model.
Failure to meet this requirement breaks several core guarantees of the Bitcoin protocol, including the irreversibility of transactions. Many other cryptocurrencies, such as Ethereum Classic, have also adopted proof-of-work mining.
The function of mining is to add transactions to the universal, shared transaction history, known as the blockchain. This is done by producing blocks, which are bundles of transactions, and defining the canonical history of transactions as the longest chain of blocks*. If a single miner has more resources than the entirety of the rest of the network, this miner could pick an arbitrary previous block from which to extend an alternative block history, eventually outpacing the block history produced by the rest of the network and defining a new canonical transaction history.
This is called a “chain reorganization,” or “reorg” for short. All reorgs have a “depth,” which is the number of blocks that were replaced, and a “length,” which is the number of new blocks that did the replacing.
This, on its own, might end up being nothing more than a minor inconvenience. After all, the transactions all still exist, but they might have been put into a different order, perhaps delaying some of them. However, imagine a miner who also owns a large number of coins. The miner could send those coins to a merchant in a transaction, T, while also secretly extending an alternative block history. The miner’s secret blocks do not include T, but rather include a transaction that sends the same coins used in T to a different address. Call that transaction T’. When the miner reveals this secret history, it will contain T’, not T. Because T and T’ attempted to send the same coins and T’ is now in the canonical history, this means that T is forever invalid, and the recipient of the coins sent in transaction T never even received them in the new, now-canonical history. More info on this can be found here.
What we observed
Updated Jan. 7, 10:27pm PT.
We observed repeated deep reorganizations of the Ethereum Classic blockchain, most of which contained double spends. The total value of the double spends that we have observed thus far is 219,500 ETC (~$1.1M).
Timeline of events
- Late on the evening of Saturday 1/5, our systems alerted us to a deep reorg in ETC that contained a double spend. Our on-call engineers responded to the alert and worked to confirm the report through the night. We determined that we would temporarily halt send/receive interaction with the ETC blockchain in order to safeguard customer funds.
- This meant that customers who tried to send or receive ETC on Coinbase Consumer or Pro were unable to complete their transactions.
- On the morning of Sunday 1/6 we posted an update on status.coinbase.com stating (that) “Due to unstable network conditions on the Ethereum Classic network, we have temporarily disabled all sends and receives for ETC. Buy and sell is not impacted. All other systems are operating normally.”
- We performed an analysis on Sunday afternoon/evening to confirm the pattern and determine the key details of the double-spend attacks. Beginning Sunday afternoon, we observed 8 more incidents, all containing double spends.
- Out of an abundance of caution, we did not put up a blog post prior to legal and technical review. A false alarm could have inadvertently caused market instability.
- On Monday 1/7 morning after legal and technical review, we finalized our public analysis and posted to our blog and social media accounts.
Note: A full blockchain analysis is beyond the scope of this article. Further research into the addresses sending the double spend transactions, the history of sends/receives from the addresses, the block fields such as timestamp, and the subsequent movement of miner rewards from attack blocks may shed light on the threat actor or actors behind these attacks.
We observed the following deep chain reorgs:
- Common ancestor: 7245623. Depth 4 / Length 7. No double spends were observed in this reorg. We noted that this was a reorg of unusual depth for ETC.
- Common ancestor: 7248488. Depth 5 / Length 6. No double spends were observed in this reorg. We noted that a second reorg of unusual depth was highly suspicious, but did not necessary indicate an attack as there was no double spend and the depth was still below the ETC confirmation limit for most services.
- Common ancestor: 7249343. Depth 57 / Length 74. A transaction of value 600 ETC in orphaned block 7249357 was double spent by a transaction in attacker block 7249361**.
We ceased interacting with the ETC blockchain upon observing this reorg. Coinbase was not the target of this double spend and no funds were lost.
- Common ancestor: 7254419. Depth 32 / Length 53. A transaction of value 4,000 ETC in orphaned block 7254430 was double spent by a transaction in attacker block 7254435**
- Common ancestor: 7254568. Depth 123 / Length 140. A transaction of value 5,000 ETC in orphaned block 7254646 was double spent by a transaction in attacker block 7254656**
- Common ancestor: 7255033. Depth 60 / Length 79. A transaction of value 9,000 ETC in orphaned block 7255055 was double spent by a transaction in attacker block 7255066*
- Common ancestor: 7255204. Depth 25 / Length 35. A transaction of value 9,000 ETC in orphaned block 7255212 was double spent by a transaction in attacker block 7255225**.
- Common ancestor: 7255476. Depth 37 / Length 46. A transaction of value 15,700 ETC in orphaned block 7255487 was double spent by a transaction in attacker block 7255492**.
- Common ancestor: 7255542. Depth 67 / Length 85. A transaction of value 15,700 ETC in orphaned block 7255554 was double spent by a transaction in attacker block 7255563**.
- Common ancestor: 7255662. Depth 62 / Length 110. A transaction of value 24,500 ETC in orphaned block 7255669 was double spent by a transaction in attacker block 7255681**.
- Common ancestor: 7255998. Depth 69 / Length 86. A transaction of value 5,000 ETC in orphaned block 7256012 was double spent by a transaction in attacker block 7256022**.
Updates as of 10:27pm PT, January 7
- Common ancestor: 7261497. Depth 44 / Length 54. A transaction of value 26,000 ETC in orphaned block 7261492 was double spent by a transaction in attacker block 7261497**.
- Common ancestor: 7261603. Depth 35 / Length 44. A transaction of value 52,800 ETC in orphaned block 7261610 was double spent by a transaction in attacker block 7261614**.
- Common ancestor: 7261647. Depth 8 / Length 9. No double spends were observed in this reorg.
- Common ancestor: 7261676. Depth 37 / Length 47. A transaction of value 52,200 ETC in orphaned block 7261684 was double spent by a transaction in attacker block 7261690**.
The Coinbase team is currently evaluating the safety of re-enabling sends and receives of Ethereum Classic and will communicate to our customers what to expect regarding support for ETC. Coinbase takes security very seriously. As part of that commitment, we monitor blockchains for activity that could be harmful to our customers and take prompt action to safeguard funds. We want to emphasize to customers that Coinbase strives to be the most trusted and safest place to buy, sell, or store cryptocurrency.
* It is actually the chain with the most accumulated work, rather than the chain with the most blocks, that defines the canonical history. In most cases, these chains will be the same
** The block explorer does not properly handle reorgs and labels the transaction as confirmed. Click on the block to see that the block is orphaned.
This website may contain links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of Coinbase, Inc., and its affiliates (“Coinbase”), and Coinbase is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. Coinbase is not responsible for webcasting or any other form of transmission received from any Third-Party Site. Coinbase is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by Coinbase of the site or any association with its operators.
Unless otherwise noted, all images provided herein are by Coinbase.
Ethereum Classic (ETC) is currently being 51% attacked was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.