In light of the 51% Attack launched on the popular Switzerland-based DAO Aragon Association, I thought it would be a useful exercise to explain the function of, purpose for, and potential legal issues surrounding such subversive attacks.
What is a 51% Attack
A 51% attack, also known as a majority attack, is a potential security vulnerability that can occur in blockchain-based cryptocurrencies. It refers to a situation where a single entity or a group of colluding entities gains control over more than 50% of the total hashing power or computational resources of a cryptocurrency network. In a decentralized blockchain network, consensus is reached through a process called mining, where miners compete to solve complex mathematical problems to validate transactions and add new blocks to the blockchain. When a miner successfully mines a new block, they propagate it to the network, and other participants validate and add it to their copy of the blockchain.
A prospective 51% attacker always needs to control a significant portion of the network’s hashing power to execute an attack. This can be achieved by either renting or purchasing mining equipment or by utilizing botnets (networks of compromised computers) to contribute computational resources. If a single entity or group controls the majority of the network’s computational power, they have the ability to manipulate the blockchain in several ways. Once that control is obtained, the primary means through which motivated parties launch 51% Attacks include:
- Double spending;
- Block exclusion;
- Block modification; and
- Network disruption.
Double Spending
With majority control, an attacker can spend their cryptocurrency, and then create an alternative blockchain branch where the transaction never occurred. Attackers can use their computational power to mine blocks on this alternate chain faster than the rest of the network, eventually making it the longest chain and overwriting the original transaction. Since the original transaction made by the attacker was excluded from the blocks in the alternative branch, they can now spend the same coins again in another transaction. This effectively allows them to double spend the cryptocurrency.
Block Exclusion
Block exclusion refers to the act of intentionally omitting or censoring specific transactions from being included in blocks within a blockchain network. In a blockchain, transactions are grouped into blocks, which are then added to the blockchain through a process called mining. In a decentralized blockchain network, the inclusion of transactions in blocks is typically determined by the consensus algorithm and the participating miners or validators. They validate and prioritize transactions based on certain criteria, such as transaction fees or timestamps.
During a block exclusion, an individual or group with significant control over the network’s hashing power, as in a 51% attack scenario, can selectively choose to exclude certain transactions from being included in blocks. This means that those transactions will not be confirmed and recorded on the blockchain, leading to delays or even the prevention of their execution. Specifically, an attacker may selectively exclude transactions to disrupt the network’s normal operation, cause inconvenience or financial losses to specific participants, or manipulate the overall functionality of the blockchain.
Block Modification
Block modification, also known as blockchain reorganization or chain reorganization, is another potential consequence of a successful 51% attack on a cryptocurrency network. In this scenario, the attacker exploits their majority control over the network’s hashing power to modify previously confirmed blocks in the blockchain. Once an attacker has majority control and creates an alternative blockchain branch, the attacker will broadcast their longer chain to the network. Nodes in the network, which typically follow the longest chain rule, switch to the attacker’s chain as the new valid version of the blockchain.
With control over the majority of the network’s hashing power and the longer chain, the attacker can modify or exclude specific transactions within previously confirmed blocks. They can rewrite transaction history, reverse transactions, or modify the contents of blocks. As the attacker’s modified chain becomes the accepted version of the blockchain, the network recognizes the modified blocks and transactions as valid, even if they differ from the previous version of the blockchain.
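From a node operator's or exchange's side, a reorganization like the one described above is visible as a new chain tip that does not extend the previous one. The following added example (not from the original article) walks both tips back to their common ancestor, reports how many confirmed blocks were orphaned, and lists the transactions that disappeared from history. The Block structure, block hashes and transaction ids are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Block:
    hash: str
    parent: Optional[str]
    height: int
    txids: frozenset = frozenset()

def analyze_tip_change(blocks, old_tip, new_tip):
    """Walk both tips back to their common ancestor.

    Returns (depth, reverted_txids): how many blocks of the old chain were
    orphaned, and which of their transactions are absent from the new branch.
    Assumes both tips descend from the same genesis block.
    """
    a, b = blocks[old_tip], blocks[new_tip]
    orphaned, adopted = [], []
    while a.hash != b.hash:
        if a.height >= b.height:
            orphaned.append(a)
            a = blocks[a.parent]
        else:
            adopted.append(b)
            b = blocks[b.parent]
    old_txs = set().union(*(blk.txids for blk in orphaned))
    new_txs = set().union(*(blk.txids for blk in adopted))
    return len(orphaned), old_txs - new_txs

# Constructed sample: chain a1..a3 was the accepted history, then a longer
# branch b1..b4 forking from genesis "g" is announced and replaces it.
SAMPLE = {blk.hash: blk for blk in (
    Block("g", None, 0),
    Block("a1", "g", 1, frozenset({"tx-deposit", "tx-other"})),
    Block("a2", "a1", 2),
    Block("a3", "a2", 3),
    Block("b1", "g", 1, frozenset({"tx-conflict", "tx-other"})),
    Block("b2", "b1", 2),
    Block("b3", "b2", 3),
    Block("b4", "b3", 4),
)}

if __name__ == "__main__":
    depth, reverted = analyze_tip_change(SAMPLE, "a3", "b4")
    print(f"reorg depth {depth}, reverted transactions: {sorted(reverted)}")
```

A depth at or above the service's confirmation policy means already-credited payments, such as the sample's tx-deposit, need to be reviewed.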
Network Disruption
In a 51% Attack, the attacker can choose to refuse to validate or confirm any transactions that are broadcasted to the network. They essentially reject the inclusion of transactions into blocks. The attacker can further halt the production of new blocks by refusing to mine new blocks or propagating empty blocks that do not contain any transactions. By disrupting the normal validation and block production process, the attacker causes a denial-of-service (DoS) effect on the blockchain network. Transactions may not be confirmed, and the network’s functionality may be severely impaired or completely halted.
Examples of Successful 51% Attacks
While 51% attacks are relatively rare, there have been a few notable examples in the history of cryptocurrencies. Here are a few:
- Bitcoin Gold (2018): Bitcoin Gold, a fork of Bitcoin, experienced a 51% attack in May 2018. Attackers gained majority control of the network’s hashing power and used it to reverse transactions, double spend coins, and manipulate the blockchain. The attack resulted in significant financial losses for exchanges and other affected parties.
- Ethereum Classic (2019): Ethereum Classic, another popular cryptocurrency, fell victim to a 51% attack in January 2019. Attackers exploited the network by gaining majority control of the hashing power, allowing them to double spend coins. The attack resulted in millions of dollars’ worth of digital assets being double spent.
- Verge (2018): Verge, a privacy-focused cryptocurrency, experienced multiple 51% attacks within a short period in April 2018. The attackers gained control over the network and manipulated the blockchain, causing disruptions and exploiting vulnerabilities in Verge’s mining algorithm.
It’s important to note that these attacks targeted smaller cryptocurrencies with lower hashing power and less robust security measures. Larger cryptocurrencies like Bitcoin and Ethereum have significantly higher computational power securing their networks, making successful 51% attacks more challenging.
Regulation & Legality of 51% Attacks
While the cryptocurrency community generally condemns 51% attacks as they undermine the fundamental principles of decentralization and security upon which cryptocurrencies are built, they continue to be orchestrated. In general, 51% attacks are not inherently illegal since they involve using computational power to control a cryptocurrency network. However, certain actions taken during a 51% attack, such as double spending or unauthorized modifications, can be considered illegal under existing laws related to fraud, theft, or computer crimes. To date, there have been no specific legal enforcement actions solely focused on 51% attacks.
Cybersecurity Laws
Cybersecurity laws play a crucial role in addressing various cyber threats, including 51% attacks on cryptocurrencies or blockchain networks. While the specific laws and regulations may vary across jurisdictions, there are several general ways in which cybersecurity laws can address such attacks:
- Unauthorized access and hacking: Many countries have laws that criminalize unauthorized access to computer systems, hacking, or other forms of cyber intrusion. Perpetrators of 51% attacks may be subject to legal consequences under these laws if they gain unauthorized control over a network or exploit vulnerabilities to manipulate transactions.
- Fraud and theft: If a 51% attack involves theft or fraudulent activities, existing laws related to fraud, theft, or financial crimes can be applicable. The attackers may be prosecuted under these laws for unlawfully gaining control of funds, engaging in fraudulent transactions, or causing financial harm to others.
- Computer crime legislation: Several jurisdictions have enacted specific computer crime laws that address various forms of cyber threats. These laws may cover a wide range of malicious activities, including unauthorized access, disruption of computer systems, and the intentional manipulation of data or computer programs. Perpetrators of 51% attacks could potentially face charges under these laws.
- Regulatory compliance: In the context of cryptocurrencies, security tokens, and blockchain networks, there may be specific regulations that govern their use and operation. These regulations can include requirements for security measures, reporting incidents, and compliance with relevant laws related to financial transactions, investor protection, or data privacy. Failure to comply with these regulations may lead to legal consequences for entities involved in a 51% attack.
Anti-Money Laundering Laws
While AML laws primarily focus on the movement of illicit funds, they can indirectly address certain aspects related to 51% attacks on cryptocurrencies. Here are a few ways AML laws may apply:
- Reporting suspicious transactions: AML laws often require financial institutions, including cryptocurrency exchanges, to implement robust customer due diligence measures and report suspicious transactions to relevant authorities. In the context of 51% attacks, if an attacker successfully executes a double spending attack or engages in other illicit activities, the involved entities may have obligations to report such suspicious transactions.
- Identifying beneficial owners: AML laws typically require financial institutions to identify and verify the beneficial owners of accounts or transactions. This helps ensure transparency and accountability within financial systems. If an individual or group orchestrates a 51% attack, AML regulations may be relevant in identifying the responsible parties and understanding the flow of funds associated with the attack.
- Enhanced customer due diligence: Cryptocurrency exchanges and other virtual asset service providers are often subject to AML regulations that require them to implement comprehensive customer due diligence processes. These processes involve identity verification, monitoring of transactions, and risk assessment. Robust AML controls can help detect and prevent suspicious activities associated with 51% attacks.
- Compliance with sanctions regulations: AML laws also include provisions related to compliance with international sanctions regimes. Entities involved in cryptocurrency transactions are typically required to screen participants against sanctions lists to ensure they are not facilitating transactions with sanctioned individuals or entities. This aspect can indirectly address situations where 51% attackers may be engaged in illicit activities or linked to sanctioned individuals or organizations.
Securities Law
51% Attacks in the context of security tokens are exceedingly rare. Security tokens represent ownership or financial interests in an underlying asset, such as real estate, equity, or other financial instruments. They are typically issued and traded on blockchain platforms that employ different consensus mechanisms compared to proof-of-work (PoW) or proof-of-stake (PoS) used by cryptocurrencies. The security of security tokens depends on the specific blockchain protocol and consensus mechanism being utilized. Blockchain platforms designed for security token issuance often employ consensus mechanisms like delegated proof-of-stake (DPoS) or Byzantine fault tolerance (BFT) variants. These mechanisms involve a different set of rules for block validation and governance, and they are less susceptible to traditional 51% attacks. However, assuming the ability of attackers to coordinate a successful 51% attack, laws relating to the disclosure of ownership of certain security tokens could apply.
State Corporate Law
While the majority of 51% attacks are coordinated against (mostly) unincorporated DAOs, there exists prospective liability where the DAO is formed as a legal entity, such as a Wyoming DAO limited liability company. Areas of liability could include:
- Shareholder rights and protections: State corporate laws often provide certain rights and protections to shareholders, including the right to participate in corporate decision-making, the right to inspect corporate records, and the right to receive dividends or distributions. In the event of a 51% attack that affects the corporation, shareholders may seek legal recourse based on their rights under state corporate law.
- Fiduciary duties of directors and officers: Corporate directors and officers owe fiduciary duties, such as the duty of loyalty and the duty of care, to the corporation and its shareholders. In the context of a 51% attack, if directors or officers fail to take appropriate actions to prevent or mitigate the impact of the attack, they may face legal consequences for breaching their fiduciary duties.
- Shareholder derivative actions: State corporate laws often allow shareholders to bring derivative actions on behalf of the corporation when directors or officers fail to fulfill their fiduciary duties. If a 51% attack results in harm to the corporation, shareholders may initiate legal proceedings through derivative actions to hold responsible parties accountable.
- Corporate governance and decision-making: State corporate laws outline the procedures for corporate decision-making, including board of directors’ meetings, shareholder voting, and corporate governance mechanisms. In the context of a 51% attack, the affected corporation may need to follow specific corporate law provisions to address the situation and make decisions regarding mitigation or recovery.
Conclusion
With respect to a 51% attack, community size, security protocols and increased network hashing power serve to buffer a network against such an exploit. At the same time, there are virtually no laws or regulations directly addressing the legality of 51% attacks. Consider this: there is very little regulation concerning a corporate takeover in the context of publicly traded equity outside of disclosure of ownership. Therefore, all things considered, don’t look for 51% Attacks to be either a legislative or enforcement priority any time in the near future.
About Adam Tracy
Adam Tracy is a payments expert and entrepreneur who specializes in payment systems, blockchain technology, digital currencies, and other emerging technologies. He is the founder of Blockrunner, LLC, which provides consulting services to clients in the blockchain, payments and cryptocurrency arenas.
Tracy has been involved in the payments industry as an attorney, consultant and entrepreneur since 2005, and he has been an expert in blockchain and cryptocurrency since its advent in 2013. Tracy has worked with a wide range of clients, including startups, established businesses, and investors, both in the United States and worldwide. He has advised clients on a wide range of compliance, legal and operational issues related to payment transfer systems, crypto token generation and architecture, cryptocurrency exchanges, regulatory licensing, smart contracts, and other blockchain applications.
In addition to his consulting work, Tracy has founded several companies in the payments, blockchain and cryptocurrency space, including a digital asset hedge fund, licensed electronic money institution and a blockchain-based tokenization platform. He is also a proponent of decentralized finance (DeFi) and has been involved in various DeFi projects.
Tracy is also a frequent speaker and writer on blockchain and cryptocurrency topics. He has been featured in a wide range of publications, including Forbes, CoinDesk, and Bitcoin Magazine.
Find Adam: https://linktr.ee/adamtracy