Once hailed as unhackable, blockchains are now getting hacked - The first knowledge sharing application in Vietnam

But the more complex a blockchain system is, the more ways there are to make mistakes while setting it up. Earlier this month, the company in charge of Zcash—a cryptocurrency that uses extremely complicated math to let users transact in private—revealed that it had secretly fixed a “subtle cryptographic flaw” accidentally baked into the protocol. An attacker could have exploited it to make unlimited counterfeit Zcash. Fortunately, no one seems to have actually done that.

The protocol isn’t the only thing that has to be secure. To trade cryptocurrency on your own, or run a node, you have to run a software client, which can also contain vulnerabilities. In September, developers of Bitcoin’s main client, called Bitcoin Core, had to scramble to fix a bug (also in secret) that could have let attackers mint more bitcoins than the system is supposed to allow.

Still, most of the recent headline-grabbing hacks weren’t attacks on the blockchains themselves, but on exchanges, the websites where people can buy, trade, and hold cryptocurrencies. And many of those heists could be blamed on poor basic security practices. That changed in January with the 51% attack against Ethereum Classic.

The 51% rule

Susceptibility to 51% attacks is inherent to most cryptocurrencies. That’s because most are based on blockchains that use proof of work as their protocol for verifying transactions. In this process, also known as mining, nodes spend vast amounts of computing power to prove themselves trustworthy enough to add information about new transactions to the database. A miner who somehow gains control of a majority of the network’s mining power can defraud other users by sending them payments and then creating an alternative version of the blockchain in which the payments never happened. This new version is called a fork. The attacker, who controls most of the mining power, can make the fork the authoritative version of the chain and proceed to spend the same cryptocurrency again.

For popular blockchains, attempting this sort of heist is likely to be extremely expensive. According to the website Crypto51, renting enough mining power to attack Bitcoin would currently cost more than $260,000 per hour. But it gets much cheaper quickly as you move down the list of the more than 1,500 cryptocurrencies out there. Slumping coin prices make it even less expensive, since they cause miners to turn off their machines, leaving networks with less protection.

Toward the middle of 2018, attackers began springing 51% attacks on a series of relatively small, lightly traded coins including Verge, Monacoin, and Bitcoin Gold, stealing an estimated $20 million in total. In the fall, hackers stole around $100,000 using a series of attacks on a currency called Vertcoin. The hit against Ethereum Classic, which netted more than $1 million, was the first against a top-20 currency.

David Vorick, cofounder of the blockchain-based file storage platform Sia, predicts that 51% attacks will continue to grow in frequency and severity, and that exchanges will take the brunt of the damage caused by double-spends. One thing driving this trend, he says, has been the rise of so-called hashrate marketplaces, which attackers can use to rent computing power for attacks. “Exchanges will ultimately need to be much more restrictive when selecting which cryptocurrencies to support,” Vorick wrote after the Ethereum Classic hack.