A blockchain security research firm called SlowMist has released a full report on the recent attack against Ethereum Classic. The report indicates that several exchanges were victims of a concerted 51% attack.
Notably, the researchers report that the attack began on January 5th at 19:58:15 UTC. Days passed before anyone noticed. The attacker duped several exchanges in the process, including Coinbase, Bitrue, and Gate.io. The analysis focuses heavily on Bitrue. Central to the attack was the owner of address 0x24fdd25367e4a7ae25eef779652d5f1b336e31da. The earliest movement is a little over 5,000 ETC from Binance to this address.
The Attack Begins With Coins From Binance
From there the coins moved to a mining node, which mined block 7254355. Later, in block 7254430, a deposit of 4,000 ETC was made to Bitrue. This transaction no longer exists in the longest Ethereum Classic chain, because the block containing it was re-organised out in the double spend attack. It was sent to verified Bitrue address 0x2c9a81a120d11a4c2db041d4ec377a4c6c401e69. The official history of that address does not show any such deposit.
But Bitrue’s own records remember. Bitrue tweets them:
A second attack, for 9,000 ETC, later happened the same way. The attacker moves the coins to other addresses, makes deposits, then withdraws them to safe addresses. The attack is simple at its heart: make a deposit, then make a withdrawal. He has the hashpower to ensure that the transactions he wants to keep stay on the chain and that the ones he would rather be forgotten are re-organised out of it. In essence, he doubles his money simply by moving the coins to other addresses. Then he moves the original coins to safety.
Coinbase Just One Victim
Of course, this all adds to the confirmed damage at Coinbase. The report goes into some detail about that. It says that once Coinbase and other exchanges began blacklisting attacker addresses, the attack basically stopped being useful to the attacker on January 8th.
The report confirms two addresses certainly involved in the attack:
0x090a4a238db45d9348cb89a356ca5aba89c75256
0x07ebd5b21636f089311b1ae720e3c7df026dfd72
Combined, these addresses possess over 53,000 ETC at time of writing. They will struggle to find any liquidity for these tokens, as most exchanges have likely blacklisted them. Security is fundamentally important to exchanges. These tokens can essentially be considered “tainted.”
Conclusions After a Real Attack
Exchanges must adapt their security policies to chains with smaller hashrates. Declining markets lead to reduced hashpower. It happens in all proof-of-work systems. Unsavory individuals view it as an investment opportunity. If the token is worth enough, dedicating massive hashpower to the chain in order to defraud legitimate exchanges is worth the effort.
As the report says:
[W]e recommend that all digital asset services platform block transfers from the above malicious wallet addresses. And strengthen the risk control, maintain a high degree of attention, and be alert to double spend attacks that may erupt at any time.
SlowMist
The incident provides lessons for all players in the blockchain ecosystem. The reality of decentralization is that every player is on their own. Exchanges can increase the number of confirmations required. They can also force users to register intended withdrawal addresses before ever making a withdrawal. Billions of dollars across markets are actually on the line.
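The check below is an added example, not code from SlowMist or any exchange: it re-audits already credited deposits against the node's current canonical chain, which is how a deposit like the 4,000 ETC one in block 7254430 shows up as re-organised out. Block hashes, transaction ids, the chain tip and the 12-confirmation threshold are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Deposit:
    tx_id: str          # constructed placeholder id
    block_number: int   # height at which the deposit was seen
    block_hash: str     # hash of that block when the deposit was credited
    amount_etc: int

def reorg_depth(seen, canonical):
    """Number of previously seen blocks replaced on the canonical chain."""
    changed = [n for n, h in seen.items() if canonical.get(n) != h]
    return max(seen) - min(changed) + 1 if changed else 0

def audit_deposits(deposits, canonical, tip, min_confirmations):
    """Classify each deposit against the current longest chain.

    canonical maps block number -> block hash as the node reports it now.
    """
    status = {}
    for d in deposits:
        if canonical.get(d.block_number) != d.block_hash:
            # The block the deposit was in is gone: freeze the balance.
            status[d.tx_id] = "REORGED_OUT"
        elif tip - d.block_number + 1 < min_confirmations:
            status[d.tx_id] = "PENDING"
        else:
            status[d.tx_id] = "CONFIRMED"
    return status

# Constructed sample data: the exchange saw chain "a"; blocks from
# 7254430 onward were later replaced by the attacker's chain "b".
BASE = 7254428
SEEN = {BASE + i: f"a{i}" for i in range(5)}            # 7254428..7254432
CANONICAL = {BASE + i: (f"a{i}" if i < 2 else f"b{i}")  # 7254428..7254440
             for i in range(13)}
TIP = max(CANONICAL)
DEPOSITS = [
    Deposit("tx-honest", 7254429, "a1", 10),
    Deposit("tx-bitrue-4000", 7254430, "a2", 4000),
    Deposit("tx-recent", 7254438, "b10", 25),
]

if __name__ == "__main__":
    print("reorg depth:", reorg_depth(SEEN, CANONICAL))
    for tx, state in audit_deposits(DEPOSITS, CANONICAL, TIP, 12).items():
        print(tx, state)
```

The observed reorg depth gives a lower bound for the confirmation threshold: any deposit credited with fewer confirmations than the deepest reorg seen on the chain could have been reversed.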