What are the chances of a 51% attack?

Preface: I started to write this as a reply to another post, but it became long enough to justify a new thread. This post is intended to clear up misconceptions around the current feasibility of a 51% attack. However, please be encouraged to state differing opinions.

The chance of a 51% attack on Zcash is close to zero, as an attacker would need to have sufficient monetary incentive to carry out such an attack. Right now there is about 100Mh/s of Equihash available on Nicehash. Given that Zcash’s network hashrate averages about 1.8Gh/s, the Equihash hashrate available for rent represents less than 6% of the Zcash network. In order to control 51%, a hypothetical attacker would need to acquire an additional 45% of the existing network, which works out to 810Mh/s or about 16,200 A9’s/Z9’s.

The top pools in order of network hashrate are Poolin (382Mh/s), F2pool (343Mh/s), Flypool (273Mh/s), and Slushpool (146Mh/s). Even if an attacker was already in control of Poolin and F2pool, they would still only have about 40% of the total network. Even combined with what’s available on Nicehash, they would be short of 51%. However, for the sake of argument let’s assume an attacker could have theoretically purchased enough ASICs to acquire the 45% of the network they needed already and they’re currently mining on several pools.

If the hypothetical attacker purchased 16,200 full Z9’s at a cost of $3000 USD each, they would have spent over $50 million to acquire their hardware. Adding the cost of renting all the Equihash hashrate on Nicehash, the opportunity cost of a 51% attack would need to exceed $50 million in order to justify acting maliciously. The attacker would need to carry out a double spend attack on an exchange in that amount, which is greater than the daily ZEC trading volume of any exchange, excluding LBank and BCEX which are known to fake volume by amounts greater than 4000x. The combined volume of every other exchange in all ZEC pairs is $53 million.

An attacker would need to coordinate a double spend on every single exchange that supports ZEC in an amount that exceeds their daily trading volume, otherwise there simply isn’t enough monetary incentive to justify a 51% attack. Setting aside the feasibility of such an attack, the aftermath would potentially leave the attacker’s hardware worthless, so logic dictates that anyone with the resources to carry out such an attack would make more money by simply mining legitimately. That’s the beauty of proof of work, and Satoshi was very explicit in talking about this in the Bitcoin whitepaper.

2 Likes

Why can’t the attacker just put a million Zec onto his wallet and wait?

You didn’t account for leverage and other market instruments (shorts, options, futures).

1 Like

You forgot Antpool @19.2% (not vital but still)

1 Like

@phakov

Because an attacker with 51% is still bound by the rules of the underlying protocol, they cannot simply put a million coins into a given wallet in an instant; they can only create new coins one block at a time in the form of mining rewards (10 ZEC). Which is exactly what Satoshi was talking about in Section 6: Incentive (Page 4). An attacker with greater than 51% has to choose between acting maliciously or mining honestly and gaining the majority of mining rewards.

The most common attack is the double spend attack, where a miner with 51% can deposit coins into an exchange, exchange them for BTC and withdraw that BTC from the exchange, then use their majority hashpower to revert their initial deposit by mining a longer chain that doesn’t include the initial deposit transaction. That’s why most exchanges wait for a certain number of confirmations before allowing you to trade your deposited coins, because the feasibility of this kind of attack diminishes with each successive new block after the deposit transaction. It’s much easier to re-hash 10 blocks than it is to re-hash 100.

@tloriato

Thank you, that’s an excellent point which I completely overlooked. Theoretically if an attacker could short ZEC using futures or some other instrument that would allow them to profit greater than $50 million, then perhaps a 51% attack might be worth it if they could cause confidence in the coin to completely collapse and drive the price down significantly. That’s assuming that you could amass a short futures position that large and that you could be confident of a price decline of sufficient magnitude for you to profit. Such a plan would be extremely high risk as your hardware investment would probably become worthless after the attack.

@Uche32

Thanks, I forgot Antpool because for some reason they don’t appear on this miner distribution chart.

1 Like

Also this thread about 51% attack solutions: Zooko talking about PoS. PoS vs PoW Discussion - #12 by Shawn

True, I never realized it, huge LOL, and I am looking at it every day, since I have my ASIC :laughing:

Your calculations confirm my opinion that the use of ASIC on the network adds resistance to attacks, and not vice versa.

When Zencash was 51% attacked a few months ago, people cried Nicehash; there has been ZERO evidence to show that Nicehash was rented to attack the network. There was an article that came out a few weeks before it was attacked stating the THEORETICAL cost to attack networks with Nicehash. After that everyone kept linking it like it was proof that Nicehash was used to attack the network.

HOWEVER, these costs assume that all you need is 51% and you magically win. That is a misconception of a 51% attack; you actually need much more to do what happened. If you control 51% of the network hashing power, the odds of you mining 38 blocks in a row are almost zero; this is what happened to Zencash.

My guess is Bitmain used their ASICs before they were released to attack Equihash coins, since they dominated the hashrates with their private monopoly on ASICs. How can you be sure Bitmain does not have 100x ASIC miners that do 250k or 500k sols?

Using your math, if Bitmain had ASICs that were doing 250K/sols, currently achievable with ASICs to the public, Bitmain would only need 3200 units. If the units did 500k/sols they would only need 1600. The Z9 was the prototype model; I’m sure they have better machines running if they were selling Z9s that were making 30+ a day.

If each unit cost them $2000 USD to make (it’s probably WAY cheaper for them), $2000 x 3200 units = $6,400,000 USD. For only 6.5 million USD they could easily have 51% of the network hashrate of Zcash, or 90+% of any other Equihash coin. Bitmain made billions (with a B) last year; 6.5 million is pennies to them. Making a couple thousand units isn’t hard for a manufacturer, and hell, you can resell them when you are done; dumb people will buy them.

To think they are selling the best and fastest ASICs they currently have is just being foolish.

ASICs are terrible for the network. How do we know everyone is playing fair? Bitmain could have private ASICs that hash at 500K/sols, and could have thousands of them. Just because the hashrate is high does not mean it’s trustworthy hashrate.

With how centralized ASICs currently are, we can’t be sure how many Bitmain has running. They could be most of the network right now. We don’t know how many they made or shipped out.

At least with GPUs, we didn’t have to worry about Nvidia and AMD using the newest cards to mine with. And everyone was on equal footing, no 10x-100x increase in a month. An increase of 30% over 2-4 years was expected with GPUs.

We went from 100,000+ GPU miners to less than 10,000 ASIC miners. What is more secure?

Why waste all this time making these calculations based on a perverted fantasy?

Why would such a company risk everything with such a low baller?

You are not contributing in any positive way. Why not talk about quantum mining or area 51 alien mining?

Maybe if you would take a min to read the post I was responding to, instead of wasting a post on how I am wasting time, you would see what I’m talking about and where I’m getting my numbers… Ironic how you say I’m wasting time and not contributing in any positive way, yet here you are responding to me and adding nothing to the discussion…

Your post is off topic and a waste of time to even read, thanks johnwisdom. At least I was talking about a 51% attack.

Do you care to explain how I’m wrong? I’m assuming, yes it’s a guess, that the current ASICs released are not the fastest ones available, NOT hard to imagine. Now how many of them would you need to get 51% of the network… yes it’s a guess, but easily within reason. What part is a perverted fantasy? What is so hard to believe?

I’m sorry you ordered ASICs not knowing anything about them, and how they are a race to ROI before they stop making money due to electricity. Don’t get mad at me just because what I say might have some truth to it.

EDIT: I don’t even know why I try. I show math, the calculations, post charts, link supporting evidence, yet people on here are just like derp you’re wrong. Always with nothing to support what they are saying.

Just in general, without taking any side: if I remember right, the cost or % of control needed is less than 51%.
While it’s called a 51% attack, it’s sometimes misleading for various attacks that happened.

In some cases, like a time spoof or double spend attack, it could be enough to control even 30% of the network to “inject” a chain that has been mined privately already. And as said already, if I remember correctly, on some low hashrate coins it could even be enough to temporarily control as much as 15% to try attacking the network. I’m making the comment generally and it’s not toward ZEC or ZEN, but just to show that 51%+ is not always needed to perform an attack.

This is true, you can change a block or 2 with less than 51% of the hashrate, however this does you almost zero good. To do what has been happening with the 51% attacks you need more hashrate than 51%.

You actually need MUCH more than 51% to attack an exchange that requires 20-30+ confirmations. ZenCash was 51% attacked over 38 blocks. You need MUCH more than 51% of the network to mine 38 blocks in a row.

Most 51% attacks that have hit exchanges needed MUCH more than 51% of the network to mine 20-30 blocks before the network; doing that with less than or even equal to 51% is almost impossible.

Can you link any articles on this? I have not seen anything about 15-30% of the network being all that is needed to attack the network.

I just searched for the link but can’t find it right now, pretty sure it was explained in detail on an Electroneum Reddit channel talking about the attack they suffered as well as Vitalik explaining 51% on another article.

I’m not the expert when it comes to network security, but (again: if I remember right!) it was explained this way:

If you have 51% of the network hashrate the attack will succeed 100% and someone indeed owns the new longest blockchain, able to do whatever they/he desire.

But even with less a successful attack can be carried out, the success rate just gets smaller. Can’t remember the exact digits, but if I remember right with as low as 30% an attack has very good chances to be successful and even with as much as 15% an attack might get successful at some time, it just might take several attempts. The chance with the 15% hashrate attack was calculated in theory and not covered by any real proof.

The idea about having success with less hashpower is that the attacker already secretly mined his own blockchain and did not contribute it to the network, but will do so only if he has a long one and succeeds in getting to a point where he can inject his “offspring of the blockchain”, which lets him spend for the time “his” blockchain is valid. Hope you get the idea. Pretty sure there are some articles and experts that can explain it way better than me.

Some remarks I found right now:

  • investopedia: On the other hand, a form of a 51% attack is possible with less than 50% of the network’s mining power, but with a lower probability of success.

  • decentralpost: 51% is just a name, less hash-power would be enough for an attack
    Despite its name, the 51% attack scenario doesn’t actually require 51% of the hashing power. In fact, such an attack can be attempted with a smaller percentage of the hashing power. The 51% threshold is simply the level at which such an attack is almost guaranteed to succeed. Security research groups have used statistical modeling to claim that various types of consensus attacks are possible with as little as 30% of the hashing power.

If this was directed towards my original post, then this is a strawman argument because I never suggested Nicehash was rented to attack any network. I even stated Nicehash’s Equihash availability in order to show that Nicehash would not be sufficient to launch a 51% attack as it accounted for less than 6% of the Zcash network hashrate at the time. The purpose of mentioning Nicehash was to prove that any attacker would have to make a substantial hardware investment in order to carry out such an attack.

Given that an attacker would need to spend $50+ million to carry out such an attack, it would stand to reason that any rational attacker would need sufficient monetary incentive to attack ZEC specifically and risk losing the value of their hardware investment. Would-be attackers wouldn’t need to worry about the effects of attacking smaller Equihash coins, since a loss in confidence in ZEN or BTG doesn’t create a loss in confidence in ZEC. Conversely, because ZEC is the largest Equihash coin by a large margin, an attack on Zcash specifically would risk destroying confidence in all Equihash coins and bricking the attacker’s hardware.

You’re right, you absolutely cannot be sure what Bitmain or any other manufacturer has developed. However, this falls into the realm of wild speculation as @johnwisdom pointed out. And to clarify, I really don’t think he meant for that comment to be argumentative. He simply stated an opinion that trying to guess what kind of secret hardware exists isn’t particularly useful, and I tend to agree with that sentiment. I attempted to keep my original calculations as fact based as possible.

I don’t know where these numbers are from, but they’re either incorrect or outdated. Refer to my original post to see how I derive an estimate of $50 million.

I’ve been a GPU miner for many years and this is also false. In 2016 the Ethereum network difficulty went up 10x from January to October.

ASICs are more secure for the reasons I stated in my original post, such as a lack of monetary incentive, which you didn’t address. Without monetary incentive, no rational attacker will risk losing his hardware investment unless the potential gains of a 51% attack exceed the cost of their hardware.

You’re 100% right on this point. An attacker would need substantially more than 51% of hashpower to revert the chain back 30+ confirmations. However, this actually reinforces my argument that the probability of a 51% attack being carried out against ZEC is close to zero. If the attacker needs significantly more than 51%, then that proportionally increases the hardware cost needed to carry out the attack.

1 Like
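
Added example (not part of any post in this thread): the attacker catch-up calculation from section 11 of the Bitcoin whitepaper, which relates hashrate share and confirmation depth, the two quantities argued over above. It assumes constant hashrate shares and an attacker who never gives up; the function names and the shares and depths in the printed table are chosen here for illustration.

```python
"""Attacker catch-up probability, Bitcoin whitepaper section 11 (added example)."""
import math


def attacker_success(q: float, z: int) -> float:
    """Chance that an attacker holding share q of the hashrate ever overtakes
    the honest chain once a payment has z confirmations."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("q must be in [0, 1] and z must be >= 0")
    p = 1.0 - q                  # honest share of the hashrate
    if q >= p:
        return 1.0               # model result: a persistent majority always catches up
    lam = z * q / p              # expected attacker blocks while z honest blocks arrive
    poisson = math.exp(-lam)     # Poisson pmf at k = 0
    prob = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k   # pmf at k derived from pmf at k - 1
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return max(prob, 0.0)


def min_confirmations(q: float, max_risk: float, limit: int = 1000):
    """Smallest depth z with attacker_success(q, z) < max_risk, else None."""
    if q >= 0.5:
        return None              # no depth is enough in this model
    for z in range(limit + 1):
        if attacker_success(q, z) < max_risk:
            return z
    return None


def risk_table(shares, depths):
    """Map each hashrate share to its success probability at each depth."""
    return {q: [attacker_success(q, z) for z in depths] for q in shares}


if __name__ == "__main__":
    depths = [1, 3, 10, 30]                  # confirmation depths (illustrative)
    shares = [0.06, 0.15, 0.30, 0.45, 0.51]  # hashrate shares mentioned in the thread
    print("share  " + "".join(f"z={z:<10d}" for z in depths) + "z for risk < 0.1%")
    for q, row in risk_table(shares, depths).items():
        cells = "".join(f"{v:<12.7f}" for v in row)
        print(f"{q:<7.2f}{cells}{min_confirmations(q, 0.001)}")
```

Each row shows how quickly the risk of a reversal falls as an exchange waits for more confirmations, and the last column gives the depth needed to push that risk below 0.1% for a given attacker share.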

My point is you are looking at NICEHASH like it’s the only vector of 51% attack; there is no evidence to show it was ever or has ever been used like you are implying.

An article was made a few months back showing some numbers it takes to attack a network for 1 hour with NICEHASH. Highly misleading numbers because the odds of you accomplishing anything with just 51% of the network in 1 hour are almost zero. You need at least 30+ blocks to fool an exchange. If you mined EVERY block that hour, you would have 24ish, still not enough to make any real money back.

These are from your numbers…

Using a Z9Maxi (250K/sols) instead of a Z9 (40K/sols) you only need 3200 units to equal the 810Mh/s, $2000 x 3200 units = $6,400,000 USD. MUCH MUCH less than 50 million.

Do you think the Z9 is the best unit Bitmain has made? I highly doubt it; you can deny it all you want but it’s more likely than not. Units are available already that have 200K/sols or more. You don’t think Bitmain has something better?

Once again you miss the point. I’m not talking about hashrates, I’m talking about efficiency of the machines. GPUs only increased 30% or so in the last 2-4 years; ASICs can go 10x-100x in a month. Did Ethereum hashrate go way up from people buying GPUs and mining it? Yes it did, has nothing to do with efficiency though.

GPU miners don’t have to wake up one day to a new GPU that makes all the old ones doorstops by a margin of x10 or x100.

This would be true if it wasn’t an ASIC network. If manufacturers make a machine that does 5x what the Z9 does, this isn’t hard to imagine, they already did a 5x over the mini for the SAME cost. They would only need around 4000 units to have 51% of the network (for Zcash; other coins have a much smaller hashrate, AKA more incentive). Equals out to be around 7 million dollars to control almost all the Equihash coins that didn’t fork… OK, let’s say we use your 50 million, still a huge incentive for a company that made billions last year.

AND they would OWN the hashrate at that point, after a few attacks they can turn around and resell them because people will still buy them…or hell, do a 2 month pre order again and then attack the networks, the units have already been sold. So why does it matter if the coin goes to zero.

Mine/Attack/Resell…Win/Win/Win

If you are making the units, a lot of the risk goes into ASIC machines that you can just resell and profit because there is a demand. Why not use them to try and make some extra money that is completely anonymous.

I understand this and it’s technically true. So far all 51% attacks have been against exchanges, however to attack an exchange like this the odds say it’s almost impossible. I like how they say used statistical modeling, because under real world usage, it’s not gonna happen.

If you’re trying to roll a dice and have it land on 1 a million times in a row, it’s statistically possible, however the odds say it’s not gonna happen during your lifetime.

They also say “The 51% threshold is simply the level at which such an attack is almost guaranteed to succeed.” … This all depends on what you consider successful. Can you attack an exchange that requires 30+ block confirmations with 51%? More than likely not. Can you change a 1-3 block confirmation with 51%? Very possible, then I guess yes, it was successful. So it depends on what you consider an attack to be.

“with as little as 30% of the hashing power” … The problem is who are you attacking at this point with a 15-30% attack? You can’t make a chain that is 30+ blocks long to attack an exchange? However you might be able to make a block or 2 block chain that overwrites your transaction to the coffee shop that does zero confirmations.

This is why they say to wait a few blocks when sending large amounts of money, the deeper in the chain the less likely it can be reversed.

That’s not how I think it works with a secretly mined part of the blockchain in advance. As I understand it they mine their own chain (ahead or into the past) without releasing that blockchain, and just in a given moment that part of the blockchain gets injected through the attack. And here you have the blocks you need already done; until the true blockchain catches up the damage is done already.

For the third and final time, I never once stated or implied that Nicehash has been used to achieve a 51% attack. On the contrary, my post explained in very clear terms how Nicehash was insufficient and therefore any attacker would need to buy their own hardware in order to carry out an attack. It seems you have trouble understanding that point, but I’ve repeated it in all my posts on this thread.

Did you even read my post? You stated costs of $6.4 million for 51%, which is not “from my numbers”. My estimate was approximately $50 million, which I clearly explained with facts and figures.

You seem to be basing your estimates on fictional numbers. I don’t know what a Z9 Maxi is, but making estimates based on a hypothetical 250k sol/s miner that sells for $2000 USD is just plain silly. Stick to facts if you want to be taken seriously.

I haven’t seen any evidence that this is true. The 180k sol/s Asicminer Zeon which sells for $20,000 USD is more than likely a scam, and you can find a review from a well-known YouTuber that suggested it isn’t legit.

Maybe. Perhaps Bitmain or Innosilicon has a more efficient miner that they’re using in secret, but that’s all speculation. One thing is for sure though, if they did have such a miner they wouldn’t be using it to do a 51% attack unless there was monetary incentive to do so. That’s the main point that you seem to be missing.

This is a fair point. I agree with you 100% here, ASIC manufacturers have the ability to make previous hardware obsolete, which isn’t really a threat with GPUs.

I think you’re misunderstanding me when I talk about incentive for a 51% attack. There must be sufficient opportunity to double spend in order to make the 51% attack worth the risk of bricking your hardware. Thus, if an attacker needs to spend $50 million on hardware, then they need to double spend at least $50 million worth of deposits on an exchange in order to make it worth the risk. If they can only double spend $20 million and then the network forks after the attack bricking the hardware in the process, then they’ve lost $30 million by carrying out the 51% attack.

If you read my original post, I explained how the combined trading volume for all ZEC pairs across all exchanges is only about $53 million per day. So unless the attacker could simultaneously double spend ZEC across all major exchanges in amounts that exceed the daily trading volume of ZEC, then there really isn’t any opportunity to double spend enough to justify the risk of bricking your hardware. It would make much more sense for the hypothetical attacker to mine legitimately as they would make more money that way. This isn’t some novel idea either, the topic of incentive was discussed by Satoshi in the Bitcoin whitepaper.