By Kris Coward, Chief Scientist at Shyft Network
Are decentralized systems inherently vulnerable to 51% attacks? The recent successful 51% attack against the Ethereum Classic (ETC) network showcases the limits of decentralization and flaws in the current processes of securing digital assets and hints at the ways these risks can be mitigated.
The Ethereum Classic 51% attack (and what it means)
The state of the market, also known as âcrypto winterâ has had a chilling effect on the industry. In addition to bringing down the prices and eroding margins, the market affected the hash rate required to mine the more secure, POW-based tokens. Since Ethereum mining infrastructure can also be used to mine ETC, it ended up presenting a particularly attractive target for potential attackers. And so it got attacked.
Since ETC exists because of the DAO hack, thereâs a certain poetic irony to it being targeted. The DAO (âDecentralized Autonomous Organizationâ) was groundbreaking but ultimately a flawed attempt to found an entirely new model of totally decentralized governance, and it was built on Ethereum. When a hacker successfully compromised The DAO due to security flaws, the Ethereum community had a choice: roll back the chain to make investors whole again, or accept that the theft occurred and respect the sanctity of the ledger. ETC was the result of the latter camp forking off.
Weâve now seen two fairly cutting-edge networks brought down at least in part by the same principle: âthe more decentralized a technology is, the better and freer it is.â Ultimately, that freedom comes with an expensive set of risks that might not be worth the price of admission.
The internet is a dangerous placeâââand everyone knows it
The same principle applies to any conventional proof-of-work based cryptocurrency; ETC is no exception. Thereâs no requirement to raise 51% hash power to successfully perform a â51% attackâ. Related attacks have been demonstrated using as little as 25% of a POW networkâs collective hash power to successfully subvert enough blocks to confirm invalid blocks (note that while these attacks are technically feasible, theyâre generally not considered economically viable). The relatively recent advent of rentable computing power via services like NiceHash makes 51% attacks even easierâââno more need to rig up an expensive fraud engine at home or the office.
Thereâs a perfect storm effect at work here: more and more users who either donât know how to secure their data online or donât have faith in the tools at their disposal; malicious actors online with increasingly sophisticated and inexpensive means to subvert even sophisticated networks, and an increasingly networked world in which more and more services are coming online.
Information security is a serious concern
For both the crypto world and the broader online ecosystem, current solutions are simply not good enough. The security apparatuses and conventions are not keeping pace.
The importance of data security and privacy means we need to think beyond âdecentralized everythingâ and come up with solutions flexible enough to solve for many diverse use cases. Just recently, the World Economic Forum released research showing that the percentage of users who take active measures to protect themselves online is dismal, even while the vast majority acknowledge that information security is a serious concern.
Itâs clear that people need better tools to protect and manage their data.
Weâve seen more major data breaches, including the compromise of personal data for essentially the entire German political class. Last March, a breach in Indiaâs ID database exposed biometric information on over 1.1 billion citizens. Another half a billion had their personal information made available to hackers thanks to lax security infrastructure at Marriott hotels. Thatâs just three major incidents. New major headlines keep coming with distressing regularity.
Some centralization required
A more comprehensive solution for both crypto users and average internet users has to be some sort of compromise point between centralization and decentralization. In a blockchain context, this means networks that have some element of authorityâââwhether itâs singular or federatedâââto be able to, for example, efficiently roll back blocks affected by an attack, or at least to increase the block confirmation threshold.
For example, through an attestation flow that leverages trusted entities, a blockchain network would allow users to attest to their token ownership without exposing their specific identity to the blockchain and introducing further risk. In case of theft or loss of access to private keys, users could then issue a âstopâ order to the network to ensure that no funds can be moved until theyâre sure the coast is clear.
Relying on existing roadmaps and Improvement Protocols alone wonât suffice. We need to ensure that cryptography and technology that is built to leverage it, like blockchain, can work for everyone.
Usability matters: How cryptography can be made accessible for everyone
For blockchain technology to deliver on its potential, it should be able to reproduce some of the basic usability elements and conveniences people have come to expect from technology, while still leveraging the advantages offered by cryptographic keypair architecture and distributed systems. In other words, lost keys shouldnât lead to panic and forever-lost funds; attestations on the network should have revocability elements, and thereâs a need for a more centralized middle layer to manage keys and attestations. In other words, we canât expect users to be their own banks, and perhaps not everything needs to be decentralized all of the time.
Security mechanisms and systems that make it easy for regular people to manage and protect their data could be the key to mass adoption.
========================================
Kris Coward is the Chief Scientist of Shyft Network. His journey began in the 90s as a teenage hacker, followed by extensive experience in academia and the corporate world. At Shyft, he combines his technical skills with a keen interest in cryptography, security, and privacy.
Learn more at Shyft.Network or talk to us on Telegram.