If you think your portfolio’s got it bad, just take a look down the market cap. Privacy coin Verge crashed twice in the space of a month, and allowed hackers to walk off with thousands of dollars in block rewards. A 51% hack on Bitcoin Gold allowed the attackers to double-spend as much as $17.5 million in cryptocurrency, and a similar attack on Monacoin resulted in $90,000 in losses.
While we on’t enjoy seeing other people’s coins get hacked, there are a few things we can learn from them.
Are ASICs that bad?
Bitcoin Gold and Monacoin were vulnerable because—unlike the bigger Bitcoins—they were intentionally built to resist industrial-scale mining. Several other cryptocurrencies, notably Monero and Verge, also made explicit choices to resist ASICs and keep mining within the scope of household computers.
But, although mining on your laptop sounds a lot more democratic than a few warehouse-sized mining farms, those mining farms do add a measurable improvement to network security. As the BTG hack shows, cryptos that limit the mining arms race to GPUs are also putting themselves at the mercy of players with heavier firepower.
You can learn exactly how vulnerable each coin is thanks to Crypto51, a helpful page that’s making the rounds on Reddit and Twitter. Would you like some free Einsteinium? I haven’t heard of it either, but you can own the entire network for less than forty dollars an hour. How about Bitcoin Private? It costs less than a thousand dollars to rent enough hash power to own the entire BTCP network. People spent twice that just to hang out at Consensus.
Bigger coins have better protection. All of Nicehash could only match two percent of the Bitcoin network, or three percent of the Ethereum network. “Most bigger cryptocurrencies have sufficient mining capacity behind them, making it extremely expensive to acquire the necessary hardware to pull an attack like this off,” the creator of Crypto51 expains. “Smaller cryptocurrencies have less hashing power securing the network, making it possible to simply rent hashing power.”
It’s also worth mentioning that—despite the name—a 51% attack does not actually require half of the networks’ hashpower, so most of these prices are probably overestimates.
This seems to make ASIC-resistance a losing game. What happens if a big player cracks ASIC resistance? Monero developers faced exactly that problem last March, when Bitmain began selling the machines they’d already developed and used in secret. The next time Bitmain starts mass-producing industrial miners, they might not be nice enough to tell us.
But what about the Verge attack?
The Verge hack was a little different—the attackers exploited timestamps instead—but there’s still a lesson in there.
The first time Verge got hacked, they were still trying to raise zillions of dollars to deliver a mystery partnership. The partnership now seems to be stillborn, and the porn industry has moved on to other cryptos. Since then, lead developer Justin Erik Valo (or Sunerok, or whatever his real name is) has tried patching it, forking it, repatching and borrowing code from other projects, none of which have made his sinking boat any more weatherproof.
Somewhere in this story, there’s a cautionary parable about the limits of decentralization. In a marketplace full of decentralized projects, Sunerok tried really hard to make his most censorproof, anonymous, trustless coin in the cryptosphere. He integrated Verge with TOR to prevent detection. He wrote a the protocol to rotate through hashing functions, to resist the centralizing power of ASIC chips, and did everything else he could think of. None of that changed the fact that, in terms of leadership, his was one of the most centralized projects in the space.
Another Kind of Centralization
Several years ago, someone much smarter than Erik Valo proposed that cryptocurrencies were limited by an impossible trilemma: Given a choice between scalability, security and decentralization of nodes, developers can choose no more than two. If you want Visa-level transaction speed, you have to give up on security or centralize your network. And so on.
But there should also be a term for a different kind of centralization: the kind when all the brainpower behind a leaderless project can fit inside a single room.
At the other end, larger coins are less affected, and team size correlates directly with success. You may not like EOS, but the fact that Daniel Larimer can hire a Roman Legion of developers should allay some doubts. Likewise, if the entire Ethereum core team had simultaneous heart attacks, there would be plenty more to fill in the gaps.
As much as we all hate banks and “third parties,” we put a lot of trust in the third parties who write our code. Unless you’re smart enough to audit code for yourself, every download from Github is like doing a trust-fall with your life’s savings.
With BTG taking on water, and Verge starting to sink, we may find that some of our favorite little projects are not as centerless as they look.
The author is invested in Ether, Bitcoin and Monero.