QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$5 600 000 USD
JULY 2020
MALTA
OKEX
DESCRIPTION OF EVENTS

"OKEx is a Seychelles-based cryptocurrency exchange that provides a platform for trading various cryptocurrencies. Some of exchange's core features include spot and derivative trading. It was founded in 2017. OKEx is owned by Ok Group which also owns crypto exchange Okcoin." "We rely on blockchain technology to provide everything you need for wise trading and investment. Enjoy hundreds of tokens and trading pairs. With OKEx, you can join one of the leading crypto exchanges by trading volume. We’re serving millions of users in over 100 countries. Our BTC futures trading volume is $1.5 billion daily. Apart from futures, we’re providing spot, margin, options, and perpetual swaps, DeFi, lending, and mining services." "OKEx provides excellent ETC liquidity, seeing some of the largest ETC transaction volumes in the industry."
"Ethereum Classic is a decentralized computing platform that executes smart contracts. Applications are ran exactly as programmed without the possibility of censorship, downtime, or third-party interference. Ethereum Classic is a distributed network consisting of a blockchain ledger, native cryptocurrency (ETC) and robust ecosystem of on-chain applications and services." "Ethereum Classic is the product of a hard fork after the Ethereum network split in different ways following an infamous hack in 2016."
"“[Grayscale] holds a sizable percentage of the circulating supply in Ethereum Classic, which is locked up in the trust that will never be liquidated,” [Meltem Demirors, the chief strategy officer at CoinShares] said." "Grayscale started its ETC Trust in April 2017."
“It would be very difficult for us to comment or point to our operating a vehicle around a particular protocol as being influential to the prices,” Michael Sonneshein, managing director of Grayscale, said in a phone interview with CoinDesk, pointing out his company also has large positions in bitcoin and ether. Grayscale, like CoinDesk, is a unit of Digital Currency Group.
"The “honest[y]” of more than half of miners is a core requirement for the security of Bitcoin and any proof-of-work cryptocurrencies based on Bitcoin. Honest action, in this context, means following the behavior described in the Bitcoin white paper. This is sometimes described as a “security risk” or “attack vector,” but is more accurately described as a known limitation to the proof-of-work model."
"Failure to meet this requirement breaks several core guarantees of the Bitcoin protocol, including the irreversibility of transactions. Many other cryptocurrencies, such as Ethereum Classic, have also adopted proof-of-work mining."
"For the Ethereum Classic blockchain, 51% attacks have been a threat for a long time. Unlike Ethereum, from which it was hard forked, the Ethereum Classic network is committed to the Proof-of-Work (PoW) consensus algorithm, which is also used by [bi]tcoin. But for large networks like Bitcoin, a 51% attack is prohibitively expensive to do given the enormous amount of computational power required by PoW to successfully do it. Ethereum Classic’s hashrate is much smaller, making it far more vulnerable to 51% attacks."
On "July 31, 2020, Ethereum Classic [was] 51% attacked." The "51% attack [resulted] in approximately $5.6 million worth of the cryptocurrency being double-spent."
"A report published by Aleksey Studnev of blockchain forensics firm Bitquery on August 5 has revealed the extent of the incident, with Bitquery estimating that the attacker made off with 807,260 ETC." "The report estimates the hacker reaped more than a 2,800% return for his efforts, having spent roughly 17.5 Bitcoins (BTC) worth $192,000 on renting hash power from Nicehash to execute the attack."
"According to OKEx's findings, from June 26 to July 9, 2020, the attacker(s) registered five accounts in preparation for double-spending ETC. All five accounts passed through OKEx's Know Your Customer protocols, passing to the platform's second and third KYC levels, which allow for increased withdrawal limits. From July 30 to July 31, 2020, the five newly registered accounts deposited 68,230.02 ZEC onto OKEx in multiple transactions. On July 31, the attacker(s) exchanged the full sum of deposited ZEC for ETC on OKEx's spot market. Next, the attacker(s) withdrew the newly purchased ETC from OKEx to multiple external ETC addresses, withdrawing a total of 807,260 ETC — worth approximately $5.6 million at the time."
"[A]fter trading ZEC for ETC on OKEx and then withdrawing the ETC to external addresses, the attacker(s) began the 51% attack of Ethereum Classic's blockchain in full. The whole operation can be broken into three stages: 1) the creation of a "shadow chain" or a secret, alternate chain to ETC's mainnet, 2) the actual double-spend and 3) the deep chain reorganization that resulted in losses to OKEx." "[T]he attacker(s) — having purchased enough hash rate to gain majority control of the ETC network — began to mine blocks on the Ethereum Classic network from block 10904146, which was mined at 16:36:07 UTC. The attacker(s) did not broadcast the newly mined blocks to other nodes, creating a so-called shadow chain that only the attacker(s) knew about."
"The attacker(s) then deposited the 807,260 ETC back to OKEx again, a transaction that was confirmed on the ETC mainnet. However, the attacker(s) manipulated that same transaction on the shadow chain, making the destination of the 807,260 ETC a second shadow chain address of their own, instead of an address on OKEx. The conclusion of this process was that the attacker(s) successfully completed a double-spend: the 807,260 ETC was both moved to OKEx on the ETC mainnet and remained on the second wallet address on the ETC shadow chain."
"The attacker(s) then traded the mainnet ETC on OKEx for 78,941.356 ZEC, again via spot trading. They then withdrew the ZEC to multiple external addresses." "Once the ZEC was withdrawn from OKEx and the transactions were confirmed, the attacker(s) broadcast 3,615 ETC shadow chain blocks to the ETC mainnet. These shadow chain blocks included the transaction of 807,260 ETC that had been sent to the personal address of the attacker(s), not the transaction sent to an OKEx address."
"On August 1, several figures associated with Ethereum Classic (ETC) took to Twitter to inform the community of issues with the ETC blockchain. Among the first was Ethereum Foundation member Hudson Jameson who stated that: “Exchanges need to pause deposits and withdrawals.”" "[A]nother large 51% attack occurred on ETC which caused a reorganization of over 4000 blocks. Until further notice ETC pool payouts are disabled and we encourage all our miners to switch to our ETH pool in the meantime." "During the attack, the offending miner managed to double-spend 807,260 ETC ($5.6 million) after spending 17.5 BTC or $200,000 (at time of writing) to acquire the hash power for the attack."
Initial speculation was that a miner had gone offline, rather than that an attack had taken place. "In a later report, Ethereum Classic developers said the reorganization instead could have resulted from "the offending miner [having] lost access to internet access for a while when mining," a scenario later confirmed by Culver."
"It could be that the offending miner has lost access to internet access for a while when mining, which led to a 12 hour mining period and about 3000 blocks inserted. On the first 2000 blocks, there was 1 miner and a total of 5 transactions. It also seems that the offending miner has uncled their own blocks by how fast they were mining. It doesn’t appear actively malicious. It might be a deliberate attack as well, but it doesn’t seem there was any major double-spend attack. More investigation of what happened is underway and more information will be released soon." "There was about 3000 block-insertion by a miner who was mining (either offline or there total difficulty could have exceeded current network difficulty while they were honestly mining) for about 12 hours on Core-Geth."
"After what appeared to be inefficient communication with other participants in the larger crypto community — including exchanges like OKEx, wallets and ETC miners — the ETC community at this point made the decision to move to mining the now-broadcasted shadow chain, given that it was longer than the original mainnet." The advice given to miners was to "[c]ontinue mining the chain as-is (chain is currently following the heaviest work which includes the about 3000 block inserted). This is the recommended option as the chain is following Proof of Work with the longest chain as intended."
"The ETC that the attacker(s) traded on OKEx became invalid when the attacker(s) accomplished a double-spend on the Ethereum Classic network." The attack "impacted Ethereum Classic (ETC), resulting in approximately $5.6 million worth of the cryptocurrency being double-spent. A report published on August 5 revealed the extent of the incident, estimating that the attacker made off with 807,260 ETC."
"As a result of the double-spend carried out by the attacker(s), OKEx suffered a loss of approximately $5.6 million in ETC, as this ETC was rolled back in the confusion around the existence of two competing ETC chains. The loss was fully borne by OKEx, according to its user-protection policy, and did not cause any loss to the platform's users. The ETC that users have deposited on OKEx remains safe."
NiceHash, a hashpower broker, acknowledged its platform may have facilitated the recent 51% attacks, in a blog post on Sept. 1, but it also concluded that such attacks cannot be prevented or mitigated in a "truly decentralized proof-of-work solution." "The only thing one can do is make the price of an attack higher than the attacker reward," the post added.
"James Wo, founder of ETC Labs, the leading organization supporting the Ethereum Classic network, told CoinDesk via a spokesperson that his team has been trying to enhance the network’s security in the past year, including expanding the network’s core development team, and partnering with companies such as Chainlink, Swarm and Bloq."
"The company announced two new hires on Sept. 3 to ETC’s core development team. “These developments and partnerships are working to quickly propel the advancement of ETC and ensure a bright future for the network,” Wo said, who added that ETC’s price has held “strong” even with the recent 51% attacks."
"Following the first incident, OKEx promptly halted deposits and withdrawals of ETC. This ensured that OKEx users and the exchange were not affected in the second attack on the network, which took place on Aug. 6. OKEx has suspended ETC deposits and withdrawals until the network is deemed stable again. The exchange also plans to increase confirmation time for ETC deposits and withdrawals accordingly, to avoid similar incidents in the future."
"Due to the mainnet upgrade of ETC, the depositing and withdrawal services of ETC were suspended from 7:00 Aug 1, 2020 (UTC) until the upgrade is complete. We apologize for any inconvenience this may cause." "OKEx will continue to independently investigate the five accounts associated with the ETC attack."
"Ethereum Classic’s price has demonstrated strong resilience." "However, some warn that unless it improves its blockchain and makes it safer, additional attacks on Ethereum Classic could trigger a market sell-off and lead to a collapse of its digital asset." "The recent 51% attacks on the Ethereum Classic network also have not led to any additional questions or worries from Grayscale’s clients on this crypto asset, according to Grayscale’s Sonneshein."
OKEx is a trading platform that provided a high volume of liquidity for trading Ethereum Classic, a proof-of-work blockchain with limited hash power. The Ethereum Classic blockchain is vulnerable to 51% attacks because of its low hash power.
In a 51% attack, a single group or individual purchases or repurposes a massive amount of hashing power. This enables them to produce an alternate blockchain history in which a payment that had already been accepted was never made, and to feed that history back to the network. As a result, they keep both their funds and whatever they received in exchange for the payment.
The 51% attack succeeded because it was not recognized as an attack at the time, and the network made the decision to adopt the longest chain, which was the one produced by the hacker. This resulted in a loss to the OKEx platform, which it has not passed through to its customers.
HOW COULD THIS HAVE BEEN PREVENTED?
The solution to mitigate 51% attacks is to increase block confirmation times and institute checkpoints, where all miners agree that transactions up to that point are valid. If a large reorganization occurs, it will be rejected by miners, and the attacker will simply lose the funds spent on the attack.
Attacks are relatively easy to spot because they result in massive chain reorganizations, which miners can easily decide to reject.
Platforms can protect themselves against 51% attacks by ensuring that they only deal with coins which use checkpoints, and have sufficient block confirmation requirements on deposits.
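The sketch below is an added example, not code from OKEx or the Ethereum Classic project. It models the deposit-side controls described above: a confirmation requirement, a checkpoint below which history may not be rewritten, and a halt when a reorganization is deeper than a threshold. The class, its parameters and the sample chains are hypothetical and constructed for illustration, with block hashes reduced to plain strings.

```python
from dataclasses import dataclass, field

@dataclass
class DepositGuard:
    confirmations: int        # blocks required (deposit block included) before crediting
    max_reorg_depth: int      # a deeper reorganization suspends all crediting for review
    checkpoint: int = -1      # heights <= checkpoint are final and may not be rewritten
    view: list = field(default_factory=list)     # block hash per height, as last accepted
    pending: dict = field(default_factory=dict)  # txid -> (height, block hash)
    halted: bool = False

    def update(self, chain):
        """Compare the node's new canonical chain with our view; return the reorg depth."""
        fork = 0  # first height at which the two chains differ
        while fork < min(len(self.view), len(chain)) and self.view[fork] == chain[fork]:
            fork += 1
        depth = len(self.view) - fork   # previously accepted blocks being replaced
        if depth and fork <= self.checkpoint:
            self.halted = True          # rewrites finalized history: keep the old view
            return depth
        if depth > self.max_reorg_depth:
            self.halted = True          # new chain is followed, but nothing is credited
        self.view = list(chain)
        return depth

    def record_deposit(self, txid, height):
        self.pending[txid] = (height, self.view[height])

    def creditable(self):
        """Deposits whose block is still in the accepted chain with enough confirmations."""
        if self.halted:
            return []
        tip = len(self.view) - 1
        return sorted(t for t, (h, bh) in self.pending.items() if h <= tip
                      and self.view[h] == bh and tip - h + 1 >= self.confirmations)

def constructed_chains():
    """Constructed sample data: a public chain and a longer private chain forking at height 10."""
    public = [f"pub-{i}" for i in range(27)]
    shadow = public[:10] + [f"shadow-{i}" for i in range(10, 40)]
    return public, shadow

if __name__ == "__main__":
    public, shadow = constructed_chains()
    guard = DepositGuard(confirmations=12, max_reorg_depth=6)
    guard.update(public[:16])
    guard.record_deposit("dep-1", 15)
    guard.update(public)
    print(guard.creditable(), guard.update(shadow), guard.halted, guard.creditable())
```

In the sample run the deposit becomes creditable at 12 confirmations before the longer chain is published, so the confirmation requirement only protects a platform when it exceeds the reorganization depth an attacker can afford; the depth check and checkpoint catch the rewrite itself.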
@etherchain_org - Twitter (Aug 1)
Ethereum Classic Blockchain Splits Due to Reorg by a Single Miner (Aug 1)
51% Attack Bleeds More Than $5M From Ethereum Classic (Aug 5)
Is ETC 102% Screwed After Second 51% Attack? (Aug 6)
$5.6 Million Double Spent: ETC Team Finally Acknowledges the 51% Attack on Network | Security Bitcoin News (Aug 6)
OKEx Responds to Ethereum Classic 51% Attacks, Reveals Its Hot Wallet System — Incident Report | Company Updates| OKEx Academy | OKEx (Aug 15)
OKEx Mulls ETC Delisting After Losses From Two 51% Attacks - CoinDesk (Aug 17)
Ethereum Classic 51% Attack: Okex Crypto Exchange Suffers $5.6 Million Loss, Contemplates Delisting ETC | Security Bitcoin News (Aug 17)
@JayHao8 - Twitter (Aug 20)
Crypto Hacks 2020: A Comprehensive List - ImmuneBytes (May 18)
SlowMist Hacked - SlowMist Zone (Jun 26)
https://blog.coinbase.com/coinbases-perspective-on-the-recent-ethereum-classic-etc-double-spend-incidents-1fd19ef215f3 (Sep 11)
