51% Attack - How to rewrite the blockchain.

51% Attack Rewriting the blockchain.

A 51% Attack refers to the act of intentionally building a new longest chain of blocks to replace blocks in the blockchain. This allows you to replace transactions that have been mined into the blockchain.

This kind of attack is easiest to perform when you have a majority of the mining power, which is why it’s referred to as a “Majority Attack” or a “51% Attack”.

How does a 51% Attack work?

Nodes always accept the longest known chain of blocks as the valid version of the blockchain. So if you want to “undo” a transaction from the blockchain, you just need to build a new chain of blocks without that transaction in it.

Let’s say we paid for a car in bitcoin and drove off with it.

When nodes receive this new longer chain of blocks, they will perform a chain reorganisation to deactivate blocks in their old longest chain, and activate the blocks in the new longest chain you have given them.

Transactions in the old chain are now invalid. Our payment for the car never happened.

So by building a new longest chain to replace an existing one, you are effectively rewriting the blockchain and creating a new history of transactions for every node on the network to accept. As a result, you have reversed transactions that we previously thought to have been a permanent part of the blockchain.

However, actually performing a successful 51% Attack is not quite this simple…

Note: You would want to include a replacement transaction in the new chain to send the bitcoins to a new destination (e.g. to your address and not to the car dealer’s). Otherwise the original transaction could get mined into the main chain again.

What prevents a 51% attack?

Every miner is incentivised to build upon the current longest chain of blocks. So if the combined mining power of every other miner on the network is greater than yours, it makes it incredibly difficult to be able to outwork the other miners to build a longer chain and replace the existing one.

Miners working together can build a chain faster than you can on your own.

But of course, if you can actually acquire more mining power than all other miners combined, then you have the ability to outrun the current longest chain and build a new longer chain for everyone else to adopt.

It’s just a matter of time before you build a longer chain if you have the majority of mining power.

So to prevent this from happening we need to ensure that no single miner has the ability to acquire a majority of the mining power. This is achieved by allowing anyone in the world to mine, and incentivising these miners to do so by offering block rewards.

Miners are incentivised to work on the longest known chain.

As a result, miners focus their energy on building the same chain, making it difficult for any individual to be able to rewrite what has already been written to the blockchain.

As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they’ll generate the longest chain and outpace attackers. – Satoshi Nakamoto

How difficult is it to perform a 51% attack?

The tricky part would be getting all the hardware needed to be able to perform the attack in the first place. That would be incredibly expensive and difficult. However, if you did manage to acquire a majority of the mining power, then it’s only a matter of time before you build a new longest chain.

Having said that, it does take more work to replace a large number of blocks than it would to replace just a few. So the further down a transaction makes it into the blockchain, the more time and energy it’s going to take to reverse it.

Transactions get harder to replace the further they get into the blockchain.

But again, this is assuming you can get the hardware to attain 51% or more of the mining power to outpace all the other miners. Good luck with that.

Nonetheless, you can still try and perform this kind of attack with less than 50% mining power, but the odds are very much against you…

Can you rewrite the blockchain with less than 50% mining power?

Yes, but you’ll need to have luck on your side.

Mining is unpredictable, so even if you’ve got a small amount of mining power, there’s nothing to say that you wouldn’t be able to get lucky and mine the next 2 blocks in a row. It’s highly unlikely, but not impossible. The probability depends on how much mining power you have relative to everyone else.

Of course, the further down a transaction is in the blockchain, the luckier you’ll need to get to be able to mine X blocks in a row. If nobody has a majority of the mining power, it gets exponentially more difficult to replace a transaction the further it gets into the blockchain.

e.g. If a miner has 40% of the mining power, they have roughly a 50% chance of being able to replace a transaction 5 blocks deep in the chain.

So unless you’ve got a significant proportion of the total mining power on the bitcoin network, your chances of replacing a mined transaction are slim, and those chances diminish quickly as the transaction makes it further down the chain.

Here’s a table of your exact odds:

Probabilities of replacing top X blocks in the blockchain based on how much mining power you have.

Blocks (X)  50% Control  40% Control  30% Control  20% Control  10% Control
1           100%         73.6%        44.6%        20.4%        5.1%
2           100%         66.4%        32.5%        10.3%        1.3%
3           100%         60.3%        23.9%        5.3%         0.4%
4           100%         55.0%        17.7%        2.7%         0.1%
5           100%         50.4%        13.2%        1.4%         0.02%
6           100%         46.2%        9.9%         0.7%         0.006%
7           100%         42.5%        7.4%         0.4%         0.001%
8           100%         39.1%        5.6%         0.2%         0.0004%
9           100%         36.0%        4.2%         0.1%         0.0001%
10          100%         33.2%        3.1%         0.06%        0.00003%

Tip: The numbers in the table above assume you are attempting to replace blocks by building an alternate chain that is one block longer than the current longest chain.

Equation

The probability of being able to intentionally rewrite blocks in the blockchain is just a function of how much mining power you have and how many blocks you want to try and replace.

The proof that blocks get harder to replace the further down they are in the chain is an important part of the system’s integrity and security. This equation is from the Bitcoin Whitepaper (Section 11).

Anyway, here’s what that equation looks like in Ruby code:

# p = probability honest node finds the next block
# q = probability attacker finds the next block
# z = number of blocks to catch up

def attacker_success_probability(q, z)
  p = 1 - q
  lambda = z * (q / p) # expected number of occurrences in the poisson distribution
  sum = 1.0

  for k in 0..z
    poisson = Math.exp(-lambda) # exp() raises e (the base of the natural logarithm) to the given power
    for i in 1..k
      poisson *= lambda / i
    end

    sum -= poisson * (1 - (q/p)**(z-k) )
  end

  return sum
end

# Example
puts attacker_success_probability(0.4, 5) #=> 0.5506251290702077

Tip: The equation above works out the probability of catching up with the longest chain (from being a specified number of blocks behind). If you want to replace blocks in the chain, you need to go one block longer.
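
The two tips above (the table uses "one block longer", the function uses "catch up") can be tied together in code. This is an added example, not part of the original page: the helper names and the 0.1% risk threshold are assumptions, and it also answers the defender's question of how deep a transaction must be before the replacement odds fall below a chosen risk.

```ruby
# Added example (not the original page's code); helper names are hypothetical.

# Whitepaper (Section 11): probability that an attacker with share q of the
# mining power ever catches up from z blocks behind.
def catch_up_probability(q, z)
  return 1.0 if q >= 0.5            # a majority always catches up eventually
  p = 1.0 - q
  lam = z * (q / p)                 # Poisson mean of attacker progress
  sum = 1.0
  (0..z).each do |k|
    poisson = Math.exp(-lam)
    (1..k).each { |i| poisson *= lam / i }
    sum -= poisson * (1 - (q / p)**(z - k))
  end
  sum
end

# Table convention on this page: replacing the top `depth` blocks means
# building a chain one block longer, i.e. catching up from depth + 1.
def replace_probability(q, depth)
  catch_up_probability(q, depth + 1)
end

# Smallest depth at which the replacement probability falls below max_risk.
# Returns nil when no depth is enough (attacker share of 50% or more).
def depth_for_risk(q, max_risk, limit = 1000)
  return nil if q >= 0.5
  (1..limit).find { |depth| replace_probability(q, depth) < max_risk }
end

# One row of the table above, as percentages rounded to one decimal place.
def table_row(depth, shares = [0.5, 0.4, 0.3, 0.2, 0.1])
  shares.map { |q| (replace_probability(q, depth) * 100).round(1) }
end

if __FILE__ == $PROGRAM_NAME
  (1..10).each { |d| puts "#{d}\t" + table_row(d).map { |v| "#{v}%" }.join("\t") }
  [0.1, 0.2, 0.3, 0.4].each do |q|
    puts "attacker share #{(q * 100).round}%: " \
         "#{depth_for_risk(q, 0.001)} blocks deep for < 0.1% risk"
  end
end
```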

Another Chart

You can see the exponential decay in probability of being able to replace a transaction the deeper it makes it into the blockchain.

FAQ

Has anyone successfully performed a 51% Attack on Bitcoin?

Nope, not yet.

Some miners have come close to reaching 50% or more of the total mining power over Bitcoin’s history, but nobody has actually performed a successful 51% Attack.

GHash.io came close to reaching 50% in 2014.
github.com/in3rsha/bitcoin-mining-distribution

Note: Even if a miner gets over 50% mining power, it doesn’t necessarily mean that they’re actually going to perform an attack (it just means that they can). If anything, if you’ve got that much power it’s probably more lucrative to keep mining blocks and collecting block rewards than it would be to reverse a single transaction (and sink the value of bitcoin because of your attack).

How much hashpower do I need to perform a 51% Attack?

You can use the current target value to estimate how much hash power you would need to get majority control.

Tip: The target moves up and down based on how quickly all miners on the network are able to mine new blocks. We can therefore use it to figure out how fast we need to be able to hash to outpace the current speed of the network.

First of all, we can get the current target by looking at the “bits” field inside the block header of the most recently mined block.

$ bitcoin-cli getblockcount
607504

$ bitcoin-cli getblockhash 607504
00000000000000000011663be6abf8890af242638dd32090b41d55491c498cb8

$ bitcoin-cli getblockheader 00000000000000000011663be6abf8890af242638dd32090b41d55491c498cb8 | grep bits
  "bits": "1715dbd2",

Now, this “bits” value is just the target in compact format. So converting from bits to target we get:

0x00000000000000000015dbd20000000000000000000000000000000000000000

So that’s the number that all miners need to get below to mine a block.

We can work out how many hashes we would need to perform (on average) to get below this by dividing the range of all possible hash results by this target value:

$ irb
irb(main):001:0> (2**256) / 0x00000000000000000015dbd20000000000000000000000000000000000000000
=> 55306459560542772293455

So that tells us that we need to do 55306459560542772293455 hashes on average to mine the next block. Or in other words, this is roughly how many hashes all miners on the network are performing every 10 minutes.

See the chainwork calculation explanation for more information on how we get this “expected number of hashes”.

Anyway, using this number we can work out the hashes per second of the network:

$ irb
irb(main):001:0> 55306459560542772293455 / 600 # there are 600 seconds in 10 minutes
=> 92177432600904620489

So the current combined hash rate of every miner on the bitcoin network is 92177432600904620489 hashes/sec. Converting this to Th/s we get:

$ php -a
php > echo number_format(92177432600904620489 / 1000**4);
92,177,433

Therefore, to acquire 50% control over mining blocks, we need to build a mining farm that is capable of performing over 92,177,433 Th/s.
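
The whole calculation above, from the "bits" field to Th/s, as one script. This is an added example, not part of the original page: the helper names are hypothetical, and the only input is the "bits" value shown earlier.

```ruby
# Added example (not the original page's code); helper names are hypothetical.

# Expand the compact "bits" field into the full 256-bit target.
# First byte  = exponent (length of the target in bytes).
# Last 3 bytes = coefficient (the most significant bytes of the target).
def bits_to_target(bits_hex)
  bits = bits_hex.to_i(16)
  exponent = bits >> 24
  coefficient = bits & 0x007fffff   # bit 23 is a sign flag, not part of the value
  if exponent <= 3
    coefficient >> (8 * (3 - exponent))
  else
    coefficient << (8 * (exponent - 3))
  end
end

# Average number of hashes needed to land below the target.
def expected_hashes(target)
  (2**256) / target
end

# Hashes per second the whole network performs to find one block
# every block_interval seconds (600 = 10 minutes).
def network_hashrate(target, block_interval = 600)
  expected_hashes(target) / block_interval
end

# Convert hashes/sec to Th/s, rounded to the nearest whole number.
def terahashes(hashes_per_sec)
  (hashes_per_sec / 1000.0**4).round
end

if __FILE__ == $PROGRAM_NAME
  target = bits_to_target("1715dbd2")   # "bits" of block 607504, from the page
  puts format("target:   0x%064x", target)
  puts "hashes:   #{expected_hashes(target)}"
  puts "hashes/s: #{network_hashrate(target)}"
  puts "Th/s:     #{terahashes(network_hashrate(target))}"
end
```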

  • Coin Dance - Latest Blocks - Pretty website showing a pie chart of the current bitcoin mining distribution. The more distributed the better.

By Greg Walker

Last Updated: 25 Oct 2019
  • 25 Oct 2019: 51% attack (fourth draft - edits, links)
  • 24 Oct 2019: 51% attack (third draft - charts and live data)
  • 23 Oct 2019: 51% attack (second draft - images)
  • 22 Oct 2019: 51% attack (first draft - text)
