Ethereum Classic, the original version of the pre-forked Ethereum blockchain, has been experiencing the second 51% exploit in less than a week.
The second attack happened tonight and caused the reorganization of more than 4000 Ethereum Classic (ETC) blocks. The latter intrusion came just 6 days after the first one, which occurred on the first day of August, reorganizing the 3.693 blockchain blocks.
The attack was first noticed by Binance cryptocurrency exchange and Bitfly, which runs Ethereum mining pool Ethermine. According to Binance, its alert system automatically halted all ETC withdrawals and deposits the moment the attack was noticed. Meanwhile, Bitfly also announced to currently disable the miner’s payouts.
51% attack refers to a chain reorganization attack on a blockchain network when a single miner or the organization takes control over more than 50% of the network’s mining hash rate or computing power. The majority of the mining power then allows the attacker to reorganize transaction blocks, halt the transactions from being confirmed, or even reverse the already completed ETC transactions.
Ethereum Classic is a decentralized blockchain designed for building and deploying the decentralized applications. The open-source platform is the original version of the pre-forked Ethereum blockchain, that operates on the Proof of Work (PoW) protocol and supports its native ETC cryptocurrency.
The first 51% attack occurred between July 31 and August 1. The network exploit resulted in 807 thousand stolen ETC coins, worth around $6 million according to the asset price of $7.51 at the moment.
As stated in the analysis of blockchain data intelligence company Bitquery, the attack was carefully planned by exploiting the Ethereum Classic protocol and the ability of not being detected for several days.
The hacker first withdrew 807k ETC from exchange to his own crypto wallets and later deposited funds back to the exchange on ETC blockchain. He then started to mine ETC blocks by renting extra hash power to gain the majority (or 51%) of the network’s hash power. The attacker then created private transactions inserted into the blocks he was mining and sent funds to his own wallets. Meanwhile, the blocks were not published and thus invisible to the network for nearly 12 hours.
The hacker however exploited the timeframe by sending funds to exchanges via the intermediary wallets on the non-reorged chain and withdrawing stolen funds by the series of smaller amount operations to avoid the suspicion.
Finally, the attacker published his blocks showing that transactions to the exchanges never happened and all the funds are possessed in the attacker’s wallets.
All the attacks came from the single address in the Ethereum mainnet, however, the exact owner of it is not clear yet. The analysts however guess that it may belong to the OKEx exchange or its affiliates as the same address has numbers of related activity to OKEx wallets.
It is not known yet if the first attack was implemented by the same person or organization as the latter one, that was implemented tonight. During the latter 51% attack, the Ethereum Classic network suffered the 4000 blocks reorganizations, however, the exact amount of damage is not announced yet.