“We have proposed a system for electronic transactions without relying on trust,” concluded Satoshi Nakamoto, the mysterious inventor (or inventors) of Bitcoin, in the 2008 paper that unveiled its design. But late last week it became clear that the digital currency—now worth more than $7.6 billion—does rely on trust after all.
All day Friday, a bitcoin-mining company known as GHash.IO was in a position to blockade transactions or spend bitcoins more than once.
That power came from the fact that it controlled the majority of the computing power in the global network that processes and verifies bitcoin transactions (see “What Bitcoin Is and Why It Matters”). Contributing computing power to the network is rewarded with newly minted bitcoins, so a considerable industry has grown around the practice.
Nakamoto had foreseen how such an attack could work, but he had designed the system under the assumption that it would be impractical for anybody to amass so much computing power.
In fact, as the currency has grown in value, a handful of very large players such as GHash.IO have come to dominate bitcoin mining. Although an attack would be quickly detected, the effect on the perception and price of bitcoins would be severe. The coders who maintain Bitcoin now face the challenge of altering the system’s protocol to prevent such a thing from happening.
GHash.IO is a mining pool, a collective that people join to make the returns from running mining software more predictable. A pool operator shares out the sporadic wins of members across the entire pool, taking a small cut. GHash.IO became so large because it made it so easy for miners to get started and to convert their winnings into other currencies.
That GHash.IO had come to control the majority of mining power was brought to light in a blog post by two researchers at Cornell last Friday. One of them, postdoctoral researcher Ittay Eyal, told MIT Technology Review that the Bitcoin protocol should be updated to prevent mining pools from being able to amass so much computing power.
Discussion about how to do that has begun, but no easy-to-implement front-runners have yet emerged. There is also little precedent for such a tweak to Bitcoin’s design, Eyal says. “A change like that has to be done extremely carefully,” he says. “At its core right now Bitcoin mostly works according to Satoshi Nakamoto’s original paper.”
The process is complicated by the fact that any such change could potentially invalidate much of the specialized hardware that bitcoin miners have built up over the years and that powers the processing and verification of bitcoin transactions (see “Custom Chips Could Be the Shovels in a Bitcoin Gold Rush”). “That industry is the reason that Bitcoin is secure, and so it needs to be kept happy,” says Eyal.
In a blog post Monday, the bitcoin exchange CEX.IO, which operates the GHash.IO pool, said it was trying to convene discussions between major mining operations and the Bitcoin Foundation, which exists to support the core software, about ways to guard against majority attacks. “A long term preventative solution to the threat of a 51% attack does have to be found,” the post says.
In the short term, negative attention may offer some deterrent against anyone amassing a majority of mining power again. The power of GHash.IO’s pool had dropped to 39 percent at the time of writing, after concerns about its influence led some members to switch to alternatives. However, someone who managed to hack or coerce GHash.IO and one or two more mining pools could still stage a majority attack.
Gavin Andresen, chief scientist for the Bitcoin Foundation and previously core maintainer of the Bitcoin code, has long warned that mining has become too centralized. In a blog post reacting to concerns about GHash.IO, he cautioned, “Bitcoin is still a work in progress, and you should only risk time or money on it that you can afford to lose.”
Nonetheless, many people and companies are heavily invested in the cryptocurrency. CoinDesk reported last week that some $113.2 million has been invested in bitcoin companies in 2014 alone.