Saturday, January 23, 2021

FIRO fire sale…51% attacks, chain rollbacks?

The recent 51% attack on Zcoin / FIRO and its fallout have received a lot of buzz. However, many are unaware of just how bad what Zcoin / FIRO is going to do is for every other decentralized project. The precedent they are setting screams centralized, authoritarian decision making and caving to centralized exchanges’ demands, and it highlights the necessity of having SOLID blockchain developers, as attacks and the mishandling of the follow-ups put individuals’ cryptocurrency (funds) at grave risk. Beyond this, their sweeping decision screams centralized control and sets a standard for exchanges that any time there is an attack, it is incumbent upon the projects to refund lost amounts.

Exchanges run a business. Many blockchain projects do as well; however, many are run by a community, a DAO, or a DAC. Blockchains, while many have come a long way, may still have bugs, and worse yet, some do not have quality active development, putting these projects into a very high-risk category, where users’ funds are on the verge of being lost or inflated to oblivion.

However, for those active, high-quality, decentralized projects, when an attack occurs, putting the onus on the project itself to cover any lost revenue from an exchange is a VERY interesting dilemma. Yes, the project gets the benefit of being listed on a CEX for exposure, inroads for use, etc. However, the exchange makes significant amounts of money (upfront listing fees sometimes in the millions, transaction fees, counter trading order books, market making, and the list goes on). Projects don’t ever see any of these profits or revenues. Thus, when an exchange suffers a loss, demanding that a project pony up is a hard pill to swallow.

But that’s not the main point here. Let’s look at what happened with Zcoin / FIRO, what the 51% attacker was able to do, and then the decision (which I feel is a terrible one) to, in essence, create new coins to pay back Binance.

Essentially, in Proof of Work, peers follow the chain with the most work, aka the longest chain. Reorganization is part of the protocol and happens often, which is why exchanges, third-party services, and even the core wallet require a minimum number of confirmations before they let you transfer the coins that you received/sent. This is standard and is the baseline protection for the entire network.

Now... what happens if I have the hashing power majority in the network? Let’s say suddenly, I rent (for NOT that much money) mining power to direct to a network for 24–48 hours.

With enough power/control, I could force a reorganization at any time. This means that I can send a transaction to the exchange, wait for the confirmations, exchange the coins for btc/monero/whatever, and then *poof* reorganize the chain onto another one… one in which the coins that I had just sent to the exchange are back with me. How is this possible? Well, because in the alternate chain that I just pushed the network onto, those coins were never spent. So now, my wallet shows my Zcoin / FIRO as never having moved, but I also have all this new BTC (as a result of the prior chain sending Zcoin / FIRO to the exchange, quickly trading for BTC, and voilà, “free money”). Another way to think of it is this: It’s like temporarily pushing this reality into an alternate reality… long enough to do something, before people catch on and then push back to the “original” reality.

Now, imagine doing this over, and over, and over as long as I have the dominant power/hashing power.

In the case of the Zcoin / FIRO attacker, the attacker pwned the chain for an entire day, so they won every single block in those 25 hours (5 min per block, 12.5 FIRO per block I think). Thus, the amount of coins that they were able to spend and re-spend was VERY large (5–10% of the total coin supply).

So…what happened? Binance basically took in a ton of FIRO, swapped for BTC, and then poof…those FIRO are no longer there in THEIR wallets (because the chain was just re-organized BACK).
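Seen from the exchange’s side, the defence is to notice the reorganization and work out which credited deposits it erased. The following is an added example, not code from the original post, from any exchange, or from the FIRO project. It assumes chain length stands in for accumulated work and that the reorganization spans all 300 blocks implied by the figures above (25 hours at 5 minutes per block); every block hash, txid and function name is constructed for illustration.

```python
# Added example. All block hashes and txids are constructed sample data.
BLOCKS_PER_HOUR = 60 // 5              # 5-minute blocks, per the article
ATTACK_BLOCKS = 25 * BLOCKS_PER_HOUR   # 25 hours of attacker-won blocks = 300

def fork_point(old, new):
    """Height of the last block shared by both chains (-1 if none)."""
    height = -1
    for a, b in zip(old, new):
        if a != b:
            break
        height += 1
    return height

def reorg_depth(old, new):
    """How many blocks of the old best chain were disconnected."""
    return len(old) - 1 - fork_point(old, new)

def confirmations(deposit_height, chain):
    """Confirmations of a tx mined at deposit_height, as seen at chain's tip."""
    return len(chain) - deposit_height

def reversed_deposits(deposits, old, new, new_chain_txids):
    """Credited deposits mined after the fork and missing from the new chain."""
    fp = fork_point(old, new)
    return sorted(txid for txid, h in deposits.items()
                  if h > fp and txid not in new_chain_txids)

def build_scenario():
    """Constructed scenario: chains share heights 0..9, then diverge."""
    shared = [f"shared-{i}" for i in range(10)]
    old = shared + [f"old-{i}" for i in range(ATTACK_BLOCKS)]      # tip 309
    new = shared + [f"new-{i}" for i in range(ATTACK_BLOCKS + 1)]  # tip 310
    # txid -> height at which the exchange saw it mined on the old chain
    deposits = {"dep-before-fork": 5, "dep-rebroadcast": 11,
                "dep-double-spent": 12}
    # txids that also appear somewhere on the new chain
    new_chain_txids = {"dep-before-fork", "dep-rebroadcast"}
    return old, new, deposits, new_chain_txids

if __name__ == "__main__":
    old, new, deposits, new_txids = build_scenario()
    print("reorg depth:", reorg_depth(old, new))
    for txid in reversed_deposits(deposits, old, new, new_txids):
        print(txid, "had", confirmations(deposits[txid], old),
              "confirmations before it vanished")
```

In this constructed scenario the double-spent deposit had 298 confirmations on the old chain, so an ordinary confirmation threshold would not have protected it; what helps is alerting on the reorg depth and freezing the affected credits.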

So, this is pretty bad, right? This has been one of the central issues with Proof of Work (coins like Zcoin / FIRO), because anyone with enough power (money or resources) can in essence OWN the network, go spend coins onto markets to get BTC, and then “bloop” those coins magically were never spent, leaving the attacker with a fat stack of the coin + BTC/some other coin as well.

And it doesn’t cost as much as you might think. For some of these PoW networks, it might cost a few hundred dollars (or even a few thousand dollars). Pull it off (which this attacker did to Zcoin / FIRO), and you could end up with a LOT more. In this attack, they abused Zcoin / FIRO to the tune of at least 4 million+ USD (conservative approximation: 900,000 FIRO x $4.47 per FIRO).

— —

So what is Zcoin/FIRO doing that’s so bad? Well, if the above isn’t enough to ruin your day… Zcoin / FIRO seems to be unilaterally making a decision to go against their decentralized “premise”, paying off exchanges, and setting a terrible standard.

Instead of just calling it what it is (again, we don’t know the conversations between Zcoin / FIRO and Binance), where the attacker scalped a boatload from this attack…

Zcoin / FIRO is seemingly choosing to do the following:

1. Roll back the chain (which itself is a highly controversial decision)

2. Issue “themselves” (to Zcoin / FIRO) a NEW amount of coins (that mirrors the amount of coins that was double-spent to Binance)

3. Use these newly minted coins to pay back Binance.

I don’t know about you, but this is just insane.

1. You are a decentralized project now “unilaterally” creating new coins

2. You are then using these coins to pay a literal money machine (exchange)

3. You are setting a precedent that, in the future, for any loss on an exchange, it’s upon the project to pony up to cover those losses.

Look. Reuben is careful in choosing his words. He is making it seem like Zcoin / FIRO are rolling back the chain and are taking the coins from the attacker. However, this is impossible as those coins don’t exist anymore (chain rollback).

So if indeed they are paying off Binance, where are those coins coming from?

This is also not the first time Zcoin / FIRO has been successfully attacked.

Back in 2017, 370,000 fake Zcoin were created, which the perpetrators sold for over 400 Bitcoins ($440,000 at the time). Curiously, back then, they were proud to say they were choosing to not be like Ethereum during the DAO event, where ETH rolled back the chain to “remove” the attackers’ coins.

