While undoubtedly complex and necessary for the world of crypto and NFTs, the ideas that underpin and connect to blockchain technology are relatively simple to understand. One of its most important concepts is the so-called “51 percent attack:” an almost unrivaled threat to decentralized technology (and the crypto industry it supports). To understand what that is and its potential wide-reaching implications for Web3, we need to look at the fundamentals of the blockchain itself.
The blockchain is a distributed digital database that moves and tracks data in blocks that link together to form a chain-like record of information flow. The important thing to know here is that blockchain systems are managed by a network of users and computers called nodes, which collectively validate transactions in place of a third party like a bank or a centralized data server controlled by a Big Tech company.
But what’s a 51 percent attack?
In theory, the number of validating nodes in a blockchain system corresponds to the security of that network. To successfully hack the system, a group or an individual would need to take control of the majority of nodes in the system — 51 percent of them — to alter the blockchain record and forge transactions involving crypto and NFTs, potentially resulting in the loss of countless millions worth of digital assets. In essence, then, a 51 percent attack allows bad actors to hijack the blockchain network, giving them the ability to manipulate transactions in the network with disastrous financial effects.
This could occur through the collusion of groups and individuals that control the nodes or through hackers taking control of them. The greater the number of nodes, the more difficult this is to do. The Ethereum blockchain reportedly has hundreds of thousands of validators in its network, for example, while other chains have far fewer.
Examples of 51 percent attacks
In March 2022, hackers with ties to the North Korean government successfully gained control of five of nine of the Ethereum-linked sidechain Ronin’s validating nodes on the popular play-to-earn game blockchain-based game Axie Infinity. The hackers forged withdrawals from the network that amounted to roughly $625 million, making it the largest hack in that network’s history. When the Ronin team realized what had happened, they took a centralized step and paused the blockchain network entirely for months before restarting transactions in late June.
Another 51 percent attack occurred in 2020 when hackers took control of Bitcoin Gold, a small crypto token that split from the Bitcoin blockchain in 2017. The hackers were able to double-spend over $72,000 worth of the cryptocurrency. Double spending is when a cryptocurrency is used twice or more, allowing the individual who initiated the transaction to reclaim their spent tokens.
Just how likely is a 51 percent attack?
Vulnerability to this kind of attack directly correlates to the network size: the bigger the blockchain, the more secure it is. For systems running on energy-intensive proof-of-work (PoW) consensus mechanisms (like Bitcoin), the computing power required to pull off a 51 percent attack is massive and decreases their likelihood; it’s simply not worth the hackers’ time and money to even attempt to do so.
If they can pull it off, however, there is no way to revoke the physical hardware enabling them to attack the system, meaning they could continue to do this until network administrators initiate a “hard fork.” A hard fork is a significant change to a blockchain’s protocol (its basic set of rules) that branches it into two now incompatible versions of itself. Such events are often the point of origin for new cryptocurrencies, as was the case with Bitcoin Gold.
But there are ways to disincentivize 51 percent attacks. Proof-of-stake (PoS) consensus mechanisms, like the one the Ethereum blockchain runs on, are exponentially less energy-intense than PoW-operated networks. These rely on validators putting up (staking) an amount of cryptocurrency to be accepted as a validating node. In the case of Ethereum, that’s a hefty 32 ETH. In theory, if enough validators in a PoS system colluded, they could take control of the network. Still, even if this occurred, Ethereum administrators could “slash” this staked ETH, meaning the violating nodes would simultaneously lose their investment and their ability to attack again.
Ethereum Co-Founder Vitalik Buterin has addressed this issue several times over the years, claiming that, while undesirable, a 51 percent attack wouldn’t be fatal to its blockchain.
The decentralization debate
In the days before Ethereum’s merge to the much more energy-efficient PoS consensus system it now runs on, Buterin posted a Twitter poll in which he asked how long people would want to wait before they supported “extra-protocol” intervention. The idea was simple: would the community support a centralized authority stepping in and making a judgment call for the entire blockchain in the event of extreme circumstances?
The question isn’t rhetorical, either. Bitcoin isn’t the only blockchain that was forced to hard fork in the event of an attack. In 2016, Ethereum instituted a hard fork after attackers exploited flaws in an application running on the blockchain, causing the system’s administrators to roll back the transactions related to the exploit to return users’ funds to them.
Such centralized actions are the antithesis of the very concept of blockchain technology: While the largest single group of respondents to Buterin’s poll supported the idea of centralized intervention, the thought of such action sits uneasily with a significant portion of the Web3 community, as evidenced by the comments below the same poll. However, for the time being, they remain an unfortunate necessity to ensure the stability of these systems in times of extreme need. Regardless, they remain a controversial center of discussion in NFT and crypto circles. Much like the discussion surrounding decentralized Web3 marketplaces, it may be that decentralization by centralized means is the best, albeit paradoxical, path forward.