Tuesday, January 31, 2023

Guard Against ‘Replay Attacks’ as Bitcoin Judgment Day Nears

Guard Against ‘Replay Attacks’ as Bitcoin Judgment Day Nears

Bitcoin’s slow march towards a split continues, and now it seems inevitable that there will be two blockchains a month from now. The good news is: if you have your own keys, then a split gives you two coins — likely BTC and BCC. The bad news is: two blockchains means the chance of “replay attacks”. Read on to find out more…

Also read: Big Block, Bitcoin Cash Hard Fork Beyond Our Control: Bitmain

First: Why Some Kind of Split Looks Inevitable

First of all, this article is not an endorsement of one version of Bitcoin over the other. Nor is it a prediction that either will succeed or fail. We know there are strong passions surrounding this issue, and mentioning them does not confer legitimacy.

Fork in spaghettiTired of trying to convince the other side of their righteousness, both the SegWit-only and big-block congregations have retreated to their churches — to listen to fiery sermons about how only they represent the “true Bitcoin”.

Like it or not, Bitcoin will get SegWit and “Bitcoin Cash” will fork. Everyone is waiting for that August judgment day, when the almighty invisible hand will begin to show its preference.

But wait! Bitcoin is not your soul — you only get one of those to sell (and many already have). With two Bitcoin blockchains, you still have a shot each way. You can be faithful and a heretic. It’s up to you to capitalize on that.

If you have your own private keys, you’ve made a good start. If the network splits into Bitcoin (BTC) and Bitcoin Cash (BCC), you automatically get equal amounts of both.

Again, this is not a guarantee that either will be worth riches, or even anything. But as the saying goes: better to have it and not need it, than to need it and not have it.

Sounds Good. So What Is a Replay Attack?

Replay attacks, despite the name, can be accidental or deliberate. Here’s the why and how:

So you have two identical blockchains. Both function in exactly the same way, and they have the same history. Protestants and Catholics both pray to the same Jesus and, for the sake of this metaphor, imagine He’s listening to all of them.

mirror double catsIf you make a Bitcoin transaction and there are two chains, it could get broadcast to both of them. You might have spent BTC and BCC when you only meant to spend one of them.

Note that you won’t lose coins if you don’t move them from your wallet, so it might be best to wait until everyone’s policy is clearer — including non-custodial wallets.

Some wallet developers may update their software or firmware to protect against this, by including an OP_RETURN flag in the transaction data telling the “other” network to ignore it.

Note: some reports say Bitcoin Cash developers have built replay attack protection into its code. However there is still some uncertainty over how it works.

Deliberate Replay Attacks

Aware of this “twin blockchains” quirk, hackers will try to exploit it. For example, third parties could still theoretically “listen” for a transaction on one chain and repeat it manually on the other.

They’ll likely target exchanges, which will have plenty of new tokens to go around. Unless the exchange has prepared for it, attackers could deposit and withdraw in quick succession, collecting both tokens somewhere else (see below for more detail).

In the next section we’ll look at how this happened to Ethereum last year.

The Ethereum Fork Case Study

Maybe replay attacks are something to worry about, and maybe they aren’t. Our best guide is to look at what happened to Ethereum in July 2016.

Ethereum Classic Logo GitHubThat was the month Ethereum’s high priests performed a dramatic hard fork to reverse the hack performed on The DAO, and return $50+ million to unlucky investors. Some cried heresy, claiming the “new” Ethereum was “not real Ethereum” and continuing to mine the original blockchain — called Ethereum Classic (ETC). In turn, ETH proponents ridiculed the ETC believers.

Sounds pretty familiar, eh?

Most expected the “classic” chain to wither and die — but there was community and trader demand for it, and so it still remains today.

At first, exchanges didn’t know what to do. Some simply ignored ETC, not expecting it to have any value. Rumors held that some providers secretly kept the tokens, while telling users they wouldn’t support them.

Then, some exchanges reported ETC tokens were “lost” in replay attacks. Some targeted Coinbase (either theoretically or literally), after it said it wouldn’t support ETC.


Coinbase eventually took steps to protect wallets against replay attacks, and said it had sufficient funds to cover any losses.

Chinese exchange Yunbi also claimed it lost 40,000 ETC tokens to replay attacks. At today’s ETC value, that’s about half a million dollars. Yunbi also promised to cover its users.

In Conclusion: Pray Quietly, and Hold Your Bitcoins

There’s always more danger of falling victim to a replay attack if your funds are on a centralized service, like an exchange or custodial wallet. Like they did with Coinbase and Poloniex last year, attackers may exploit their different support policies.

Praying handsIf you own your own coins (i.e.: hold your own private keys) then you can decide. Even if you do, it’s best not to move any coins from there until you’re sure you won’t be doing an accidental replay.

So, as you sit in the pews with your family awaiting the Bitcoin Rapture, remember that a hard fork may not mean immediate salvation or damnation for either side. After all, religions have been arguing for centuries and none has proved itself “right” or others “wrong” yet. At least not empirically.

It’s best to have a bet each way, and with Bitcoin it’s free. Just guard your coins for now, and wait for more information.

How are you looking after your stash? Is Ethereum a useful example here? Please share your thoughts in the comments.

Images via Pixabay, Wikimedia Commons

Bitsonline Email Newsletter