Monero appears to be in the midst of a successful 51% attack
240 comments
August 12, 2025
vlugorilla
Qubic never actually hit 51% btw. Don't fall for it.
However they do have a large enough hashrate to perform multi-block re-orgs with their selfish mining strategy.
They disabled API hashrate reporting so that they could lie about it.
Keep mining and ignore the noise.
reorder9695
I am not that well versed in crypto. I understand the concept of a blockchain and what an n block reorg is, but what is the downside of a reorg? Like who can profit financially and why?
cyanydeez
America would be screwed if owning 51% of its value meant you could rewrite ownership.
*gestures wildly*
01HNNWZ0MV43FF
Good thing you need 30 percent, a larger number
mvdtnz
What's a "6 re-org"?
acjohnson55
I'm a little rusty with the terminology, but in a blockchain, the canonical current block is the one that has the greatest amount of proof of work (I think they call this the heaviest chain). Typically, each new block is the descendant of the most recent block. But it is possible to create a heavier chain from an earlier block. This invalidates any transactions on what was previously known to be the heaviest chain, and is called a reorg.
The farther back, the less likely a reorg is, so to have a reorg that invalidates 6 blocks is extremely unusual.
If one entity has a majority of the hash power, they gain the ability to try to force reorgs with a likelihood that increases with their advantage in hash power.
I typed all this before realizing I could have recommended that you ask an LLM, and it probably would have given you a better answer.
jmholla
This was a great answer. I'm glad you spent the time on it. Though I am curious what the 6 indicates.
skarz
[flagged]
tromp
No, it's not 6 blocks longer. It just needs to be 1 longer (i.e. 7 blocks since the last common block), which guarantees a higher cumulative difficulty and thus all honest miners will switch to the new branch, obsoleting 6 blocks on the old branch.
1270018080
It would be impossible to enforce, and a place like HN that has leaders who evangelize AI as a cure-all would never do it, but "I asked AI and here's what it said" comments should be against the rules.
NooneAtAll3
who are "they" you're talking about?
vlugorilla
"They" refers to Qubic (by Sergey Ivancheglo), a blockchain network that uses a "Useful Proof-of-Work" system, so it is not built for traditional cryptocurrency mining that solves arbitrary puzzles. Instead, it uses the collective processing power of its miners to train an AI. Qubic's AI-training work is performed by CPUs, same as used by RandomX (Monero's mining algo).
Qubic was able to orchestrate its network of miners to temporarily halt their AI-related tasks and redirect their collective CPU power to mine on the Monero network instead.
Also, Qubic has implemented an economic strategy that involves selling the Monero it mines for a stablecoin like USDT and then using those funds to benefit its own ecosystem and attract more miners, and renting hardware to gain more hash power. The proceeds from the sale of XMR are used to buy Qubic's native token (QUBIC) from exchanges. These purchased tokens are then "burned" or permanently removed from circulation.
sidewndr46
This seems oddly similar to the whole IRON/TITAN thing years back, but with extra steps.
greazy
What's their objective?
moomin
To summarise:
* One actor in the space appears to have done a proof of concept takeover of 51%.
* It’s not clear there was any malicious action nor intent in doing so.
* Performing something like this is definitely expensive.
* The potential impact of doing so is disputed.
* Whether or not it was achieved is also disputed
However, what has been known for some time is that the largest Bitcoin miners have more power than the entire community of many alt-coins. Whether this is an issue is a matter for debate. Certainly, until now, no-one has chosen to flex like this.
nickysielicki
> Whether this is an issue is a matter for debate.
Monero uses RandomX, which is intentionally chosen to make it difficult to accelerate using hardware that is common with other coins. It’s almost certainly not what happened here.
lagniappe
>until now, no-one has chosen to flex like this.
The two networks have wildly different proof-of-work algorithms, they're incompatible. A BTC ASIC will never mine Monero, ever.
soganess
I ask this not as a gotcha (I don't know the first thing about this), but rather because I'm interested: How do you know not "ever"?
Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine, hence I can use it to run whatever algorithm I want. Would that be more efficient than using a modern OoO superscalar? Almost surely not, but that doesn't mean it can't be done, just that it shouldn't be done that way.
*: I realize that the ASICs used in Bitcoin miners don't have dram access, but that isn't a general limitation of ASICs, just those ASIC 'chips' (and maybe not even those chips, just their implementations in bitcoin miners)
EDIT: Thanks to everyone who answered! For some reason, I had it in my head that the way we implement fixed function stuff in an ASIC was basically the same as a "burn once" FPGA. Brains gonna brain.
tux3
>Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine
No, that doesn't follow at all. An ASIC doesn't mean a general purpose CPU or FPGA. A chip that only knows how to do, say, video decoding is an example of ASIC. The video chip can't do bitcoin, the bitcoin chip can't do monero. They're not general purpose.
BoppreH
You might be confusing ASICs with FPGAs. You can't reprogram an ASIC, the algorithm is fixed at design time, and the chip built for this single purpose.
blibble
> Like, trivially, it's an ASIC, so I can use it to simulate a von Neumann[*] machine
asic does not mean turing complete
good luck simulating a von neumann machine on a sha256 accelerator
rokkamokka
That's not true for all altcoins however
scyclow
Pretty much everything other than bitcoin, monero, and dogecoin are running proof of stake these days anyhow, so it kind of doesn't matter.
yieldcrv
It's always hilarious when someone launches an L1 with an algorithm everyone can already dominate and it gets attacked immediately
Last time I saw that was on photonics processor blockchains
idiotsecant
That's not at all relevant to parent post's point. BTC mining is famously centralized, and continues to get more so. It is inevitable that a manufacturer of BTC asics with access to cheap power will become large enough to control 51% of the hash. It's inevitable. It's bad system design - it makes being able to manufacture your own custom silicon table stakes to run a financial system for some reason.
BTC will have to move to a proof of stake design to survive. It's unavoidable.
ifwinterco
That is debatable, but also besides anything else, changing to PoS means changing the tokenomics (some tail emission for staking rewards, no 21m hard cap), which means it's incredibly unlikely to happen
LikesPwsh
BTC can't move to proof of stake because religious zealots would keep their money in the old fork.
It's doomed in general, see the cash fork.
robocat
> It is inevitable that a manufacturer of BTC asics with access to cheap power will become large enough to control 51% of the hash
The ASIC manufacturer would also need a backdoor. ASIC manufacturers don't control mining.
Large miners are unlikely to allow backdoors into their mining network.
mattwilsonn888
"Performing something like this is definitely expensive"
That is false. A 51% attack is only expensive to the degree to which the hashpower required to exceed 50% is obtained at negative margins.
If an attacker can collect the total 51% or more hashpower at what would be a profitable rate despite the attack, then the attack is not "definitely expensive" - no, the attack is definitely profitable and the expense falls squarely on the minority.
hombre_fatal
Just because something is profitable doesn't mean it's not expensive, which only means it costs a lot of money.
Or, you need to spend a lot of resources to do the attack even if it's the case that you get that money back when you succeed. And the attack is not available to you if you can't front those resources (because it's expensive rather than cheap).
marcosdumay
I guess the clearer term for that would be "capital intensive".
ozlikethewizard
surely the fall in value of XMR caused by such an attack would make it unprofitable as well
blantonl
Or, you need to spend a lot of resources to do the attack even if it's the case that you get that money back when you succeed.
There is a word for this. We call it risk.
dumbfounder
Unless they drive the price into the ground.
ethagnawl
Right? If an attack like this is successful _and_ obvious/detectable, then it _should_ drive the price into the ground.
bawolff
When people say foo is expensive, they mean the gross cost not the net profit.
devmor
If I buy a yacht for $2 million and sell it for $4 million, it’s still an expensive yacht. Profit doesn’t make it less expensive.
apercu
In all seriousness, can you explain why the "impact of doing so is disputed". In my laypersons understanding, if you control ~51% of the hashrate you can outpace everyone else in producing blocks, which means you can change (reorganize) your blockchain history which means the ledger isn't trustworthy. Right?
PhilippGille
It's worth being precise here:
- The attacker can doublespend their transactions if their hashing power is high enough to create more blocks than what the recipient is waiting for. E.g. you buy a lambo, the shop waits 10 blocks after the tx is in a block and gives you the lambo, then you create a longer chain with 11 blocks to replace the other one, and don't include the original lambo tx. 51% of hashing power is enough to create new blocks, but not enough to create 11 alternative blocks. That requires more hashing power.
- The attacker can prevent other transactions from landing in a block, as long as they have majority
- But the attacker can't create fake transactions (e.g. if they only have 1k Monero, they can't create a tx with 2k Monero). Because all nodes (not only miners) still verify the transactions
- And the attacker can also not steal your money, because they don't have your private keys
apercu
In my head I kind of simplified it - if I can reorder the blocks in my history I can "reverse" a transaction, like "erase" that I bought a lambo yesterday so today I have not only the lambo, but the money that was in my account before I bought the lambo, too. But maybe that's me trying to oversimplify and missing the forest for the trees (this is very much not my domain).
corimaith
That's the point, you can only change YOUR history. From the perspective of a future merchant, that's trivial to deal with. And for existing transactions, you'd need the value of the goods from the transactions to exceed the cost of controlling the network to be worth it. But what kind of goods that can be transferred so quickly would be worth that much?
xnorswap
Maybe there's more resilience to prevent chain swaps now, but my understanding of the original blockchain algorithm is that:
At block N someone could start to privately mine (empty) blocks.
They keep mining in private until block N+x is public, at which time the private (51%) chain is length N+x+1.
They then announce their longer chain.
By the protocol, this longer chain (technically "most work" chain) is the more trusted one, and undoes any transactions in N+1 through N+x.
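The heaviest-chain rule, the "7 blocks to obsolete 6" point, the private-mining sequence above, and the double-spend in PhilippGille's reply are all the same mechanism, so here is one toy model of it in Python. This is an added example, not code from the thread or from Monero: it uses a fixed per-block difficulty (real chains adjust it, but the selection rule is the same), and the block contents and the `pay_merchant` transaction id are constructed.

```python
"""Toy model of heaviest-chain selection and a deep reorg (added example).

Blocks carry a fixed difficulty so "most work" is a plain sum. The
scenario mirrors the thread: a payment lands in the first public block,
the attacker mines privately from the fork point, and publishes a branch
one block longer than the public one, orphaning every public block.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(eq=False)
class Block:
    height: int
    parent: Optional["Block"]
    difficulty: int                   # work claimed by this block
    txs: Tuple[str, ...] = ()         # transaction ids included (constructed)

    @property
    def cumulative_difficulty(self) -> int:
        parent_work = self.parent.cumulative_difficulty if self.parent else 0
        return parent_work + self.difficulty


def extend(tip: Block, difficulty: int, txs=()) -> Block:
    """Mine one block on top of `tip`."""
    return Block(tip.height + 1, tip, difficulty, tuple(txs))


def ancestors(tip: Block):
    """Walk from tip down to genesis."""
    b = tip
    while b is not None:
        yield b
        b = b.parent


def select_tip(candidates):
    """Heaviest-chain rule: the tip with the highest cumulative difficulty wins."""
    return max(candidates, key=lambda b: b.cumulative_difficulty)


def fork_point(a: Block, b: Block) -> Block:
    """Last block the two tips have in common."""
    seen = {id(x) for x in ancestors(a)}
    for x in ancestors(b):
        if id(x) in seen:
            return x
    raise ValueError("no common ancestor")


def reorg_depth(old_tip: Block, new_tip: Block) -> int:
    """Number of previously canonical blocks orphaned by switching tips."""
    return old_tip.height - fork_point(old_tip, new_tip).height


def confirmed_txs(tip: Block) -> set:
    txs = set()
    for b in ancestors(tip):
        txs.update(b.txs)
    return txs


def selfish_mining_scenario(public_blocks: int = 6, difficulty: int = 100) -> dict:
    """Attacker pays a merchant in the first public block, mines a private
    branch from the same fork point, and releases it once it is one block
    longer than the public branch."""
    genesis = Block(0, None, difficulty)

    public = extend(genesis, difficulty, ["pay_merchant"])   # payment lands here
    for _ in range(public_blocks - 1):
        public = extend(public, difficulty)

    private = genesis                                        # withholds the payment
    for _ in range(public_blocks + 1):                       # one block more than public
        private = extend(private, difficulty)

    before = select_tip([public])              # what nodes saw before the release
    after = select_tip([public, private])      # what they switch to afterwards
    return {
        "depth": reorg_depth(before, after),
        "private_is_heavier": private.cumulative_difficulty > public.cumulative_difficulty,
        "payment_confirmed_before": "pay_merchant" in confirmed_txs(before),
        "payment_confirmed_after": "pay_merchant" in confirmed_txs(after),
    }


if __name__ == "__main__":
    print(selfish_mining_scenario())
```

With the defaults the merchant sees the payment at 6 confirmations, then the 7-block private branch is released, every node switches to it because it carries more cumulative work, and the payment is no longer in any canonical block: a 6-block reorg and a double-spend. Nothing in the private branch can spend coins the attacker does not own; it can only omit or reorder what was already valid, which is the precision PhilippGille's reply is after.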
the_sleaze_
Yes.
nomilk
Newb question, but why's it expensive, aren't they mining the whole time and can therefore make the usual money from that mining?
treyd
You are correct. It's expensive if you want to go rewrite history. 51% is when that becomes economically viable to do on its own.
soared
Way more context here https://www.cointribune.com/en/qubic-hits-52-72-of-moneros-t...
mvdtnz
No one is spending $75M a day to do a proof of concept. There's obviously some kind of intent to profit.
fruitworks
Qubic aims to profit from the publicity
rahen
This is odd. The current hash rate is around its nominal 5 GH/s, and neither any pool nor individual seems to be above 50%:
https://miningpoolstats.stream/monero
This Qubic group claims to concentrate 3 GH/s of hashing power, yet there has been no increase in the global hash rate either:
https://www.coinwarz.com/mining/monero/hashrate-chart
Could this be just a bait?
fruitworks
Peek the % of unknown miners in the pie chart at the bottom
znpy
dumb question: i took a look at https://miningpoolstats.stream/ethereumclassic for ethereumclassic and f2pool.com seems to have ~64% of the total hashrate... is that a takeover as well ?
idiotsecant
I mean, it means that eth classic's ledger is rewritable on a whim by that pool, if it has central control.
chuckadams
The thing about 51% attacks is they're hard to pull off in secret. And once they happen, who's going to accept the coin anymore? Plenty of potential for sheer destruction, but it seems pretty counter-productive to value.
chaboud
If only someone offered derivatives contracts that could be used to make money from destruction...
SilasX
Reminder: if you want to bet on an asset's demise (i.e. short it), you don't need a derivatives market, you just need to be able to borrow the asset and sell it. So you could accomplish the goal there by borrowing Monero and converting it to USD. A lot of smartcontract platforms let you do this -- including on other chains, where they hold a token convertible into the original chain's native unit.
I bring this up because people are always asking what platforms are allowing me to short cryptocurrencies, which seems to miss that it's enough to just have a debt denominated in what you want to bet against.
this_user
It's a Game Theory problem. If you are getting more value out of the system by maintaining it in the long-run, it would make no sense to attack it and destroy its value. However, once you can extract more value in the short-term through the attack than by being a long-term participant, it becomes attractive.
With BTC's block reward continually being reduced, TX fees will have to increase in order to avoid reaching the point where large miners could become tempted to attack the network.
dyauspitr
Monero has been under constant attack from its inception. It’s one of the only truly anonymous, untraceable payment systems so there has been a huge push to make it unviable. It was inexplicably delisted from major crypto exchanges in the past and now is under direct attack.
cassonmars
It's not inexplicable, they just don't want to explain that their asset listings are effectively beholden to banking partners in the same way that steam was forced to remove certain games because of Visa and Mastercard.
dehrmann
Unknown crypto vulnerabilities and 51% attacks are crypto currency risks that are theoretically out there, but we mostly haven't seen play out.
At some point, someone doing AI might amass enough GPUs to do a 51% attack on Bitcoin. You're right that it destroys confidence in the coin, so if you short Bitcoin futures before the attack, you might make money.
15155
> At some point, someone doing AI might amass enough GPUs to do a 51% attack on Bitcoin.
This is electrically impossible for Bitcoin specifically, modern ASICs exceed 3 orders of magnitude more hashes/Joule and hashrate/chip than a RTX5090 and cost $2-40 retail per chip.
Sohcahtoa82
People haven't mined Bitcoin on GPUs in over 10 years.
typpilol
Looks like they are winning.
Looking at that website I see that the unknown pool keeps getting a longer chain and it switches to it
Etheryte
Unless I'm missing something, this doesn't pass the sniff test. If a 51% attack was successful, every other miner could easily spot this and would stop mining. The fact that this has not happened is more trustworthy than a random guy on Twitter.
treyd
Unless the attacker was actively choosing to exploit the 51% hashrate power they have then it would still make economic sense for remaining minority miners to keep mining.
immibis
Why would every other miner stop mining, making it a 100% attack?
Yesterday I was running a Monero node and looking at it, and got an unusually very high number of chain reorganization messages. I could believe a 51% attack happened.
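A burst of reorganization messages from a node is exactly the signal a defender can watch for, so here is an added detection example in Python; it is not code from the thread or from the Monero project. It assumes the message text monerod emits from blockchain.cpp when it switches chains ("###### REORGANIZE on height: <split> of <old_top> ..."), and reads those two numbers as the first replaced height and the old tip height, so the reorg depth is `old_top - split + 1`; the log lines themselves are constructed, and the thresholds are arbitrary.

```python
"""Flag deep or frequent chain reorganizations in monerod log output (added example).

Message format assumed from monerod's blockchain.cpp; timestamps and
heights below are constructed, not a real capture.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: one 1-block reorg, one 6-block reorg, another 1-block reorg.
SAMPLE_LOG = """\
2025-08-12 09:58:12.101\tI Synced 3456780/3456780
2025-08-12 10:01:44.207\tI ###### REORGANIZE on height: 3456781 of 3456781 with cum_difficulty 987654321
2025-08-12 10:01:44.305\tI REORGANIZE SUCCESS! on height: 3456781, new blockchain size: 3456783
2025-08-12 10:20:03.410\tI ###### REORGANIZE on height: 3456790 of 3456795 with cum_difficulty 987655000
2025-08-12 10:20:03.512\tI REORGANIZE SUCCESS! on height: 3456790, new blockchain size: 3456797
2025-08-12 10:41:55.622\tI ###### REORGANIZE on height: 3456800 of 3456800 with cum_difficulty 987656000
""".splitlines()

# Matches the reorg-start line only; the "REORGANIZE SUCCESS!" line is ignored.
REORG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s.*"
    r"REORGANIZE on height: (?P<split>\d+) of (?P<top>\d+)"
)


def parse_reorg(line: str):
    """Return {ts, split, top, depth} for a reorg-start line, else None."""
    m = REORG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    split, top = int(m["split"]), int(m["top"])
    # Blocks at heights split..top (inclusive) are popped, so depth is top - split + 1.
    return {"ts": ts, "split": split, "top": top, "depth": top - split + 1}


def detect_reorg_anomalies(lines, max_depth=2, window=timedelta(hours=1), max_in_window=3):
    """Emit ("deep_reorg", ts, depth) for any reorg deeper than max_depth and
    ("reorg_burst", ts, count) when at least max_in_window reorgs fall inside
    the sliding window. Thresholds are arbitrary starting points."""
    alerts = []
    recent = deque()
    for line in lines:
        ev = parse_reorg(line)
        if ev is None:
            continue
        if ev["depth"] > max_depth:
            alerts.append(("deep_reorg", ev["ts"], ev["depth"]))
        recent.append(ev["ts"])
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if len(recent) >= max_in_window:
            alerts.append(("reorg_burst", ev["ts"], len(recent)))
    return alerts


if __name__ == "__main__":
    for kind, ts, value in detect_reorg_anomalies(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind} {value}")
```

On the constructed sample this raises a deep-reorg alert for the 6-block switch and a burst alert once three reorgs land within an hour. A depth of 1 or 2 is normal propagation noise on any PoW chain; what a selfish-mining majority produces is depth well above that, repeatedly, which is the pattern the depth and rate checks separate from background.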
max_
>Sustaining this attack is estimated to cost $75 million per day.
This is how proof of work systems operate.
They are very expensive to attack but very cheap to recover from.
$75m per day is clearly unsustainable.
Soon they will give up and the network will recover cheaply.
The attack is more of a nuisance than the end of Monero.
arrowsmith
> $75m per day is clearly sustainable.
Is this a typo or am I misunderstanding something?
transcriptase
I’m guessing it’s implied that the return would be higher than $75m a day.
sschueller
Depends what the goal is. A state that wants to break the anonymity of the system doesn't care about $75m per day, specifically a state that can just print that...
woah
I'm not familiar with Monero's privacy system, so I can't say for sure, but it is very, very unlikely that a reorg could in any way break anonymity.
fruitworks
Reorgs don't break anonymity
idiotsecant
The problem is not that the system is constantly under attack. It's that it can no longer be trusted to be secure. Nobody with money on chain will say 'oh well, probably nobody will steal my money today'.
do_not_redeem
A 51% attack doesn't let you steal random people's money.
idiotsecant
It absolutely does, just not directly. Say that you have 100k fiat equivalent in monero and I demonstrate a successful monero double-spend attack. How much do you think your monero is worth?
soared
Much better link - https://www.cointribune.com/en/qubic-hits-52-72-of-moneros-t...
Appears to be legit, but not really a nefarious attack.
sigmar
>Did Qubic really attack Monero? No, according to official statements, it was a planned stress test to identify vulnerabilities in the Monero network.
"not really a nefarious attack" is an insane summation of this article. There's zero way for someone outside of qubic to verify that they didn't do something nefarious while controlling the network. Stated another way- anyone could call their 51% attack a "stress test"
Stevvo
That entire article reads like propaganda/doublespeak.
"Planned test". Planned by whom? Planned by the attackers. The reorg did happen.
spoaceman7777
This is a bot hoax. The only news here is that twitter still hasn't fixed its insane spam account problem
rmm
Qubix(group performing attack) founder x post
polotics
This man is a true poet, just beautiful, look at this quote found on his exTwitter:
(quote starts here)
"""Writing this date here to memorize when the concept of Decentralized Artificial Intelligence (#DAI) got its final shape.
Not bullshit like "It runs on a #blockchain so it must be decentralized". In this concept each entity holds a secret know-how which modifies #IntelligentTissue (in cooperation with other know-hows owned by other entities, if needs to solve a complex task). Secrecy of each know-how ensures nobody can copy it, others can only attempt to create something similar by spending computational resources.
Each #AI is an original object, #IntelligentTissue is its hologram. #Qubic is the platform for AI creation, their convergence and intelligent tissue hosting"""
isoprophlex
Psychosis or marketing scheme? Who can even tell the difference anymore...
typpilol
He's a bit insane. I did the same thing to the IOTA network and brought it down to 0% confirmation for a month
Trust me he did not like it
Husieandr
[flagged]
art_vandalay
100% a fed action. Government influence has been pushing Monero off of exchanges and now this. Why? Because Monero has true anonymity.
rootsudo
Interesting, I don’t disagree but would like to learn more.
nickysielicki
If you exchange Bitcoin for cash, the IRS can retroactively look at every wallet that this money originated through. If they decide that they don’t like how certain coins were earned, they can mark them and any wallet they touched as poisoned, and put you in jail if you try to exchange them further.
Monero transactions are inherently obfuscated, which solves this problem. If you want more details, the Monero whitepaper is well written to be accessible for the common reader.
The tldr is it works atop ring signatures: https://en.m.wikipedia.org/wiki/Ring_signature
vintermann
> Monero transactions are inherently obfuscated, which solves this problem.
It solves the problem by making all participants culpable. The blockchain community is very good at imagining they have technical solutions to social problems.
ysofunny
fiat money has to be a monopoly
especially given its only backing is "trust" (trust that you won't get invaded or overthrown)
anonymous alt coins, real digital cash, are competition to the monetary system. there can be only one.
fnands
I am way OOTL with crypto drama.
Anyone have any context about who Qubic are, and what their deal is?
fruitworks
It's a long story, I wrote a blog about it here: https://rdrama.net/h/slackernews/post/385556/chud-chudsmug-u...
fnands
Thanks!
A 6 re-org does not mean a '51% attack' was successful. In that case, we'd see unbounded-depth re-orgs/no blocks mined by any other mining pool (assuming the adversary censors other mining pools, as this one does).
It does mean an adversary with a high amount of hash got lucky. I noted there's a discrepancy between their claimed network hashrate and pools' claimed network hash rate.
They may not be including their own hash rate in the network's, in which case they'd need to exceed it. Having 51% would only be 34% of total.
They're an unreliable narrator and I wouldn't trust any data from them. There's insufficient evidence to claim they have 51% of the network's hash power.
(https://nitter.net/kayabaNerve/with_replies)
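Two numbers in this thread are worth working through: rahen's observation that a claimed 3 GH/s does not show up in a ~5 GH/s network figure, and the point above that "51%" of a network figure that omits the attacker's own hash is only about 34% of the real total. The Python below, an added example and not code from the thread or from any of the parties, does that share accounting and then feeds the share into the catch-up probability from section 11 of the Bitcoin whitepaper, which is what turns "a lot of hash got lucky" into a number. The hashrate values are taken from the thread as stated; the formula assumes a steady-state race and no difficulty change during it.

```python
"""Attacker hash-share accounting and reorg success probability (added example).

Hashrates are GH/s as quoted in the thread; the probability is the
Nakamoto (2008, sec. 11) catch-up probability for an attacker with
fraction q of total hash power who is z blocks behind.
"""
import math


def attacker_share(attacker_hashrate: float, reported_network: float, attacker_included: bool) -> float:
    """True fraction of total hash power.

    If the reported network figure already counts the attacker, share = A / H.
    If the attacker's hash is missing from it, the real total is H + A.
    """
    total = reported_network if attacker_included else reported_network + attacker_hashrate
    return attacker_hashrate / total


def catch_up_probability(q: float, z: int) -> float:
    """Probability an attacker with share q ever overtakes a chain z blocks ahead.

    With q >= 0.5 the race is won with certainty; below that the whitepaper's
    Poisson sum applies (lambda = z * q / p).
    """
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * (q / p)
    total = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def reorg_odds(attacker_hashrate: float, reported_network: float, depth: int) -> dict:
    """Compare the two accounting assumptions for a reorg of the given depth."""
    out = {}
    for label, included in (("counted_in_network", True), ("not_counted_in_network", False)):
        q = attacker_share(attacker_hashrate, reported_network, included)
        out[label] = {"share": round(q, 4), "p_reorg": catch_up_probability(q, depth)}
    return out


if __name__ == "__main__":
    # "51% of the network" when the network figure omits the attacker:
    print(round(attacker_share(0.51, 1.0, attacker_included=False), 3))   # ~0.338
    # rahen's numbers: claimed 3 GH/s against a ~5 GH/s reported network, 6-block reorg.
    for label, row in reorg_odds(3.0, 5.0, depth=6).items():
        print(label, row)
```

Under the first assumption 3 GH/s of a 5 GH/s network is a 60% majority and a 6-block reorg is certain given time; under the second it is 37.5% of an 8 GH/s total and the same reorg happens only a fraction of the time, which is consistent with a single deep reorg appearing without other pools being shut out entirely. The probability is well below one for any minority share, but never zero, which is why "we saw a 6 re-org" and "they have 51%" are not the same claim.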