Reorg Attack

A reorg attack occurs when an attacker with significant hashing power (in Proof-of-Work) or stake (in Proof-of-Stake) secretly mines or validates blocks to create a competing chain. Once this private chain is longer (or has higher weight) than the current public chain, the attacker broadcasts it. The network's consensus rules then adopt this new chain as canonical, orphaning the blocks from the original chain and reversing the transactions they contained.

The most common objective of a reorg attack is double-spending. The attacker:

• Makes a legitimate transaction on the public chain (e.g., sends crypto to an exchange, converts it to fiat, and withdraws).
• Creates a private chain where that transaction is excluded.
• Successfully reorgs the chain, erasing the original transaction, while keeping the withdrawn fiat. This allows the attacker to effectively spend the same coins twice.

A successful reorg attack is often synonymous with a 51% attack (or majority attack). The attacker must control over 50% of the network's hashing power (PoW) or staking power (PoS) to consistently outpace the honest network and build the longest chain. The depth of the reorg (how many blocks are reversed) is directly proportional to the attacker's hashing/stake advantage and the speed at which they can produce blocks.

Reorgs undermine probabilistic finality. In chains like Bitcoin, transactions are only considered secure after a sufficient number of confirmations (block depth). A reorg attack demonstrates that older blocks can still be reversed, requiring services like exchanges to wait for more confirmations for high-value transactions. This attacks the core security assumption of Nakamoto Consensus.

Blockchains employ defenses to limit reorg depth and establish finality:

• Checkpointing: Periodically finalizing a block (e.g., every 200 blocks in Geth) to make earlier blocks immutable.
• Finality Gadgets: Protocols like Ethereum's Casper FFG (Friendly Finality Gadget) add a layer of economic finality where validators explicitly vote to finalize epochs, making reorgs past a finalized checkpoint prohibitively expensive and detectable.
• Longest Chain Rule Modifications: Some protocols penalize chain reorganizations beyond a certain depth.

A Time-Bandit attack is a sophisticated variant where an attacker with significant historical hashing power attempts to reorg the chain from a point far in the past. This is not to double-spend recent transactions, but to alter the entire history of the chain, potentially to claim block rewards or transactions from the past. It highlights the importance of economic finality over pure longest-chain rules.

A reorganization attack occurs when a malicious miner or validator with significant hashing power (or stake) secretly mines a longer, alternative chain that does not include certain transactions from the main chain. When this longer chain is broadcast, network consensus rules force nodes to adopt it, orphaning the previous blocks and reversing the transactions they contained.

• Key Mechanism: The attacker must produce blocks faster than the honest network, a 51% attack in Proof-of-Work or a comparable stake majority in Proof-of-Stake.
• Goal: To double-spend cryptocurrency or censor specific transactions.

The most direct financial impact of a successful reorg is double-spending. An attacker can:

1. Deposit funds into an exchange or purchase goods in a transaction on the main chain.
2. Secretly build a parallel chain where that transaction does not exist.
3. Release the longer chain, causing the original deposit/transaction to be invalidated.
4. Spend the same funds again, as they were never truly transferred.

This undermines the fundamental immutability and finality guarantees of the blockchain for affected parties.

The security against reorgs increases with block depth (confirmations). A transaction 1 block deep is highly vulnerable, while one 100 blocks deep is considered extremely secure on robust networks like Bitcoin.

• Probabilistic Finality: In Proof-of-Work, finality is not absolute but becomes exponentially more certain with each new block.
• Absolute Finality: Modern Proof-of-Stake chains (e.g., Ethereum post-merge) use checkpointing and finality gadgets to provide cryptographic finality after a certain number of blocks, making reorgs beyond that point practically impossible.

Beyond double-spending, reorgs can cause significant disruption:

• Network Instability: Frequent reorgs create uncertainty, degrading user and developer trust.
• Miner/Validator Revenue Loss: Honest miners lose block rewards and transaction fees from orphaned blocks.
• Smart Contract State Corruption: Applications relying on recent block hashes (e.g., for randomness via blockhash) can malfunction if history changes.
• Exchange & Bridge Vulnerabilities: Services with short confirmation policies are primary targets for double-spend attacks.

Protocols and services defend against reorgs through several methods:

• Increasing Confirmations: Exchanges and merchants require more block confirmations for high-value transactions.
• Checkpointing: Embedding authoritative block hashes at intervals to prevent rewriting past a certain point.
• Finality Mechanisms: Using Casper FFG (Ethereum) or Tendermint finality for instant, irreversible settlement.
• Monitoring & Alerting: Services monitor chain health and hash rate/stake distribution for signs of an impending attack.

Understanding reorgs requires knowledge of adjacent security topics:

• 51% Attack: The possession of majority hashing power that enables a reorg attack on Proof-of-Work chains.
• Nothing at Stake: A theoretical problem in early Proof-of-Stake where validators could vote on multiple chains without cost, encouraging reorgs.
• Long-Range Attack: A reorg attempt that rewrites history from far back in the chain's past, often mitigated by checkpointing or weak subjectivity.
• Chain Finality: The property that a block/transaction cannot be reversed, a key security goal.

A reorg attack exploits the Nakamoto Consensus rule that the longest valid chain is accepted as truth. An attacker with significant hashing power (in Proof-of-Work) or stake (in Proof-of-Stake) secretly mines or validates blocks, creating a competing chain. When this private chain surpasses the public chain in length, the network nodes will reorganize to adopt it, orphaning the previously accepted blocks and their transactions.

The most critical threat from a successful reorg is double-spending. An attacker can:

• Broadcast a transaction (e.g., pay for goods) that is included in the public chain.
• Simultaneously, exclude that transaction from their private chain.
• After the merchant delivers the goods, the attacker releases their longer chain, causing the original payment transaction to be reversed, while the attacker's funds remain unspent on the new canonical chain.

Blockchains implement economic and finality mechanisms to deter reorgs:

• Proof-of-Work: The cost of acquiring >51% hashing power makes attacks economically irrational for most chains.
• Proof-of-Stake Finality: Many PoS networks (e.g., Ethereum) have finalized checkpoints. After two-thirds of validators attest to a block, it is cryptographically finalized and cannot be reorged without slashing a massive amount of staked ETH.
• Settlement Layers: Networks like Bitcoin rely on probabilistic finality, where the cost of reverting a block grows exponentially with each subsequent confirmation.

Ethereum Classic has suffered multiple successful 51% attacks resulting in deep reorgs:

• January 2019: A reorg reversed over 4,000 blocks, enabling double-spends worth ~$1.1 million.
• August 2020: Another attack caused a reorg of over 7,000 blocks. These events highlight the vulnerability of chains with lower total hash power, where renting sufficient mining capacity to attack becomes feasible.

Projects employ active defenses against reorgs:

• Exchange Confirmations: Exchanges require high confirmation counts (e.g., 100+ for ETC) before crediting deposits.
• Chain Monitoring Services: Tools like Chainalysis and internal systems watch for hash rate fluctuations and unusual chain dynamics to provide early warnings.
• Modified Consensus: Some chains implement timestamps or checkpointing of known-good blocks from trusted authorities to prevent deep reorgs.

A Time-Bandit Attack is a sophisticated variant where an attacker uses future, more efficient mining hardware to rewrite distant history. By going back to a historical block and mining a new chain from there with superior hardware, they could potentially reverse long-settled transactions. This theoretical attack underscores the importance of cryptographic security assumptions and the immutability provided by sufficient cumulative proof-of-work.