Ethereum Classic may have been targeted by a 51% attack, one of the only known ways to compromise the blockchain and execute “double spend” transactions that credit the attacker with free money.

The stewards of the Ethereum Classic blockchain requested that exchanges and mining pools suspend ETC deposits and transfers while they work out what’s going on.  Crypto exchange Poloniex has suspended trading, though other major exchanges, such as Binance, have not. The coin’s price remains stable and trading volume for Ethereum Classic has not declined following the hack, according to data from metrics site Coin Gecko.

Ethereum Classic is the leftover blockchain from a 2016 hard fork; the more successful fork is now referred to simply as Ethereum, while Ethereum Classic continues to operate as an independent project.

According to analysis from Yaz Khoury, who heads developer relations at the Ethereum Classic Cooperative, the potential attack took place in the early hours of August 1 when someone mined 3,693 extra blocks on the ETC blockchain.

The 3,693 additional blocks were far more than the Ethereum Classic blockchain could handle since incorporating them would require recalculating several hours worth of solved block hashes.

Additionally, the blocks were added while 2Miners, a mining pool collective on ETC and by far the largest provider of the network’s overall hash power, was offline for maintenance. Since they were providing the vast majority of the hashing power, they would have otherwise have stopped the invalid blocks from becoming a part of the chain.

When 2Miners was back online, it and other competing miners picked up the chain containing the rouge empty blocks and accepted it as the real main ETC blockchain.

In short, while the lights were off for 2Miners, a single source of mining power mined more than 3,000 blocks that became accepted as the real ETC blockchain, despite not being verified when they were created by other ETC miners.

If the 2Miners pool had remained online, generated blocks would be verified across the entire network of miners before being added to the end of the chain, preventing this type of bulk addition. Since the mystery miner controlled more than 51% of the total network hashing power when the blocks were added, however, that didn’t happen.

In theory, the new blocks could have contained double-spend transactions or other malicious activity that blockchains are designed to prevent. It’s not yet certain, however, that the blockchain reorganization was the result of nefarious intentions.

Khoury noted the nature of the potential attack, as well as the added blocks—many of which contain no transactions at all—don’t appear to be actively malicious.

He suggested that they could have been generated when a rogue miner lost internet access for several hours while continuing to mine. Internet access is required to receive information about previous blocks in the chain, but miners are able to continue to generate invalid blocks even without this information.

When internet access was restored, the absence of powerful competing miners like 2Miners providing hash power to sustain the existing blockchain allowed the mystery blocks to be added and accepted as normal.

Source: Decrypt