A paper has recently surfaced entitled “Two Bitcoins at the Price of One? Double-Spending Attacks on Fast Payments in Bitcoin” which purports to have successfully crafted fraudulent double-spend transactions. It’s an amazing paper and the vulnerability it discloses is a big deal – it’s also 17 pages long and filled with enough arcane-looking math to make your head spin. This is an extremely important subject to understand since it changes the way merchants should look at unconfirmed Bitcoin transactions, and the educated opinions of users will determine how we should move forward. This paper may be an erudite 17-page masterpiece, but useful to the average user it ain’t. Let’s see if we can simplify things, shall we?
Let’s start by defining what it means to “double-spend.” Let’s say we’re in a gold-based economy (wishful thinking, I know) and I’m a scammer. I can go buy a 10 oz gold bar, hollow out 5 oz of gold from the middle, replace it with tungsten and then use the 5 oz I scraped out to create an identical tungsten-filled gold bar. I can then spend both bars as though I had 20 oz of gold, even though I only ever had 10. The definition of a double-spend changes a bit depending on your transaction system, but it basically amounts to spending the same money two or more times.
The way Bitcoin is built, a double spend attack is basically impossible, as long as you wait for the transaction to get into a block – but what if you didn’t? Given that it takes an average of 10 minutes to generate each block, for certain types of transactions it’s not really feasible for the merchant to sit and wait for confirmations before letting you walk away with product. Can you double-spend an unconfirmed transaction? As it turns out you can, and now someone has.
The attack works because of a very simple factor that most folks don’t account for: connectivity. When a miner sees two transactions that conflict (spend the same coins), it keeps whichever one reached it first and drops the other. Because an attacker could fudge a timestamp with a non-standard client and there is (by design) no central authority to vouch for it, timestamps can’t be trusted, so in the case of a conflict nodes go by which transaction reached them first. All an attacker has to do is send two simultaneous transactions, one to the merchant and one to an address he controls, and make sure that each one reaches its intended target first – easy, right?
Not really. Reaching the miners first is pretty easy, all you need to do there is be more connected than the merchant is. If you’re a Bitcoin scammer, there’s a fair chance you’ve got access to a botnet and can install your own Bitcoin client on thousands of PCs, directly connecting your own client to each of them and making your immediate network absolutely massive. The average merchant probably hasn’t even set up their router properly to get more than 8 connections so beating them on connectivity won’t be hard. The hard part is getting the transaction the merchant wants to see to them first.
Transactions are broadcast indiscriminately, with no client aware of the addresses belonging to the clients it is connected to. This means that your botnet can’t usually target the merchant and force-feed them a specific transaction, but there are a few things that increase that likelihood. First, most of the cases for accepting unconfirmed transactions are in-person purchases, so it’s entirely plausible that the mere delay of relaying a transaction across the network could be enough: the vendor’s transaction is sent from somewhere geographically close to them while the fraudulent transaction originates from a more connected but distant client. It’s also plausible that a certain amount of delay could be added between the two transactions, so long as it’s not long enough that the merchant’s transaction can reach the miners first. Finally, if you’re able to compromise the merchant’s network or otherwise gain the IP address of their Bitcoin client, you actually could directly connect to them and send their transaction with zero delay.
Regardless of the methods used to send the conflicting transactions, the result is the same: The merchant sees a 0/unconfirmed transaction, the scammer walks away with product and the merchant’s transaction is invalidated and never gets into a block, allowing the scammer to re-spend those coins.
The silver lining here is twofold:
- It’s not 100% effective, so the scammer always risks “losing” his coins to a legitimately completed transaction.
- It’s fairly easy to combat and there are even suggested remedies in the paper itself.
One way to beat the scammer here is to be so connected that the cost of being more connected than the merchant is absurdly high. It would also be fairly simple to implement a sort of “listening network” that watches the network for conflicting transactions. Since the conflicting transaction would have to be broadcast at most a few seconds after the legitimate transaction, a wide enough network could catch such instances of fraud before the scammer has a chance to walk away. This “listening network” could even be built into Bitcoin itself, with any node receiving conflicting transactions relaying information about that transaction back through the network, alerting anyone listening for such information.
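To make the first-seen rule (described above in the discussion of how miners pick between conflicting transactions) and the proposed “listening network” concrete, here is a small added example in Python. It is not code from the paper, the post, or the Bitcoin client; it models a simplified listening node that keeps a mempool, applies the first-seen rule per spent outpoint, and records an alert whenever a second transaction tries to spend an outpoint already spent by an unconfirmed transaction. The transaction format, transaction ids, addresses, and the timing of the scenario are all constructed for illustration.

```python
"""
Added example: a toy "listening node" for zero-confirmation payments.
A merchant's own client may only ever see the legitimate transaction;
a well-connected listening node sees both and can warn the merchant.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# An outpoint identifies a specific output of an earlier transaction.
Outpoint = Tuple[str, int]          # (previous txid, output index)


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[Outpoint, ...]                 # outpoints being spent
    outputs: Tuple[Tuple[str, int], ...]         # (address, amount in satoshi)


@dataclass
class Alert:
    outpoint: Outpoint
    first_txid: str          # transaction that spent the outpoint first
    conflicting_txid: str    # later transaction spending the same outpoint
    first_seen_at: float
    conflict_seen_at: float


class ListeningNode:
    """Applies the first-seen rule and records conflicts instead of silently dropping them."""

    def __init__(self) -> None:
        self.mempool: Dict[str, Tx] = {}
        self.spent_by: Dict[Outpoint, Tuple[str, float]] = {}   # outpoint -> (txid, seen_at)
        self.alerts: List[Alert] = []

    def receive(self, tx: Tx, seen_at: float) -> str:
        """Return 'accepted', 'duplicate' or 'rejected-conflict' for an incoming transaction."""
        if tx.txid in self.mempool:
            return "duplicate"
        conflicts = [op for op in tx.inputs if op in self.spent_by]
        if conflicts:
            # First-seen rule: the earlier spender stays; the newcomer is dropped,
            # but the conflict is remembered so a merchant can be warned.
            for op in conflicts:
                first_txid, first_time = self.spent_by[op]
                self.alerts.append(Alert(op, first_txid, tx.txid, first_time, seen_at))
            return "rejected-conflict"
        self.mempool[tx.txid] = tx
        for op in tx.inputs:
            self.spent_by[op] = (tx.txid, seen_at)
        return "accepted"

    def is_safe_to_accept(self, txid: str) -> bool:
        """A merchant asks: is this unconfirmed txid in my mempool with no known double-spend?"""
        if txid not in self.mempool:
            return False
        return not any(a.first_txid == txid or a.conflicting_txid == txid for a in self.alerts)


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: one coin is spent twice; the listening node hears both versions."""
    coin: Outpoint = ("prev_tx_aaa", 0)                       # constructed outpoint
    to_merchant = Tx("tx_merchant", (coin,), (("merchant_addr", 100_000),))
    to_attacker = Tx("tx_attacker", (coin,), (("attacker_addr", 100_000),))

    node = ListeningNode()
    first = node.receive(to_merchant, seen_at=0.0)       # merchant's copy arrives first
    safe_before = node.is_safe_to_accept("tx_merchant")   # nothing suspicious yet
    second = node.receive(to_attacker, seen_at=0.8)      # conflicting copy arrives 0.8s later
    safe_after = node.is_safe_to_accept("tx_merchant")    # now flagged as contested
    return {
        "first": first,
        "second": second,
        "safe_before": safe_before,
        "safe_after": safe_after,
        "alerts": len(node.alerts),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The merchant-facing check is `is_safe_to_accept`: rather than trusting the 0/unconfirmed entry in their own wallet, the merchant queries a node that is connected widely enough to have seen any competing spend of the same outpoint within the first few seconds. A real deployment would gossip the `Alert` records between listening nodes so that a conflict seen anywhere is visible everywhere, which is the “built into Bitcoin itself” variant suggested above.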
It’s important to note that while this does represent an unpatched security vulnerability and the researchers were able to perform double-spends in their experiments, there are no known examples of this technique having been used by real scammers yet and all you have to do to protect yourself is wait for confirmations. If you must accept zero-confirmation transactions, make sure you check with some trusted third party source before letting anyone walk away.