Double-Spending Made Easy

A practical guide to double-spending with Bitcoin

Prepared and presented by Charles Hill

Inputs and Outputs

All bitcoin transactions contain inputs and outputs, where the inputs to one transaction are outputs from a previous transaction. There is one exception - coinbase transactions - which have no inputs and only have outputs.

What is a Double-Spend?

Spending the exact same input twice with two different transactions. Alice broadcasts Transaction A where Bob is the recipient. Bob sees the transaction and thinks he has been paid. Alice attempts to broadcast Transaction B, but the transaction is rejected as a double-spend.

Race Attack

Alice creates Transaction A that pays Bob. Then Alice creates Transaction B using the exact same input, but the recipient is Alice. Finally, Alice broadcasts Transaction A followed quickly by Transaction B. The first transaction that is mined (confirmed) in a block is valid. The other will be invalid.

Finney Attack

Alice creates Transaction B that pays herself. Alice mines a block with this transaction included, but doesn't broadcast it. Alice creates and broadcasts Transaction A which pays Bob with the exact same input as Transaction B. Alice broadcasts the mined block.

Alternative History Attack

Alice creates and broadcasts Transaction A, while privately mining an alternative blockchain fork in which she has included Transaction B. Once her privately mined chain is longer than the public chain, she broadcasts her fork.

Replace-by-fee (RBF) Attack

RBF is a feature of the Bitcoin protocol that allows users to increase the fee paid by a stuck transaction, improving the odds that it will be confirmed. This feature can be abused to double-spend quite easily, but only for unconfirmed transactions.

Live Demonstration

How to Protect Yourself or Business

Wait for at least one confirmation - more for high-value transactions. If you absolutely must accept zero confirmation ("0-conf") transactions, use an app that warns you when a transaction is replaceable and when it has been double-spent.

For businesses such as cafes, restaurants, or bars - accepting unconfirmed Bitcoin transactions is a bad idea and it is no longer necessary now that there is a real solution for this use-case.

The Lightning Network (LN)

A peer-to-peer, second-layer network that facilitates instant, trustless, low-fee payments. The ecosystem around LN is developing rapidly. Download and give a try to one of several Lightning-enabled apps available today:

Lightning-enabled Mobile Wallet Apps

  • Eclair
  • Zap Wallet
  • Lightning App
  • Zap Wallet
  • Lightning App

Thanks!

degreesofzero.com/talks/double-spending-made-easy

Scan the QR code for a link to this presentation