Home » Articles » Risks Of The Double Spending Attack
Click Here To Hide Tor

Risks Of The Double Spending Attack

You may not know that Bitcoin is not the first digital coin project in history. Before it, other ideas were developed in order to create a digital currency but they all failed due to a very serious security issue that developers were not able to solve. Just to use simple words, when you spend your banknotes, you have to physically give them to the shopkeeper to pay him. If the shopkeeper doesn’t see the banknotes in his hands, he will not let you go away with the item you bought. Once you give him your money, you cannot spend the notes again because you simply don’t have your money anymore. While in the physical world this whole payment process is very simple, we cannot say the same about the digital world. In fact, in theory (let me underline “in theory”), it is relatively simple to copy your digital money and spend it twice! The so called double spending attack consists exactly in sending the same payment to two recipients at the same time. Bitcoin has been the first digital currency being able of resolving the double spending problem. In this article we will explain how Bitcoin attempts to contrast double spending attacks.

The Blockchain

Bitcoin solves the double spending attack by implementing the Blockchain. From the beginning of its transactions’ history, every transaction was registered and timestamped by Bitcoin. A group of transactions is called a block, and all the blocks linked together, form the Blockchain.

Every node in the chain, keeps memory of the whole chain, ever since 2009 and for this reason, when you download the official Bitcoin wallet called Bitcoin Core, you have to download more than one hundred gigabytes of Blockchain. Bitcoin also uses a system of confirmations, this means that when you send your payment it must be confirmed before being received by the recipient.

How can you be sure that every transaction is legit? When a transaction is made, it is included in a block encoded using the hashing system. A hash is a sequence of characters that is generated converting information in a single block using a mathematical formula. Once a hash is created, it is impossible to know what’s the sequence of characters that generated it. If only one character in a block changes, the correspondent hash will change. Furthermore, every hash is computed using a piece of the precedent block, so every block is related to the precedent. If someone wants to change a block to create a fake transaction, miners would notice that the hash of that block would not correspond to the precedent block and would pull that fake block out of the network.

Returning to our double spending example, the client sends his money to the merchant’s address. The payment waits for confirmation. Then he sends the same money to another address and also that payment waits for confirmation.

For the reason that every transaction is timestamped, the miners, who are responsible to control the ledger, will allow only the first transaction they see, pulling the second one out of the network. In the case the miners receive both the transactions simultaneously, they will validate only the transaction with more confirmations. A confirmation is nothing more than a block added to the first one. If a block is successfully added to your payment block, this means that your block is legit because every block is mathematically related to the previous one. If a merchant waits for a minimum of six confirmations, he can be sure no one will be computationally able to reverse the six hashes and tamper with the block.

Double Spend Attack Cases

-If someone could own the 51% of the computational power of the network, he could effectively create a fake blockchain everyone could trust. Due to the costs of hardware and electricity, this is physically impossible at the moment.

-Theoretically speaking, if the customer sends his payment to the merchant and to himself, he could receive the six confirmations before the merchant. In this case if the merchant did not wait for the six confirmations, he won’t receive his payment.

-The Finney Attack: this attack takes its name from Harold Thomas Finney, a PGP programmer and developer of several video games. He received the first transaction from Satoshi Nakamoto.

From Cyberpunks Mailing List:

“It seemed so obvious to me; here we are faced with the problems of loss of privacy, creeping computerization, massive databases, more centralization – and Chaum offers a completely different direction to go in, one which puts power into the hands of individuals rather than governments and corporations. The computer can be used as a tool to liberate and protect people, rather than to control them.”

The Finney attack requires the attacker to be the miner who controls his own block of transactions. It also requires to own a hash power less than 50%. The attacker sends the payment to the merchant and to himself without broadcasting the transaction. Once the merchant accepts the payment without waiting for confirmations, the transaction is broadcasted by the attacker, and the payment is invalidated. So the attacker can leave with the item he bought without having spended a single bitcoin.

One comment

  1. This is why waiting for confirmations is so important

Leave a Reply

Your email address will not be published. Required fields are marked *


Captcha: *