Bitcoin Double-Spends an Inevitable Network Feature, Legitimate or Not

Published at: July 7, 2020

Double-spending is an issue that has existed ever since Bitcoin’s (BTC) inception, and according to a recent report from ZenGo, it still persists across cryptocurrency wallets such as BRD, Ledger Live and Edge.

Although these companies have updated their product offerings since ZenGo pointed out this discrepancy, it is speculated that millions of crypto users could have been exposed to this particular exploit, dubbed BigSpender. Ledger, one of the impacted crypto wallet firms, even claimed that this vulnerability is only a user experience flaw.

What is double-spending?

Double-spending is a flaw that arises across digital cash platforms wherein a single digital token can be spent more than once. Although this is not a weakness that is unique to blockchain and cryptocurrency, it becomes a very significant issue for crypto users. With centralized currencies, this issue is solved by having a trusted third party in place that verifies if the token has already been spent.

Decentralized currencies such as Bitcoin have as their unique selling point a system that is not linked to any central bank. Here, the double-spend problem is addressed by having many servers store up-to-date copies of the public transaction ledger.

The hurdle faced by this approach is that once broadcast, transactions reach each server at slightly different times, and if two transactions attempt to spend the same token, each server will consider the first one it sees to be valid and void the second. If two servers were to disagree, there would be no way to reconcile the true balance, as each server’s observation is considered valid. Cointelegraph spoke about the matter with Bilal Hammoud, founder and CEO of NDAX — a cryptocurrency exchange based in Canada — who said that despite recurring issues, Bitcoin does have a prevention system in place:

“Bitcoin network utilized multiple measures to prevent such attacks such as time to produce 1 block which averages about 10 minutes and recommendation of 6 confirmations, which makes it near impossible to reverse a transaction unless the attacker owns a significant network hash power.”

Legitimate and fraudulent ways

There are myriad ways that a crypto user or an entity can double-spend. While some of these methods are legitimate, most are, unsurprisingly, fraudulent. Some of the well-known double-spending techniques are race attacks, Finney attacks, Vector76 attacks, the aforementioned BigSpender attack and the main threat to the Bitcoin network, 51% attacks.

A race attack — also known as a replace-by-fee, or RBF, attack — happens when the merchant or receiving party accepts a transaction with zero confirmations. It is the most common double-spend, where a user sends a transaction to a merchant, and once the transaction has been accepted and goods are delivered, the attacker sends a conflicting transaction to another address with a higher transaction fee, forcing it to be validated before the original transaction. On this kind of attack, Hammoud commented:

“These kinds of transactions are not always fraudulent. Exchanges like NDAX typically carry out these transactions as they control a Bitcoin node with a method that is called RBF (replace by fee) to reverse a transaction whereby the transaction fee was low and they need the transaction to go faster or if the user of the exchange sent to the wrong address and the exchange attempts to reverse the transaction.”

A Finney attack, however, is a fraudulent double-spend that relies heavily on network hash rate and requires participation from a miner. This type of attack is extremely rare in the current scenario, as it requires Bitcoin’s hash rate to be extremely low. A Vector76 attack is also a rare attack that is a combination of Finney and race attacks.

The main threat to the Bitcoin network is a 51% attack, which could happen if a group of miners that control more than 51% of the network’s hashing power agrees to reorganize the transaction. This allows attackers to prevent new transactions from being confirmed by interrupting payments between some or even all users on that network. This attack also makes it possible to reverse transactions that were already completed, thus contributing to the double-spend issue. 

One of Bitcoin’s forks, Bitcoin Gold (BTG), was hit by such an attack twice, in 2018 and 2020. On this particular type of attack and attackers, Hammoud stated that Bitcoin is unlikely to be affected by it: “This type of attack is very unlikely as it threatens the entire network integrity, such an attack can only be coordinated if miners decide to destroy the entire bitcoin value rendering useless.” 

Solutions in crypto

The way that crypto firms/wallets detect attempts to double-spend is through the use of hashes. A hash is created using an algorithm and is essential to blockchain management in cryptocurrency, as these long strings of numbers serve as proof-of-work. When a given set of data is run through a hash function, there can only be one unique hash that is generated. Any tiny change to the data will create a totally unrecognizable hash when compared with the one generated originally. The algorithms used to create such hashes are called consensus algorithms.

Despite the use of these consensus algorithms on blockchain networks, there have been several instances of double-spends that have been detected where either the users or the firms themselves have been impacted. Gregory Klumov, founder and CEO of Stasis — an issuer of a euro-backed stablecoin — spoke to Cointelegraph on why the issue is still ongoing: 

“There are centralized and decentralized risks. In the first case, there are several points of failure hacking into which you can take ownership or take assets or whatever else. In the case of a decentralized network, most of it must be taken under control to carry out attacks. There is no alternative, so debates are happening which model will be sustainable in the longer run.”

However, some believe this to be an inherent flaw in the system. While speaking to Cointelegraph, Evgen Verzun, founder of decentralized cloud platform Hypersphere, revealed: “This is one of the basic flaws, so system creators should always remember about it and design their consensus algorithm in a way to avoid it.” Hammoud, however, holds a more liberal view on the nature of double-spends, holding the attackers more liable than the system itself: 

“Double spend is not necessarily an issue or a design flaw. The majority of users use double-spend for legitimate reasons. [...] Unfortunately, some bad actors do take advantage of that and by simply following the rules above like waiting for the necessary confirmations and disabling incoming connections to a merchant node can simply stop 95% of these attacks.”

What can crypto wallet firms do?

Since crypto wallets could be considered merely a door to the blockchain or an access interface, there are only limited efforts that can be taken to negate the risk of double-spending, according to Hammoud. He said that wallets can implement rules that forbid setting low transaction fees, or set up a ledger system that places funds on hold. He added: “But unfortunately, there is no wallet that can be foolproof as an attacker can simply run their own node or extract their seed from wallet providers and use a third-party to execute the attack.”

Since the current talk of the town is the recent RBF attack on various crypto wallet firms dubbed “BigSpender,” there are actions that merchants, users and firms can take to reduce the chances of these attacks in the future. Hammoud echoed the suggestions made by Verzun, noting: “Another measure would be also to implement a cool-down period where the wallet provider prevents users from exporting their private seed within 20 mins of sending a transaction or payment,” adding that:

“Merchants and users can stop these attacks by waiting for 6 confirmations on the blockchain. Some merchants and companies can also accept less than 6 confirmations, by disabling incoming network connection and making sure they are connected to a well-established node.”
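
An added example, not taken from the article or from any wallet's code: a Python model of the merchant-side rule described above, in which a payment is credited only after the required confirmations and any second transaction spending the same output marks it as contested. The class, field and status names are hypothetical and the transactions are constructed; the sequence threshold is the opt-in signal defined by BIP 125.

```python
from dataclasses import dataclass

REQUIRED_CONFIRMATIONS = 6       # depth the article's sources recommend
RBF_SEQUENCE_LIMIT = 0xFFFFFFFE  # BIP 125: a lower input sequence signals replaceability

@dataclass
class Tx:
    txid: str
    inputs: list            # (prev_txid, output_index, sequence) per input
    paid_to_us: int         # satoshis paid to the merchant
    confirmations: int = 0

class PaymentTracker:       # hypothetical merchant-side ledger
    def __init__(self, required=REQUIRED_CONFIRMATIONS):
        self.required, self.txs, self.spenders = required, {}, {}

    def observe(self, tx):  # new transaction, or an updated confirmation count
        self.txs[tx.txid] = tx
        for prev, index, _seq in tx.inputs:
            self.spenders.setdefault((prev, index), set()).add(tx.txid)

    def rivals(self, txid):  # other known transactions spending the same outputs
        spent = [(p, i) for p, i, _s in self.txs[txid].inputs]
        return set().union(*(self.spenders[o] for o in spent)) - {txid}

    def status(self, txid):
        tx, rivals = self.txs[txid], self.rivals(txid)
        if tx.confirmations >= self.required:
            return "final"
        if tx.confirmations > 0:
            return "confirming"
        if any(self.txs[r].confirmations > 0 for r in rivals):
            return "replaced"      # a conflicting spend was mined instead
        if rivals:
            return "conflicted"    # race in progress, outcome unknown
        if any(seq < RBF_SEQUENCE_LIMIT for _p, _i, seq in tx.inputs):
            return "replaceable"   # sender can still replace it
        return "unconfirmed"

    def credited_balance(self):    # only final payments count as funds
        return sum(t.paid_to_us for t in self.txs.values() if self.status(t.txid) == "final")

def demo():                        # constructed race over one funding output
    coin, t = ("funding-tx", 0, 0xFFFFFFFD), PaymentTracker()
    t.observe(Tx("pay", [coin], 50_000))
    seen = [t.status("pay")]
    t.observe(Tx("rival", [coin], 0))
    seen.append(t.status("pay"))
    t.observe(Tx("rival", [coin], 0, confirmations=1))
    return seen + [t.status("pay")], t.credited_balance()
```

In the constructed race, the payment is never counted toward the balance at any stage, so goods released only on a "final" status are not exposed to the replacement.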

Though these solutions are simple in concept, they are often extremely difficult to implement. It’s now up to the security innovation processes of wallet firms, merchants and users alike to determine the chance of these double-spend fiascos happening in the future. These innovations should be a priority for all parties involved, given the monetary and, more importantly, reputational risks that impact merchants and ultimately the whole blockchain industry.
