Let’s Spend it Again! Bitcoin DoubleSpending Attacks Explained

Take a minute and imagine with me a fanciful world where you could spend money more than one time. Instead of forking over your hard-earned cash when picking up that next order of tacos, you could simply show the person in the food truck your $10 bill without having to give them the money. How many times would you attempt to spend that money? Over and over again! This is the same idea with Bitcoin DoubleSpending Attacks.

In the real world, unless you physically remove the bill from your hand and place it in the hand of the person to whom it is owed, you will never receive the good or service they are hoping to provide. (obviously credit cards are different, but stick with me)

DoubleSpending Problem

Unless a cryptocurrency uses a robust scheme for signing transactions, “doublespending” (as it’s referred to in this sphere) of currency could occur. Bitcoin has successfully implemented safeguards to ensure that when someone pays you, they are actually giving you the money. In essence, they are not simply showing it to you and spending it again somewhere else. If they were able to spend it again, you wouldn’t really ever have the money. Meaning you might be sleeping on the street next month instead of paying your rent!

how does doublespending happen?

Let’s establish a few basic principles and then take a look at this from a practical attacker’s standpoint. One of the foundations of Bitcoin itself is the “blockchain”.

Ready for a highly technical definition? A blockchain — is a chain of blocks. Take a few minutes to gather yourself before we move on.

Blockchain Properties

Phew. But kidding aside, a blockchain consists of a persistently linked chain of blocks. Where a block is basically a collection of Bitcoin transactions that have occurred recently.

Approximately every 10 minutes, a new block is verified and added to the blockchain. There is one important point of distinction to note. When a new block is verified, only the block itself is verified – not the transactions within the block. Transactions are validated as blocks are added to the ledger and over time become more and more trusted.

Let’s talk a little bit more about a transaction.

A quick recap on what transactions are – the current owner of a bitcoin combines the new owner’s public key along with details from the previous transaction and hashes the values. This creates a 256-bit number (or 64 hexadecimal characters) that is then signed by the current owner’s private key. Anyone can verify the transaction by taking the current owner’s public key and validating the newly minted digital signature on this transaction. Thanks to public-key cryptography, we can be quite certain that the transaction has, indeed, passed the bitcoin from the current owner to the new owner.

DoubleSpending Bitcoin

What if we tried to spend the bitcoin and then quickly spend it again? There are two possible scenarios here:

If both transactions go into the unconfirmed pool but aren’t queued simultaneously, only the valid expenditure will be confirmed by miners and placed into the next block. The other transaction will not get many, if any, confirmations and will be deemed to be invalid.
If both transactions go into the unconfirmed pool simultaneously, the transaction with the highest number of confirmations will win out and the other will be dumped from the pool.

At this point it’s important to remember: although the block is verified cryptographically, the transaction itself may not be fully “trusted” from the community’s perspective. After only a single block has been confirmed, it may be cryptographically possible to reverse the transaction using some surreptitious attack vectors (described briefly below) and allow for a doublespending of bitcoin to take place.

How does a Bitcoin transaction gain more trust?

By waiting for more confirmations from the community in the form of allowing more blocks on the blockchain to authenticate it.

Bitcoin Confirmation Threshold

The rule of thumb in the Bitcoin world is to wait for 6 confirmations before being certain that a double-spending attack cannot occur. (check the links below if you want to better understand why.) After a transaction has been confirmed by 6 blocks being added to the blockchain, it is safe to use the bitcoin for another transaction.

Some Bitcoin brokers require even fewer confirmations.

Now we know what double-spending is and how it can be effectively prevented using the scheme present in the Bitcoin architecture. That doesn’t mean that attackers aren’t constantly looking for new ways to subvert the system. While there are quite a few attacks out there, let’s focus on one in this post – we’ll include some links below if you want to read more on the other varieties of attacks.

Bitcoin 51% Attack

Let’s talk about the so-called “51% attack” and why it can be so damaging.

In fact, the 51% attack just occurred a few days ago (as of the time of this writing) to the Bitcoin Gold fork of Bitcoin. For reference, take a look at this article. About 7,000 BTG (around $70,000 USD) was stolen.

The 51% attack refers to a group of rogue actors on the network who control more than 50% of the mining rate (or computing power). If such a group exists (or even if a single node controls over 50% of the mining rate), they can effectively shut down payments between some or all users on the network. They do this by disallowing any confirmations of queued transactions. During their control of the network, they can also reverse transactions and double-spend bitcoins. All hope isn’t lost in this situation as they could only pose to do so much damage.

Although, These attacks can be very frustrating and cause the community to lose confidence in a cryptocurrency. This can potentially move users to a different option. This type of attack has occurred in the past on Bitcoin as well as other cryptocurrencies.