What is a double-spend attack
A double-spend attack, also known as double spending, is fraud carried out on a blockchain in which an attacker makes a transaction and then attempts to delete the record of it from the registry.
This manipulation gives the attacker ownership of the transferred cryptocurrency again, along with the ability to resend it (the funds are typically resent to a different address).
Bitcoin creator Satoshi Nakamoto mentions double spending several times in the White Paper. He refers to the solution to the double spending problem as "a peer-to-peer distributed timestamp registry to generate computational proof of the chronological order of transactions." Furthermore, he notes that "the system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes."
Honest nodes verify transactions following the protocol algorithms. One of the most important rules to remember when it comes to double spending attacks is that only the first transaction to transfer coins from a specific address is a true one. All subsequent attempts to send the same coins from this address are invalid.
How does the double-spend attack work?
Double spending is a potential attack vector for any decentralized cryptocurrency. Even though the blockchain is protected by the registry's structure, it has some flaws, and attackers use them to modify transaction blocks.
Double spending occurs when the same amount is used twice or more to pay for multiple services or goods. This is a technical vulnerability that makes it possible to duplicate sent amounts.
Cryptocurrencies are simply files that exist on the internet. A skilled hacker can make multiple copies of the same currency file and send them to various addresses.
In addition, there are more sophisticated ways of double-spending, namely:
- using a copy of the currency and not the original one;
- reversing a completed transaction so that it happens two times;
- receiving rewards both for confirmed valid blocks and fake ones.
Types of double spending attacks
There are different types of double spending attacks:
1. Finney attack. This describes a scenario in which one of the parties accepts fictitious money through a fake transaction. The attacker uses eclipse attacks to conceal the source block. After the recipient confirms the transfer, a real block appears on the network in which the hacker sends the same amount of money from one of his wallets to another. Such actions can only be carried out by a miner who has already taken control of someone else's address and can confirm his fraudulent transaction as a validator.
2. Race attack. This is a type of attack in which there is a “race” between two transactions. An attacker sends the same amount of money to two different merchants from the same address using different devices. Both merchants send their goods (or digital money), but the payment received later becomes invalid.
3. 51% attack. This type of attack is prevalent in minor altcoin blockchains. It is possible when more than 50% of the computing power belongs to a pool or group of compromised nodes. Attackers in this scenario can take advantage of every protocol flaw, but double spending is typically their main focus.
In May 2018, a still-unidentified group with access to a significant portion of the computing power (51%) attacked Bitcoin Gold and carried out a successful double-spend attack worth about $17.5 million.
How to prevent a double-spend attack
There are two approaches to preventing blockchain hacker attacks.
A centralized solution involves using a third party to check the accounts of the participants in the transaction. It verifies and authorizes the transaction. Such methods are used in traditional banks and on CEXs.
In a decentralized environment, a transaction goes through multiple confirmations. The number of confirmations reaches six on trustworthy blockchains. You can be confident that the transfer of funds in this situation is secure and irreversible. Yes, it takes much longer, but it ensures that the transaction will be completed successfully.
Receiving and sending only BTC is an alternative option. The Bitcoin consensus algorithm is reliable, and double-spend attacks are too expensive to carry out.