Double-Spend Attacks Examined: Past, Present, and Future

“Unconfirmed Transaction” Attacks

You’re only vulnerable to a race attack or Finney attack if you accept an unconfirmed transaction. Race attacks are simply a “race” between two transactions that have been broadcast at near-identical times. The idea is to replace the first transaction with another one that returns the funds to a wallet you control, prior to the first transaction being written on the blockchain.

In December of 2019, a viral video showcased bitcoin being double-spent at locations that accept bitcoin. These attacks were made possible using Replace-By-Fee (RBF), a somewhat controversial upgrade to the Bitcoin protocol. The first transaction was sent to the merchant, followed by a second transaction with a higher fee attached. This RBF transaction overrode the first transaction as the higher fee meant it would be processed preferentially, allowing it to be double-spent.These attacks worked because the merchants accepted unconfirmed transactions. In a similar incident earlier in the same year, some Canadian bitcoin holders were able to “cash in” their bitcoin without actually cashing it in. It appears they sent bitcoin to Bitcoin ATMs, where they were able to withdraw cash. After receiving the cash, they cancelled the transactions, since they had yet to be “confirmed.” The key takeaway is to never trade cryptocurrencies, cash, or anything else for unconfirmed transactions.

Finney attacks can only be executed by miners, and are therefore fairly technical and obscure. The miner pre-mines a transaction into a block from one wallet to another. Then, they use the first wallet to make a second transaction and broadcast the pre-mined block, which includes the first transaction. This requires a very specific sequence to work, and there's no evidence that any major Finney attacks have taken place. This type of attack is named after its discoverer, Hal Finney, who received the very first bitcoins from Satoshi Nakamoto.

51% Attacks: Double Spending Problem

This is the type of double-spend attack that many in the cryptocurrency space find to be the most worrying. If a group is able to control 51% or more of the hashing power of a network, they are able to reorg (or, reorganize) the blockchain for as long as they have the majority of the hash power. If they reorg the blockchain, they can execute double-spends.

To this day, there is no evidence that a 51% attack has been executed on Bitcoin likely because of the vast amount of hashing power on the network — meaning, it would take a tremendous amount of cost and coordination in order to control that much hashing power, ultimately nullifying any financial incentive to do so. Bitcoin’s vast amount of hashing power makes it the most secure decentralized protocol by a large margin. It appears that after two block confirmations, it’s more profitable to mine than to attempt this attack. The consensus seems to be that even an attacker acting economically irrationally, in order to destroy Bitcoin, wouldn’t be able to do it due to the enormous amount of resources needed to have a majority share of the network.

Have Successful 51% Attacks Happened?

Although Ethereum and Bitcoin have never been successfully attacked in this way, several other cryptocurrencies have been. These include “forks” of Bitcoin and Ethereum. Ethereum Classic was 51% attacked in 2019 and 2020, and Bitcoin Gold was 51% attacked in 2018 and 2020.

These double-spend attacks were possible because these forks are generally mined in the same way as Bitcoin and Ethereum, but have much less hashing power across their networks. A big and malicious miner can switch from mining Bitcoin or Ethereum to suddenly and secretly mining something on a network with much less hashing power and then execute an attack. As a preventative measure, some platforms have increased the number of confirmations needed to transact and trade. This makes it more difficult to execute a 51% attack.

How Does a 51% Attack Work?

For these attacks to be profitable, bad actors tend to target exchanges. First, they send a large amount of cryptocurrency to an exchange. Then, they convert it to another cryptocurrency and move the traded funds off the exchange to an address they own. Once completed, they reorg the blockchain using this attack vector and “orphan” or “erase” their first transaction, leaving them with both the assets they traded with and the assets they traded for.

Don’t Accept Unconfirmed Transactions and Always Use a Reputable Exchange

Double-spend attacks may never go away, but as Bitcoin and other cryptocurrencies undergo attacks, they become more resilient. And, if you don’t accept unconfirmed transactions, you can be confident that your transactions won’t be Finney- or race-attacked.

As far as 51% attacks go, some say you should only engage with cryptocurrencies that have never been successfully attacked in this way. Many others would say you can still use these currencies as long as you don’t own millions of dollars’ worth since only large addresses and exchanges are appealing targets. That being said, if you store any significant amount on an exchange, make sure it’s a trusted exchange, preferably one that is also insured against losses.