Crypto Intro: Double Spend attacks
Note: This is Part 3 in the Crypto Intro: Attack series, with Part 2 here. This article was produced for Radix and the original copy can be found here. If you enjoy this article please follow me @flatoutcrypto
One of the key challenges faced by digital currencies is preventing the duplication and spending of the same digital asset. Whereas a person holding a dollar bill would be physically unable to use it twice (they would have given it to another person who would now be in possession of it), no such physical limit exists within the digital realm.
Solving the double spend problem for a digital currency, without requiring a trusted central authority, was Bitcoin’s main achievement. However, the nature of a distributed and decentralized network means that it remains possible to spend the same digital asset twice under certain conditions.
A double spend attack is an assault on the network's core guarantee: the same assets end up spent more than once, at least for a period of time. It exploits the fact that the consensus algorithm only rules out spending the same funds twice once the entire network agrees on a single history. A malicious actor acts while the network is not yet in agreement, then uses the network's own fork-resolution logic to reverse a transaction that a victim had already accepted as valid.
Users of networks such as Bitcoin are therefore advised to wait for a number of confirmations (the number varies by network; Bitcoin users are usually advised to wait for 6 confirmations, Ethereum users for around 30) before treating a transaction as settled, since by then the network is in agreement on it. However, this is inconvenient, particularly for merchants providing fast delivery, such as digital services or ATMs, who do not wish to wait up to an hour for those confirmations.
Using the Bitcoin network as an example, there are several types of double spend attack, described here in increasing order of the resources a successful attack requires.
The Finney attack, named after Hal Finney, who described it in 2011, begins with the attacker mining a block that includes a tx sending some of their own coins to another address they control. Instead of publishing that block they withhold it and create a second tx spending the same coins to a merchant who renders goods or services immediately, without waiting for a confirmation. As soon as the goods are released the attacker publishes the withheld block. The tx in that block is now the confirmed one, the merchant's unconfirmed tx conflicts with it and is dropped by the network, and the attacker ends up with both the goods and the original BTC. The attack costs the attacker one withheld block and only works against merchants who accept zero-confirmation txs.
In a race attack, a malicious actor creates two txs spending the same digital asset. The first is sent to the merchant's address; this is the one the attacker wants to fail. The second spends the asset to a wallet the attacker controls and is broadcast to a larger number of nodes than the first (the more nodes the attacker controls or connects to, the better their chances), so that it is more likely to reach the miners first and be confirmed before the merchant's tx. The odds can be improved further by knowing the network topology, for example which peers the merchant's node and the large mining pools connect to. If successful, the attacker retains the original BTC and also has the merchant's goods or services. Like the Finney attack, this only works against a merchant who accepts zero-confirmation txs.
A withhold attack builds on the Finney and race attacks and can succeed even if the merchant waits for confirmations. The attacker sends a tx to the merchant, as in the race attack, but also creates a conflicting tx paying the same coins back to themselves. Unlike the race attack, that second tx is not broadcast: the attacker includes it in a private fork of the blockchain that they mine in secret while the merchant's tx is being confirmed on the public chain.
Once the merchant has waited for the requisite number of confirmations and released the goods, the attacker publishes their private chain. If the attacker has found more blocks than the rest of the network in that time, their fork carries more work, nodes switch to it, and the blocks containing the merchant's tx are orphaned; the merchant's tx itself is now invalid, because the coins it spends have already been spent on the new chain. The attacker again holds both the goods and the original funds.
The withhold attack is more resource intensive than the previous two, as the malicious actor needs a significant share of the network hashpower. The Bitcoin whitepaper (section 11) sets out the probability of success an attacker can expect as a function of the proportion of hashpower they control and the number of confirmations the merchant requires (the more confirmations required, the more hashpower is needed for the same chance of success).
For example, an attacker with 20% of the hashpower facing a merchant who requires three confirmations has roughly a 10% chance of success; with two confirmations this rises to about 20%, and with a single confirmation to around 42%. Even if the merchant waits for the advised six confirmations, an actor with 20% of the hashpower still has roughly a 1.4% chance of success: slim, but a chance nonetheless.
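The calculation behind those figures, as an added example (this is not code from the article or from Radix): the function below implements the whitepaper's section 11 formula, where q is the attacker's share of hashpower, p = 1 - q, and the attacker must make up a deficit of z blocks after the honest chain has produced z confirmations. The function names and the `confirmations_needed` helper, which inverts the table to answer "how many confirmations for a given risk?", are my own.

```python
"""Attacker success probability from section 11 of the Bitcoin whitepaper.

Added example, not part of the original article.  q is the fraction of the
network hashpower the attacker controls, z the number of confirmations the
merchant waits for.  While the honest chain found z blocks the attacker
found a Poisson-distributed number k (mean z*q/p); from z-k blocks behind,
the chance of ever catching up is (q/p)^(z-k).
"""
import math


def attacker_success_probability(q, z):
    """Probability that an attacker with hashpower fraction q eventually
    overtakes the honest chain after the victim has seen z confirmations."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        # With a majority the attacker's chain always wins given enough time.
        return 1.0
    ratio = q / p
    lam = z * ratio                 # expected attacker blocks during z honest blocks
    total = 0.0
    poisson = math.exp(-lam)        # Poisson term for k = 0, updated in the loop
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k
        # Attacker is z-k blocks behind; probability of never catching up
        # is 1 - ratio**(z-k).  Sum gives the probability the attack fails.
        total += poisson * (1.0 - ratio ** (z - k))
    return 1.0 - total


def confirmations_needed(q, max_risk, limit=1000):
    """Smallest z such that the attacker's success probability is below
    max_risk.  Returns None when the attacker holds at least half the
    hashpower, because then no finite number of confirmations suffices."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


def success_table(q, max_z):
    """(z, probability) rows for one attacker hashpower share."""
    return [(z, attacker_success_probability(q, z)) for z in range(max_z + 1)]


if __name__ == "__main__":
    for q in (0.1, 0.2, 0.3):
        print(f"q = {q:.1f}")
        for z, prob in success_table(q, 6):
            print(f"  z = {z}: P = {prob:.7f}")
        print(f"  confirmations for < 0.1% risk: {confirmations_needed(q, 0.001)}")
```

The q = 0.1 and q = 0.3 rows reproduce the whitepaper's own table (0.2045873 at z = 1 and 0.0002428 at z = 6 for q = 0.1), which is a useful check that the loop is right; at q = 0.2 it yields the 42%, 20%, 10% and 1.4% figures quoted above.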
That slim chance rises to 100%, given enough time and regardless of how many confirmations the merchant waits for, once the malicious actor controls enough hashpower. This is known as a 51% attack: the attacker controls more than half of the network hashpower (although under some circumstances control of less than 51% can be sufficient) and can therefore impose their will even if all other miners on the network act as one.
A 51% attack takes a similar form to the withhold attack but is more dangerous because the attacker creates blocks faster than the rest of the network combined. Whenever they start mining a private chain, it will eventually overtake the public chain and become the legitimate one, and the attacker's 'alternative history' then replaces every tx in the blocks it displaces, including the attacker's own payments made on the public chain in the meantime.
A malicious actor could use this to target large victims, such as exchanges, in the following steps:
- An attacker with over half of the network's hashpower starts mining a private fork
- On the public chain they send a large amount of the target asset to an exchange, trade it for a different currency and withdraw that currency
- They then publish their fork which, being longer than the public chain, becomes the 'real' chain, and the deposit to the exchange is no longer part of history
- They now hold their original asset as well as the withdrawn currency.
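A toy model of the mechanics shared by the withhold attack and the 51% scenario above, as an added example (my own code, not from the article or from Radix). Blocks carry a list of constructed transactions, each spending a named coin; nodes follow the valid chain with the most cumulative work, as Bitcoin nodes do; the attacker mines a private fork containing a conflicting spend, waits until the merchant's tx has the required confirmations on the public chain, then publishes. The `reorg_depth` value it reports is the quantity an exchange or merchant would alert on. All names (`Tx`, `Block`, `run_attack`, the coin and party labels) are invented for the example.

```python
"""Toy model of a withhold / 51% double spend against a merchant.

Added example, not from the original article.  Every block at the same
difficulty contributes one unit of work; fork choice is "most cumulative
work among valid chains", with the first-seen chain kept on a tie, which is
how Bitcoin nodes behave.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tx:
    txid: str
    coin: str          # the coin (UTXO) being spent; constructed label
    recipient: str


@dataclass
class Block:
    height: int
    parent: Optional["Block"]
    txs: tuple
    work: int = 1


def chain_of(tip):
    """Blocks from genesis to tip, in order."""
    blocks, b = [], tip
    while b is not None:
        blocks.append(b)
        b = b.parent
    return list(reversed(blocks))


def cumulative_work(tip):
    return sum(b.work for b in chain_of(tip))


def confirmations(tip, txid):
    """Blocks on top of the tx, counting its own block, or 0 if not on chain."""
    for b in chain_of(tip):
        if any(t.txid == txid for t in b.txs):
            return tip.height - b.height + 1
    return 0


def valid_chain(tip):
    """A chain that spends the same coin twice is invalid: this is the rule
    that forces the attacker onto a separate fork in the first place."""
    spent = set()
    for b in chain_of(tip):
        for t in b.txs:
            if t.coin in spent:
                return False
            spent.add(t.coin)
    return True


def select_tip(candidates):
    """Bitcoin-style fork choice: valid chain with the most work; on a tie
    max() keeps the earlier candidate, i.e. the chain seen first."""
    return max((c for c in candidates if valid_chain(c)), key=cumulative_work)


def reorg_depth(old_tip, new_tip):
    """Number of old-chain blocks abandoned when switching to new_tip."""
    kept = {id(b) for b in chain_of(new_tip)}
    return sum(1 for b in chain_of(old_tip) if id(b) not in kept)


def mine(parent, txs=()):
    return Block(height=parent.height + 1, parent=parent, txs=tuple(txs))


def run_attack(required_confs, attacker_blocks):
    """Returns (merchant released goods?, confirmations of the merchant's tx
    on the final chain, reorg depth the merchant's node observes)."""
    genesis = Block(0, None, (), work=0)
    pay_merchant = Tx("tx_merchant", "coin1", "merchant")   # constructed
    pay_self = Tx("tx_self", "coin1", "attacker")           # conflicting spend

    # Public chain: merchant's payment is mined, honest blocks pile on top.
    public_tip = mine(genesis, [pay_merchant])
    while confirmations(public_tip, "tx_merchant") < required_confs:
        public_tip = mine(public_tip)
    goods_released = confirmations(public_tip, "tx_merchant") >= required_confs

    # Private fork from genesis: the conflicting spend, then attacker blocks.
    private_tip = mine(genesis, [pay_self])
    for _ in range(attacker_blocks - 1):
        private_tip = mine(private_tip)

    # Attacker publishes; every node re-runs fork choice over both tips.
    final_tip = select_tip([public_tip, private_tip])
    return (goods_released,
            confirmations(final_tip, "tx_merchant"),
            reorg_depth(public_tip, final_tip))


if __name__ == "__main__":
    for blocks in (5, 6, 7):
        print(f"merchant waits 6, attacker finds {blocks}: {run_attack(6, blocks)}")
```

With six confirmations required, an attacker who finds seven blocks in the same time wins: the merchant's tx drops to zero confirmations and the merchant's node sees a six-block reorg. Five or six attacker blocks leave the public chain in place, which is exactly the race the whitepaper's probability table quantifies.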
An example of this can be seen in the Bitcoin Gold attacks of May 2018, in which multiple exchanges were targeted at an estimated cost of c. $18m. Unlike the previous types of attack, there are no real measures to defend against a 51% attack beyond the significant resources required (even for a smaller network) and the game-theoretic argument that a successful attack would destroy the value of the very network the attacker has invested in.
A 51% attack is made easier if a network uses sharding to increase scalability. Sharding splits a DAG or blockchain into many pieces, each processed by a subset of the network, since processing 100 pieces of 1/100th the size in parallel is faster than processing the whole. The problem is that an attacker can then target a single shard rather than the entire network: a majority of one shard's hashpower or validators, which may be far less than 51% of the whole network's, is enough to rewrite that shard's history.
The way a DAG shards also causes an issue. While all shards operate to the same protocol, each one sees only part of the ongoing txs and their history, which makes it harder to detect that the same asset has been spent in two different shards.
How can double spend attacks be prevented?
Just as double spend attacks vary by implementation, so too do they vary by how they can be prevented.
Bitcoin, for example, has mechanisms designed to limit these attacks, including nodes discarding a second tx that conflicts with one they have already seen, and the convention of waiting for confirmations. Exchanges can monitor the network for significant drops in observed hashpower (a sign that miners may have moved to a private fork) and for unusually deep reorganisations, while merchants can take precautions such as disabling incoming connections (certain attack methods rely on reaching the merchant's node directly) and peering only with well-connected nodes.
The greatest security strength of a network such as Bitcoin is its size and the resources required to attack it. This is why smaller networks are more commonly targeted: they are lucrative but far more vulnerable. The spate of recent double spend attacks across many of these PoW networks is a testament to the relative ease with which they can still be carried out, and is part of the reason why some smaller chains such as Namecoin seek additional security by using 'merged mining' to take advantage of Bitcoin's mining community.
However, as seen above, these measures alone do not guarantee safety against a determined and well-resourced actor. It is also worth noting that double spending is frequently the intended outcome of other attacks. DLT networks have grown in value to such an extent that they now represent 24/7 targets for anyone seeking to profit from a viable attack vector.
Ultimately a double spend attack cannot be completely prevented if the attacker has sufficient resources. If over 50% of the hashpower is controlled by a dishonest actor then no network secured by that hashpower can survive, unless a centralized authority is in place to guarantee security. The question, as with any security, is not how to acquire perfect security (there is no such thing) but how to make the resources required for an attack as high as possible. The higher the bar, the better the security.