What are double-spend attacks and why should I care?

According to Satoshi Nakamoto’s whitepaper, Bitcoin was designed to be a peer-to-peer form of electronic cash. It is decentralized digital money that can exist without a central bank backer or the edifice of deposit taking institutions and payment systems required to keep the fiat economy turning. It can do all that, by itself.

It manages this - and this is the genius of the blockchain - by distributing responsibility for maintaining the ledger of ownership of Bitcoin to the user network as a whole, eliminating third party intermediaries altogether. The primary challenge for such a decentralized currency system is that it is exposed to what is known as double-spending.

What is double spending?

Put very simply, a double spend is when a user makes two transactions at once, spending the same coins twice. This problem doesn’t exist with centralized clearing and settlement. Payments and transactions are matched and balances netted off.

A decentralized system needs a similarly reliable means of clearing payments. Otherwise, merchants, exchanges and regular end-users are at risk of thinking they have been paid when, in fact, the funds have been sent elsewhere. 

How does Bitcoin solve the double-spending problem?

Bitcoin solves this problem by requiring over half the computer processing power on the network to validate each batch (block) of transactions using its ‘Proof-of-Work’ consensus protocol.

Miners pull transactions from a pool of transactions awaiting confirmation and hash (combine) together that information using a particular algorithm. The aim is to produce an output hash that satisfies the difficulty requirement, which is essentially that the hash be smaller than a given number.

The first miner to produce a hash that satisfies the difficulty requirement (provides a proof of computational work) communicates the block of transactions to the network for confirmation. Once over half of the network has confirmed that the block is valid it is added to the chain.

A bad actor could still attempt to use the same transaction identifier for different transactions. But whichever one is first to be incorporated in a valid block is taken to be the correct transaction and the other is discarded.

The theoretical possibility of a double spend attack

Despite the ingenuity of this system, double spending of Bitcoin has always been theoretically possible. A bad actor or group of bad actors could take control of over half of the hash power on the network and use that to permit it to make transactions then overwrite those blocks with new ones that return payments to their own wallet. This is a so-called 51% attack.

But this was always considered very unlikely. It would be hugely expensive, in terms of both hardware and electricity to secure over half the network. In practice, there may be a limit to the share of computing power that can be taken over, especially in networks already dominated by a small number of large pools.

Even if such a takeover were possible, it was thought that the public nature of the ledger would ensure that other users would be alerted to the double spend very quickly. Once aware of the attack, a token could be forked or simply sold by investors. As such, it was supposed that any attack would undermine confidence in the currency, and its price, to such a degree, that it would be entirely self-defeating.

In other words, there was thought to be no incentive for anyone to seek to falsify the ledger, as doing so would crash the market and negate any potential upside. 

The reality is that 51% attacks are already happening

Even in the early days of Bitcoin, however, the possibility of a successful double spend became practical reality. Back in June 2014 researchers at Cornell University observed that the anonymous mining pool GHash had, at times, accounted for over half of the total hash power on the network.

Those periods of 51% control were initially short-lived - not long enough to tamper with the integrity of the blockchain. But then, on 12 June, GHash maintained control for 12 hours continuously - long enough to execute a double-spend.

At the time, no evidence of this was detected, but it highlighted the vulnerability of the Bitcoin consensus mechanism. Since then there have been no more episodes of 51% control of the Bitcoin blockchain. Doing so would be prohibitively costly for most, although the Chinese miner Bitmain is reportedly very close.

Small cryptocurrencies are vulnerable to attack

While Bitcoin’s large size makes it harder for any single miner or pool to gain a majority of the hash power, there are many smaller cryptocurrencies that are vulnerable - either to groups of miners, or even individuals in the case of very small projects with low hash rates.

In fact, there have been a number of 51% attacks this year. Of the known attacks, the biggest project to have been hit is Bitcoin Gold (BTG), currently ranked 21 by market capitalisation at $465 million. Bittrex has since requested that the team behind the coin cover the losses experienced by the exchange as a result. The team has failed to do so, however, and BTG is to delisted by Bittrex.

The popular altcoin Verge (XVG), ranked 41 at $217 million, also saw a successful 51% in May, its third known double spend to date. Monacoin, Zencash and Litecoin Cash have all also been successfully targeted this year. It’s becoming quite common to hear of Proof-of-Work based projects that have come under attack.


Double spends threaten the integrity of the entire system

In these episodes, a miner or group of miners secure over half of the hash power on the network. They then start adding blocks to a new, private, chain. As it has more hash power, the private chain will become longer than the public ledger that the rest of the network is mining.

Funds on the public chain are deposited on a centralised exchange, swapped for other currencies, and withdrawn - to be stored safely elsewhere. The private chain of the coin that is under attack is then broadcast to the network. The network will will accept it as the honest chain, because the longest chain is automatically considered the valid one - as it must be the product of the greatest hash power.

On the new chain, the initial currency holdings were never spent. So the attacker now has both the initial holding of the double spent coin, plus the other cryptocurrencies it has withdrawn from the exchange. Meanwhile, the exchange has a hole in its balance sheet.

What can be done following a successful attack?

There are several potential responses to a double spend, but most are problematic. In principle, it may be possible to reverse all fraudulent transactions by returning a chain to an earlier, legitimate, block - at which point in time the double spend had not occurred.

The problem here, is that this would result in the redistribution of holdings in a way that would penalise some users and benefit others. Unpicking the web of all transactions during the period when the attack was underway, to avoid such arbitrary transfers of wealth, is simply impossible. 

Alternatively, the venue where a double spend was executed could be made whole, if the team behind the coin in question reimburses any losses. Again, this is probably not feasible in most cases. Teams may be anonymous, have insufficient funds, or simply unsympathetic to the plight of users.

This leaves open the possibility that the venues where double spends are carried out, could be left technically insolvent. In turn, that means losses for users. Haircuts may be applied, or there may be a rush for the exit, which sees some depositors able to withdraw all their funds, with others potentially receiving nothing.

There could even be negative spillovers to the prices of other coins, if the hit to wider confidence in the cryptocurrency market is sufficiently great, or if the ability of the exchange to meet withdrawals is in doubt.

What does the future hold?

The rising frequency of double spend attacks may be partly due to declining prices. Lower prices means mining is less economical, causing less efficient miners to withdraw from the network. In turn this lowers the overall hashrate and makes it easier for bad actors to secure half of the hash power. The further altcoin prices fall, the more likely that attacks will become.

Rapid rises in computational power also tend to raise the probability of 51% attacks. And specialised mining equipment can be optimised to target specific consensus protocols.

There are some reasons to be hopeful, however. For one thing, losing some of the less worthwhile projects may be a healthy development. For another, there are now alternative consensus protocols that may rise to the surface. It is noteworthy that all of the above mentioned attacks occurred on Proof-of-Work based blockchains. Some of the newer consensus protocols seem far less prone to such attacks - in practice, even if not in theory.

Proof-of-Stake is one such protocol and there are already popular coins in the top 100 that use this approach. There is even talk of Ethereum, the number two cryptocurrency by market capitalisation, switching to Proof-of-Stake.

Our very own BitBay is also based on Proof-of-Stake. To take control of the block generating process for BAY, a bad actor would need to own half of all of the staked coins on the network. That’s a lot of skin to have in the game for someone seeking to perform an action that will, in all likelihood, undermine the price of those staked coins. An attacker’s losses due to a fall in the price of their staked coins would be highly likely to exceed any potential gain. Contrast this with Bitcoin. A malicious Bitcoin miner need not hold any Bitcoin at all.

To date, to the best of the knowledge of this author, a Proof-of-Stake coin has yet to be successfully double spent. And while it may be possible, it’s much harder even in theory, to carry out a 51% via proof-of-stake, and there is much less financial incentive in practice, for such attacks to occur. They would, realistically, need to be motivated by purely destructive reasons.

So, when picking your investments and where you hold them, remember, Proof-of-Work coins are not immune to attack. And if you store your coins on a centralised exchange, be prepared to lose them.