There’s more than one way to skin a cat. This is certainly true for Bitcoin double spends. I will explain what I call the "the 1,000 Lego sets attack" in this article. It’s a way a miner could perform a double spend attack, that I haven't given much thought until now. But first, I’ll explain what a double spend attack is and also some properties of double spend attacks. If you feel very confident about you knowledge on double spend attacks you may jump straight to 1,000 Lego sets.
Double spend attacks
A double spend attack is when Joe, the attacker, buys a Lego set for bitcoin, and then reverses the transaction, so he ends up with a Lego set and he gets to keep his bitcoins.
In more detail, Joe spends bitcoins to get a Lego set in return. When Joe receives the Lego set, he manipulates Bitcoin’s blockchain to replace the original transaction with another transaction that spends the same bitcoins as the original transaction, but sends them to Joe’s address instead of the merchant’s address. After a successful double spend attack, Joe has the same amount of bitcoins and a Lego set.
There are several other types of double spend attacks, and most of them are described on the Bitcoin wiki. I will only focus on the most general form of double spend attacks, as other forms are trivial to protect against by waiting for one or two confirmations.
The kind of double spend attack I’m going to consider from now on is one where a miner, Joe, tries to perform a selfish mining double spend attack under various circumstances.
Double spend tutorial
Follow these simple 7 steps to own your victim:
- Order a Lego set
- Prepare two conflicting transactions Ts and Td, that both spend the same coins but Ts pays to the seller, and Td pays to yourself.
- Start mining on a secret chain, starting from the tip of the honest chain. Include Td in it.
- Pay for the Lego set with Ts
- Wait until you have the Lego set in your hands, which could for example be after Ts has two confirmations on the honest chain.
- Keep mining your secret chain until it is stronger than the honest chain. This might already be the case.
- Publish your stronger chain. Nodes (including miners) will switch to your stronger chain, which effectively removes Ts from the blockchain and includes Td in it instead.
Let’s have a look at some properties of this attack.
A successful attack is free
If Joe succeeds in his attack he
- reaps all the block rewards from his blocks
- gets to keep his bitcoins
- gets to keep the Lego set
- pays his mining expenses
All in all, he gets the profit or loss he would have gotten if mining honestly, plus a Logo set.
Update: David Harding pointed out on mastodon that there's another cost: "Joe must include Td [his fraudulent transaction] in his block where he could've instead included someone else's transaction that paid him a fee."
An unsuccessful attack is expensive
If Joe fails he
- gets no block rewards
- has bought a Lego set
- pays his mining expenses
All in all, he pays the expenses for mining.
Joe might succeed with <50% of the hashpower.
It’s commonly known that if a miner has 51% of the hashpower, they can arbitrarily make double spends as they please. (This is not entirely true in practice; see my next point.)
But a double spend attack can be performed with less than 50% too. Suppose miner Joe has 30% of the total hashpower in the network, he can still try to perform a double spend attack. If Joe gets a lucky streak, he can temporarily outperform the honest chain and succeed in his attack.
A 51% attack may fail
If miner Joe has 51% of the hashpower, he can try to perform a double spend attack. Since he has the majority hashpower, he should be able to outperform any competing chain.
However, this is only true if Joe is willing to keep the attack running indefinitely. Consider a scenario where Joe is really unlucky and the honest chain happens to find blocks faster than Joe. Of course, over time Joe will win, but Joe can’t know in advance how long it will take. If he’s unlucky, he must at some point decide to shut down his attack, because he can’t afford to keep it running. He can’t pay his mining expenses because he has no income.
You can think of it as a game of roulette, where Joe is the croupier and the single player—the group of all honest miners—bet all their chips on black every time. Joe has a slight advantage because he wins if the number turns up red or 0. Over time Joe will win. But the casino has a limited amount of money, which means that if the player is really lucky, the casino will go bust and have to stop spinning the wheel. The attack fails and turns out to be extremely costly.
1,000 Lego sets
You’ve probably heard people say that the higher the value of the transaction, the more confirmations you should await before trusting the transaction to be final. For example, if you sell Lego sets for $100, you might settle with 1 confirmation, but if you sell a house for $100,000, you might want to await 10 confirmations before handing over the house. I mean, who would perform a double spend attack just to gain a Lego set? It’d make more sense for Joe to double spend on a house. After all, he’d lose a lot of money should the attack fail, so the upside of his bet must be worth that risk.
The line of thought above makes sense only if you know that Joe will double spend just a single transaction.
Joe is smarter than this. He calculates that if he can make 1000 separate purchases, each for one Lego set worth $100 and double spends them all in one single double spend attack, he’ll end up with 1000 Lego sets in profit, that’s $100,000. Not too shabby.
But wait, what implications does this have on the old saying "Higher transaction value, more confirmations"?
Small amounts also at risk
It seems to me like the Lego store is just as vulnerable to double spend attacks as the house seller. In fact you might even say the Lego seller is more vulnerable, because he only waits for 1 confirmation. This makes Joe more likely to chose the 1000 Lego sets approach, because this might give him a higher chance of success. He needs to run his secret chain for a shorter period of time. Let’s think about this.
If Joe has <50% hashpower, the probability to win within X blocks decrease with increasing X. He can only be lucky for a short period of time. This means that Joe is incentivized to go for the 1000 Lego sets approach.
If Joe has >50% hashpower, the probability to win within X blocks increase with increasing X. He can only have bad luck for a short period of time. This holds until his cost limit of Y blocks (Remember the casino), after which it’s game over. If Y is a problem for Joe, he might want to go for the 1000 Lego sets approach. Otherwise, it doesn’t really matter to him which approach he uses.
It’s reasonable for the Lego seller to await at least the same amount of confirmations as the house seller.
On the other hand, it’s not as catastrophic for the Lego seller to lose $100 as it is for the house seller to lose $100,000, but you could argue that the collective pain for all 1000 Lego sellers is equal to that of the single house seller.
If one Lego seller increases the required confirmation times, it will marginally strengthen the security of the whole network, because you marginally decrease the attack surface for Joe.
Update: David Harding pointed out on mastodon that the 1,000 Lego set attack becomes less attractive for Joe as transaction fees increase: "By implication, the closer typical fees are to the amount of the attack, the less profitable a multi-transaction attack will be. E.g., if fee/tx is $1, then the $100 Lego attack only nets $99 compared to honest mining."
Conclusion
No one is safe from double spends. If double spending is to occur, we can’t know whether high-value or low-value transactions will be targeted. An attack on high-value transactions is less complex to pull off, but it takes more time to succeed. An attack on low-value transactions is more complex to pull off, but it might succeed quicker. If people start requiring more confirmations for their low-value transactions, then the high-value transactions become more attractive for Joe to attack.
I would love to be challenged and corrected on the contents of this article, so please shout at @kallerosenbaum on Twitter or @kalle@mastodon.cloud on Mastodon
Update: Thanks to David Harding for feedback
