NFT Scams: How They’re Hurting The Market
Read to be aware, learn new things, and know how to secure yourself from NFT scams.
🇺🇦 Hacken stands with Ukraine!Learn more
An attacker stole over $1.6 million by spending the same tokens more than once on the Ethereum Classic chain. The hack remains one of the record-breaking double-spending attacks in history. Double spending is a fatal attack that every blockchain should do its best to avoid.
It can also happen to regular users. Knowing the inner workings of double-spending and how it can unfold will help you keep your assets safe.
Double-spending is a form of exploit where the manipulator spends the exact crypto more than once. It has some interrelated historical background with the Byzantine Generals’ Problem, which reflects the challenge of achieving consensus with no central authority. The technological design behind Bitcoin eventually fixed this problem. To date, the Bitcoin network itself has never witnessed a double-spend problem. But Ethereum has faced it several times due to its complex operating mechanism.
Double spending is when someone spends the same cryptocurrency twice.
Recall that blockchains are a series of transaction blocks. A new block must have a hash, an important cryptographic function that contains all the details about public transaction data and the date when the new block was added.
Double-spending happens when services consider a non-final block as a final one. It can also occur when services do not confirm transactions well, thereby spending the due payment for a transaction more than once.
Another notable cause of double-spending problems is flawed smart contract logic. The users can possibly spend the same tokens twice if there is no sound signature validation to checkmate this act.
Double-spending problems exist in all facets of financial transactions, whether online or offline. But the mode of occurrence differs based on each context. This is a real-life scenario of how it can happen:
John told Alice or Bob on a video call that one of them will pay Jane 200$ in cash. Jane approached Alice and demanded $200, which she got. That should suffice for their agreement. But before Alice told Bod that she already gave Jane 200$, Jane already comes to Bob and asks for 200$. Bob gave her the $200 because he wasn’t aware that Jane had earlier paid Alice and didn’t expect her to be so tricky.
In the above scenario, Alice and Bob paid Jane twice. That is also double-spending within this context.
They appear in various forms, including:
Hal Finney came up with the idea of this attack. The hacker mines a block and includes a transaction where they send funds from wallet A to wallet B. But they wait to broadcast this.
While this happens, they pay a vendor for a product and send funds to their wallet C. After the vendor might have waited for some minutes without getting an alert, they can assume that the transaction is still in the mempool and transfer the product. The attacker can now broadcast his block. At this point, their first transaction to wallet A overtakes the most recent one to wallet C. So the vendor never receives the payment, while the attacker has sent the same funds to his other wallet.
ByteCoin, a senior member of the Bitcoin network, coined the phrase. The race happens when two transactions run to get into a block first. The transaction that gets in is deemed successful, while the one that doesn’t make it fails.
This is how an attacker carries out a race attack: They send a victim some crypto but never broadcast it. Simultaneously, the attacker makes another transaction with the same crypto and broadcasts it to the network. The validators approve adding the second transaction to the block first since it is the first they see. The victim’s transaction has lost the race to the block. Hence, the payment never succeeds.
A 51% attack is when one entity takes control over a blockchain network as a majority staker, and causes network disruption. With that, they gain the power to do and undo: prevent transactions from confirming, re-write transaction history, and execute double-spend transactions.
Double-spending can never occur in a blockchain with a sound consensus mechanism. Consensus mechanisms enable miners or validators to properly perform their duty of maintaining the integrity of the network. Its security-tight logic and design will prevent accidental or voluntary double-spending issues by default.
Nonce is a difficult cryptographic value that must be hashed before a block can be mined. The value of nonces can only be used once. They help secure the blockchain against replay attacks because their values cannot be duplicated. Nonces maintain the integrity of each block.
Each successful transaction has a timestamp. A timestamp proves that a particular block was added to a chain at a specified time. A block becomes irreversible the moment it is timestamped. Any conflicting transactions that attempt to double-spend the crypto in a timestamped block regular users fail.
Double-spending manipulation often requires that the attacker manages one or more nodes. In the case of a 51% attack, the hacker needs to dominate more than half of the nodes within the network.
A major way blockchains can mitigate the double-spending is to raise the bar of node operation. For instance, Ethereum requires staking 32 ETH ($54,135) to become a node manager. This requires any double-spender to forgo a significant amount of money.
Double spending can rarely happen in the traditional banking system because there are authorities that monitor and approve each transaction. It is impossible to spend the same note twice. Blockchains can also adopt this security check. After all, double-spending happens because there is no single centralized entity to verify transactions. However, this solution is a dilemma because it breaches the idea of decentralization. Hence, the reason some blockchains might never adopt this method.
Unspent Transaction Output is a loop of information about the history and the current state of a transaction. Each transaction on the blockchain has an output that can become the new input in a fresh transaction. This new input becomes the new UXTO only after a user has spent it. Preventing double-spend means including a system to check whether or not a UXTO has been spent.
Double-spend problems often exist due to vulnerabilities in the inner working of a blockchain protocol and even smart contract. The best way to discover and fix this high-severity vulnerability is a thorough and professional audit.
Apart from blockchains, regular users can also be victims of double-spending. The main check is to wait for 6 block confirmations. The receiving parties can fall for Finney Attack and Race Attack by assuming that a transaction will go through when there are only one or two confirmations.
A transaction can neither be reversed nor overridden once there are 6 block confirmations. Usually, there should be 6 block confirmations within 3 to 30 minutes at most.
But some users can be quite impatient or presumptuous. The best approach is to wait for 6 block confirmations, no matter how long it takes, to be double-sure the transaction was successful. Most blockchains have recently developed a rule to speed up the pace of the confirmations so there won’t be a space for foul play.
Double-spending is a serious manipulation that can affect the integrity of a blockchain. Hackers have attacked Ethereum Classic and Litecoin Cash with a 51% attack, a double-spending variant.
Attackers can also defraud vendors or service providers with double-spent tokens. Blockchains can prevent this attack with centralized supervision, timestamps, audits, and high node operation cost. Individuals can avoid being victims by waiting for 6 blocks of confirmation.
At the same time, double-spending vulnerabilities are rarely that simple. Blockchain protocol audit is the right solution exactly for these complex vulnerabilities that can enable double spending attacks. Book your audit today!
Double-spending in crypto is an illegal practice of spending the same crypto token in one or more transactions.
Crypto solves the double-spending problem by quickly broadcasting the details of genuine transactions to all the nodes. Thereby making it extremely difficult for an attacker to spend crypto twice.
Always wait for 6 block confirmations to ensure a transaction is genuine and the crypto will soon land in your wallet.
Blockchains can avoid double-spend through protocol audits, timestamps, high node operation cost, and centralized supervision.
The problem of double-spending can be understood as the game theory of BGP. The Generals must agree on a perfect time to make key military moves. But there is always an assumption that one or more traitors among the Generals might attempt to confuse the rest. The main problem was how the loyal generals would reach an agreement.