š
Original date posted:2013-05-20
š Original message:The current BitCoin implementation is subject to relatively easy double
spend attack for 0 confirmation payments. Yet 0 confirmation payments
are needed for typical in person transactions like most purchases at a
local business.
Notably, it is easy to transmit two transactions from the same output at
the same time to different sets of nodes on the network by using two
instances of bitcoind with same wallet file and a spend on each daemon
initiated by RPC by some easy to implement code. If the first attempt
to pay the merchant doesn't go through because they received the "wrong"
transaction it could be quickly followed up with another initiated spend
from a different output switching which daemon sends the transaction the
merchant is expecting. This means an unsophisticated attacker can
reliably get away with this attack and it would be worth while for small
transactions. Given this, I would be reluctant to trust 0 confirmation
transactions at all though I think many do in practice. Someone could
write and publish a special daemon to execute this attack further
reducing the cost.
Right now a node will drop any second spend of the same output in the
memory pool. After the first transaction has propagated through the
network issuing a second double spend transaction isn't likely to be
seen by a significant number of miners as most nodes especially non
miner nodes will drop this transaction. Today, it is necessary to
transmit both transactions on the network nearly simultaneously to
reliably get away with this simple attack. If in this case, the
receiving end is quickly notified of the double spend this attack
becomes more more difficult to get away with.
If the second transaction is relayed instead of being dropped to notify
the receiving party of the double spend, most miners will receive both
transactions and it is possible that some or even many of the miners
would replace the first transaction with the second if it has a higher
fee as it would be in their short term interest. This can happen some
time after the first transaction has propagated through the network so
the receiving end wouldn't get a timely notification of the double
spend. Depending on the choices of the miners, this approach to double
spend notification could exacerbate the very problem it was attempting
to fix compared to the current implementation. While miners might
continue to drop the second spends, the easy availability of the second
spends would increase the short term reward for changing this policy.
This problem can be fixed if instead of sending the second transaction a
new double spend message is sent with proof of the double spend but not
the complete transactions. This would allow the receiving end to be
quickly notified of a double spend while in no way increase the chance
over the current implementation that a double spend would be successful.
The proof of the double spend would include the scriptSig (input) from
the original transactions and the hashes from the "simplified"
transaction used by OP_CHECKSIG of the scriptPubKey (output) but not the
entire transaction. This is the hash computed by the SignatureHash
function in script.cpp. The double spend notification message should
contain proofs of both signed transaction spending the same output
ordered by hash to produce a canonical proof for a specific two
transactions. To reduce DOS potential, the proof should not be relayed
unless one of the original transactions has been received to ensure
there is some commitment to the block chain and different double spend
proofs of the same output should not be relayed. The forwarding of
transactions should remain exactly the same as it is now where the
second transaction is dropped but a double spend message is transmitted
if appropriate.
The existing block chain needs to be checked to make sure the proof of
double spend couldn't have been derived from the block chain and a
single spend in the memory pool. This could happen if there was already
an identical transaction in the block chain. This would typically only
happen if someone was paying someone else the same amount they had
before and neither side changed addresses. In this case double spend
detection wouldn't be reliable as it could be generated by anyone, but
both the sending and receiving client could detect this situation and
warn the user.
It would still be possible for an attacker to send the second
transaction directly to powerful miners but this is a distinctly less
viable attack than the current double spend attack.
I would expect this double spend notification implementation to make
double spends more costly than they are worth for most cases today that
0 confirmation acceptance is needed. That said over time this provision
might become less effective. As the reward for each block mined
decreases, transactions fees will become a more significant part of the
mining reward accordingly increasing the incentive to replace
transactions with higher fees. Today most BitCoin participants have a
high expectation of significant future appreciation of BitCoins and
recognize anything that brings into question the integrity of the system
is likely to reduce that future value so they have a long term self
interest to keep up the impression of integrity. As BitCoin becomes
more establish this incentive will decrease.
On the other hand, non mining nodes have no incentive to replace by
fee. The continued increased capital costs of mining would likely
increase the proportion of non mining nodes typically run by those with
an incentive to assure integrity of the network such as merchants. But
increasing transaction volume is likely to increase node costs which
would push out non mining nodes with lower incentive more than mining
nodes. Accordingly increasing block size would have a tendency to
reduce the effectiveness of double spend notification. The primary
point is there are multiple counteracting forces that make predicting
the future effectiveness of double spend notification uncertain.
I don't believe this necessary warrants conceding that we can not
provide any protection from non trusted 0 confirmations transaction as a
replace by fee implementation would do. But it would still be important
to work towards more robust solutions notably various forms of 3rd party
trust. This could be tamper resistant devices trusted to not duplicate
spends, 3rd party certificates with proof the transaction was spent by
the holder of the certificate or multi signature transactions on the
block chain that must be signed by a trusted 3rd party to spend. I
would expect it would take significantly longer for the companies and
technologies to be built to implement this on a wide scale than adding
double spend proof messages to the current implementation. In addition,
there will likely always be some use cases where a 3rd party
(centralization) is not viable.
Should a BIP and pull request implementing a double spend notification
as described be accepted?
- Quinn
Quinn Harris [ARCHIVE] /
npub18zā¦u3jvu
2023-06-07 15:02:14
in reply to nevent1qā¦k3uj
Author Public Key
npub18zpfny5rg862xszvk3d4hnna037cj0dem7dpg36azurwx99wpnfquu3jvuPublished at
2023-06-07 15:02:14Event JSON
{
"id": "d4def1cf6a8adccfcf586d3efb65b79e2bf6e2e6f78b603f100e8aeee44e774b",
"pubkey": "388299928341f4a3404cb45b5bce7d7c7d893db9df9a14475d1706e314ae0cd2",
"created_at": 1686150134,
"kind": 1,
"tags": [
[
"e",
"e2b0d4c9e9ef91bcdbcf2583000e9ebb8fa15ef27e8a01c38f0772dbda8190a9",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "š
Original date posted:2013-05-20\nš Original message:The current BitCoin implementation is subject to relatively easy double \nspend attack for 0 confirmation payments. Yet 0 confirmation payments \nare needed for typical in person transactions like most purchases at a \nlocal business.\n\nNotably, it is easy to transmit two transactions from the same output at \nthe same time to different sets of nodes on the network by using two \ninstances of bitcoind with same wallet file and a spend on each daemon \ninitiated by RPC by some easy to implement code. If the first attempt \nto pay the merchant doesn't go through because they received the \"wrong\" \ntransaction it could be quickly followed up with another initiated spend \nfrom a different output switching which daemon sends the transaction the \nmerchant is expecting. This means an unsophisticated attacker can \nreliably get away with this attack and it would be worth while for small \ntransactions. Given this, I would be reluctant to trust 0 confirmation \ntransactions at all though I think many do in practice. Someone could \nwrite and publish a special daemon to execute this attack further \nreducing the cost.\n\nRight now a node will drop any second spend of the same output in the \nmemory pool. After the first transaction has propagated through the \nnetwork issuing a second double spend transaction isn't likely to be \nseen by a significant number of miners as most nodes especially non \nminer nodes will drop this transaction. Today, it is necessary to \ntransmit both transactions on the network nearly simultaneously to \nreliably get away with this simple attack. If in this case, the \nreceiving end is quickly notified of the double spend this attack \nbecomes more more difficult to get away with.\n\nIf the second transaction is relayed instead of being dropped to notify \nthe receiving party of the double spend, most miners will receive both \ntransactions and it is possible that some or even many of the miners \nwould replace the first transaction with the second if it has a higher \nfee as it would be in their short term interest. This can happen some \ntime after the first transaction has propagated through the network so \nthe receiving end wouldn't get a timely notification of the double \nspend. Depending on the choices of the miners, this approach to double \nspend notification could exacerbate the very problem it was attempting \nto fix compared to the current implementation. While miners might \ncontinue to drop the second spends, the easy availability of the second \nspends would increase the short term reward for changing this policy.\n\nThis problem can be fixed if instead of sending the second transaction a \nnew double spend message is sent with proof of the double spend but not \nthe complete transactions. This would allow the receiving end to be \nquickly notified of a double spend while in no way increase the chance \nover the current implementation that a double spend would be successful.\n\nThe proof of the double spend would include the scriptSig (input) from \nthe original transactions and the hashes from the \"simplified\" \ntransaction used by OP_CHECKSIG of the scriptPubKey (output) but not the \nentire transaction. This is the hash computed by the SignatureHash \nfunction in script.cpp. The double spend notification message should \ncontain proofs of both signed transaction spending the same output \nordered by hash to produce a canonical proof for a specific two \ntransactions. To reduce DOS potential, the proof should not be relayed \nunless one of the original transactions has been received to ensure \nthere is some commitment to the block chain and different double spend \nproofs of the same output should not be relayed. The forwarding of \ntransactions should remain exactly the same as it is now where the \nsecond transaction is dropped but a double spend message is transmitted \nif appropriate.\n\nThe existing block chain needs to be checked to make sure the proof of \ndouble spend couldn't have been derived from the block chain and a \nsingle spend in the memory pool. This could happen if there was already \nan identical transaction in the block chain. This would typically only \nhappen if someone was paying someone else the same amount they had \nbefore and neither side changed addresses. In this case double spend \ndetection wouldn't be reliable as it could be generated by anyone, but \nboth the sending and receiving client could detect this situation and \nwarn the user.\n\nIt would still be possible for an attacker to send the second \ntransaction directly to powerful miners but this is a distinctly less \nviable attack than the current double spend attack.\n\nI would expect this double spend notification implementation to make \ndouble spends more costly than they are worth for most cases today that \n0 confirmation acceptance is needed. That said over time this provision \nmight become less effective. As the reward for each block mined \ndecreases, transactions fees will become a more significant part of the \nmining reward accordingly increasing the incentive to replace \ntransactions with higher fees. Today most BitCoin participants have a \nhigh expectation of significant future appreciation of BitCoins and \nrecognize anything that brings into question the integrity of the system \nis likely to reduce that future value so they have a long term self \ninterest to keep up the impression of integrity. As BitCoin becomes \nmore establish this incentive will decrease.\n\nOn the other hand, non mining nodes have no incentive to replace by \nfee. The continued increased capital costs of mining would likely \nincrease the proportion of non mining nodes typically run by those with \nan incentive to assure integrity of the network such as merchants. But \nincreasing transaction volume is likely to increase node costs which \nwould push out non mining nodes with lower incentive more than mining \nnodes. Accordingly increasing block size would have a tendency to \nreduce the effectiveness of double spend notification. The primary \npoint is there are multiple counteracting forces that make predicting \nthe future effectiveness of double spend notification uncertain.\n\nI don't believe this necessary warrants conceding that we can not \nprovide any protection from non trusted 0 confirmations transaction as a \nreplace by fee implementation would do. But it would still be important \nto work towards more robust solutions notably various forms of 3rd party \ntrust. This could be tamper resistant devices trusted to not duplicate \nspends, 3rd party certificates with proof the transaction was spent by \nthe holder of the certificate or multi signature transactions on the \nblock chain that must be signed by a trusted 3rd party to spend. I \nwould expect it would take significantly longer for the companies and \ntechnologies to be built to implement this on a wide scale than adding \ndouble spend proof messages to the current implementation. In addition, \nthere will likely always be some use cases where a 3rd party \n(centralization) is not viable.\n\nShould a BIP and pull request implementing a double spend notification \nas described be accepted?\n\n- Quinn",
"sig": "d8aaa6175516b106b7bf2cf61d221ca91f0b99c5303e54a7dae0692ca70a6a6c95853bd19821fe71006cdbbe01e80369f6ed8c47136cd7e218da4909304c39ca"
}