The General Double-Spending Attack: The Race Attack

Setting up a double-spending attack

To do a double-spending attack, an attacker sends two conflicting transactions in rapid succession into the network and thus will start a double-spend race against the rest of the network by secretly mining an alternate blockchain with the intent to create a longer chain than the authoritative one in order to replace the last blocks. This kind of attack is called a race attack.

Race attack

A race attack is released if an attacker sends two conflicting transactions in rapid succession into the network.

We outline the steps of this attack. Let’s assume that there’s a merchant who accepts a cryptographic currency in exchange for goods, while Mallory is a customer who intends to use the vulnerability of the blockchain algorithm. We assume that the block $B_{n}$ is the latest block $n$ of the blockchain. The attacker, Mallory, follows these steps (Krzysztof Okupski (2016)Krzysztof Okupski. Bitcoin developer reference. http://enetium.com/resources/ Bitcoin.pdf, Jul 2016. Accessed: 2018-07-02.):

1. Mallory sends a transaction $t x_{0}$ to the network that moves coins from one of his addresses to one of the merchant’s addresses.

2. The merchant waits for the transaction to appear in the block $B_{n+1}$ that has to block $B_{n}$ as its predecessor. Knowing that the security of the transaction grows in lengths of descendant blocks, he is looking for the $k$-th confirmation of the transaction, so he waits for the block $B_{n+k}$, as shown in Figure 1.

3. The merchant sends the goods to Mallory.

4. Now, Mallory starts the double-spending attack as shown in Figure 2: Mallory initiates a conflicting transaction $t x_{1}$ that moves the coins from his address to a new address that also belongs to him and creates a new block $B_{n+1}^{\prime}$ which has to block $B_{n}$ as predecessor and confirms $t x_{1}$. Now, he releases a chain of new blocks $B_{n+2}^{\prime}, \ldots, B_{n+k+l+1}^{\prime}$ (since the network of honest miners also created $l$ new blocks in the meanwhile and he needs to outpace them) in order to go one block ahead of the authoritative chain.

5. Since the newly-mined chain now maintains one block more than the alternative one, Mallory’s attacking chain becomes the new authoritative chain, whereas the blocks $B_{n+1}, \ldots, B_{n+k+l}$ of the alternative chain get orphaned.

6. The transaction $t x_{0}$ isn’t part of the authoritative chain any longer and thus it’s considered as if it never happened, whereby the conflicting transaction $t x_{1}$ is now considered as the valid one. Mallory has now both the good and his coins.

Figure 1