[bitcoin-dev] Significant losses by double-spending unconfirmed transactions

Peter Todd pete at petertodd.org
Wed Jul 15 15:18:25 UTC 2015

On Wed, Jul 15, 2015 at 07:35:21AM -0700, Tom Harding via bitcoin-dev wrote:
> You perform a valuable service with your demonstration, but you
> neglected to include the txids to show that you actually did it.
> Your advice is must-follow for anyone relying on an unconfirmed tx: it
> must pay a good fee and be highly relayable/minable.

Actually, I was looking at what I believe was (part of?) this attack
yesterday in the logs on my full-RBF nodes and the txs involved *did*
have good fees and were highly relayable/minable - the double-spent txs
had near 100% propagation on blockchain.info (who has unfortunately
purged the relevant data already).

Shapeshift.io depends on Blockcypher's "confidence factor" model(1)
under the hood - yet another one of those sybil attacking network
monitoring things - to estimate tx confirmation probability by looking
at the % of nodes a tx has propagated to. But miners frequently use
customized Bitcoin Core codebases that don't follow normal policies, so
those measurements don't actually tell you what you need to know.

Shapeshift confirmed(2) the attack - confirming that they disabled
unconfirmed tx acceptance - said they're going to "improve" their
system... It'll be interesting to see what that actually entails.

1) https://medium.com/blockcypher-blog/from-zero-to-hero-bitcoin-transactions-in-8-seconds-7c9edcb3b734
2) https://www.reddit.com/r/Bitcoin/comments/3ddkhy/bitcoindev_significant_losses_by_doublespending/ct468p7
