Double-spending

Double-spending is the unauthorized spending of the same money (either digital or conventional) more than once. As with counterfeit money, double-spending leads to supply inflation by creating a new amount of copied currency that did not previously exist. It can also devalue the currency and diminish user trust in the currency.

There are many fundamental cryptographic techniques to prevent double-spending while preserving anonymity in a transaction, including the introduction of a centralized authority (proof-of-authority) for blind signatures and, particularly in offline systems, secret splitting.^[1]. Other methods to mitigate the double-spend problem include decentralized consensus protocols such as proof-of-work and proof-of-stake.

Centralized digital currencies

Prevention of double-spending is usually implemented using an online central trusted third party that can verify whether a token has been spent.^[1] This normally represents a single point of failure from both availability and trust viewpoints.

Decentralized digital currencies

See also: Blockchain § Finality

In a decentralized system, the double-spending problem is significantly harder to solve. To avoid the need for a trusted third party, many clients must store compatible copies of a public transaction ledger. As transactions (requests to spend money) are broadcast, they will arrive at each client at slightly different times. If two transactions attempt to spend the same tokens, each client will consider one transaction to be valid while rejecting the other transaction. Conflicting transactions or blocks will cause a chain-split.

Decentralized systems reduce the risk of double-spending by using consensus protocols where clients agree on which is the valid chain, also known as the canonical chain. Two notable types of consensus mechanisms are proof-of-work and proof-of-stake.

By 2007, a number of distributed systems for the prevention of double-spending had been proposed.^[2][3]

Proof-of-work

Main article: Proof_of_work

The cryptocurrency Bitcoin implemented a protocol to address the double-spending problem in early 2009. It uses a proof-of-work consensus mechanism where transactions are batched into blocks and chained together using a linked list of hash pointers (blockchain). Any miner can produce a block after winning a lottery race that's determined by finding a valid hash of the block with a sufficient number of leading zeroes.

Bitcoin's proof-of-work protocol has probabilistic finality where transactions are never technically "final" because a conflicting chain of blocks can always outgrow the current canonical chain. However, as blocks are built on top of a transaction, it becomes increasingly costly and thus unlikely for another chain to overtake it. Because competing chains and reorgs can arise naturally, it is recommended that participants wait a number of blocks (i.e. "confirmations") before accepting the probabilistic finality of the transaction. The more confirmations a participant waits, the less risk of encountering a reorg or double-spend.^[4]

Double-spending scenarios

Not waiting for sufficient confirmations (race attack)

Proof-of-work blockchains naturally allow for blocks to reorg and thus have probabilistic finality. Competing miners race to submit blocks and build the longest chain. If a competing miner takes over as the longest chain, the blocks of the losing chain are reorged and no longer considered canonical. Any client or merchant that doesn't wait for a sufficient number of confirmations is at risk of experiencing a double-spend if the tokens they received are reverted during a natural reorg.^[4][5]

51% attack (majority attack)

In proof-of-work, large miners and mining pools with greater hash power have a larger chance of mining blocks. Any entity with over 50% hash power can always produce the longest chain in the long run, allowing them to control block production. They can secretly mine the longest chain and then broadcast their blocks all at once, leading to a large reorg when their blocks are accepted as the canonical chain. Any reverted transactions can then be double-spent on attacker's new chain.^[4][5]

Examples of double-spending caused by 51% attacks

There are many known examples of double-spending as the result of majority attacks on proof-of-work protocols:

Bitcoin

In March 2013, Bitcoin experienced the first known example of a cryptocurrency double-spend when the chain split due to a bug in the Bitcoin 0.8.0 client. While on the 0.8.0 chain, a merchant (OKPAY) confirmed a $10k deposit from a customer. Bitcoin miners then 51% attacked the network, reverting 24 blocks and reversing the transaction leading to the customer's deposit. The customer then double-spent the bitcoin on the canonical pre-0.8.0 chain as an experiment.^[6]

Bitcoin Gold

One of the Bitcoin forks, Bitcoin Gold, was hit by two double-spending attacks as the result of a 51% attack. This cost exchanges $18M in Sept 2018 and $72k in January 2020.^[7][8][9]

Ethereum Classic

An Ethereum fork, Ethereum Classic, experienced a 51% attack in 2019,^[10][11] followed by multiple more in 2020, significantly impacting its security and market perception. Attackers attempted a $1.1M double-spend on Coinbase and successfully double-spent $200k on Gate.io. These attacks involved malicious actors reorganizing transactions to double-spend coins, leading to concerns regarding the long-term viability and security measures of the Ethereum Classic blockchain.^[12]

Atomic Ownership Blockchains

Atomic Ownership Blockchains (AOB) is a theoretical public network of multiple private blockchains. Each private blockchain can transfer assets to other private blockchains. Each participating blockchain is responsible for their own security when conflicting blocks are detected. AOB discourages double-spending by allowing each individual blockchain to blacklist double-spenders, creating a network-split without the attacker.^{[13][non-primary source needed]}