Double spending in Bitcoin – Mike Hearn – Medium
and how to make it harder
In this article I will discuss double spending against merchants in Bitcoin, analyse a couple of real cases and describe several proposed schemes to make it harder. I’ll also explain the project we’re implementing in the bitcoinj project that I lead.
This article is intended for Bitcoin wallet developers and payment processors.
First off, how big a problem is double spending?
Double spending in the real world
There are several ways to double spend in Bitcoin. One is to get a miner to unwittingly help you commit fraud. Another is to actually be such a miner. In November 2013 it was discovered that the GHash.io mining pool appeared to be engaging in repeated payment fraud against BetCoin Dice, a gambling site. Dice sites use one transaction per bet and don’t wait for confirmations.
GHash.io claimed they had investigated and found a rogue employee who had been doing the double spending, and who was fired. However no evidence supporting this was provided and the incident left a permanent cloud hanging over the pool. Regardless, it didn’t seem to hurt their market share much: most miners probably never heard about the incident at all.
The Eligius pool implements a transaction check called “is notorious” on top of the normal “is standard”. A notorious transaction is one that sends money to addresses associated with things that the pool’s owner (Luke Dashjr) considers to be “non-transactional data spam”. The list of addresses that trigger this can be found here. When it finds a notorious transaction the pool ignores it and acts as if it was never broadcast: this means that by making a transaction that spends to both a merchant and a well known address at the same time, the mempool becomes inconsistent between Eligius and everyone else. A double spend can then be submitted directly to Eligius and if they find the block, the original transaction will be killed.
This exploit has been used to double spend against a merchant that was performing a kind of quasi-exchange service. After the merchant implemented a recursive dependency check that detected the “notorious” transactions, the fraudster tried a couple more times, then gave up and went away.
The Eligius operators don’t actually want to help criminals commit payment fraud. The fact that they do is due to the way the transaction filtering patches were implemented. Luke Dashjr has told me he would accept code to fix this but isn’t going to fix it himself. Unlike most pools, Eligius and Luke are serious about decentralisation and are working on the getblocktemplate system, which lets miners pool without giving up control over transaction selection policies. So it’s possible that this policy will fade away over time, unless Eligius’ miners decide collectively to continue enforcing it as a group.
The above two cases are the ones I am most familiar with. The details of the second have been elided at the request of the parties involved. There’s probably more double spending going on that isn’t publicly discussed, but it seems infrequent enough not to be a major topic as of March 2015. I check in with payment processors and other merchants every so often to ask them about double spending: they tell me it’s not a problem for them right now.
There are plenty of double spend attempts happening on the Bitcoin network. But it seems like lots of them are tests, or people attempting to bump the fees on their own transactions (the correct fix for this is child-pays-for-parent).
But let’s assume it gets worse and look at a series of proposed solutions for the double spending problem:
- Risk analysis of transactions
- Payment channels
- Countersigning by a trusted third party
- Remote attestation
- ID verification
- Waiting for confirmations
- Penalising double spending blocks
1. Protocol risk analysis
It’s worth noting that the second case of double spending, using Eligius, is based on a protocol exploit: Eligius doesn’t use the same memory pool code as everyone else, but the rules it does use are public and fairly easy to check for.
There were two giveaways that something was wrong:
- A chain of transactions with a free transaction at the bottom. This ensures that there is as much time as possible for Eligius to find a block.
- A transaction that pays to a “notorious” dice address.
Both of these things are easily checked for by fairly simple code, which is why the merchant was able to kick the fraudster out so quickly.
This trick generalises: most memory pool differences between miners are due to version skew. Bitcoin Core releases a new version that changes the rules, and some miners upgrade quickly whilst others are slower. In the intervening time it becomes possible to exploit these differences. But the differences are often in fairly obscure details that don’t crop up in regular usage. Wallets that are kept up to date can detect transactions that are hitting the rule change and flag them as needing confirmations.
Given the types of double spending that seem to be reported today, I think it’s likely that protocol risk analysis could detect virtually all of them.
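The two giveaways above are mechanical to check. The following is an added example, not code from bitcoinj or from the merchant in the story: it walks an unconfirmed payment and every unconfirmed ancestor it depends on (the recursive dependency check), flags any link in the chain that pays no fee, and flags any output to an address on a notorious list. The transaction IDs, addresses and the single notorious-list entry are constructed for the example; values are in satoshis.

```go
package main

import "fmt"

// OutPoint names a transaction output by creating transaction and index.
type OutPoint struct {
	TxID  string
	Index uint32
}

// Output is a payment to an address, in satoshis.
type Output struct {
	Address string
	Value   int64
}

// Tx is the minimal view of a transaction the risk check needs.
type Tx struct {
	ID      string
	Inputs  []OutPoint
	Outputs []Output
}

// Analyzer is the merchant's view of the network: confirmed unspent outputs,
// the unconfirmed transactions it has seen, and addresses some pools refuse to mine to.
type Analyzer struct {
	Confirmed map[OutPoint]int64
	Mempool   map[string]*Tx
	Notorious map[string]bool
}

// fee computes the fee paid by tx, resolving input values from confirmed outputs
// or from unconfirmed parents in the mempool. ok is false when an input refers to
// an output the analyzer has never seen.
func (a *Analyzer) fee(tx *Tx) (int64, bool) {
	var in, out int64
	for _, op := range tx.Inputs {
		if v, found := a.Confirmed[op]; found {
			in += v
			continue
		}
		parent, found := a.Mempool[op.TxID]
		if !found || int(op.Index) >= len(parent.Outputs) {
			return 0, false
		}
		in += parent.Outputs[op.Index].Value
	}
	for _, o := range tx.Outputs {
		out += o.Value
	}
	return in - out, true
}

// Risks walks tx and every unconfirmed ancestor and returns the reasons, if any,
// why the payment should wait for confirmations. Empty means no known giveaway.
func (a *Analyzer) Risks(tx *Tx) []string {
	var reasons []string
	seen := map[string]bool{}
	var walk func(t *Tx, depth int)
	walk = func(t *Tx, depth int) {
		if seen[t.ID] {
			return
		}
		seen[t.ID] = true
		if f, ok := a.fee(t); !ok {
			reasons = append(reasons, fmt.Sprintf("%s spends an output we have never seen", t.ID))
		} else if f <= 0 {
			reasons = append(reasons, fmt.Sprintf("%s pays no fee (%d unconfirmed hops below the payment)", t.ID, depth))
		}
		for _, o := range t.Outputs {
			if a.Notorious[o.Address] {
				reasons = append(reasons, fmt.Sprintf("%s pays notorious address %s", t.ID, o.Address))
			}
		}
		for _, op := range t.Inputs { // confirmed parents need no check
			if parent, found := a.Mempool[op.TxID]; found {
				walk(parent, depth+1)
			}
		}
	}
	walk(tx, 0)
	return reasons
}

// sampleNetwork is a constructed scenario: a free transaction at the bottom of a
// chain whose top pays both the merchant and a notorious address, plus an
// ordinary payment for comparison. All identifiers are hypothetical.
func sampleNetwork() (a *Analyzer, bad, good *Tx) {
	a = &Analyzer{
		Confirmed: map[OutPoint]int64{{TxID: "conf-a", Index: 0}: 100000, {TxID: "conf-b", Index: 0}: 50000},
		Mempool:   map[string]*Tx{},
		Notorious: map[string]bool{"1diceNotoriousExample": true},
	}
	free := &Tx{ID: "tx-free", Inputs: []OutPoint{{"conf-a", 0}}, Outputs: []Output{{"1buyerChange", 100000}}}
	bad = &Tx{ID: "tx-bad", Inputs: []OutPoint{{"tx-free", 0}},
		Outputs: []Output{{"1merchant", 50000}, {"1diceNotoriousExample", 40000}}}
	good = &Tx{ID: "tx-good", Inputs: []OutPoint{{"conf-b", 0}}, Outputs: []Output{{"1merchant", 49000}}}
	for _, t := range []*Tx{free, bad, good} {
		a.Mempool[t.ID] = t
	}
	return a, bad, good
}

func main() {
	a, bad, good := sampleNetwork()
	for _, t := range []*Tx{bad, good} {
		fmt.Printf("%s: risks=%v\n", t.ID, a.Risks(t))
	}
}
```

A merchant runs this before treating an unconfirmed payment as good; anything flagged waits for a confirmation. The version-skew cases from the paragraph above fit the same shape: each known difference between mempool policies becomes one more rule inside the walk.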
Double spend relaying
The best way to learn about a double spend is of course to see it for yourself. If you see it quickly enough, you can abort the trade before handing over anything of value.
That’s why Gavin Andresen and Tom Harding have implemented double spend relaying. This is a change to Bitcoin that makes nodes relay the first double spend of any given transaction that they see (but not others, in order to conserve bandwidth).
Both the Bitcoin Core wallet and the next release of the bitcoinj wallet know how to inform the user of conflicting unconfirmed transactions. BitcoinJ already tells you when an unconfirmed transaction is “killed” by a double spend getting confirmed, but informing the user as soon as the double spend is broadcast will go a lot further.
Double spend relaying didn’t get into Bitcoin Core because of endless arguments about whether attempting to fight double spending is pointless, but I integrated it into my Bitcoin XT patch set, so anyone who wants to help relay double spends can help out by using XT instead of Core. Just make sure you stay up to date.
Bitcoin XT is still new and I haven’t done any promotion of it yet. There are deterministic, code signed builds for Windows, Mac and Linux. They share data directories, so if you can run Core you can easily switch back and forth: re-downloading the chain is not required.
The next major release of BitcoinJ has support in it for finding and connecting to Bitcoin XT nodes specifically, so people building on this library will be able to very quickly get access to an improved view of double spends on the network.
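The relay rule described above, as an added example that is not the Bitcoin XT patch itself: a node keeps a first-seen mempool, never lets a conflicting transaction displace the original, forwards only the first conflict per original and drops later ones to save bandwidth, and fires a callback that a wallet can use to mark the unconfirmed payment as conflicted. Transaction IDs and outpoints are constructed.

```go
package main

import "fmt"

type OutPoint struct {
	TxID  string
	Index uint32
}

type Tx struct {
	ID     string
	Inputs []OutPoint
}

// Verdict is what the node did with a received transaction.
type Verdict int

const (
	Relayed            Verdict = iota // spends nothing already spent: stored and forwarded
	DoubleSpendRelayed                // first conflict for some original: forwarded once
	Dropped                           // later conflict for an original already reported
	AlreadyKnown                      // duplicate of a transaction in the mempool
)

func (v Verdict) String() string {
	return [...]string{"Relayed", "DoubleSpendRelayed", "Dropped", "AlreadyKnown"}[v]
}

// Node models a first-seen mempool with the double spend relay rule added.
type Node struct {
	known    map[string]bool     // transactions already in the mempool
	spentBy  map[OutPoint]string // outpoint -> ID of the first transaction seen spending it
	reported map[string]bool     // originals whose double spend has already been relayed
	// OnConflict is called once per original when its double spend is relayed;
	// a wallet hooks this to mark the unconfirmed payment as unsafe.
	OnConflict func(original, conflicting string)
}

func NewNode(onConflict func(original, conflicting string)) *Node {
	return &Node{known: map[string]bool{}, spentBy: map[OutPoint]string{},
		reported: map[string]bool{}, OnConflict: onConflict}
}

// Accept handles a transaction received from a peer.
func (n *Node) Accept(tx *Tx) Verdict {
	if n.known[tx.ID] {
		return AlreadyKnown
	}
	conflicts := map[string]bool{}
	for _, in := range tx.Inputs {
		if first, ok := n.spentBy[in]; ok {
			conflicts[first] = true
		}
	}
	if len(conflicts) == 0 {
		n.known[tx.ID] = true
		for _, in := range tx.Inputs {
			n.spentBy[in] = tx.ID
		}
		return Relayed
	}
	// A conflict never replaces the first-seen transaction. It is forwarded
	// only if at least one of the originals has not been reported yet.
	relay := false
	for orig := range conflicts {
		if n.reported[orig] {
			continue
		}
		n.reported[orig] = true
		relay = true
		if n.OnConflict != nil {
			n.OnConflict(orig, tx.ID)
		}
	}
	if relay {
		return DoubleSpendRelayed
	}
	return Dropped
}

// sampleRun feeds a constructed sequence through one node and returns the
// verdicts plus the set of originals a wallet would now treat as conflicted.
func sampleRun() ([]Verdict, map[string]bool) {
	conflicted := map[string]bool{}
	node := NewNode(func(orig, _ string) { conflicted[orig] = true })
	coin := OutPoint{TxID: "conf-a", Index: 0}
	txs := []*Tx{
		{ID: "pay-merchant", Inputs: []OutPoint{coin}}, // the payment the merchant is watching
		{ID: "pay-self", Inputs: []OutPoint{coin}},     // attacker's conflicting spend: relayed once
		{ID: "pay-self-2", Inputs: []OutPoint{coin}},   // a third spend of the same coin: dropped
		{ID: "pay-merchant", Inputs: []OutPoint{coin}}, // the original again, from another peer
		{ID: "unrelated", Inputs: []OutPoint{{"conf-b", 0}}},
	}
	var verdicts []Verdict
	for _, tx := range txs {
		verdicts = append(verdicts, node.Accept(tx))
	}
	return verdicts, conflicted
}

func main() {
	verdicts, conflicted := sampleRun()
	fmt.Println(verdicts, conflicted)
}
```

The node cannot tell which of the two spends is the honest one; it only knows a conflict exists. That is enough for the merchant side, whose policy is simply that any conflict seen before confirmation means the sale waits.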
Risk analysis in bitcoinj
Most wallets don’t do protocol risk analysis today. BitcoinJ has some code to do it, but it’s not exhaustive. For example it does not check for attempts to exploit Eligius.
It would make sense for someone to build a standalone server that uses this framework to risk analyse unconfirmed transactions and export the results over HTTP (using JSON-RPC, protobufs or both). If built on top of bitcoinj then we would have merchant-oriented hot wallets and client side SPV wallets using the same code to perform their risk analysis, and the pooled effort would be much more effective.
Call to action: if anyone is interested in this project, please join the bitcoinj mailing list and ask about it. I will be happy to point you in the right direction.
2. Payment channels
A payment channel is a construct using a contract protocol that I described in 2011, with later tweaks from Jeremy Spilman. The original description doesn’t use the channel terminology: I think that is something I began using later when Matt Corallo and I built an implementation of the scheme in bitcoinj.
Briefly, the idea behind a payment channel is that you lock up some value in a multi-sig contract with the seller, in such a way that all the value starts out being sent back to yourself. This step involves broadcasting a transaction on the Bitcoin network. Then you start a negotiation in which you send progressively better transactions (for the seller) privately, without using the P2P network. The typical use case is micropayments: each time you buy a micro-service like a kilobyte of bandwidth or a second of someone’s time you send them a new transaction that allocates slightly more money to them than before. Eventually the buyer signals to the seller that they’re done negotiating and the channel should be settled on the P2P network: the final state is broadcast and the channel is closed.
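The negotiation just described, in runnable form, as an added example that is not the bitcoinj implementation. Ed25519 signatures stand in for the ECDSA signatures on real Bitcoin transactions, and the 2-of-2 funding output, the timelocked refund and malleability are not modelled; what it does show is the rule that makes the scheme safe for the seller: a new state is accepted only if it is validly signed, conserves the deposit, and is strictly better for the seller than the one already held, so replays of older states and edited amounts are rejected. Channel ID and amounts are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// State is one version of the channel balance. On the real network each state
// is a transaction spending the 2-of-2 funding output; here only the split is modelled.
type State struct {
	Seq      uint64 // strictly increasing per new state
	ToSeller int64
	ToBuyer  int64
}

// encode fixes the byte layout that is signed: channel ID, then the fields.
func (s State) encode(channelID []byte) []byte {
	buf := bytes.NewBuffer(append([]byte{}, channelID...))
	binary.Write(buf, binary.BigEndian, s.Seq)
	binary.Write(buf, binary.BigEndian, s.ToSeller)
	binary.Write(buf, binary.BigEndian, s.ToBuyer)
	return buf.Bytes()
}

// Buyer signs successive states; Seller verifies them and keeps only the best.
type Buyer struct {
	key       ed25519.PrivateKey
	channelID []byte
	last      State
}

type Seller struct {
	buyerPub  ed25519.PublicKey
	channelID []byte
	deposit   int64
	best      State
	bestSig   []byte
}

// Open stands for the confirmed funding transaction: deposit is locked and the
// initial state refunds all of it to the buyer.
func Open(channelID []byte, deposit int64) (*Buyer, *Seller) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	initial := State{Seq: 0, ToSeller: 0, ToBuyer: deposit}
	return &Buyer{key: priv, channelID: channelID, last: initial},
		&Seller{buyerPub: pub, channelID: channelID, deposit: deposit, best: initial}
}

// Pay moves amount to the seller off-chain and returns the signed new state.
func (b *Buyer) Pay(amount int64) (State, []byte, error) {
	if amount <= 0 || amount > b.last.ToBuyer {
		return State{}, nil, errors.New("amount exceeds remaining balance")
	}
	next := State{Seq: b.last.Seq + 1, ToSeller: b.last.ToSeller + amount, ToBuyer: b.last.ToBuyer - amount}
	b.last = next
	return next, ed25519.Sign(b.key, next.encode(b.channelID)), nil
}

// Accept keeps a state only if it is validly signed, conserves the deposit and is
// strictly better for the seller than what it already holds.
func (s *Seller) Accept(st State, sig []byte) error {
	switch {
	case !ed25519.Verify(s.buyerPub, st.encode(s.channelID), sig):
		return errors.New("bad signature")
	case st.ToSeller < 0 || st.ToBuyer < 0 || st.ToSeller+st.ToBuyer != s.deposit:
		return errors.New("state does not conserve the deposit")
	case st.Seq <= s.best.Seq || st.ToSeller <= s.best.ToSeller:
		return errors.New("state is not better than the one already held")
	}
	s.best, s.bestSig = st, sig
	return nil
}

// Settle is the state the seller broadcasts to close the channel.
func (s *Seller) Settle() (State, []byte) { return s.best, s.bestSig }

func main() {
	buyer, seller := Open([]byte("demo-channel"), 10000)
	st1, sig1, _ := buyer.Pay(1000)
	fmt.Println("first payment:", seller.Accept(st1, sig1))
	st2, sig2, _ := buyer.Pay(1000)
	fmt.Println("second payment:", seller.Accept(st2, sig2))
	fmt.Println("replay of first:", seller.Accept(st1, sig1))
	final, _ := seller.Settle()
	fmt.Printf("settled: seller=%d buyer=%d\n", final.ToSeller, final.ToBuyer)
}
```

Because every accepted state is better for the seller than the last, the seller only ever needs to keep the latest one, and the buyer gains nothing by withholding the final message: the seller can settle with whatever it holds.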
It was observed early on that this scheme allows for a kind of hub-and-spoke system in which networks of channels between payment processors route payments between entities without needing to touch the block chain. From there it’s easy to observe that if you have a payment channel pre-established some time ago you can’t double spend, as the transaction which opened the channel is already confirmed.
I’m a big fan of payment channels for micropayments and in fact have implemented a demo of using them to pay for file downloads. I am less keen on the idea of using them to fight double spends, for these reasons:
- The payment channel protocol is complicated. Making a basic implementation is not too bad, but handling all the edge cases is a lot of work. The code in bitcoinj handles cases like one of the parties disappearing during the contract without formally closing the channel, serialising the state of the channel to disk so it can survive app restarts and so on. So far I believe that only bitcoinj has a production-ready implementation of payment channels. Asking all wallets to implement this protocol seems extreme: wallet authors are already maxed out just handling the complexities of the current Bitcoin protocol, let alone elaborate multi-step contract protocols on top.
- Worse: even once all the protocol edge cases are handled, users don’t want to know about the details of how their payments are being handled. So the setup, usage and teardown of channels all has to be entirely transparent in the user interface. That adds even more complexity.
- If only some wallets implement this scheme rather than all of them, the merchant still wants to accept plain old broadcast transactions. So payment fraudsters would just claim to be using a wallet that doesn’t support the feature, and it’d have little impact.
- If you don’t have a payment channel with the merchant or payment processor, or a path through the hub-and-spoke network, then you would have to build such a channel first. This would require waiting for a confirmation (otherwise why bother) and so in practice the user would sometimes still end up waiting. Avoiding waits is the aim of accepting unconfirmed transactions.
- Payment channels tie up the user’s funds in ways that can be unintuitive. If you have money sitting in a channel and then want to use it to buy something from a merchant that doesn’t use channels, you must close the channel, which requires going back to the first entity and asking them to close the channel for you. If they’re gone or unresponsive, now you have to wait for the channel to naturally expire. Explaining what’s happening to users in this case is … difficult.
It’s also worth noting here that payment channels are subject to a malleability attack. However fixing transaction malleability is already being worked on: because payment channels are so complex, by the time any implementation of them had interesting levels of deployment I think the anti-malleability work would be done already.
3. Countersigning by a trusted party
GreenAddress.it has proposed a scheme whereby multi-signature coins are owned by a combination of the user and a trusted wallet server. When a payment is made the wallet server signs a statement asserting that it won’t permit double spending of the used outputs.
In practice this means signing the BIP 70 Payment message with some key that is identifiable as coming from a particular trusted third party (TTP); a PKI is a good way to do this.
Whilst this mechanism is simple and would work, it effectively brings back elements of the old banking model with its known disadvantages:
- Users who don’t have a relationship with a TTP would be out of luck.
- The coins must be 2-of-2 because if the user could sign with a key they exclusively controlled, the extra protection wouldn’t work. GreenAddress attempts to mitigate this by providing time locked transactions, so that if they go away or blacklist you, you will eventually get the coins back. This is a neat solution. But it’s something no other provider has adopted and I’m not sure how the devices situation looks.
- Merchants have to learn about and evaluate TTPs. They must then configure their system to recognise those TTPs. Then Bitcoin users must also find a TTP, evaluate them, pick one and configure their coins. This is messy and would give existing incumbents an inertial advantage.
- Ideally there would be a way to automatically distribute a fraud proof and revoke the TTP if it misbehaved, but this isn’t specced.
This approach is in some ways like a network of non-anonymous miners that use regular signatures instead of PoW-style “signatures of effort” (Blockstream calls them “dynamic membership multi-party signatures”). But the current Bitcoin structure has quite a few advantages, namely that mining is a very liquid market. Ideally we’d do our best to keep that and fall back to the more traditional scheme only if we can’t make Satoshi’s more novel approach work reliably.
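The countersigning step of this scheme, as an added example that is not GreenAddress’s protocol or code: the wallet server keeps a ledger of outputs it has already committed and refuses to sign a second statement for any of them, and the merchant verifies the statement against its configured list of TTP keys and checks that it actually covers the transaction received. Ed25519 keys in a plain name-to-key map stand in for PKI certificates, and the statement format is constructed rather than the BIP 70 Payment message; transaction IDs and outpoints are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

type OutPoint struct {
	TxID  string
	Index uint32
}

// Statement is the TTP's promise: these outputs are committed to this payment
// transaction and will not be co-signed for any other.
type Statement struct {
	TTP    string
	TxID   string
	Inputs []OutPoint
}

// encode is the byte string that gets signed (constructed format). Newline
// separation is unambiguous because real transaction IDs are hex.
func (s Statement) encode() []byte {
	parts := []string{s.TTP, s.TxID}
	for _, in := range s.Inputs {
		parts = append(parts, fmt.Sprintf("%s:%d", in.TxID, in.Index))
	}
	return []byte(strings.Join(parts, "\n"))
}

// TTP is the wallet server that co-owns the user's 2-of-2 coins.
type TTP struct {
	Name      string
	Pub       ed25519.PublicKey
	key       ed25519.PrivateKey
	committed map[OutPoint]string // outpoint -> transaction it is committed to
}

func NewTTP(name string) *TTP {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &TTP{Name: name, Pub: pub, key: priv, committed: map[OutPoint]string{}}
}

// Countersign records the commitment and signs it. An output already committed
// to a different transaction is refused: this is where the promise is enforced.
func (t *TTP) Countersign(txid string, inputs []OutPoint) (Statement, []byte, error) {
	for _, in := range inputs {
		if prev, ok := t.committed[in]; ok && prev != txid {
			return Statement{}, nil, fmt.Errorf("output %s:%d already committed to %s", in.TxID, in.Index, prev)
		}
	}
	for _, in := range inputs {
		t.committed[in] = txid
	}
	st := Statement{TTP: t.Name, TxID: txid, Inputs: inputs}
	return st, ed25519.Sign(t.key, st.encode()), nil
}

// Merchant holds the operator-configured set of TTPs it is willing to trust.
type Merchant struct {
	Trusted map[string]ed25519.PublicKey
}

func TrustingMerchant(ttps ...*TTP) *Merchant {
	m := &Merchant{Trusted: map[string]ed25519.PublicKey{}}
	for _, t := range ttps {
		m.Trusted[t.Name] = t.Pub
	}
	return m
}

// Verify checks a statement delivered with the payment: the TTP must be configured,
// the signature must verify, and the statement must name the transaction actually
// received and cover every one of its inputs.
func (m *Merchant) Verify(st Statement, sig []byte, txid string, inputs []OutPoint) error {
	pub, ok := m.Trusted[st.TTP]
	if !ok {
		return errors.New("unknown TTP " + st.TTP)
	}
	if !ed25519.Verify(pub, st.encode(), sig) {
		return errors.New("bad signature")
	}
	if st.TxID != txid {
		return errors.New("statement is for a different transaction")
	}
	covered := map[OutPoint]bool{}
	for _, in := range st.Inputs {
		covered[in] = true
	}
	for _, in := range inputs {
		if !covered[in] {
			return fmt.Errorf("input %s:%d is not covered by the statement", in.TxID, in.Index)
		}
	}
	return nil
}

func main() {
	ttp := NewTTP("example-ttp")
	merchant := TrustingMerchant(ttp)
	coin := []OutPoint{{TxID: "conf-a", Index: 0}}
	st, sig, err := ttp.Countersign("tx-merchant", coin)
	fmt.Println("countersign tx-merchant:", err, "| merchant verifies:", merchant.Verify(st, sig, "tx-merchant", coin))
	_, _, err = ttp.Countersign("tx-self", coin)
	fmt.Println("countersign conflicting tx-self:", err)
}
```

This models only the statement side. In the 2-of-2 design the real enforcement is that the server withholds its signature on any conflicting transaction; the signed statement is what lets the merchant check that promise before the payment confirms, and the configured `Trusted` map is the per-merchant TTP evaluation step the list above complains about.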
4. Remote attestation
A variant of the GreenAddress scheme is to use trusted computing with remote attestation instead of a trusted wallet company.
Trusted computing is a feature of modern chipsets. The CPU or TPM chip signs a statement saying “I am a real piece of hardware manufactured by X and I am running software Y”. Remote attestation is a complex technology and I’m glossing over a lot of details, but to sum up, it would allow your computer to prove to another that it’s not double spending.
In effect, the manufacturer of your computer becomes the trusted third party, except one that doesn’t even know it’s doing so because the entire process is run entirely locally with no servers required.
The problem with TC is that the implementations shipped by AMD, Intel and ARM all suck, and actually building a computer capable of remote attestation is an exercise in frustration. The technology is presently targeted only at the server market and requires exceptionally good systems programming skills to use.
Intel are working on a new iteration of the idea called SGX. SGX is looking a lot more promising than the existing technologies, based on the documentation they’ve published so far. Unfortunately, SGX is presently vapourware: beyond some technical docs, a scientific paper from Microsoft and a handful of blog posts nothing else about it is available. It seems likely to be several years before an SGX based solution becomes workable. And unfortunately, whilst ARM TrustZone is widely deployed in mobile phones it apparently can’t do remote attestation. So it seems likely that only desktop wallets will be able to pull off this trick in the foreseeable future.
Even if implemented, this scheme has the same problem as all the others: if not all users can do it, then payment fraudsters will just pretend they don’t have the right setup and double spend with plain old transactions. Unless almost all transactions were being countersigned in this way it wouldn’t be feasible to restrict regular old-style transactions, and the benefits wouldn’t appear.
5. ID verification
This approach is simple and well tested, but of course very inconvenient for the buyer. Sufficiently advanced technology can make it much less inconvenient, but ideally this will never be needed because regular transactions will work well enough.
6. Waiting for confirmations
This one might seem too obvious to mention. If you can wait for confirmations, ideally you would. Unfortunately merchants often don’t do so, even in cases you’d intuitively expect it to be possible, like shipping items from a warehouse.
I suspect the main reason is that existing business workflows are based on the assumption that payments take only a few seconds and double spending is revealed weeks or months later. This is the model used by credit cards. It’s not unheard of for chargebacks to roll in 4 or 5 months after the original payment, long after the goods have shipped. Delays of many weeks are more common, as it takes time for people to get and check their statements. So outside of things like holidays or flight tickets, most merchants just have to accept credit card double spending as a business risk and price it in: they can’t usually undo a sale before the goods or services have been provided because credit cards are too slow.
So paradoxically, even though Bitcoin can reveal that a double spend took place within minutes rather than months, these businesses cannot use the new information as they have no tools or procedures in place to do so. By the time the block chain makes a decision the merchant was already informed of the payment, databases have been updated, the orders dispatched to the warehouses, the email receipt has been sent etc. Being able to undo a purchase requires software and procedures they don’t have.
Businesses could fix that by making the user sit on the invoice screen for a couple of blocks, but that interrupts the user’s flow and would make Bitcoin feel much slower than credit cards, even though in a sense it’s actually much faster. So they just accept unconfirmed transactions via BitPay or Coinbase and enjoy the fact that double spending against them is still very rare anyway.
7. Penalising double spending blocks
The purpose of mining is to prevent double spending by recording the chronological order of transactions as accurately as possible. Miners that execute Finney attacks to defraud sellers are not doing that: they’re charging the collective Bitcoin community money via the inflation subsidy for a service they aren’t actually providing.
Normally when an entity charges you for something and then doesn’t provide it, there are consequences. The consequence for a miner attempting to fork the chain and undo confirmed transactions is that they stand a good chance of losing the electricity (i.e. money) they used to mine: this is a good incentive to behave. For Finney attacks there are no consequences.
Tom Harding has been researching the possibility of identifying blocks that appear to be engaging in Finney attacks and making a slight alteration to the first seen rule for blocks. Of course, this rule is critical for Bitcoin’s operation so changes to it are not to be taken lightly at all. He has written a paper on his proposed change to the rules which features a lot of analysis of the potential impacts. His goal is to give more certainty for transactions after about thirty seconds have passed.
I have not had time to properly read or analyse this proposal and so have no strong opinion on it. That said, it’s unclear to me that 30 seconds is significantly better than ten minutes: I suspect the utility dropoff after about 5–10 seconds is dramatic given the desired “guy in a queue paying for coffee” type user experience. 30 seconds is probably OK on the web but it would still make us far slower than EMV contactless credit cards for in person transactions.
Breaking 0-conf transactions
There’s a school of thought that says if something cannot be done perfectly, maybe it should not be done at all. If unconfirmed transactions are not bulletproof, these people reason, perhaps they should be made entirely useless so nobody relies on them and then gets burned.
This line of thinking is one of the reasons that double spend relaying is not integrated into Bitcoin Core and has to be made available via Bitcoin XT instead.
The problem is that in the entire history of money there have been no fraudless payment systems, ever. Bank wires get reversed, credit cards are charged back, cheques bounce, bank notes are counterfeited and blocks are reorganised. If people were being routinely “protected” from imperfect payment systems they would be unable to trade at all. So in practice all trade involves double spending risk and businesses learn how to manage that risk with acceptable overheads.
Bitcoin is no different: it just involves a different set of risks and management techniques. As of 2015, many merchants have decided that the risk:reward ratio of accepting unconfirmed transactions is worth it. So attempting to break them in order to protect people makes about as much sense as forging $100 bills to educate merchants about the dangers of paper money. Not only is it logically nonsensical and harmful to innocent people, it’s also illegal.
But this idea fails for another reason. Although it’s always tempting to deal with potential problems by simply scrapping the feature that has them, this isn’t an option for Bitcoin:
- Almost all online merchants today are accepting unconfirmed transactions, because that’s the default for BitPay, Coinbase, Coinify and other payment processors.
- Physical shops need them.
- Newer apps are often hiding or reducing the visibility of confirmations as a concept, because it’s hard to explain what this actually means to end users.
Based on my own experience of buying and selling things with Bitcoin, the only sellers that make you wait for blocks are exchanges.
So whether we like it or not, the block chain algorithm as presently specified is not a solution for all payments, and denying that won’t get us anything except market irrelevance. Finding ways to optimise the current system in backwards compatible ways is a reasonable and pragmatic path forward … and nobody will blame us for trying our best.