Economists never bothered to ask, "What is double-spending in banking?" before e-money emerged. Since traditional financial institutions kept ledgers of physical commodities and currencies, they never had to worry about clients spending the same money twice. In contrast, hackers can duplicate virtual currencies and spend them in multiple places.
Although double-spending is a significant risk for digital money, many protocols make this threat unlikely. Cryptocurrencies don’t have a central bookkeeper, but there are tools to reduce the double-spending risk. Anyone interested in why Bitcoin has value must understand what double-spending is.
What is double-spending?
Double-spending means using the same money to make two transactions simultaneously. Theoretically, double-spending has always been around in finance. However, it wasn't a significant issue before the rise in digitization and fintech apps.
Although people could counterfeit cash and precious metals, there's no way to pass off the same physical currency twice simultaneously. However, anyone can copy and paste digital files and send them to multiple addresses. It’s also possible for hackers to corrupt a digital cash system and alter ledger values. For these reasons, double-spending has always been a central concern on e-money platforms.
Why is double-spending a problem for crypto?
If cryptocurrencies couldn't eliminate the risk of double-spending, digital assets would have no value. Whenever someone uses the same digital coin twice, it invalidates a blockchain's integrity because people can create money from nothing. Crypto users need to rest assured that their blockchain is incorruptible and that every asset is spent only once.
Double-spending is especially concerning for cryptocurrencies due to their decentralized structure: no central authorities record crypto transactions and issue approval stamps. Blockchains need to achieve consensus on where every coin on the network is without a centralized ledger.
There are also concerns over double-spending on DeFi (decentralized finance) applications. Decentralized crypto exchanges (DEXs) don't have centralized market makers or exchange bookkeepers. Instead, they run on automated smart contracts with user funds in liquidity pools. While this system facilitates peer-to-peer crypto swaps, it also raises the risk of double-spending if the protocol's algorithm gets corrupted.
How does double-spending work?
Double spenders always try to trick a blockchain or e-money platform into using one currency for multiple transactions. However, there are a few potential attacks specific to double-spending in cryptocurrency:
- 51% attacks: A 51% attack happens when one entity controls more than 50% of a blockchain's nodes. Once someone holds most of a blockchain's staking pool or hash power, they can manipulate prior transactions and reward themselves with crypto.
- Finney attacks: To perform a Finney attack, a crypto miner would need to create a malicious code block that sends crypto between two wallet addresses. The miner would then broadcast this fake transaction to the blockchain and hope the network validates it.
- Race attacks: Race attacks use speed to outwit a blockchain's verification process. A double-spender submits two transactions on a blockchain together, hoping they both appear in the final ledger.
How does Bitcoin prevent double-spending?
While double-spend attacks are possible on Bitcoin (BTC), they’re less likely, thanks to BTC's design. Bitcoin's founder Satoshi Nakamoto used the proof-of-work (PoW) consensus mechanism to incentivize good behavior on the network. That’s how Bitcoin solves double-spending. In a PoW network, BTC validators (or miners) need to use computing power to solve advanced algorithmic puzzles. Only miners that correctly solve these computations can contribute a new "block" of transactions to the blockchain.
Besides the computational power needed to mine blocks, the Bitcoin network requires six confirmations from other nodes before posting a transaction. During this validation process, every BTC transaction goes into an "unconfirmed pool" known as the "mempool." Transactions will sit in the mempool until there's sufficient agreement among nodes to confirm the transaction.
Bitcoin's network will always default to the transaction with the most confirmations on the blockchain. Even if someone were to try and spend twice on the Bitcoin blockchain, it's unlikely the entire network would approve this transaction more than six times.
Also, everyone on the Bitcoin network must download the public ledger of BTC transactions that goes back to the first block in 2009. This transparent record shows all the transfers on Bitcoin's blockchain, further decreasing the risk of a double-spend attack.
The only way to effectively double-spend on Bitcoin would be to take over 51% of the hash power. However, due to Bitcoin's size, it would cost far more energy and mining equipment than any potential BTC profit.
How to prevent double-spend attacks
Bitcoin was the first crypto to prove it's possible to create a decentralized payment network resistant to double-spend attacks. Since Bitcoin's founding, more blockchains have developed new protocols that build on Nakamoto's innovation. While every blockchain eliminates the risk of a double-spend attack differently, all networks take the following measures:
- Consensus algorithms: Remember, Bitcoin uses PoW that requires nodes to "prove" they're using energy to validate transactions. However, blockchains can use dozens of other consensus protocols. For instance, proof-of-stake (PoS) allows validators to lock crypto on the blockchain to validate transactions. These consensus mechanisms provide clear rules on how a blockchain functions, thus decreasing the risk of malicious behavior.
- Timestamps: Once a block enters the blockchain, it has a precise timestamp. These easily verifiable times help network participants confirm and review past and present transactions.
- Multiple confirmations: Most blockchains don't rely on one confirmation before posting a new block. For instance, a Bitcoin transaction isn't valid until it passes six screenings. With each additional verification, it becomes increasingly unlikely a double-spend attack happened on the main blockchain.
- Open-source ledger: Everyone who becomes a validator on a decentralized blockchain needs to download the entire transaction history for their respective crypto. This data is publicly available and tracks every on-chain transaction. The open-source ledger for coins such as Bitcoin and Ethereum also provides greater trust and transparency in network activity.
What's the difference between a double-spend attack and a chain reorganization?
In early 2021, there was significant concern that hackers triggered a double-spend attack on the Bitcoin blockchain. According to initial news reports, two miners created a block simultaneously, resulting in two versions of BTC's transaction history. While these two blocks both recorded different transactions for 0.00062063 BTC at block 666,833, only one version of this transaction data appeared on the final blockchain.
These seemingly contradictory blocks appeared concurrently, but only one version posted on the blockchain after the six succeeding confirmations. The invalid transaction became an "orphan chain," which was also void on Bitcoin's official ledger.
These "chain reorganizations" are built into Bitcoin's protocol, thanks to the six-confirmation standard. Even if two miners create a block at the same time, the network will only choose one version of transaction history to avoid posting a double-spend.
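The fork handling described above can be seen in a small model. This is an added example, not Bitcoin's code and not part of the original article: `Node`, `Tx`, `Block` and the coin and block names are hypothetical, coins are assumed to exist, and branch length stands in for accumulated proof-of-work (equal difficulty assumed).

```python
from collections import namedtuple

Tx = namedtuple("Tx", "txid spends pays_to")        # spends: the coin (outpoint) consumed
Block = namedtuple("Block", "block_id parent txs")  # parent: block_id this block builds on

class Node:
    def __init__(self):
        self.blocks = {"genesis": Block("genesis", None, ())}
        self.tip = "genesis"

    def chain(self, tip):
        """Blocks from genesis up to and including tip."""
        path = []
        while tip is not None:
            path.append(self.blocks[tip])
            tip = self.blocks[tip].parent
        return path[::-1]

    def spent_on(self, tip):
        """Map coin -> txid that spent it on the branch ending at tip."""
        return {tx.spends: tx.txid for blk in self.chain(tip) for tx in blk.txs}

    def accept(self, block):
        if block.parent not in self.blocks:
            return "rejected"                  # unknown parent
        spent = self.spent_on(block.parent)
        for tx in block.txs:
            if tx.spends in spent:
                return "rejected"              # coin already spent on this branch
            spent[tx.spends] = tx.txid
        self.blocks[block.block_id] = block
        if len(self.chain(block.block_id)) <= len(self.chain(self.tip)):
            return "side-branch"               # stored, but not the active chain
        old_tip, self.tip = self.tip, block.block_id
        return "extended" if block.parent == old_tip else "reorg"

def run_scenario():
    """Constructed fork: two blocks at the same height spend coin-A differently."""
    node = Node()
    tx1, tx2 = Tx("tx-1", "coin-A", "payee-1"), Tx("tx-2", "coin-A", "payee-2")
    steps = [Block("a1", "genesis", (tx1,)), Block("b1", "genesis", (tx2,)),
             Block("b2", "b1", ()), Block("b3", "b2", (tx1,))]
    return [node.accept(b) for b in steps], node.spent_on(node.tip)
```

After the reorganization the active chain records exactly one spend of `coin-A`, and a later block that tries to spend it again on that branch is rejected.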
Examples of double-spending attacks
While large coins such as Bitcoin and Ethereum haven't experienced double-spend attacks, there are a few documented cases on smaller blockchains. Since these altcoins have fewer validators, they’re easier to corrupt with false transaction data.
- Ethereum Classic 51% attacks: In 2020, Ethereum Classic (ETC) suffered multiple 51% attacks, most of which involved double-spending. In one attack, hackers reorganized more than 4,000 blocks to reward themselves roughly $5.6 million in ETC.
- Bitcoin Gold double-spend attacks: In early 2020, the Bitcoin Gold (BTG) blockchain reported a significant 51% attack that lasted one day. Once the hackers broke into Bitcoin Gold's chain, they launched a double-spend attack by reorganizing 10 blocks. It's estimated that the hackers stole $70,000 in BTG coins.
Double-spend attacks could also happen on centralized digital payment platforms, including fintech apps and bank websites. Although these e-money portals use third parties to verify transactions, they’re vulnerable to hacks. Plus, since these sites rely on centralized data storage, they each have single points of failure. Popular apps such as Venmo and payment rails like SWIFT have all suffered hacks and exploits in the past.
Bitcoin was the first decentralized digital currency to solve the double-spend problem. While double-spend attacks are possible in crypto, they're unlikely on major blockchains. As networks such as Bitcoin and Ethereum grow more decentralized, a double-spend attack becomes even less likely.
At Worldcoin, we aim to teach everyone about the limitless potential of blockchain technology. That's why we're putting a share of our crypto in everyone’s hands for free. We’re also airdropping DAI stablecoins to anyone who downloads our app.