Peter Todd's recent 0-confirm double spends

[Peter R]

Peter Todd's post on r/Bitcoin has been up-voted near the top, but I haven't seen it mentioned here.  I am adding this thread so that we can discuss:

http://www.reddit.com/r/Bitcoin/comments/239bj1/doublespending_unconfirmed_transactions_is_a_lot/

He successfully double spent a few 0-confirm transactions by taking advantage of the fact that not all miners have the exact same mempool policies.  In one case, he used the fact that certain miners are not adding the new V0.9 lower-fee 0.01mBTC/kb transactions to their mem-pools, and in another case he used the fact that certain miners block transactions to specific addresses (e.g., on-chain gambling).  

This is "business as usual" in my mind, as merchants (or payment providers) accepting 0-confirm transactions must understand the expected loss % and the best-practices methods to mitigate the risk of fraud.  

What I don't think was clear from Peter Todd's post was:

1.  His method only succeeds with some probability P, where P is small.  Due to the network's change in the TX fee structure for V0.9, P is suddenly larger than it was prior to V0.9.  But as the network converges from this change over the coming months, I expect P to decline again.  

2.  A merchant's listening node can estimate P.  If the listening node sees that the transaction only propagated to an estimated 60% of the hash-power for some reason, this immediately looks fishy.  The merchant can wait for 1 confirm in these rare cases (which also incentivizes honest users to update their wallets to avoid this situation happening by accident).

As bitcoin evolves, we will compile statistics on the prevalence of zero-confirm fraud, and we will establish best-practices to guard against it.  Merchants will then balance that expected losses from accepting 0-confirm transactions (which I expect to be less than Visa in most use cases), with the loss of business from not accepting them.  For example, if R is the risk that a given person attempts to double spend, then the expected losses, L, are L = P x R.  If P = 10% and R = 2%, then you expect losses of 0.2%.  If your customers are less trustworthy, perhaps R = 20%, in which case your expected losses increase to 2%.  You as a merchant can now use this information to make your decision.  Does the benefit of accepting zero-confirm transactions, given the risks, outweigh the loss of business by not accepting them?  What value limit should you enforce?  Does L% cut too far into your margins (e.g., a grocery store), or is it largely irrelevant (e.g., a fine dining restaurant)?  

A more difficult form of zero-confirm fraud to fight against would be miners that offer out-of-band double-spending services, as we discussed here:  https://bitcointalk.org/index.php?topic=502571.0

To new readers, when we say "successfully double spend" we don't mean that coins were spent twice and that suddenly the network has more coins that it did before.  What we mean is that the second transaction broadcast to the network got mined instead of the first.  It can be used as a method to perpetrate fraud by tricking someone into thinking they got paid when 5 - 20 min later they find out that they didn't.  It is sort of like purposely writing a bad cheque, but a bad cheque bounces 100% of the time and you don't find out for a week.  A double-spent 0-confirm transaction "bounces" with probability P.  In other words, zero-confirm transactions are much safer than personal cheques.

[1714157046]

1714157046

[1714157046]

1714157046

[1714157046]

1714157046

[1714157046]

1714157046

[1714157046]

1714157046

[franky1]

there are no bitcoin double spends.

there are only merchants accepting 'cheques that bounce' (best laymans analogy i can think of in a few sconds)

a double spend is turning a single unit. into 2 units. but that never happens in bitcoin. its the same as writing 2 cheques.. both for $100 where you know you only have $100 in the account. the cheques do not make $200 materialize in the world. one gets accepted and the other doesnt. leaving the bounced cheque recipient at a loss =theft/fraud.

double spending is about creating more value/units/banknotes.

no new bitcoins are produced by sending multiple copies of a Vin to different Vouts

[Peter R]

@ franky1

I do appreciate your point, but I believe it is too late to re-define the term "double spend" in the bitcoin community.  No coins are magically created during a "successful double spend," but that's not what we mean.  I think the definition I gave in the OP (and the one implied by Peter Todd in his post) is generally accepted:

To new readers, when we say "successfully double spend" we don't mean that coins were spent twice and that suddenly the network has more coins that it did before.  What we mean is that the second transaction broadcast to the network got mined instead of the first.  It can be used as a method to perpetrate fraud by tricking someone into thinking they got paid when 5 - 20 min later they find out that they didn't.  It is sort of like purposely writing a bad cheque, but a bad cheque bounces 100% of the time and you don't find out for a week.  A double-spent 0-confirm transaction "bounces" with probability P.  In other words, zero-confirm transactions are much safer than personal cheques.

Another example of confusing semantics is the bitcoin community's use of word "taint."  New user's ascribe negative connotations to the word taint, before they learn that it is just the word used to describe the % of funds that can be traced back to various addresses.    

[cysive]

Peter Todd is the one redefining double-spend; not the Bitcoin community.

Double spend has had one meaning since the beginning of Bitcoin, and Peter Todd's is not it.

[acoindr]

I think this is a great heads up by Peter Todd. Whether or not it can be called a double spend I think is debatable. It depends more on us and how effective our education is.

To be clear, and core devs have reiterated similar (in light of the MtGox malleability issue), it is never a good idea to use information from unconfirmed transactions.

One shouldn't trust any info from unconfirmed transactions because in a decentralized trust-less system confirmations are the only thing you can trust.

Now, there is consideration for low transaction value, since at worst only a few dollars of value are lost, but that's a judgement call. An example is buying a cup of coffee. The helpful information Peter has provided allows pay recipients to fine tune judgement about likelihood of fraud. Previously it was known double spends in the unconfirmed transaction realm are certainly possible, but the difficulty was considered high enough to somewhat discourage use. Peter shows the difficulty bar to be much lower, which is something to consider.

However, I agree with the top comment at reddit:

0 confirmations to me are a bit like print fake dollars. With the right effort, you can print some $1 or $10 bills that can fool most people if you make a quick transaction in a store, but they'll notice afterwards, it's detectable, traceable, if you do it a couple times they'll know it's you. A bit similar to ordering coffee and then running off. If 0 conf double spends happen when you buy some coffee in a store, you're gonna get issues just like with fake money or running without paying. It's just not something people tend to do even if they can.

I also think Peter is right that alternate payment transfer types will make this much less of an issue in the future.

[Peter R]

Peter Todd is the one redefining double-spend; not the Bitcoin community.

Double spend has had one meaning since the beginning of Bitcoin, and Peter Todd's is not it.

I can see how it could be considered illogical but I'm more concerned with what people actually mean than I am with semantics.  When I hear people talk about "successfully double spending," it seems to me they are most often implying this definition:

...when we say "successfully double spend" we don't mean that coins were spent twice and that suddenly the network has more coins that it did before.  What we mean is that the second transaction broadcast to the network got mined instead of the first.  It can be used as a method to perpetrate fraud by tricking someone into thinking they got paid when 5 - 20 min later they find out that they didn't.  It is sort of like purposely writing a bad cheque, but a bad cheque bounces 100% of the time and you don't find out for a week.  A double-spent 0-confirm transaction "bounces" with probability P.  In other words, zero-confirm transactions are much safer than personal cheques.

I've posted a poll at the top of this thread to get better clarity on what someone is most likely to mean when they use the term "successful double spending."

[kgo]

A double-spend is just what it says.  When you manage to spend the same coin twice.  I send a coin to amagi metals for a bar of gold.  Send the same coin to agora commodities for a bar of gold.  They both send me the gold.  Then amagi doesn't get their coins because of the double spend.  If amagi catches the double spend attempt and cancels the order before shipping gold, then it wasn't a successful double-spend.  It hasn't been spent twice, where one spend was fraudulent.

[Peter R]

...it is never a good idea to use information from unconfirmed transactions.

I've also heard it is never a good idea to say never.  

There are no absolute rules for when it is a good idea to accept 0, 1, 2,…, N confirmed transactions.  It all depends on your definition of "a good idea."  What is nice about bitcoin is that everyone is free to choose the security level they feel is most appropriate for them.  

Over time, we will compile statistics on the loss % due to 0-confirm transactions in various circumstances, as well as establish best-practices to guide users who may consider accepting them.  But we will compile similar statistics for 1-confirm and 2-confirm transactions too because they can also be double-spent.  

[Peter R]

A double-spend is just what it says.  When you manage to spend the same coin twice.  I send a coin to amagi metals for a bar of gold.  Send the same coin to agora commodities for a bar of gold.  They both send me the gold.  Then amagi doesn't get their coins because of the double spend.  If amagi catches the double spend attempt and cancels the order before shipping gold, then it wasn't a successful double-spend.  It hasn't been spent twice, where one spend was fraudulent.

Hmm, that's actually a better definition than the one I used, and I think I'll adopt it moving forward.  According to your definition then it also means that Peter Todd didn't actually double spend because both TX variants were sent to addresses that he controlled lol.  

EDIT: Kgo's definition added to the poll (after 3 votes had already been cast).  

[acoindr]

...it is never a good idea to use information from unconfirmed transactions.

I've also heard it is never a good idea to say never.  

I obviously contradicted my own statement by describing an exception with low value transactions. The problem is information dissemination tends to become diluted as it spreads to larger groups of people. For that reason I'd rather the advisory went out as 'never' than anything else because following that won't get people into trouble.

There are no absolute rules for when it is a good idea to accept 0, 1, 2,…, N confirmed transactions.  

I disagree. I don't think there is ever a good case for believing a high value transaction with 0 confirmations is valid. To put it bluntly, that's actually plain stupid.

It all depends on your definition of "a good idea."  What is nice about bitcoin is that everyone is free to choose the security level they feel is most appropriate for them.  

I disagree again. Most people in my experience don't like losing their money.

Over time, we will compile statistics on the loss % due to 0-confirm transactions in various circumstances, as well as establish best-practices to guide users who may consider accepting them.  But we will compile similar statistics for 1-confirm and 2-confirm transactions too because they can also be double-spent.  

The difference in likelihood of a double spend occurring with zero, 1 or 2 confirmations is like comparing apples and oranges. None of those situations is like the other.

To be clear, people should never use information from unconfirmed transactions. If you abide by that simple guideline you will probably never go wrong. With today's hash rates even a single confirmation provides good indication the transaction is valid and final. However, the official recommendation is always to wait for at least 6 confirmations before considering a transaction valid and final. More confirmations provide ever more assurance, but 6 is regarded to be quite safe for all cases. Note there are theoretical attacks which can put 6 confirmations in the realm of question, but these are theoretical not necessarily practical, and that possibility diminishes as Bitcoin gains ever wider adoption and hash power.

[Peter R]

There are no absolute rules for when it is a good idea to accept 0, 1, 2,…, N confirmed transactions.  It all depends on your definition of "a good idea."  What is nice about bitcoin is that everyone is free to choose the security level they feel is most appropriate for them.

I disagree. I don't think there is ever a good case for believing a high value transaction with 0 confirmations is valid. To put it bluntly, that's actually plain stupid.

What if the you're accepting a 0-confirm transaction for $25,000 from your mom?  I'd sign over that car she's buying from me before the transaction confirms.  It's a specific case, I know, but I think it illustrates my point: the required security level is case specific and up for the person accepting the transaction to decide.   I think a better 'rule of thumb' is that one should wait for more confirmations as the risk increases.  

I believe that as we move forward with bitcoin, we will find that zero-confirm transactions are "secure enough" in more cases than we currently expect.  And I also expect that in other cases we will want to wait for perhaps 144 confirmations (24 hours).  For example, if I was a gold broker, I would not physically release 20 kg of gold during a network hard fork event (like we had in March 2013) until I was sure that the network had truly settled on a fork and the payment for the 20 kg of gold was included.  

But I hardly think these debates matter--what matters is that people have a way to protect themselves.  The network will evolve to have certain properties.  People are free to make the decisions they feel are best for them given these properties.    

[acoindr]

There are no absolute rules for when it is a good idea to accept 0, 1, 2,…, N confirmed transactions.  It all depends on your definition of "a good idea."  What is nice about bitcoin is that everyone is free to choose the security level they feel is most appropriate for them.

I disagree. I don't think there is ever a good case for believing a high value transaction with 0 confirmations is valid. To put it bluntly, that's actually plain stupid.

What if the you're accepting a 0-confirm transaction for $25,000 from your mom?  I'd sign over that car she's buying from me before the transaction confirms.  It's a specific case, I know, but I think it illustrates my point: the required security level is case specific and up for the person accepting the transaction to decide.   I think a better 'rule of thumb' is that one should wait for more confirmations as the risk increases.  

I disagree. You're talking about a very specific case, "Peter R's mom". It appears you have a nice trustworthy relationship with your family/mom. That's not always the case. When it comes to large sums of money often business rules take priority. If you're talking about a personal special case then Bitcoin plays little role to begin with. I might have a warmer relationship with my mom because I'd sign over the car title before I even saw the transaction. Transaction details become irrelevant.

However, for the large majority of transactions people make transaction details are relevant. For that they should clearly understand 0 confirmation transactions themselves are inherently untrustworthy. That's the simple truth. As long as people base their actions on that factual knowledge there shouldn't be a problem.

I believe that as we move forward with bitcoin, we will find that zero-confirm transactions are "secure enough" in more cases than we currently expect.  

The only ones I'd expect are transactions of low value, unless of course a familiar relationship between the parties exists.

And I also expect that in other cases we will want to wait for perhaps 144 confirmations (24 hours).  For example, if I was a gold broker, I would not physically release 20 kg of gold during a network hard fork event (like we had in March 2013) until I was sure that the network had truly settled on a fork and the payment for the 20 kg of gold was included.  

Such cases are increasingly unlikely as Bitcoin adoption grows and major code changes (and opportunity for bugs) become fewer, but I agree about waiting for unexpected network events to settle.

But I hardly think these debates matter--what matters is that people have a way to protect themselves.  The network will evolve to have certain properties.  People are free to make the decision they feel are best for them given these properties.    

I think this topic and Peter Todd's contribution do matter. If we want people to adopt Bitcoin for common usage we need to tell them how to use it in a safe manner. That involves technical considerations they will likely have no clue about. It's therefore the job of people who do know to inform them appropriately. The network already has certain properties, many of which won't change. One is the fact that 0 confirmation transactions are inherently untrustworthy from a network standpoint. Unless you fundamentally change how Bitcoin works that will remain a fact.

[Peter R]

There are no absolute rules for when it is a good idea to accept 0, 1, 2,…, N confirmed transactions.  It all depends on your definition of "a good idea."  What is nice about bitcoin is that everyone is free to choose the security level they feel is most appropriate for them.

I disagree. I don't think there is ever a good case for believing a high value transaction with 0 confirmations is valid. To put it bluntly, that's actually plain stupid.

What if the you're accepting a 0-confirm transaction for $25,000 from your mom?  I'd sign over that car she's buying from me before the transaction confirms.  It's a specific case, I know, but I think it illustrates my point: the required security level is case specific and up for the person accepting the transaction to decide.   I think a better 'rule of thumb' is that one should wait for more confirmations as the risk increases.  

I disagree. You're talking about a very specific case, "Peter R's mom". It appears you have a nice trustworthy relationship with your family/mom. That's not always the case. When it comes to large sums of money often business rules take priority. If you're talking about a personal special case then Bitcoin plays little role to begin with. I might have a warmer relationship with my mom because I'd sign over the car title before I even saw the transaction. Transaction details become irrelevant.

I'm not sure what you are disagreeing with, Acoindr.  The example I gave was a specific case, and the number of confirmations one should require is case specific.  It seems that you are in agreement on this point.  

A double spend attempt on a zero-confirm transaction succeeds with probability P.  A payment processor who conducts network research and who employs a well-connected listening node can estimate what P is.  If R is the risk that a given person attempts to double spend, then the expected losses, L, are L = P x R.  If P = 10% and R = 2%, then you expect losses of 0.2%.  If your customers are less trustworthy, perhaps R = 20%, in which case your expected losses increase to 2%.  You as a merchant can now use this information to make your decision.  Does the benefit of accepting zero-confirm transactions, given the risks, outweigh the loss of business by not accepting them?  What value limit should you enforce?  Does L% cut too far into your margins (e.g., a grocery store), or is it largely irrelevant (e.g., a fine dining restaurant)?    

I agree it is important to educate people about the risks of 0, 1, 2, …, N confirm transactions (it would also be good to compile empirical statistics for P and R in various industries and network conditions).  One of the goals of this thread was to do exactly that, as was Peter Todd's Reddit post.

[acoindr]

There are no absolute rules for when it is a good idea to accept 0, 1, 2,…, N confirmed transactions.  It all depends on your definition of "a good idea."  What is nice about bitcoin is that everyone is free to choose the security level they feel is most appropriate for them.

I disagree. I don't think there is ever a good case for believing a high value transaction with 0 confirmations is valid. To put it bluntly, that's actually plain stupid.

What if the you're accepting a 0-confirm transaction for $25,000 from your mom?  I'd sign over that car she's buying from me before the transaction confirms.  It's a specific case, I know, but I think it illustrates my point: the required security level is case specific and up for the person accepting the transaction to decide.   I think a better 'rule of thumb' is that one should wait for more confirmations as the risk increases.  

I disagree. You're talking about a very specific case, "Peter R's mom". It appears you have a nice trustworthy relationship with your family/mom. That's not always the case. When it comes to large sums of money often business rules take priority. If you're talking about a personal special case then Bitcoin plays little role to begin with. I might have a warmer relationship with my mom because I'd sign over the car title before I even saw the transaction. Transaction details become irrelevant.

I'm not sure what you are disagreeing with, Acoindr.  The example I gave was a specific case, and the number of confirmations one should require is case specific.  It seems that you are in agreement on this point.  

A double spend attempt on a zero-confirm transaction succeeds with probability P.  A payment processor who conducts network research and who employs a well-connected listening node can estimate what P is.  If R is the risk that a given person attempts to double spend, then the expected losses, L, are L = P x R.  If P = 10% and R = 2%, then you expect losses of 0.2%.  If your customers are less trustworthy, perhaps R = 20%, in which case your expected losses increase to 2%.  You as a merchant can now use this information to make your decision.  Does the benefit of accepting zero-confirm transactions, given the risks, outweigh the loss of business by not accepting them?  What value limit should you enforce?  Does L% cut too far into your margins (e.g., a grocery store), or is it largely irrelevant (e.g., a fine dining restaurant)?    

I agree it is important to educate people about the risks of 0, 1, 2, …, N confirm transactions (it would also be good to compile empirical statistics for P and R in various industries and network conditions).  One of the goals of this thread was to do exactly that, as was Peter Todd's Reddit post.

The problem I have with what you're saying is, as I said above, as information disseminates it often becomes diluted. For example, long before MtGox exploded I vehemently warned people not to store coins longer term on ANY online service. I did so repeatedly. Long time forum users probably have seen this. Yet I read at falkvinge.net Robert Falkvinge lost over 100K at MtGox precisely because he thought they were a safe place to store coins. He wasn't alone.

I worry that "sometimes trusting zero confirmations" becomes "zero confirmations are fine" as information spreads.  If you begin explaining to most users they need to calculate P over R multiplied by X to decide whether they should accept certain transactions they're going to look back with a blank stare. People are simple. Cash is simple. Transactions are usually simple. That's the model Bitcoin is trying to fit in. For that it makes sense to inform people of simple hard and fast rules they can use to not get into trouble. If people want to customize acceptance polices on their own of course that's fine. However, in general people should be advised as follows:

more confirmations = always better
six confirmations = minimum to consider transaction final, use this as a standard
less than six confirmations = use at your own risk
zero confirmations = inherently untrustworthy*

*the difference between zero confirmations and 1 confirmation is essentially classifying an attack as theoretical only (1 confirmation) to quite possible and practical (0 confirmation)

[bountygiver]

or we just need someone to make a formula for the risk of double spent/forks for each layers of confirmation, and determine the risks to make a reference guide on Y confirmation are recommended if you sent X BTC

[jubalix]

This is clear  miss information, you can't double spend something that has 0 confirms.

Rather you have elected to act on zero confirmation.

Re: Peter Todd's recent 0-confirm double spends