Is FullRBF allowing double spend?

[EL MOHA]

We all know that this is not theoretically about the vending machine but about a potential real following practical case:

User Joe finds the private key of puzzle xx and empties the puzzle's account by performing a transaction to his own wallet (say for example with 30sat/vb). He now has to wait until at least one confirmation takes place before the coins arrive on his wallet. Now, dozens (maybe thousands) of pre-programmed bots are listening 24/7 on the Bitcoin network, waiting for just such a moment. The bots are triggered by the outgoing transaction of puzzle xx where coins are being spent , the pubkey of the transaction is revealed and is immediately chased through the prepared cracking machine to calculate the private key via Kangaroo. If the privkey was quickly and successfully found by user Mallory while the transaction of the actually successful puzzle hunter (=Joe) has not yet received a confirmation in the network, Mallory could generate a new transcation with RBF and enter 100sat/vb. The chances that the coins will reach Mallory's wallet first are high.

What Joe can do about it? Well, what do you think

With joe still having the private keys to that wallet then JOE could still get access to the new transaction by Mallory to his Wallet and as such if the RBFed transaction by Mallory is to get a single confirmation then JOE can also do another RBF by using a fee higher than that of Mallory (100sats/vbyte).

The funny thing again will now be that Mallory will notice it also and it could be a battle of RBF unit one of them gets his to have a single confirmation

[1715525996]

1715525996

[1715525996]

1715525996

[albert0bsd]

What Joe can do about it? Well, what do you think

User Joe have only two options:

- Contact some miner like Viabtc or any other and ask them to mine a private transaction, without broadcasting it before the block is mined. (Hopefully the miner doesn't know about the puzzle), you can agree with them to give 5% or some other fixed amount, directly to their wallets if they mine the block.

- Joe may also have an automated bot ready to listen to new Transactions looking for a FullRBF of your original transaction, in case that some one arrives, you need to replace it again, but that may be a Lost-lost situation, because it may end with all the reward as fee.

Also not always the bigger bid transaction is mined, miners usually don't update their block header as soon a new TX arrive, even less if those replacement comes every 50 milliseconds

So my second options is not the best, i've already seem this behaivor with those leaked private keys, bots exhaust all the balance as fee, and they get only dust, but not always the last bid is mined.