Paranoid Merchants on double spending

0

How can merchants be alerted of Double-spending attacks? Let us take a hypothetical case where a merchant offer a BTC deposit wallet to his users, User deposits Bitcoins and it's credited to his account on 6 confirmations. Let's say, theoretically, the attack has been pulled off and he got his bitcoins back + the funds on the wallet remained as the database haven't been updated due to no alerts of any double spend attacks.

Question regarding this scenario:

  • How can merchant be alerted of any double-spend attacks ?
  • Procedures to consider in the time of the attack ? e.g Shutting down servers to avoid confusion and recheck balances to avoid dead ends on user withdrawals
  • How safe is it to run an out of the box Bitcoin Daemon?
  • Will Bitcoin XT be alerting on any double spend transactions that occurred no matter how the attack succeeded ?
  • Is it Okay to host a high bandwidth and Intensive website along with a bitcoin daemon?
  • If a double-spend attack is pulled off, how to manually verify transactions via the bitcoin daemon and how to know how much amount lost ? Will the saved transaction hash can be re-usable to obtain info about the transactions using gettransaction?
  • How Unlikely is it to pull of an attack to a website that credit users on 6 confirmations?

:::UPDATES:::

I've read most of the answers and seems nobody is able to answer this question:

  • If a double-spend attack is pulled off, how to manually verify transactions via the bitcoin daemon and how to know how much amount lost ? Will the saved transaction hash can be re-usable to obtain info about the transactions using gettransaction?

  • Will the attack be able to pull off after 48 hours?

Alessandro Genovese

Posted 2016-01-12T17:15:47.813

Reputation: 13

Question was closed 2016-01-13T16:48:02.140

Note about XT: don't confuse 0 confirmation doublespend relay (what XT does, and thereby opening the network to DDOS attack) with doublespending after 6 confirmations. XT doesn't do anything different there.Jannes 2016-01-13T09:44:53.020

Hi Alessandro, Welcome to Bitcoin.SE. In order to get good answers, please ask one specific question per post. You have asked a broad range of questions that should be separate posts. Please edit this question down to one topic and then flag for reopening. I suggest a split along this lines: 1. How can a merchant get alerted of doublespend attacks? 2. How likely is the success of a doublespend attack after six confirmations? 3. How does one safely run a Bitcoin Daemon? 4. How much bandwidth does the Bitcoin daemon consume? … Please make each its own post!Murch 2016-01-13T16:47:53.980

For a longer explanation please see How to deal with question posts containing several different questions?

Murch 2016-01-13T17:02:44.283

Answers

1

How can merchant be alerted of any double-spend attacks ?

Running their own daemon will achieve that.

Procedures to consider in the time of the attack ? e.g Shutting down servers to avoid confusion and recheck balances to avoid dead ends on user withdrawals

Any backend services run by a merchant need to be able to handle block chain reorganisations anyway! They happen normally, randomly, and without malice. Shutting down is obviously not an option for an event which happens more than once a day. Not handling this behaviour will open the merchant up to rampant theft.

How safe is it to run an out of the box Bitcoin Daemon?

Reasonably, the daemon is generally considered to be safe and is written in a language that is normally considered to be safe (C++). However, there have been potential code execution problems due to OpenSSL library and miniupnp. A good node would be at a minimum in a different user account, not not different hardware from production services.

Will Bitcoin XT be alerting on any double spend transactions that occurred no matter how the attack succeeded ?

Bitcoin XT is irrelevant. The Bitcoin Core software does not handle alerting you to this, however the best canonical chain changing makes it fairly obvious through the RPC interface.

Is it Okay to host a high bandwidth and Intensive website along with a bitcoin daemon?

No. Bitcoin Core is extremely intensive on CPU, IO and memory. It is an extremely harsh test of hardware and will frequently find underlying issues like disk and RAM failure better than any other test- at the cost of your stability. You don't want a vulnerable web server next to something storing money.

How Unlikely is it to pull of an attack to a website that credit users on 6 confirmations?

Perhaps unlikely.

Anonymous

Posted 2016-01-12T17:15:47.813

Reputation: 10 054

Please don’t answer question lists, instead flag them as "too broad" or "low-quality". They don’t work well on our platform and will probably be heavily edited or deleted. If you have put time into it already then, it makes us feel bad when we clean it up, because you’ve probably wasted most of your time.Murch 2016-01-13T16:57:38.783

1

How Unlikely is it to pull of an attack to a website that credit users on 6 confirmations?

I would say extremely unlikely as discussed here, here, here and here. Unless you are selling small islands on the website there would be no incentive to acquire the immense resources required for an attack.

karask

Posted 2016-01-12T17:15:47.813

Reputation: 2 089

Asked: 2016-01-12T17:15:47.813

Viewed: 142 times

Active: 2016-01-13T12:29:12.200