1
Say a malicious mobile bitcoin client is created, programmed to quickly send two or more double-send transactions whenever a payment is made.
Is this an attack vector we should be concerned of?
What could be done in order protect against such an attack?
2
What could be done in order protect against such an attack?
Wait for N confirmations before accepting a payment as successful.
What happens if I have an Android app that broadcasts two transactions, spending the same input, to a different set of nodes whenever I pay for coffee? Only one of them will be mined into one of the next blocks, but does it mean I have to wait for ~10 minutes at the coffee shop? – nivs – 2013-04-04T12:44:17.237
@nivs exactly. Of course, for very small amounts that isn't important. In case it will ever be, that is fixed using third party services, similar to how debit cards work. – o0'. – 2013-04-04T12:46:49.527
Using third party services (especially for processing small payments) breaks one of the most important benefits of bitcoin. – nivs – 2013-04-04T12:53:24.363
@nivs or you can wait 10 minutes, if you prefer. – o0'. – 2013-04-04T12:54:14.960
3@nivs With regards to the coffee shop situation, there still is some protection. I can look for that unconfirmed transaction. It isn't conclusive until its been mined and confirmed sufficiently, because a double spend could be hidingin an obscure part of the network and until the transaction is mined and confirmed it isn't 100% protected against that kind of deliberate double spend. But there are some risks with fiat currency as well (counterfeit, for example) and a vendor like a coffee shop will typically absorb those small risk in favor of customer convenience. – David Ogren – 2013-04-04T13:06:50.410
1The coffee shop is also at risk that you'll run off without paying! In the future, escrow services like nivs mentions will exist but very few places will use them, because if the transaction is big enough, you can wait 60 minutes, and if it's small, you'll trust the customer not to run away, same as today. – Eyal – 2013-04-08T16:50:31.480
-3
If you try to spend the same coins twice, proper clients won't accept the block as valid. Read rules 9 and 14 here:
https://en.bitcoin.it/wiki/Protocol_rules#.22tx.22_messages
Double-spend could occur if the transaction history forks, but forks don't usually last very long. Having 6 confirmations after the transaction should be sufficient.
I think the malicious attempts refers to 0/unconfirmed "race attack" and not any mining-related attack. – Stephen Gornick – 2013-04-08T06:27:09.407
"rouge"? Maybe you mean "rogue", but then it's not the correct word anyway. – o0'. – 2013-04-04T10:49:03.917
Thanks, I corrected to "rogue", and I think it means what I think it means - a dishonest, knavish person; scoundrel. – nivs – 2013-04-04T12:46:50.183
that's not what "rogue" mean in the context of Internet. You'd better use "fraudolent" or similar terms. "rogue" usually means a single cell or small group gone wild: related, but not exact. – o0'. – 2013-04-04T12:47:43.407
"A Cornell University commission said yesterday that a graduate student in computer science, working alone, created the rogue program that produced havoc in nationwide computer networks last November" (source)
– nivs – 2013-04-04T12:50:25.790exactly, that was a program roaming free about the Internet causing pain. It is a term suited to viruses and similar wandering things, not to tools like yours. – o0'. – 2013-04-04T12:52:50.673
1let's agree on malicious? ;) – nivs – 2013-04-04T12:54:30.897
1
I touched on this a little in my answer to Is there a risk of double-spending when making a face-to-face transaction?.
– Colin Dean – 2013-04-04T15:12:32.537@StephenGornick I added this question because I was interested in learning about what would happen if a mobile bitcoin client, specially crafted for performing double spends, was developed. – nivs – 2013-04-06T17:37:06.380