Cryptocurrency Double Spending

An introduction to cryptocurrency and a closer look at double spending, one of the many attacks affecting the security of some cryptocurrencies.

Cryptocurrency Double Spending

In recent years, cryptocurrency and bitcoin have become buzzwords and almost all of us have come across news, tweets, or hearsay related to cryptocurrency.  Many infosec professionals have concerns about the security of cryptocurrency and one of those concerns is called “double spending”, when a fraudulent user attempts to alter records and use their coin in more than one transaction.  

What is Cryptocurrency?

Cryptocurrency is a digital or virtual currency alternative to the regular fiat currency which most developed nations use or commodity-backed currency.  Although, technically speaking banks have modernized, and most transactions are made over the Internet (i.e. debit or credit cards, stocks, etc.) rather than using physical currency (i.e. paper or coins), cryptocurrency is completely different form of digital currency that uses a blockchain platform (peer-to-peer network) as an exchange medium that is entirely separate and unaffected by the state-backed fiat or commodity-back currencies.

Crypto Currency uses strong cryptography and open source software to secure these financial exchanges, which makes it much harder to forge (i.e. no paper or coin).  Everything is stored on a computer rather than inside a bank, and is not based on an inflationary Debt-Based Monetary System, making it not tied to the value of a specific state and its assets/deficit.  

Bitcoin, for example, is open-sourced and there is no specific body that governs it. Transactions made with Bitcoin Coins (BTC or Bitcoins) are made using virtual currency in the form of these tokens.  Satoshi Nakamoto released Bitcoin software in 2009 and it has been one of the most successful and profitable cryptocurrencies.  

Recently, with several hacks and thefts from cryptocurrency exchanges and China banning trading in cryptocurrency it has had a substantial effect on the value.

Blockchain technology runs on the principals of cryptoeconomics” and according to Ethereum developer Vlad Zamfir,

“Cryptoeconomics the formal discipline that studies protocols that govern the production, distribution, and consumption of goods and services in a decentralized digital economy. Cryptoeconomics is a practical science that focuses on the design and characterization of these protocols.”  

A “block” in terms of a block chain, refers to a file of permanently recorded data.  Like a stock transaction ledger on an exchange, transactions are chronicled onto these files and are added to these blocks.  Users can view transactions in quantity, however, any information about a buyer or seller is protected.  Bitcoin, for example, uses high-level AES encryption that prevents any changes to the ledger or denies any outside sources from accessing the ledger [1].  Once users agree to an update, the system will approve the transaction.  What the software is actually doing is quite complex.  Each transaction has an owner, a coin and the person receiving the digital currency.  

These transactions are formed into a block and added to the end of the blockchain so that a coin owner cannot use the same coin more than once, and if they try than the first transaction is processed only.   Processing these transactions is very resource intensive.  The software that miners place onto their machines perform these transactions using the resources of that machine.  After processing these blocks of transactions, the owner is awarded a piece of a coin (currently for correctly mining a Bitcoin, the owner is awarded 12.5 bitcoins).  The fraction uses a formula based off of the number of total coins available and creates new coins.  The competition is fierce, and it is very difficult to be the first to complete a block and claim the award.

Due to the anonymity associated with cryptocurrency, it has become a preferred method of currency for criminals and other malicious users due to its ability to undermine legal controls, making it extremely unpopular with governments and law enforcements [2].  However, recognizing that primary technologies (like blockchain) are popular and successful, many companies are looking at the logistics of adding it next-generation applications such as smart trading, Internet of Things (IoT), vehicular networks, health-care data management, and smart cities [2].

To keep cryptocurrency safe, many people use cryptocurrency wallets.  There are many choices, like hardware or software based, but either way it is most important to research the wallet company to ensure they have a positive record of accomplishment.  Like many banks, cryptocurrency wallet companies are enticing targets to hackers who want to steal cryptocurrency.  There are a few free options, but some charge you for the first purchase, and others charge per transaction.  The wallet will store your public and private keys so that the user can send or receive cryptocurrency from the wallet.  Some wallets have phone applications (which adds risk) that make it easier to manage cryptocurrency as well [4].

Cryptocurrency itself is often referred to as money but this can be confusing to some.  Similar to stocks, the value of a single coin can go up or down based upon the confidence in the currency.  They are just as risky of an investment as stocks, but the cryptographic technology that the coins are built upon makes them more private and more secure.  The ledgers are not hidden, and it would be very difficult to fake transactions.  The communities that have grown around these products are supportive and invested in the product.  Coins are even becoming widely accepted as a means of payment in many brick and mortar stores now [5] and cryptocurrency is becoming easier to use, with wallet applications putting cryptocurrency just a finger swipe away.

Bitcoin’s popularity and success have made it an alluring target.  Some attacks against cryptocurrency that are frequently seen in the wild include double spending, netsplit, transaction malleability, network attacks, and attacks targeting mining [2].

So What Is Double Spending?

Double Spending is when an individual changes records in the ledger and spends a bitcoin balance more once in one transaction [1].  This is accomplished by trying to convince other users of a alternative history by winning the mining competition against users who are honest and follow the rules [3].  Through a block chain, the transaction is only verified and protected through a confirmation process.  It is at this point that the transaction becomes irreversible and posted publicly.  

Bitcoin will reject the transactions if two spend the same input in the same block.  If this occurs, it would be treated like accounting fraud [1].  Although possible, a study published by the Bank of Canada (BOC) found that double spending is an “unrealistic” outcome due to three elements that blockchain security is based on:  consensus protocol, confirmation lags, and reward scheme.  In a decentralized setting, miners (or validators) mine using the most common consensus protocol, proof-of-work (POW).  The algorithm consists of five major rules:

The algorithm imposes the following major rules: (i) input and output values are rational, (ii) transactions only spend unspent outputs, (iii) all inputs being spent have valid signatures, (iv) no coinbase2 transaction outputs were spent within 100 blocks of their creation, and (v) no transaction spend inputs with a locktime before the block in which they are confirmed” [2].

Generally, a blockchain based system such as Bitcoin is considered as secure and robust as its consensus model. It needs no authentication to join the network and subsequently makes mining extremely scalable, however, it makes it vulnerable to “51% attacks.”  In a “51% attack” a network of miners controls a majority of the cryptocurrency mining hardware, greater than 50%.  

They could theoretically halt the processing of select transactions of users or reverse transactions which would allow double spending by the original owner of a coin.  They would only be able to reverse transactions that occurred when they controlled the network, and they would not be able to create new coins from nothing.  This attack has been successfully executed on Bitcoin Gold, Krypton and Shift coins.  

Secondly, confirmation lag helps prevent users from double spending by preventing them from altering the history of the transaction and allowing the seller to view the recorded multiple confirmations in the blockchain before delivery of goods.  This occurs when several new blocks are stacked onto the block that contains the original transaction.  Double spending would require the fraudulent user to replace all the original block and all subsequent blocks that contain the transaction.  

Thirdly, “the right to update a block is proportional to the fraction of computational power owned by a miner [3].  Mining is very costly and therefore rewards are given to incentive validators.  These rewards are given by seiniorage  (via cryptocurrency or tokens) or via fees.  Increasing rewards will increase resources that are burned making it harder for users to double spend [3].  

All of this is related to the so-called “51% attack” problem.  If a malicious miner controls more than 51 percent of computational power, confirmation lags (in theory) lose their ability to curtail double-spending, by creating “an arrival rate that is larger than those of the other honest miners combined” thereby creating longer chains and the ability to double spend.  

However, mining as mentioned above requires vast amounts of resources and would require an individual or entity with many assets and who is risk neutral.  This combination tends to be unrealistic and the users would simply not be able to muster enough economic assets to conduct double spending [3].

The awesome image used to head this article is called 'ICO Design' and it was created by Andrew Sereda.

CASH PRIZE ARTICLE - This article won a $500 cash prize in our cash writers contest, thank you so much to our generous and anonymous sponsor!


[1]             S. Ross,     "Investopedia," n.d.. [Online]. Available:     [Accessed 02 10 2018].                  

[2]             M. Conti, K. E.     Sandeep, C. Lal and S. Ruj, "A Survey on Security and Privacy Issues     of Bitcoin," IEEE Communications Surveys & Tutorials, PP(99), 2017.                      

[3]             . J. Chiu and T. V.     Koeppl , "Incentive Compatibility on the Blockchain," Bank of     Canada, 2018.                  

[4]             Block Geeks,     "Cryptocurrency Wallet Guide: A Step-By-Step Tutorial," n.d..     [Online]. Available: [Accessed 03 10     2018].                  

[5]             E. Moreau, "15     Major Retailers and Services That Accept Bitcoin," 02 10 2018.     [Online]. Available:     [Accessed 03 10 2018].                  

[6]             Investopedia,     "Fiat Money," n.d.. [Online]. Available: [Accessed 31 10 2018].                

[7]             InvestorWords,     "commodity-backed currency," n.d.. [Online]. Available:     [Accessed 03 10 2018].                  

[8]             Matrix Wissen,     "Summary on how money and the monetary system work (english),"     n.d.. [Online]. Available:     [Accessed 03 10 2018].                  

[9]             K. Rapoza,     "Cryptocurrency Exchanges Officially Dead In China," 02 11 2017.     [Online]. Available:     [Accessed 03 10 2018].                  

[10]             Block Geeks,     "What is Cryptoeconomics? The Ultimate Beginners Guide," n.d..     [Online]. Available: [Accessed 03 10     2018].                  [11]             A. Greenberg,     "Crypto Currency," 20 04 2011. [Online]. Available:     [Accessed 03 10 2018].