Topic: Don't accept 0 confirmation tx - page 2. (Read 662 times)

I remembered that it will really depend on how much is the value of the transaction you are expecting since the number of confirmations is link to how much money is the scammer willing to spend to reverse the transaction. I forgot where I have read it but I think it is in stackexchange where they have tried to link how secure the number of confirmations are depending on how much are you expecting to receive.

LN is still very much in development, and using it remains a risk. I wouldn't expect many merchants to start using it yet. Give it time.

If you choose to accept zero confirmation transactions, then sure, you are placing full trust in the other party not to double spend the transaction, but bitcoin is designed specifically not to require trust. Every transaction you receive and every block which is mined can and should be verified by your own full node. This requires no trust in any third parties and allows you to independently check that you actual have received the coins you think you have.

Bitcoin transactions works on trust so before you send your coins to anyone, and before you receive it to someone you already did diligent research  to the one you are receiving coins and sending coins, and OP is absolutely right never accept transaction with 0 confirmation, you still don't own the coin, if it is still showing zero coin because it can be manipulated to over ride it.

Well, if the crypto wants widespread adoption then it has to be used for daily transactions. I'm aware of LN but that thing is hardly implemented on sites I frequent on, let alone IRL.

I could always opt for cards, cash or e-Wallet but then more options are always better, you know.

transaction malleability isn't really possible on bitcoin because almost all the nodes are running bitcoin core and core nodes reject any non-standard transaction which includes the malleated transactions. some of the rules started from 0.6.0 and all the rest has been in effect ever since 0.9.0 and 0.10.0

Except for Bitcoin core GUI (Bitcoin-qt),
it will gray out the right-click menu option: "Increase transaction fee" of an RBF parent transaction once any of the outputs was/were spent.
There are still workarounds though but it will not be an easy task.

Another way that a person can be caught out is when the -zapwallettxes is used to cancel an unconfirmed TX already in play by the sender who then sends a second TX (usually with a higher TX fee paid) that overtakes the first spend and is confirmed quickly.

As everyone else has already pointed out - wait for a TX to be confirmed!

It is also far easier, and requires far less technical knowledge, to reverse a transaction with a credit card than a non-RBF bitcoin transaction. A simple phone call and saying "I didn't make this transaction, my card must have been lost/stolen/cloned/hacked/whatever" is all it takes. Stores can accept a little bit of credit card fraud for the convenience of allowing customers to pay by credit card.

Transaction malleability also makes it unsafe to accept any transaction which has an unconfirmed parent regardless of RBF, unless all the parents are SegWit transactions, since SegWit fixed the transaction malleability bug.

In addition to what stated by bob123, not only RBF-enabled transactions shouldn't be accepted, but also you shouldn't accept transactions that have an unconfirmed parent transaction with a RBF flag.
A transaction that has a RBF-enabled parent is even more risky than an RBF-enabled transaction.

For abusing a RBF transaction, it is needed to change the outputs as well (I don't know any wallet that allow this).
For abusing a transaction that has a RBF parent, the only thing needed is to bump the fee of the parent transaction. (It is allowed in all wallets supporting RBF such as Electrum)

Just don't use it to buy a cup of coffee then. Why would you need main chain security when you can simply use your card or second layer solution as mentioned above?

There are multiple ways to circumvent that.
You could either only allow 0-conf transactions if they are send without the RBF flag which makes it much harder (not impossible) to double spend a transaction. That's definitely fine for low value (coffee) transactions.
Another option would be to use a 2nd layer (e.g. lightning network). And the 3rd option would be to simply accept the risk. I mean.. it's just a coffee. Who is gonna steal a coffee. And even if there is someone who does exactly that, you might have some cameras to prohibit him entering the building again.
Losing one out of a few hundred coffees to a double spend isn't too much and definitely manageable.

Fancy having to wait 10 mins after ordering in BTC for a cup of coffee while the rest wait in line, feels long man.

I think this is the common problem with us OP of the link above getting too much confidence because the mode of payment is on BTC and I think he thing once you already send the funds you are now safe. This is the common mistake right now because the scammer tricked him with the use of the double-spend.

I think they don't have communication right now of the scammer feels sad to him because all of the hard work becomes a scam.


Also, I always visited the mempool every time to make transactions of the miners see good right now before making any transactions. The good thing and lesson this too to other members always wait for the confirmation before making a deal.

Thanks for the reminder. Some people do neither know nor pay attention on difference between Unconfirmed and Confirmed deposits. Some platforms show Unconfirmed transactions in account deposits and newbies can be trapped.

Binance is different, at least it only show deposits if the minimum confirmations are met. Unconfirmed transactions won't be shown in Deposit history and Account balance of course.

Withdrawal: I don't remember that Binance only shows txhash of withdrawal after the transaction gets enough confirmations or at least 1. The txhash link is delayed for a while (always) but I know platforms always do patch payment so it takes a while to process customers' withdrawal request. Someone please confirm it. 

---

Personally, when I need to make transaction follow-up, I'd like to do it with block explorer and with Tor browser.

Connect wallets too often with Internet and nodes is not good, if I don't need to make any transaction. Let's consider with 2 situations:

• Incoming transactions (I plan to use it instantly when I receive it): two options: block explorer + Tor browser; with real wallet or account. It is less harm to use the first option.
• Sendout transactions: I always check it with block explorer + Tor browser. There is no need to connect my wallet to follow-up send-out transactions.

the number of confirmations on a transaction you decide is "safe" depends on a couple of factors. it can never be a fixed value. and you should never just chose a random number but instead learn what it really means and when/how can a transaction be reversed or has the risk of it.

1) zero confirmation has never been safe and will never be safe. period.

2) type of client you use (in simple terms the way you check how many confirmation the transaction has) plays a key role. a full verification node that is capable of actually fully verifying everything can be trusted a lot more than a SPV client because it can detect chain reorgs whereas the SPV client has no safe way of doing that for sure. so 3 confirmation for a full node user and 6 to 10 for SPV users could be safer.

3) network state is also an important factor to consider. 99% of the times there is nothing going on in bitcoin world. all miners and all nodes are in complete agreement and they are all following the same rules. in 1% of the times (maybe less) we have "updates" aka forks. for instance during 2017 where there was BIP148 split-risk, the BCash miner attack risk, during both hard and soft forks,... there was a chance of chain splits and reorgs hence a much higher number of confirmation were required. it can be anything north of 30. (example)

4) and finally the amount you receive. this doesn't concern regular users since it mostly about cost of 51% attack but if you were receiving millions of dollars worth of bitcoin, you'd want a lot more  confirmation on it than just 1.

Sadly, not everyone who uses bitcoin knows how it works. I know people who make dozens of transactions daily but they have no clue what confirmation means.

If you use a non-custodial wallet which accept spending unconfirmed balance then you don't have to wait for the transaction to confirm. Just create a CPFP transaction and make sure you use enough fees to cover for both transactions.

Replace by fee transactions can be abused. Because once you bump the fee the first transaction disappear and it is replaced by a new one. But I don't think child pay for parent method can be abused unless I am missing something.
Using CPFP method, you can only accelerate a transaction and it's impossible to reverse the transaction, remove it, change outputs, etc.

To be sure at least 1, 3 and there's even 6 confirmations that I've seen just to be sure. I feel bad for the guy on the other as he's been scammed and it was actually the intention of the guy that he dealt with.

Not only added but still check if it's confirmed. There are wallets that makes us see that there's an amount that got in and sent even it isn't yet confirmed.

Normally, a hacker can use replace by fee or child pay for parent to divert the transactions of no confirmation from the recipient back into their wallet. That is why it is not good to accept zero confirmed bitcoin transaction. But, if a miner has picked the transaction already and confirmed ones (1 confirmation), it will be difficult or not possible to reverse such transaction back. But, no matter how low a transaction amount is, accepting zero confirmed transaction can later lead to the recipient being scammed by the sender.

For me, 1 confirmation is good on my side when transacting low amount of bitcoin, but for high amount of bitcoin, I will prefer 3 to 6 confirmations. But, I do not think transactions that have 1 confirmation already can be reversed but transaction with 3 to 6 confirmations is more secure.

This doesn't always work. Because there is no guarantee that the new transaction will be accepted by nodes unless you are very very lucky.
Even you try to broadcast a new transaction spending same inputs with a much higher fee, there's a high probability that nodes reject the transaction and don't propagate it.
The scammer in question was very lucky or managed to make a double spend in a way I'm not aware of.
As far as I know, for having a successful double spend, it's not enough to make a new transaction with a higher fee. The transaction will be rejected by majority of nodes even if the first transaction hasn't been confirmed yet and the fee paid for the second transaction is much higher.