Topic: Don't accept 0 confirmation tx (Read 662 times)

But someone is ignorant about the crypto payments they should get the knowledge first before receiving the funds, maybe he lost the money but it is a good lesson and will keep him aware of this forever and also he might teach other people about which mistakes should be avoided to save ourselves from scams.

This also happened to me in the past. I agreed to sell an altcoin to a stranger in telegram. I was agreed because The guy wanted to pay BTC to me fast. And I will pay him later. That time I follow him as clever because without any reason no stranger can agree to pay fast without debating a ward. He sent me Bitcoin to my address and ask for the altcoin from me. I said to him to wait for at least one confirmation. But the guy blaming again and again that this is not like a business, he have to sell the altcoin, the market going down bla bla bla, I was strong since I have already got the bitcoin to my wallet , and saying him I can not send it before any confirmation. one, two, six hours even 1 days gone but the tnx is pending. after 1 more day maybe the tnx gone from tnx history.

It can give so much time to make a transaction again to cancel the previous transaction because the btc nodes confirm the latest transaction usually in 10 minutes and that will give ample time for the scammer to make a new transactions and to cancel the previous one.

As what had been mention by other users that the first transaction being made was being rejected. And remove from the network. Scammers really are brilliant in taking advantage of this kind of processmof bitcoin transaction. So we must all be careful instead not getting trick or outsmart by the scammers.

it is a tough call that someone will accept BTC without even knowing how the network is functioning, but you should never blame the victim

someone tried to allow BTC payments, and after scam like this one, he will probably give up on BTC payment, which is not a good thing for a mass adoption, and one should always show empathy to the victim, and not blame one to have not being too serious to read all the small letters included

Based on that story OP is a seller and he accepts Cryptocurrency for payment to his product, he is a newbie seller and naive, he should know how transaction works, he should have wait for the right number of confirmation before he send the product, every coin has a required number of transactions and he should be aware of that.

again you can't just give raw numbers based on a single factor while there are multiple important ones to consider. these numbers you posted here are for the case when the user is running a full verification node and the network is healthy (there is no forks planed, etc.) read my comment in first page for details: https://bitcointalksearch.org/topic/m.55311829

Technically, it is. Occasionally the network experiences what is called a stale block. This is when two blocks are mined in very close succession. The first block isn't finished being broadcast round the network when the second block is also broadcast round the network. Some nodes accept the first block, and some accept the second. The conflict is only resolved when the next block is mined, and whichever block it was built on top of becomes the accepted block, with the other one being rejected and becoming a state block.

Now, usually any transactions which were included in stale block would also be included in either its replacement or the next block, and so wouldn't be reversed, but it is possible for a transaction not to be included and therefore go from 1 confirmation back to 0.

Although the transaction is reversed (going from 1 confirmation back to 0), it is not cancelled. The transaction will still exist in the mempool to be picked up by some future block, unless someone successfully double spends or replaces it.

Hmm, since it's also a forum, you can't always trust a post from a random user.

Or maybe it's for a gambling/exchange that accepts 0-confirmation deposits that has some safeguarding against double-spend attempts like
not accepting RBF txns, should have optimal fee and no withdrawals until the deposit is confirmed.

Care to link the thread where it was posted?

As a newbie I am very happy to have lessons like this because these are going to help in future as reading here many scams and cheats happening with different peoples here in crypto world but this surely going to help many newbies because minimum 1 to 3 confirmations are ok for any payment but never go with 1 confirmation as this can give you shock and you can lost your hard earned funds thanks @RapTarX.

Technically, it is not possible to reverse a transaction which has been confirmed and included into the valid chain asides with an attack on the network.

Putting it into perspective; an attack on the network means an entity controls majority of the hashrate or more than anyone else, creating a monopoly on the network. This is very expensive and can not be realistically maintained for a long period of time.
51% is used to indicate one who controls majority of the network, this is the range where it becomes possible to manipulate the network and reverse already confirmed transactions, it is still very difficult to actually implement from here on. One who controls less percentages than that (<51%) can still try to manipulate the network but it is much less probable and still expensive, this is why there is an advisable range for transactions to be considered irreversible;

• 1 confirmation would be okay for low transactions as it would not be worth it for someone to try and reverse.
• For extremely large transactions, like $1 million and above, it is possible and profitable for someone who controls majority of the hashrate for a little while to manipulate the network and invalidate, so it is advisable to wait at least 6 confirmations.
• For intermediate amounts, between both extremes, 3 confirmations and above should suffice.

The deeper a block is in the chain the more secure it is, reason why it is advised to wait for more conformations when dealing with much larger amounts.

Is it possible to cancel a transaction which got one confirmation? Its not really possible from what I need because once the transactions included in the blocks then there is no way of reversing it other than 51% attack so we can trust 1 confirmation is enough for any transaction to get accepted or correct me if I am wrong here.

Yeah I have found several threads from stackexchange saying that 6 confirmations is the rule of thumb when it comes to how many confirmations needed in order for us to say that the transaction is secure and somehow irreversible. But what I can't manage to see again is their price to confirmation model they have done in that forum. It sorta goes like this.

0-1 Confirmations - up to 10$
3 Confirmations - 100$
6 Confirmations - 10,000$

The numbers above are made up but these is how they made the model explaining why these prices of transactions are safe depending on the number of confirmations.

There are multiple attacks which do double-spend a transaction with 1 confirmation.
Most of them either require a collusion with a miner or to sacrifice a block reward.

While it is technically possible, it is highly unlikely, not guaranteed to work out and too costly to perform.




Always at least 1 confirmation.
If the amount is extremely high (in your opinion), wait for 3-6 confirmations.

By connecting 6confirmations and double-spend, I'd say that it isn't what you've heard years ago.
But double-spending is an old term and it's even in the Whitepaper.

Double-spending can only be done with unconfirmed transactions.

Those additional required confirmations are for assurance that your confirmed transaction will be harder to manipulate by a miner who will do a "51% attack".
The deeper the block where the transaction is in the blockhchain, the harder it is to tamper with the transactions in it.
So it's recommended to wait for 6 confirmations for high-value transactions and 3-5 for medium risk, but you actually only need 1 to consider it as "paid".

How long has this been going on for?


So this is exactly the double spend scam i heard about from years ago?


So say someone send you btc and you send them money.  You need to make sure it has at least how many confirmations before you send them the money or give them cash?  Someone said if its less than a thousand dolllars, you can do x confirmations, if its smaller than a hundred dollars, x confirmations... but if its huge amount... always 6 confirmations?  So if someone send you 5000 dollars worth of btc, how many confirmations you need before you give them cash or online payment?

That basically is a RBF. That's how one would implement a RBF with core and the appropriate flag being set.



Actually, they don't.
That's the whole point of bitcoin. If it would require trust, it would have failed on what it was meant to achieve. A trustless, decentralized and uncensorable payment network/protocol.

Wrong usage can - under given circumstances - require trust.

It is entirely variable, and depends on the person receiving, their risk model, and how much bitcoin is being transferred. If I'm receiving money from a friend or relative I trust, then I'm going to be happy with zero confirmations for relatively large amounts. Conversely, if I'm receiving money from a complete stranger, then I'm going to wait for a couple of confirmations for even small amounts. A large business may accept zero confirmations for transactions less than 5 dollars, because the small amount of fraud they would experience is more than offset by the speed of being able to serve more customers. Conversely, someone for whom 5 dollars represents an entire day's wage is going to wait for several confirmations.

6 confirmations was picked as a completely arbitrary number.

Irrelevant when we are talking about Bitcoin, not Ethereum.

Good advice,
0 confirmation transaction can easily be canceled using only metamask.
A good example of this fraud is sending funds with 1 gwei gas fee. The tx is visible, but will be pending until ragnarok.

I already seen this kind of scam in social media platform they are looking for trade from other crypto currency  they are telling that they  will send first by using that tricks . Other will believe because there are incoming unconfirmed transaction that they can see in thier wallet  and that bogus traders will say many things and accuse you of being a scammer .he will tell you that you are a fake seller if you don't send the one he want to trade after having fake transaction .

I heard about this kind of situation where people fell victims to these strategies. I won't really consider the deal that has been done before I see some confirmation in the transactions because the unconfirmed transaction can also be unsuccessful at some point. One confirmation is enough though cause you can really sure that the funds will be going to your wallet after a few minutes.

I remembered that it will really depend on how much is the value of the transaction you are expecting since the number of confirmations is link to how much money is the scammer willing to spend to reverse the transaction. I forgot where I have read it but I think it is in stackexchange where they have tried to link how secure the number of confirmations are depending on how much are you expecting to receive.

LN is still very much in development, and using it remains a risk. I wouldn't expect many merchants to start using it yet. Give it time.

If you choose to accept zero confirmation transactions, then sure, you are placing full trust in the other party not to double spend the transaction, but bitcoin is designed specifically not to require trust. Every transaction you receive and every block which is mined can and should be verified by your own full node. This requires no trust in any third parties and allows you to independently check that you actual have received the coins you think you have.

Bitcoin transactions works on trust so before you send your coins to anyone, and before you receive it to someone you already did diligent research  to the one you are receiving coins and sending coins, and OP is absolutely right never accept transaction with 0 confirmation, you still don't own the coin, if it is still showing zero coin because it can be manipulated to over ride it.

Well, if the crypto wants widespread adoption then it has to be used for daily transactions. I'm aware of LN but that thing is hardly implemented on sites I frequent on, let alone IRL.

I could always opt for cards, cash or e-Wallet but then more options are always better, you know.

transaction malleability isn't really possible on bitcoin because almost all the nodes are running bitcoin core and core nodes reject any non-standard transaction which includes the malleated transactions. some of the rules started from 0.6.0 and all the rest has been in effect ever since 0.9.0 and 0.10.0

Except for Bitcoin core GUI (Bitcoin-qt),
it will gray out the right-click menu option: "Increase transaction fee" of an RBF parent transaction once any of the outputs was/were spent.
There are still workarounds though but it will not be an easy task.

Another way that a person can be caught out is when the -zapwallettxes is used to cancel an unconfirmed TX already in play by the sender who then sends a second TX (usually with a higher TX fee paid) that overtakes the first spend and is confirmed quickly.

As everyone else has already pointed out - wait for a TX to be confirmed!

It is also far easier, and requires far less technical knowledge, to reverse a transaction with a credit card than a non-RBF bitcoin transaction. A simple phone call and saying "I didn't make this transaction, my card must have been lost/stolen/cloned/hacked/whatever" is all it takes. Stores can accept a little bit of credit card fraud for the convenience of allowing customers to pay by credit card.

Transaction malleability also makes it unsafe to accept any transaction which has an unconfirmed parent regardless of RBF, unless all the parents are SegWit transactions, since SegWit fixed the transaction malleability bug.

In addition to what stated by bob123, not only RBF-enabled transactions shouldn't be accepted, but also you shouldn't accept transactions that have an unconfirmed parent transaction with a RBF flag.
A transaction that has a RBF-enabled parent is even more risky than an RBF-enabled transaction.

For abusing a RBF transaction, it is needed to change the outputs as well (I don't know any wallet that allow this).
For abusing a transaction that has a RBF parent, the only thing needed is to bump the fee of the parent transaction. (It is allowed in all wallets supporting RBF such as Electrum)

Just don't use it to buy a cup of coffee then. Why would you need main chain security when you can simply use your card or second layer solution as mentioned above?

There are multiple ways to circumvent that.
You could either only allow 0-conf transactions if they are send without the RBF flag which makes it much harder (not impossible) to double spend a transaction. That's definitely fine for low value (coffee) transactions.
Another option would be to use a 2nd layer (e.g. lightning network). And the 3rd option would be to simply accept the risk. I mean.. it's just a coffee. Who is gonna steal a coffee. And even if there is someone who does exactly that, you might have some cameras to prohibit him entering the building again.
Losing one out of a few hundred coffees to a double spend isn't too much and definitely manageable.

Fancy having to wait 10 mins after ordering in BTC for a cup of coffee while the rest wait in line, feels long man.

I think this is the common problem with us OP of the link above getting too much confidence because the mode of payment is on BTC and I think he thing once you already send the funds you are now safe. This is the common mistake right now because the scammer tricked him with the use of the double-spend.

I think they don't have communication right now of the scammer feels sad to him because all of the hard work becomes a scam.


Also, I always visited the mempool every time to make transactions of the miners see good right now before making any transactions. The good thing and lesson this too to other members always wait for the confirmation before making a deal.

Thanks for the reminder. Some people do neither know nor pay attention on difference between Unconfirmed and Confirmed deposits. Some platforms show Unconfirmed transactions in account deposits and newbies can be trapped.

Binance is different, at least it only show deposits if the minimum confirmations are met. Unconfirmed transactions won't be shown in Deposit history and Account balance of course.

Withdrawal: I don't remember that Binance only shows txhash of withdrawal after the transaction gets enough confirmations or at least 1. The txhash link is delayed for a while (always) but I know platforms always do patch payment so it takes a while to process customers' withdrawal request. Someone please confirm it. 

---

Personally, when I need to make transaction follow-up, I'd like to do it with block explorer and with Tor browser.

Connect wallets too often with Internet and nodes is not good, if I don't need to make any transaction. Let's consider with 2 situations:

• Incoming transactions (I plan to use it instantly when I receive it): two options: block explorer + Tor browser; with real wallet or account. It is less harm to use the first option.
• Sendout transactions: I always check it with block explorer + Tor browser. There is no need to connect my wallet to follow-up send-out transactions.

the number of confirmations on a transaction you decide is "safe" depends on a couple of factors. it can never be a fixed value. and you should never just chose a random number but instead learn what it really means and when/how can a transaction be reversed or has the risk of it.

1) zero confirmation has never been safe and will never be safe. period.

2) type of client you use (in simple terms the way you check how many confirmation the transaction has) plays a key role. a full verification node that is capable of actually fully verifying everything can be trusted a lot more than a SPV client because it can detect chain reorgs whereas the SPV client has no safe way of doing that for sure. so 3 confirmation for a full node user and 6 to 10 for SPV users could be safer.

3) network state is also an important factor to consider. 99% of the times there is nothing going on in bitcoin world. all miners and all nodes are in complete agreement and they are all following the same rules. in 1% of the times (maybe less) we have "updates" aka forks. for instance during 2017 where there was BIP148 split-risk, the BCash miner attack risk, during both hard and soft forks,... there was a chance of chain splits and reorgs hence a much higher number of confirmation were required. it can be anything north of 30. (example)

4) and finally the amount you receive. this doesn't concern regular users since it mostly about cost of 51% attack but if you were receiving millions of dollars worth of bitcoin, you'd want a lot more  confirmation on it than just 1.

Sadly, not everyone who uses bitcoin knows how it works. I know people who make dozens of transactions daily but they have no clue what confirmation means.

If you use a non-custodial wallet which accept spending unconfirmed balance then you don't have to wait for the transaction to confirm. Just create a CPFP transaction and make sure you use enough fees to cover for both transactions.

Replace by fee transactions can be abused. Because once you bump the fee the first transaction disappear and it is replaced by a new one. But I don't think child pay for parent method can be abused unless I am missing something.
Using CPFP method, you can only accelerate a transaction and it's impossible to reverse the transaction, remove it, change outputs, etc.

To be sure at least 1, 3 and there's even 6 confirmations that I've seen just to be sure. I feel bad for the guy on the other as he's been scammed and it was actually the intention of the guy that he dealt with.

Not only added but still check if it's confirmed. There are wallets that makes us see that there's an amount that got in and sent even it isn't yet confirmed.

Normally, a hacker can use replace by fee or child pay for parent to divert the transactions of no confirmation from the recipient back into their wallet. That is why it is not good to accept zero confirmed bitcoin transaction. But, if a miner has picked the transaction already and confirmed ones (1 confirmation), it will be difficult or not possible to reverse such transaction back. But, no matter how low a transaction amount is, accepting zero confirmed transaction can later lead to the recipient being scammed by the sender.

For me, 1 confirmation is good on my side when transacting low amount of bitcoin, but for high amount of bitcoin, I will prefer 3 to 6 confirmations. But, I do not think transactions that have 1 confirmation already can be reversed but transaction with 3 to 6 confirmations is more secure.

This doesn't always work. Because there is no guarantee that the new transaction will be accepted by nodes unless you are very very lucky.
Even you try to broadcast a new transaction spending same inputs with a much higher fee, there's a high probability that nodes reject the transaction and don't propagate it.
The scammer in question was very lucky or managed to make a double spend in a way I'm not aware of.
As far as I know, for having a successful double spend, it's not enough to make a new transaction with a higher fee. The transaction will be rejected by majority of nodes even if the first transaction hasn't been confirmed yet and the fee paid for the second transaction is much higher.

Imagine, you made a tx with lower fee. In recent times, lower fee tx requires more time to get confirmed. One of my tx with 2 sats per byte isn't confirmed yet. Nevertheless, since you used lower fee in the tx, the tx won't get confirmed. With the tx id, you were able to attract the mind of the seller (receiver) that you sent the tx. But since the tx isn't confirmed yet, if you create another tx with higher fee, miners will include the higher fee one in blocks. Therefore, the previous tx will no longer valid as that input has already been spent.

Yes, I have read it and understand what the OP went through. To be honest I had never heard of a scam like this before and it was new to me. BTW you are a little faster than me to start thread, but good because the community will gain knowledge and warning.
I never knew before that the first transaction could still be transferred or canceled just because the sender made a second transaction with a higher fee. But that person's case has made me realize that unconfirmed transaction are anything but secure.

This is a great tip and something that should apply to every cryptocurrency!
Bare in mind that some cryptos have a much, much faster blocktime and that period could be even longer.

This reminds those Bitcoin enthusiasts to know how Bitcoin works properly before accepting Bitcoin as a payment. Yes, Bitcoin is irreversible once it is confirmed but it could be tricked by the double-spending method of scamming people if there's no at least 1 confirmation. I even not feel safe with one confirmation confirmed. For the sake of safety and security per Bitcoin transaction, at least 3-5 confirmation confirmed before accepting as a valid amount transfer to your wallet or even much better just wait for the minimum 6 confirmations.


source:

The rejected transaction was pulled by the network and mark as rejected. And that is could be you of you will not wait for even 3-5 confirmations to be processed.

A lot of users of Bitcoin are unaware of what double spend is and wallets like electrum adds the unconfirmed transactions to their address as soon as it is sent, making it easier for them to be tricked that they have already received the funds in there wallet.

The 1 confirmation rule is sufficient for smaller transactions; below ~$1,000. If however a transaction involves a significant amount ~ $100,00 to $1,000,000 6 confirmations would be advisable, for it to be considered irreversible, although in reality what it means is that, the transaction would be too expensive to invalidate and the scammer would be spending more than the amount involved to attempt such an attack on the network.

This is called "double spend transaction". It is one of the way to scam people. We need to be more careful not to rush into dealing with strangers.  I always wait for the asset to be added to my wallet during this type of transaction.

I feel comfortable with 3 confirmations. Although I am so erratic at the moment, that it will probably be a lot more by the time I can check.

It is very easy scam to be realized and I don't know why there are people who are scammed by this. I am sorry for the loss of that person but still don't understand why.

If a person actually uses an exchange, a casino, requirement on confirmations is a thing to know of. From 1 to 3 confirmations will be required. It is applied commonly to avoid double spend attacks.

I am sorry if a person is scammed by this for the first bitcoin transaction ever made. If it is not a first bitcoin transaction, I am sorry for the very careless acceptance.

With small fund, wait for 1 confirmation. With big fund, wait for up to 3 confirmations to make sure that transaction is irreversible. The most annoying issue is wait for first transaction. You don't know how long you will have to wait to see the first confirmation. Fortunately, after the first confirmation, it is comfortable to wait for next 20 minutes (longer or shorter a little) to get 2 more confirmations.

https://en.wikipedia.org/wiki/Double-spending
https://en.bitcoin.it/wiki/Irreversible_Transactions
https://academy.binance.com/en/articles/double-spending-explained

Check this thread- https://bitcointalksearch.org/topic/how-is-this-possible-a-recent-transaction-suddenly-becomes-invalid-5279758
OP has been scammed because they accepted tx without a single confirmation. It's possible to manipulate a tx in such cases where scammer will send you the fund and make sure they have received what they have paid for and later they will create another tx with higher fee with the same input. The later tx will get confirmed and yours one will be invalid.
Therefore, don't accept zero confirmation tx. Wait for at least 1 confirmation.