
Topic: Double Spending for BTC businesses - Best practice Solutions ? - page 2. (Read 1452 times)

full member
Activity: 224
Merit: 100
BIP70 is talking about:

Quote
Resistance from man-in-the-middle attacks that replace a merchant's bitcoin address with an attacker's address before a transaction is authorized with a hardware wallet

(This is not the same as a double spend.)

How would 0 confirmations negate the double spending problem?  
It's just the opposite -- the more confirmations you have, the
harder it is to double spend.  

The only way I can see around that is using a trusted third party
like Coinbase that can provide instant confirmation.

However, in most point-of-sale applications, you wouldn't need
confirmations, because most people aren't going to double spend.

Just like you could write a bad check, or shoplift, you can try
to cheat the system (but most people don't for fear of going to jail).

In a more expensive transaction, you wait for confirmations just
like you would wait for a check to clear.


Cheers Jonald;

- No checking software available?

- Wonder how Coinbase instantly validates?

- Don't really want to create a bias implementing "Limits" / We want to be just as rapid for larger volume transactions. 
donator
Activity: 1218
Merit: 1079
Gerald Davis
I see, thanks mate - wondering if Double Spending problem can be negated with 0 Confirmations?

No.  If it could then we wouldn't need confirmations, blocks, mining, and the massive expenditure of hardware and energy that goes along with it.   "Mining" is forcing a consensus on the network as to the ordering of transactions.  You "may" be able to accept 0-confirm txs with no or an acceptable rate of fraud but everything will depend on what you are selling, how much a theft is worth, if it is repeatable, how convertible would it be for a thief, how traceable, etc.

Nobody can say "in 100% of scenarios you must use X confirmations".  Well they can say it but they would be wrong.

To give you an example at one time Tangible Cryptography sold mobile phone reloads for Bitcoins.  For phone codes (which could be used to recharge any phone) we required 1 confirmation (sometimes 2 if we experienced a large amount of volume).  For direct reloads (where the user supplies a phone number and the time/value is directly added to their account) we didn't require any confirmations*.  Since the purchase was linked to a phone account the risk of a double spend was reduced and the repeatability of the attack was also reduced.  For BitSimple (a direct broker/dealer in Bitcoins) we require 3 confirmations as some of the withdraw methods are irreversible.

It all comes down to risk management.



*It is important to understand how you can detect double spends on the network using multiple nodes (listening nodes).  This doesn't guarantee a double spend (the thief could have a secret deal with one or more miners) but it does ensure you will not lose a "race" which ensures honest miners won't be working against you simply because they encountered the double spend first.  You should not accept 0-confirm transactions unless you understand the risks involved.  This means understanding how tx are relayed, what can prevent tx from being relayed, how an attacker could work directly with a miner, how a "Finney Attack" works and why it can't be detected. 
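The listening-node check described in the post above, as an added example that is not part of the original post or any poster's code: it compares the unconfirmed transactions reported by several nodes and flags a payment when another transaction spending the same outpoint has been seen anywhere. The node names, transaction ids and the `quorum` parameter are constructed for illustration, and as the post says, a clean result cannot rule out a Finney attack or a spend handed privately to a miner.

```python
from collections import defaultdict

# Constructed sample data: mempool contents reported by three hypothetical
# listening nodes. Each tx is (txid, [outpoints it spends]); an outpoint is
# written "prev_txid:vout". All identifiers are made up for this example.
NODE_VIEWS = {
    "node-a": [("pay1", ["f00d:0"]), ("pay2", ["beef:1"])],
    "node-b": [("pay1", ["f00d:0"]), ("pay2", ["beef:1"])],
    "node-c": [("pay1", ["f00d:0"]), ("evil2", ["beef:1", "cafe:0"])],
}

def index_spends(node_views):
    """Map each outpoint to {txid: set of nodes that saw that txid spend it}."""
    spends = defaultdict(lambda: defaultdict(set))
    for node, txs in node_views.items():
        for txid, outpoints in txs:
            for outpoint in outpoints:
                spends[outpoint][txid].add(node)
    return spends

def assess(payment_txid, node_views, quorum):
    """Return (verdict, detail) for an unconfirmed payment.

    'conflict'         : a different tx spending one of the same outpoints
                         was seen by at least one node
    'unseen'           : fewer than `quorum` nodes have seen the payment
    'no-conflict-seen' : widely propagated and no competing spend observed
    """
    seen_by, conflicts = set(), {}
    for outpoint, by_tx in index_spends(node_views).items():
        if payment_txid not in by_tx:
            continue  # this outpoint is not an input of the payment
        seen_by |= by_tx[payment_txid]
        rivals = {t: sorted(n) for t, n in by_tx.items() if t != payment_txid}
        if rivals:
            conflicts[outpoint] = rivals
    if conflicts:
        return "conflict", conflicts
    if len(seen_by) < quorum:
        return "unseen", sorted(seen_by)
    return "no-conflict-seen", sorted(seen_by)

if __name__ == "__main__":
    for txid in ("pay1", "pay2"):
        print(txid, assess(txid, NODE_VIEWS, quorum=3))
```
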
full member
Activity: 224
Merit: 100
No, BIP 70 doesn't solve the problem of double spending.  That is the point of confirmations.   How many confirmations you should wait for will depend on exactly what you are selling, what it is worth, how likely someone is to try and steal it.

Even 1 confirmation is relatively difficult to reverse and will require significant computing power at significant cost.  If that is sufficient for your service will depend on what the service is.  Is 1 confirmation good enough for selling a digital game service which you can revoke later if needed? Yeah and 0 confirms is probably good enough as well.   Is 1 confirm good enough for a service which sends a bank wire of up to $10M instantly to any bank in the world?  No, not even close.

Nice One D&T!

Our model is based on rapid service to our end users, so efficient validation is a must!

We may write some Permissions/Limits for larger transactions.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
BIP70 is talking about:

Quote
Resistance from man-in-the-middle attacks that replace a merchant's bitcoin address with an attacker's address before a transaction is authorized with a hardware wallet

(This is not the same as a double spend.)

How would 0 confirmations negate the double spending problem?  
It's just the opposite -- the more confirmations you have, the
harder it is to double spend.  

The only way I can see around that is using a trusted third party
like Coinbase that can provide instant confirmation.

However, in most point-of-sale applications, you wouldn't need
confirmations, because most people aren't going to double spend.

Just like you could write a bad check, or shoplift, you can try
to cheat the system (but most people don't for fear of going to jail).

In a more expensive transaction, you wait for confirmations just
like you would wait for a check to clear.
sr. member
Activity: 434
Merit: 263
If your sale is worth less than the current block reward, current thinking is that it would not be worth the effort to maliciously double spend. An accidental double spend is another matter though, although you’d have to be bloody quick!

I've read up on this today for another project, I'll see if I can dig it up for you.
full member
Activity: 224
Merit: 100
Hi,

From what I know on this (very little) by the first confirm the opportunity for double spending has already passed.

I see, thanks mate - wondering if Double Spending problem can be negated with 0 Confirmations?
donator
Activity: 1218
Merit: 1079
Gerald Davis
No, BIP 70 doesn't solve the problem of double spending.  That is the point of confirmations.   How many confirmations you should wait for will depend on exactly what you are selling, what it is worth, how likely someone is to try and steal it.

Even 1 confirmation will require significant computing power at significant cost to reverse.  If that is sufficient for your service will depend on what the service is and how valuable a reversal would be.   Is 1-confirm sufficient for selling a digital game service which you can revoke later if needed? Yes and 0 confirms is probably good enough as well.   Is 1-confirm sufficient for a service that converts BTC to USD and instantly sends it to any bank in the world? No, not even close.
sr. member
Activity: 434
Merit: 263
Hi,

From what I know on this (very little) by the first confirm the opportunity for double spending has already passed.
full member
Activity: 224
Merit: 100
What's the fastest/secure/best practice for new BTC enterprises?

Hi,

I am currently developing a BTC online service which ideally will trigger our implementation upon receiving 0-1st Confirmation.

Interviewed several software engineers this week, one engineer brought up a point regarding Double Spending - Is there a secure way to validate a BTC transfer without waiting for xConfirmations?

Eg. Does using the BIP 70 protocol solve this?

Any suggestions from the Bitcointalk Braintrust would be greatly appreciated.

RH






Sorry if I've posted in wrong section.

https://bitcointalksearch.org/topic/confirmations-double-spending-solutions-622376