Topic: Doubt about double spending (Read 441 times)

Maybe that's why. If casinos charge a sufficiently high withdrawal fee, then it incentivizes people not withdraw smaller amounts, but rather to leave them on the platform until they have a larger amount to withdraw. Any coins which are already on a platform are far easier to impulsively gamble with, and therefore generate more profit for the casino. This will be especially true if someone is now aiming for some target number to make their withdrawal amount sufficiently large enough to justify the withdrawal fee.

The biggest issue with LN and gambling that I see right now is that the amounts that can be transacted aren't huge. Many channels just don't yet have the capacity to allow for $1,000 deposits or larger, even though payments can and are split up and sent via multiple routes. I already had issues sending funds from one wallet to another that were much smaller.
The casino could solve this though by creating a very well connected node that has big channels towards especially wallet App providers like Breez, BlueWallet and similar, which is what most newcomers usually use.

This is the risk assessment that I talked about, although it is best if businesses run their own node and implement their own assessment system rather than relying on a third party.

I'm very surprised that the gambling sites haven't yet widely implemented Lightning Network. It solves the two problems that are being talked about here.
- The casino doesn't have to worry about double spends anymore
- They can credit user's account right away without having to wait for confirmation, do risk assessment, etc.
- The user doesn't have to wait for confirmation and can gamble faster (better for the casino if they do it fast and lose more money)
- The user also doesn't have to leave their coins with a third party (their account balance) they can only deposit what they want to gamble and withdraw any extra funds right away with very low fee. All with "lightning" speed.

That is correct, but having any identity is better than relying on addresses that can be generated on the fly with no links to anyone whatsoever. It provides a reasonable deterrence against fraud.
The double spend prediction can determine the ease of double spending, as those are the factors that determines if miners are likely to confirm the transaction or not. It doesn't provide an absolute prevention of double spends, as there are many other possible ways to execute one without triggering the heuristics. They are practically useless if the adversary is well-versed in the subject and have a reasonable amount of resources; for example as blockcypher cannot possibly predict the preference of miners, it doesn't provide an accurate depiction of the types of transactions that miners would prefer.

Another scenario I can imagine would be if the mempool surges suddenly, which has actually happened ever so often, certain transactions can get evicted and it makes double spending them quite trivial. Sure, it is something that we've relied on in the past but it doesn't really apply anymore. Casinos or merchants are less willing to suffer losses due to the occasional double spending, especially with something like LN in play. The problem with this is that, we have to assume that the transaction doesn't have opt-in RBF enabled, which isn't great for the user; their transaction can get stuck during bouts of high fees. I would rather users wait for a confirmation than having them to wait for days to get their transaction confirmed.

I agree with you but KYC can be bypassed with fake documents.. am trying to base those checks more on the casino scenario. In regards to addresses not linked to identity I think you misunderstood my point, Alice has an account at platform (A). Alice uses another address (B) with balance to deposit into the platform receive address (C) generated specifically for Alice’s account. Address (B) can be checked for double spend risk, some tx explorers provide that.

Here from Blockcypher website:

“ Zero Confirmations and Double Spending
To help you deal with zero confirmation (aka unconfirmed) transactions and the risk of double spending, we provide 2 additional transaction properties:

receive_count: the number of nodes in the bitcoin network we've received that transaction from so far, indicates how many nodes, at the minimum, accepted this transaction.
confidence: the percentage chance (between 0 and 1) that a transaction will make it into a block over time, which accounts for double-spend or transaction loss. Note that it doesn't indicate how fast the confirmation will happen.
preference: level of preference miners will have to include this transaction in their block, a high preference means the transaction is very likely to be confirmed in the next block, a low preference means it's likely to take several blocks (>6).
The confidence is calculated based on elapsed time as well as the receive count and is based on several public research results. As BlockCypher pools resources for many users, we're always connected to a statistically significant number of nodes on the network (and offer connections in return). While maintaining those connections, we can also assess whether a given node has received a particular transaction. By monitoring the propagation of transactions across the network, we can calculate its probability to be the "winning" transaction at any given point in time, if a double-spend was attempted.

In addition, 2 other properties indicate when a double-spend has been detected:

double_spend: a boolean indicating whether this transaction is a double spend.
double_spend_tx: the hash of the other transaction involved in the double spend attempt.”

Requiring a certain KYC level would probably be more ideal, if they are an exchange.
Addresses are not linked to identity and each address should ideally only be used once. Implementing a check on the addresses themselves wouldn't really be effective. Double spends are not recorded on the blockchain and many a times, they are a result of poor propagation, for which your nodes may or may not see the double spend at all.

Talking from developing an exchange side, 3 or greater is considered secure, but if the user did deposit previously on few occasions with no issues then that can be dropped to 2 confirmations and later after certain deposits number it can be dropped to 1 network confirmation. But with Casinos not sure what they have specified in their codes. Also adding to that in what am working on I have specified a double spend check as well on the address where the deposit is coming from, there are many checks you can put in code to make sure before crediting the users in DB but definitely at least 1 confirmation is required.

A bad 0 confirmations scenario is this:

Alice deposits 1 BTC into a casino, gets immediately credited for the balance in DB, plays some casino online games at that platform with Bob. Alice loses and bob wins. Platform never receives confirmation on Alice’s tx. The platform is forced now to pay Bob for the win from their own pocket instead of Alice’s funds. So I doubt Casino’s can maintain operation with that kind of strategy, sustainability is at risk here in this business model.

It only involves one person if one person is playing against himself, in the Casino, as far as I know, you are either playing against other gamblers or the dealer of the Casino, if you are playing against other people and the Casino is only collecting fees, then the Casino is responsible for guaranteeing payment to those who win. So if someone loses and double-spend that money, the Casino will have to cover that loss.

In the event of playing directly against the dealer, the Casino is actually the other person, the dealer is counting on the odds which favor them by a small percentage which depends on the exact game.

If 100 people play an online game on which the Casino has an edge of 1%, each with 1 BTC, on average 50.5 people will lose, 49.5 will win, the Casino will make 1 BTC, if a single person double-spends a losing game the odds shift against the Casino and they are guaranteed a loss, the loss will be in their trial balance, no matter how you look at it, it is a direct loss.



Only if the person did not play any games using that double-spent amount, the moment they do, they have already created an impact on the win/loss ratio of the Casino.

I don't think that example is actually a good one. Exchanges need at least 2 people in order to do trades, whereas this particular case we've been discussing (which now brings up the question of whether this should be continued in gambling discussion) only involves one person.

I may be wrong about this, but I still see making a double spending and not doing a deposit as the exact same thing. Does it affect the overall casino economy? Well, that's for sure; but not the point here...

Really? I don't know how Casinos actually work but losing profit is actually a loss, value isn't being created out of thin air.

Replace the Casino example with an exchange.

Bitcoin price = $1000

I deposit 1 BTC, the market crashes, and I sell it for 100 USD right before the market shoots back to $1000, I then go and double-pend that 1 BTC, the exchange will freeze that remaining $100 but that does not solve their problem, the person who bought my 1 BTC will want to withdraw it, in this case, the exchange lost 0.9BTC which they need to pay to whoever the person that bought my "imaginary" 1 BTC which was never actually confirmed in the exchange's wallet.

Also for a Casino, the double-spent amount is a loss they have to bear, the inner working of any casino or any organization for that matter does not matter, when someone double-spends something, someone else loses it, unless that someone lives in a vacuum.

Besides waiting for confirmations to assure that the casino's don't get burned by double spends, could actually be argued to be a good thing, because it somewhat protects against users falling prey to their gambling addictions due to grace period created by waiting for those confirmations, since most gamblers will act upon impulse, and end up spending more due to being in the heat of the moment.

At the moment, double spend attacks are somewhat rare due to the fact that most companies or people accepting Bitcoin regularly wait for the confirmations, however if this wasn't the case, and more people were willing to accept Bitcoin without waiting for confirmations, double spend attacks would become more frequent. I don't see a near future where users won't wait for confirmations.

Which casinos accept zero confirmation deposits today? I remember reading about a Russian scammer from several years ago that did a number of things to trick casinos into accepting his unconfirmed transaction, would make a single high probability bet, would see that his deposit transaction confirms if the bet wins, and double spends the deposit transaction if his bet loses. IIRC, at one point he used non-standard transactions that miners would not confirm by default but was able to get miners to confirm by his request, and at another point would use a chain of unconfirmed transactions, whose total fee was too low for miners to confirm under normal circumstances, but was able to get one to confirm his transactions upon his request.

Say, for example, a gambler deposits coin to a casino, places a bet that has a 95% chance of winning. If he wins, he receives 104.21% of his bet, allows his transaction to confirm, and withdraws his entire balance. He repeats this process an additional 18 times while placing the same bet amount each time. He has received a total of 79.99% of his bet amount from the casino, plus his original bet amount. On the 20th time the gambler does this procedure, the casino informs the gambler that he lost his bet, so the gambler double spends his deposit transaction. The casino has paid out ~80% of what the gambler bet on a bet that wins 95% of the time. The casino should have won the 20th bet but did not actually receive the coin from that bet. If the casino were to sum the 20 bets the player made, it expected to receive 20% of the player's bet amount, but instead paid out a total of 80% of the player's bet amount, while the player won the expected number of bets.

To put the above in more technical terms, when a casino sets the HE at, say 1%, it will set the odds and payout so that the EV of each bet a player makes is 1% of the bet amount. In order for each bet to have this EV value, each bet placed must involve value being transferred to the winning party according to the odds and payout multiplier.

The casino will lose money in the long term.
In any casino, some people win and some people lose. The casino get money from losers and give it to winners.
If a significant number of losers cheat the casino with double-spending, the money that casino must pay to winners will be bigger than the money they get from losers and the casino lose money.

Assuming all losers cheat the casino with invalidating their deposits, it would be like that all gamblers win money and there is no loser.

It will still not lose, since it'd be as if the double spent ones had never happened. They do stop winning, but never lose

Assume that 10 people have deposited bitcoin into a casino. All deposits have been credited before confirmation.
All 10 people start to gamble after their deposit were credited. 5 of them lose and 5 of them win.
The losers double-spend the UTXOs deposited into the casino. The winners wait for their transaction to be confirmed and withdraw all their balance.
This is how the casino lose money.

If the casino allows you to receive the virtual credits before your transaction becomes confirmed, it is possible to cheat the system and end up with more money than you had before.

If they sent you their virtual credits before you officially transacted with them, you could play bunch of games, double them and then withdraw your funds before the first transaction's confirmation. Once their withdrawal transaction had at least 1 confirmation, you could double spend the first one.

It's all about the casino's terms of use. It should not allow you to withdraw anything as long as there are unconfirmed transactions related with you.

I fail to see how the house edge get reduced, even if it was not the topic here.

HE is only a %, and no matter what happens only the casino can change it. If a user deposit gets credited with 0 confirmation, lost and then double spent; the casino has at most only lost virtual credit, and some electricity/resources. They will stop earning those $$ from the deposit, but they will not lose money

And if enough people do this to effectively lower the house edge, then the casino can just stop accepting zero confirmation deposits. The fact that a lot of casinos still accept zero confirmation deposits is evidence that very few people try to scam in this manner.

Thats fair enough.

I think you know it is trivial to change your IP address. Unless the casino is requiring KYC prior to playing, it is also trivial to create a new account. You can use a mixer to hide blockchain evidence you have played at the casino previously.

If a gambler is allowed to gamble their deposit, and their deposit never confirms, if the gambler had a net losing bet, the house edge will effectively have been lowered, possibly to something below zero. A negative house edge is going to result in the casino losing money over the long run.

A deposit not confirming that was allowed to be gambled, will pretty much always mean the customer took some action to intentionally prevent the deposit from confirming. This will pretty much always be because the customer's balance is less than the deposit amount (they lost money gambling). A customer will generally have no reason to prevent a deposit from confirming if he is a net winner in his wagers.

I don't know how the casinos work but when you make the deposit they update their database, the parties can accept payments that have zero confirmations (in the case of bitcoin) and then delay the withdrawals until they are sure the user made the deposit.

In Bitcoin, coin is either with the sender or the receiver, there are no third parties.

They can also grant this feature for VIP accounts or those that have completed certain conditions. In the end, if you trust the other party, waiting for confirmations is meaningless.


Note that the Bitcoin network is almost the only one that you can trust with one confirmation, some blockchains even need more than 16 confirmations for that.