Topic: How easy would it be to fake transactions? (Read 429 times)

Centralized exchanges do all kinds of illegal stuff with no oversight and very little in the way of repercussions. They definitely have a history of running fractional reserve systems and using users' funds for their own profits without the knowledge or consent of the users in question. For example: https://cointelegraph.com/news/two-chinese-exchanges-help-themselves-to-user-funds

It's all relative. One confirmation is plenty for small value transactions, since the cost of the attacks we have discussed above will be significantly more than what an attacker will gain by double spending such a transaction. Different numbers of confirmations are appropriate in different situations.

Interesting discussion and a great source of information for anyone who wants to learn different ways to cheat the system (aka other people, services, and merchants). Sticking to one of the oldest rules in the Bitcoin book still does wonders. Don't release goods before the transaction has received multiple confirmations. Since there is doubt that 1 confirmation is enough, wait for 2, 3, 6, etc.   

Without a doubt you can't trust the bank(s) but this really would be a one shot thing if they scammed.
They could bank "A" could fake something and show banks "B" "C" "D" and "E" that they don't really have.
But, after that they would not be trusted. Other banks would still be able to do business with them, but if they get scammed again well that would be on them.

It's never going to be a perfect system for everyone involved. Too many people on this planet with too many different views of money and what they want to do with it.
Looking at things a lot a different ways, even those that are "contrary to what BTC is" will only help to hash out other ideas.

-Dave

Yes, but the demand of those clients for new loans will affect you one way or another; it'll debase bitcoin's market value as it does with national, fiat currencies. I recently saw Coinbase for another time as a payment method, which is horrible. People still prefer handing out their coins to individuals.

I won't be impressed if I ever see a, say, Binance implement such system. Don't they already allow loaning? What's that WBTC you're talking about?

But, this is how the economy works. Money should circulate. When they convince their clients to use an IOU instead of bitcoin is when the real shit starts taking off. I don't cross my arms, but it's illegal to run such system if you haven't announced it at least; these exchanges definitely haven't. No? (reserve site:binance.com)

Of course. We seem to be conflating different kinds of attacks here. I initially spoke about Race attacks and Finney attacks, but we seem to have moved on to discussing chain reorganization and 51% attacks. All are quite different and have different costs, risks, and prevention strategies.

It doesn't even require some fake token or centralized scam chain, though. Any time you deposit your bitcoin to a third party, you run the risk that they are being lent out, invested, spent, etc., without your knowledge and the third party in question is running a fractional reserve system. Centralized exchanges have been caught doing this before, even without the token nonsense.

Wouldn't they need that 100BTC to create the channels? That means they don't have to prove ownership, just opening channels is all the proof needed.

That's not really how odds work. Sure you can lose with gambling, but say you go all-in at "double or nothing". The chance to win is slightly less than 50%. Let's say the chance of a successful double spend is slightly more than 50%. And let's round everything to 50% for convenience. That leaves:
50% chance you win with gambling, and get a 200% return.
25% chance you lose with gambling, succeed at double spending, and get a 100% return.
25% chance you lose with gambling, fail at double spending, and get nothing.
On average, you win 25% at each attempt.

Reorganising the Bitcoin blockchain is a whole different level than just doing a double spend.

Interesting thought. On a protocol level, I'd say Bitcoin is okay in this scenario. As a Bitcoin user, you can still get on-chain confirmations whether or not a banker tells his clients the sats in their bank account are real. Isn't that similar to what Binance is trying already, when they convinced people to accept 258,940.01 counterfeit Bitcoins?

If bitcoin became the standard for everyday transactions, but in a fractional reserve lending way, it'd have essentially failed as a project and I'd most probably stop using it. Remember;

What would be the point of bitcoin if the bankers could inflate it this way? None. Bitcoin distinguishes from the other electronic payment methods when it comes to trust. How would you convince a person to use it if you didn't add this feature as an argument?

Besides, who said the masses are ever going to use it? It sounds a sci-fi scenario to me.

Yeah. As stompix says, you don't want to use a scenario where if your attack fails you could lose all your money. Instead you want a scenario where if your attack fails, you are left with what you started with. A better approach would be to find a large enough exchange which requires 1-3 confirmations for a bitcoin deposit, and make a large deposit. While you are waiting for it confirm, you are secretly mining your own chain which includes a transaction which double spends that deposit back to your own address. As soon as you can, you immediately withdraw your coins, and then also mine the withdrawal transaction in to your own secret chain. Once you've done all this, and provided your chain is longer than the main chain, you broadcast the whole thing at once, forcing the network to move to a chain which double spends your deposit transaction but also accepts your withdrawal transaction. Congratulations, you've just doubled your bitcoin.

It is essentially a 51% attack but without 51% of the hashrate, so there is always the chance you will fail and you need large amounts of luck. It is also an incredibly costly attack and you would still need a huge amount of hash power to have a reasonable chance of pulling it off, as well as an exchange which would process such a large withdrawal immediately with no delay and no further checks.

In terms of using this attack to steal back the payment you made for some goods and services, then it is a complete non-starter for 99% of situations since a miner with such a huge amount of hash power would almost always make more money simply by mining honestly.

Drifting even more from the original post but makes you wonder if a 'proof of cold storage' protocol thing would be good.
Bank "A" signs something that says they have 100BTC
They can then open 10 x 10BTC lightning channels to 10 other financial institutions without having to expose that BTC to 'the real world' until it's time to close them.

Without a lot of programming & security I can see it being a nightmare for abuse. BUT I can also see it making the risk assessment that much easier. They don't have to worry as much about hacks if their money is sitting in a 3 of 5 multisig wallet and only gets touched / balanced at the end of the week (or whatever)

I'm sure there are a ton of reasons why it can't work but it's a thought.

-Dave

I meant a 100x increase in number of people and channels opened per person. Say a billion people who each make a few transactions per month.
I think custodial payments will be much more likely though, people are used to it on exchanges, and they're used to it from their bank. If my bank starts offering Bitcoin transactions that are accepted in all shops, I wouldn't mind trusting them for it, just like I now "trust" them (thanks tot he €100k government guarantee per account of course, without that I wouldn't trust a banker at all).
A much larger worry comes when they start their fractional reserve Bitcoin banking. One could argue would be fake transactions.

Bcash is a shitcoin not because it increased the block size but because it did it without any support and is essentially centralized. In fact most of the block size increase proposals were rejected because they were centralizing the system (eg. dynamic block size where miners decided its size, or a big block increase when we didn't need that much increase).

But we have already increased the bitcoin block size back in 2017 by a potential factor of 4 which in practice was a 1.5-1.7x increase. We've also followed that up with using the space more efficiently with the new change in 2021 which effectively increases capacity without increasing the block size.
These efforts are enough for the time being but eventually (maybe in a decade) there needs to be another significant change that would increase the size enough to satisfy the usage that includes second layer.

The later. I don't think the adoption is being affected by blockspace. There are dozens of more important reasons why it is slow such as the volatility, FUD, being a new and "scary" technology,...
Even your example of the high fees was only a short term problem that didn't last past early 2018.

You are overestimating the increase. Bitcoin network has been processing between 200k and 400k transactions per day. That means the capacity is currently at about 150 million transactions annually (only 100 million of it is was used in the past 365 days).
With more payment aggregation from big services and usage of new technologies (eg. using Taproot instead of legacy multisig) this can increase to 250 million. All with the current capacity without any protocol change.
To cover 100 million people opening and closing a couple of channels per year we won't need a 100x increase. Besides, with a hard fork the efficiency of the space that is being used will increase by a lot. With simple basic changes in such hard fork without changing the current potential 4 MB size we could increase it to 400 million tx/year.

Is the adoption slow because of the lack of blockspace, or is blockspace not a problem because of the slow adoption? At the end of 2017 when I paid $25 for a small transaction (one input and one output), Bitcoin was impossible to use for normal payments. At that point I didn't care how, as long as something would be done about it. Bigger blocks or LN, as a Bitcoin user I didn't care.
However, if we're talking about 100 million people who open and close several channels per year, and then imagine increasing 100 fold from there, we'll end up with GB blocks, and that's undesirable because it kills decentralization. As much as I'd like to see more blockspace for an increase in transaction numbers, it doesn't scale well to reach mass adoption.

But wasn't it in 2016-17 that there was already the blocksize war, resulting in the (unsuccessful) shitcoin cash hard fork? I think you don't have a new shitcoin cash in mind as a solution to the problem, and I would like to hear your idea.

I don't know if this is going a bit off topic in this thread but it is a thread I created, after all.

Well this is why I have talked about increasing the block size in the past. So far we are OK since the adoption is not that fast to get 100 million people into bitcoin in a year and those who are adopting bitcoin aren't all using it for payment. By the time we get to that situation (probably in another decade) we must have a hard fork.

And if you lose and you fail at invalidating the chain? 
Not only do you have a gambling situation on getting the blocks now you add more with the gambling itself, it would be better to try a trifecta at the Grand National, at least you risk 1$ and you might get well over 10k, and I still think the odds are better. Not even mentioning if the casino is 1xbit....

It's even easier: if a casino allows zero-confirmation deposits, you can simply go all in. If you win, you wait for confirmations and withdraw your funds. If you lose, you invalidate the deposit by double spending.

The main problem with this is that there is almost no business that would release your goods worth hundreds of thousands of dollars 30 minutes after the confirmation and have no way of tracking you back when they observe what happened. As DaveF mentioned, if you go buy a Lambo there is no way 30 minutes after the confirmation you've got your keys and you can afterward hide yourself and the car forever, casinos won't let you withdraw large sums after such a short time and so on, and speaking of Lambos, the block reward stands above 300k, just screwing your chances at one extra legit block negates the prices of almost all models of cars.

To do such a thing with a slim chance of keeping your identity hidden I see only a possibility that would make some sense, if you find an exchange with enough volume to matter and one that would let you use your funds after one confirmation and use a ton of BTC from multiple accounts to pump some shitcoin or to dump the price temporarily in one go, enough to cover some huge million bets put on some other platforms.
Furthermore, this attack would allow you to try it numerous times, since if you make the transaction invalid you just withdraw the money back to your wallets and try again next time, with the lambos you might end buying 10 000k of them before you manage to grab one for free.
But the consequences of this price manipulation went it comes to light might erase all your gains.


Or you make really good coffee  

I doubt it: LN still requires on-chain transactions for opening and closing channels, and that still depends on on-chain block space. It would be impossible for (say) 100 million people to each open a few LN channels next year. That leaves custodial (LN) wallets as a solution, and for small amounts I'm okay with that additional risk.

Let's just say that there is a good chance that the person paying for coffee with cash is handing you a fake bill than there is a chance of that kind of attack happening on bitcoin transaction.

The biggest problem for bitcoin as a currency is still its volatile price in my opinion, since it encourages "investment" rather than spending. Otherwise we have LN that solves the scalability well enough.

So it's not very likely that that kind of transaction would be made by someone who comes to my coffee shop to pay me for coffee, unless they're not sane or something like that.

These questions had come to my mind because of the issue of day to day payments and, although LN is better, I see that it would not be so difficult to accept small payments via blockchain, without waiting for confirmation or waiting for just one, because with cash and cards there is also the risk of being scammed and not for that reason coffee shops stop accepting them.

I guess a bigger problem for Bitcoin to be used for day-to-day payments would be scalability.

The problem with the above attack is that it's just not worth it.
It really would have to be an epic one and done kind of thing, since after that payment processors and the rest of the internet are gong to know that miner is doing something funky.
And what are they really going to get out of it.

It's the equivalent of doing a "Mission Impossible" getting into the server room to steal a bag of chocolate. And then never to be trusted again.

And if it's real durable goods, say you got your Lambo and got out of the dealership before they figured out what happened. You are going to do what when the lawyers show up at your house asking for money?

It's all theory, but no more theory then me getting onto the roof of a WalMart store so I can get into their IT room to install my own router so when I go back in and run my credit card to buy my PS5 it just gives and approval instead of really running my card. I would be better off just grabbing the Cisco 8300-2N2S-4T2X router out of the server room and running out the door with it.

-Dave

Yes, absolutely. As I said in my first reply, this attack would be even less likely than a Race attack, which is already going to be incredibly rare. It may have been a feasible attack when the block reward (plus fees) was worth only a handful of dollars, but now it is far more profitable for the miner to just mine honestly.

The caveat to this is if the miner has a significant proportion of the hashrate and has a non-negligible chance of being able to mine a longer chain than honest miners when they both start from a given point. I broadcast a transaction which pays the merchant, while at the same time mining in secret a different transaction which double spends those coins back to myself. Once I find a block, I continue to mine more blocks in secret which build on my dishonest block. After the main chain has (for example) 3 confirmations, and the merchant delivers my goods, I then release my dishonest chain which has 4 blocks, and everyone swaps to my longer chain, invalidating the initial transaction to the merchant.

That's a very risky game to play as a miner! Let's assume a mining reward of 6.5BTC (including transaction fees), and 10 minutes per block. That means that every second you wait before you broadcast it, you lose about $500 (I took some shortcuts in the math to make a point). Maybe it's better to say there's a 1% chance of losing $300,000 for every 6 seconds it takes before you broadcast the transaction.
So for a small amount, it's not worth it. And for any substantial amount, the receiver will wait for more than one confirmation, so this won't be a problem either.

Exactly. I create, sign, and mine the double spend transaction in secret and include it in my own block, while publicly broadcasting the other transaction which sends the coins to the merchant. Other nodes will only discover that the transaction in their mempool was a double spend after it is too late, when they receive and validate my block and see the competing transaction, which will immediately have 1 confirmation.

It's the first time I've heard of such attack.
That pre-mined block can't really increase the chance of the success of the attacker very much. Am I right?

Let's say I have control over addresses A and B and I am a miner.
I make a transaction from address A to address B in transaction A and include it in a block. I don't broadcast that block.
Now, I double-spend same UTXO(s) from address A to address C in transaction B and broadcast it.

Although the block including transaction A hasn't been broadcast yet, it's still very unlikely that the transaction B can enter the mempool of the node address C owner is connected to. Because the transaction B has been broadcast later than transaction A.


Edit:
I should keep the transaction A in my own mempool and don't broadcast that before broadcasting the block including that. Right?
In this way, other nodes won't flag transaction B as a double-spend attack and it can enter their mempool.

Years ago I saw a scam in which Blockchain.info's block explorer showed transactions as real, but they weren't in any other block explorers and they never confirmed. I don't know how it was done, and clearly it's one of the many bugs that site has, but it made it much easier to trick people.

Anyone who accepts zero-confirmation transactions should at least check if all inputs are confirmed.

From what I know, usually payment processors accept 0-confirmation transactions as done only if they don't have RBF flag on.
The problem I see is that a malicious customer may already send you unconfirmed input. And even if the fee in your direction is just fine, the unconfirmed parent has a very low fee and has a good chance to get double spent. And when the parent is double spent, the children will become invalid. Of course, the malicious customer has to find the right balance so he doesn't do CPFP by mistake, but that can be done. I think that I've seen that when the network was congested.

There is one widely used scheme but it's not using a fake transaction (can be used in that "every day spending" scenario).
It's done by utilizing "replace-by-fee" flag which makes a transaction replaceable as long as it's not included in the blockchain yet (0 confirmation).
However, such transactions can be easily identified so merchants that accept 0-confirmation txns (eg. some Casinos) don't grant the "instant deposit" benefit if it has an 'rbf' flag.

It goes like this: The transmitted "unconfirmed" rbf flagged transaction will be seen by most clients and the victim,
but when the scammer received what he paid for and wants to "cancel" it, he just have to send another transaction transaction that spends the same input(s) and replace the output with his own address. That essentially boots out the old transaction from most mempools.
Bitcoin Core with default setting are setup to replace the older transaction with rbf flag as long as the new transaction follow some specific rules.

BIP-0125: https://github.com/bitcoin/bips/blob/master/bip-0125.mediawiki#Implementation_Details

You cannot fake a transaction, because every node checks for it's validity. You cannot spend something that doesn't exist or if the signature isn't valid. The only exception being some sort of design flaw which inadvertently causes the node to pass some checks even if it is not supposed to. That would be incredibly rare to say the least, because it isn't that difficult to check for the few simple criteria.

Merchants calculate certain risks that they are able to bear. Be it through the percentage of revenue that they're making or frauds that would happen with other payment methods.
On top of that, merchants evaluates the risk of every transaction, how likely is it for someone to double spend the transactions and what they'll otherwise gain. If the risk is acceptable, then there is nothing wrong with accepting zero-conf transaction.

Of course, LN is practically instantaneous and many merchants have switched to that.

So it's about accepting zero-confirmation transactions.
This has always been a known risk, and there is no way you can completely and successfully prevent it 100% when accepting them and letting your client leave with the merchandise or releasing funds before at least one confirmation.

As for how likely it is, I doubt somebody would do this for a coffee and I doubt any of your regulars would do it, in this era every shop has cameras, the tx will be recorded you will know who tried to cheat you on it, you can ban him from the store and what have you lost...a coffee. What has he gained? One coffee! It would be ridiculous to even try this shit as the cost he will have to pay for the traction which renders the first null will probably be half of that or even more.

But accepting transactions worth thousands with a 1sat/b fee that is clearly marked as RBF from a stranger when the mempool is full is like holding a sign asking poeple to rob you.

Not very likely (assuming RBF is not enabled, of course).

Let's say I am a customer at your coffee shop. Such an attack is usually a Race attack, which would require me to broadcast a transaction paying for my coffee which you will see, while at the same time broadcasting a different transaction to the rest of the network which will double spend the coins which I am using to pay for my coffee back to myself. This requires me to have an intimate knowledge of how your bitcoin wallet is set up and which node or nodes you are connected to so I can broadcast the first transaction to nodes you are connected to so that is the one you will see, while the second transaction spreads through the rest of the network. Even then, there is also absolutely no guarantee this would work since both transactions are in the mempool and either could be confirmed. If your wallet is well connected, then almost certainly at least one of the nodes you are connected to will see both transactions and flag up that there is a double spend attempt happening.

There is also the even less likely Finney attack, where I am a miner and I have already mined but not broadcasted a block which includes a transaction sending some coins I control to another address I control. Instead of broadcasting this block, I instead go in to your coffee shop, buy a coffee, broadcast a transaction using those same coins to pay for my coffee, wait for you to hand over the coffee, and then broadcast my block which double spends those coins back to myself.

My technical knowledge is very basic but no, I wasn't thinking about that.

What I think is: suppose I have a coffee shop and I decide to accept bitcoin for coffee payments (let's leave aside LN), but I will accept the payment as good as soon as I see that the transaction is retransmitted to the blockchan. How likely is it that someone will slip me a transaction that won't be confirmed (and that doesn't have a very low fee, which I could check and reject the transaction based on that).

After seeing the answers that have been given to what the OP asks in this thread:

BTC as "every day" spending currency vs. 10 min Block Confirmation/Mining time

A couple of questions come to mind, which I thought it would be pertinent to ask in a separate thread.

The first one is how easy it is to create a fake transaction and transmit it to the whole blockchain without it being instantly detected as fake.

The second is: once we have a first confirmation of a transaction, how could it happen that the transaction is rejected by the rest of the miners? Would it mean that the first one is part of the scam if he validates that fake transaction or not necessarily? What would be the level of difficulty of doing this?

This comes to my mind because for day to day payments if the difficulty is high maybe some businesses could accept a transaction as soon as it is transmitted to the blockchain. There is a website where I have made several purchases and lately they show the payment as confirmed  as soon as they detect that the transaction is transmitted to the blockchain, without waiting for the first confirmation. Obviously they are small amounts but quite larger than the price of a coffee.