Topic: Is double spending easy to do? Burguer king accepting zero confirmation transact (Read 529 times)

It would only be worth replace scamming Burger King stores in that region if more people order from there on average (and only the BTC orders count) compared to other fast food chains.

Even then, it would also depend on how much of their revenue from orders are being stored in bitcoin in case the attackers specifically target Burger King's entire earnings and not just a few orders, and how much the orders cost. Attackers would not be willing to spend hundreds on hash power to mine as many blocks as there are confirmations just to steal the equivalent of $10 in BTC per order.


Instead of calling this particular attack a double spend or a 51% attack it ought to be called a diverted transaction attack. Double spending is what it was called in the 2008 white paper so that's what confused everyone. Virtually no article or website on the internet is calling this anything else besides double spending and that is part of the problem. The term is deceptive by nature.

I’m presenting a fact. These txs CAN be dropped if they get stuck for too long. This HAPPENED WITH ME. Nodes DO drop transactions. It is possible and this opens a window for users to “replace spam” the transaction and steal from Burker King’s processor. That’s the whole point of the discussion. People CAN steal BK and send the tx back to them.


Please quote me when I said you/we shouldn’t use 1 sat/byte transactions. I never did that.

The last major spam lasted days and even months w/ spam waves, not 2 days. This sounds like a very arbitrary number from you.

Good. You should as long as the mempool is empty and allows you that. Now, when you see a big congestion, you will see your tx won’t get confirmed in 24 hours. And this is a really big problem for BTC that WILL happen in the current state OR won’t let BTC go mainstream. Don’t go denial on that

You can keep pushing them, making them never really get dropped (dropped? Put it back). The whole point of the discussion is users seeing the BK tx getting dropped and not pushing it back, but spending somewhere else and stealing that.

The exchange Liquid does it as well. They credit their user's accounts for transactions with zero block confirmations. They claim that the deposits are credited within 10 seconds. If the mining fee is too low they require 1 confirmation. They are able to monitor the transactions as they propagate across the network and determine whether or not it will be confirmed successfully.

I guess it is not that uncommon.   
https://blog.liquid.com/fast-bitcoin-deposits-are-now-even-faster-on-liquid

anyone who has ever accepted 0-confirmation transactions have been doing a lot of risk assessment on those transactions then accepted them. it is not like they accept just about anything. RBF is one of the things that will be checked. basically they first connect to a large number of bitcoin nodes and whenever a transaction is received they check to see if it is propagated among all of those nodes and whether they have any conflicting tx (one way of double spending is race attack). then the fee comparison and how much lower or higher the fee is compared to high priority transactions. and more importantly checking the parent transactions (the inputs). the tx at hand may be paying a high fee but the input may not even be confirmed or have a high fee.
with this simple assessment the receiver could decide how much risk that transaction has and come up with a number using a simple formula automatically and when that number is lower than a threshold the system automatically accepts the payment.
there is a block explorer that does this too: https://dev.blockcypher.com/#confidence-factor

TryNinja, I get your point. Ok, You want to justify that we shouldn't use 1 sat byte fees, but we should use higher fees. I don't agree, but that's ok.

Your "possibilities" like a suddently BTC adoption that will make BTC become highly used by common people in a few hours, or that someone very rich like Jeff Besos is going to spam the network with 100sat/byte for months didn't convince me.

Those "peaks" of congestion are much more like an attack (when BCH was listed in coinbase for example and BCH were spamming the network) or very uncommon situations, and they don't last for more than like 2 days.

I will continue using 1 sat /byte fees as I always did, since 2017, and I am ok with that. I know someday one transaction my be dropped, although it is very unlikely and I have never seen it, and I have done at least 30 1sat/fee txs. (and if it get dropped, I will sent it again with 1 sat byte fee until accepted!)

---

This is certainly a very interesting case. So there are payment processors using 0 confirmation transactions.

I think that for small values there is certainly very few people who are willing to scam using this RBF process.
And it is possible to calculate a fee to compensate scammers: If 1% of all people do a successful double spend (RBF whatever the name) than you just charge 1% on fees. Burguer king is doing that somehow, but using 4% fees according to the journalist.


Translation: "Commission fee is a little more than 4% for all currencies with no exception..."

Yes... that’s the situation NOW. This in no way means 1 sat/byte transactions are drop-safe. What happens if suddenly someone starts spamming the mempool like they did some years ago? Or if China starts encouraging BTC usage and a big part of the population follows them? Possibilities.

You never saw a 1 sat/byte get dropped =/= no 1 sat/byte have ever been dropped. I have seen plenty and limiting facts to what you saw is wrong. Wasn’t you here when the mempool hit its ATH and you literally had 1-3 sat/byte stuck for days? You can’t deny that... it happened. It’s a fact.

I can literally spend million in 100+ sat/byte tx for weeks. Isn’t that possible and totally viable if I have the money to burn? How can you deny that and affirm 100 sat/byte tx will stop showing up? You don’t know that. And I personally had 1 sat/byte txs get stuck for days.

I had to research a little.. It was BitPay.
I've found some links somehow related to that too, but not 100% what I was expecting:
https://www.reddit.com/r/btc/comments/4p4ruo/bitpay_no_longer_accepting_zero_confirmations/
https://www.reddit.com/r/btc/comments/91rau3/0confirmation_payments_are_they_safe/e307f0m/
https://www.reddit.com/r/Bitcoin/comments/22pnwu/if_0confirm_transaction_are_not_safe_why_does/

Any attempt to double spend or replace scam would be attempted on something with far more value than it costs to attempt it with a chance of failure.

What that means is, no one is going to try it on Burger King for a single meal. If BK accepts coin for a party of 50 people, they'll ask you to pay before the party starts, which should give more than enough time for a confirmation on-chain.

Alternatively, BK can try also using LN. Those are all technicall zero confirmation but can't also easily attempt a double spend / replace tx.

please correct this lazy usage of the expression "double spending"


double spending is not possible in the Bitcoin protocol, you are referring to something else (abusing people who accept zero confirmation tx A by outspending the fees on tx A with tx B that includes the same inputs as tx A, but with a higher fee).

This technique should have a more appropriate name, "replace scam" or somesuch. If double spending was possible in Bitcoin, the outcome of this technique would be that both the sender and the receiver would  get the BTC from the outputs in tx A, and tx B would also be confirmed providing it was seen by the miner before tx A is mined. Also, the 21m supply limit would of course be circumventible, and rampant inflation would ensue

again, Bitcoin cannot be double spent

I expect that some were set up in the late 2017 to this kind of values and were never fixed.


About the 0-confirmation transaction, first thing I see is that the writer doesn't tell what wallet was he using. I've seen at least once a payment processor accepting 0-confirmation transactions, but only if those came for a certain custodian wallet.
If that's not the case, it may be that the payment processor took some risk simply to get onto this market and allow payments fast enough for a place like Burger King.

Isn't it pretty easy to figure out who the double spenders are if it's a meetup in a local pub? Also, what are generally the amounts concerned that make people (thieves) double spend in the pubs? If it concerns just a drink or two, then the double spenders must be pitiably cheap.

In current environment that's certainly viable. In fact, the block space used has actually gone down throughout the last months. In other words, it's going to get much easier for people to get their transaction confirmed with super low fees within an acceptable time frame.

Tether's move to other networks has freed up some block space and that translates into lower fees. Lightning gaining more use helps too.

However those 100 sat/byte tx will stop coming sooner or later, making room for 1 sat/byte tx. From my experience,  sooner than later.
I never saw a dropped Tx, I will take a look if I can find one.

I keep making 1 sat fee tx and they keep getting confirmed within a few hours. As I said, I made one last week during our price spikes. No issues ,8 hours to get 1 confirmation.

I think more people should do 1 sat/byte tx.
Most of those 100 sat/byte are probably done by exchanges and shitful wallets which don't let users control fees, artificially inflating fees to benefit miners... literally abusing newbies lack of knowledge.  But that's another discussion..

Only because the network isn’t extremely congested as TP said. The sad truth is that whenever we peak the mempool tx ATH, 1 sat/byte and even higher can be dropped and « refunded » to the origin wallet. Mainstream levels of usage would probably do that a lot.

This DID happen a lot since it’s how Bitcoin was made to work. If you have tons of 100 sat/byte+ tx, why would a miner pick your 1 sat/byte? If 100+ keep comming, they will keep getting priorized, never making room for your tx. Then, nodes will start to drop it.

That is the thing.  Nobody ever tried and I saw just speculations here.

I took a look on the web, I couldn't find any wallet which allow you to double spend.
I found a guide on electrum which allowed users to double spend  : but you need to recover your private key in a new wallet. Lots of work, a big guide. Take a look.

He is teaching how to make a RFB transaction (replace by fee)
https://steemit.com/bitcoin/@profitgenerator/tutorial-how-to-fix-unconfirmed-transactions


$1 is a lot. You can consolidate your inputs which have more than 0.30 for example.
If you use 1sat/byte fee your transaction will be very cheap, and it will get confirmed in a few hours .
I never a saw transactions being dropped, I believe this is much older than 2017 (probably a zero fee transaction,  which is not accepted anymore)

Since 2017 I am using 1sat/byte fee and I never saw more than 30hours to have a transaction confirmed. I made one transaction last week which took 8h to be confirmed.

For burguer king in this case it is very good for them because they are in Venezuela.  Their fiat is more volatile than bitcoin, so it is a win-win game for them.

Double spend isn't so hard, if you made a transaction with 1 sat fee it would take more time to get confirmation from blockchain. But if you want to double spent, you could make another transaction with high fees before got confirmation of your first transaction. I had not tried it but I believe some non-custodial wallet allow for double spent. Accept bitcoin with zero confirmation is high risky for receivers especially this kind of food store. After bought food from the shop buyer will left, so if that buyer try to double spent he could do it before get confirmation of previous transaction.

I have heard that issue on WixiPlay casino, and I believe some more casino even allow you playing with ZERO confirmation. But casino and shop is different. Casino could prevent your withdrawal if you double spent, but shop can't do anything after left buyer. This is back door for fraudsters, so at least one confirmation should require for such as food shop.

We have a regular Bitcoin meetup in one of our local pubs and they accept zero confirmations without any problems. The amount of payments they receive and the profits they make, cancel out the few double spends that occur, so it is not breaking the Bank for them to cut their losses on the odd double spend that might happen.  

The owner are also considering using the Lightning Network to get near instant transaction confirmations and this will avoid any problems with possible double spend issues. (The problem is the adoption of the Lightning Network is still very low and does not justify the move now.)

Any shop make provision for some losses, like theft or damages or spoiled products, so double spend issues could just be added. 

Don't forget the fact that it's a physical store with CCTV not available online, so no one in the right mind would double-spend a 5$ transaction just for a test.
Just try it an you'll find your face in a mugshot  

Their problem is the fee and purchase amount, did they have a minimum?
For the minimum allowed amount, if they are taking too much 1$ transactions, they will lose more bitcoins as a transaction fee for consolidating those satoshi.
It's better if they only accept Bitcoin for $5 and above transactions.
For the fee, there was a time that a 1sat/byte can take days to confirm or even drop after 2weeks,
that's a Dec 2017 thing, but still applicable today though.

I highly doubt that the 0.000001% of customers who use Bitcoin to buy a couple of hamburgers are going to exploit 0-conf in such a way that Burger King would go bankrupt

But there are lots of ways to make double-spending very uneconomical. Think about excluding certain transactions; only make transactions that are in the upper bound regarding fees p /vbyte qualify, etc.

See https://bitcointalksearch.org/topic/how-can-you-detect-a-risky-transaction-before-a-single-confirmation-5195367 if you're curious about more measures.

As The Pharmacist once said "the risk is on them" but due to a lot of false news posted by some article writers which reuter is even accused of, i wont believe in what was written in the article and the burger king does accept zero confirmation tx they also have some procedure they follow or they will be bankruptcy in no time.

If you do not accept RBF (Replace By Fee) transactions at the POS counter then double spending should not be a concern.
If- you do then it's a risk.
If you not at a retail / POS situation then it's no concern. If you order a laptop from me odds are I am going to have many confirmations before I get it in the hands of UPS  FedEx / whoever.

-Dave

Usually, websites that accepts bitcoin, wait for 3-6 confirmations. But Burguer king is accepting bitcoin with zero confirmation. I think they don't wait for confirmation because if they wait for a confirmation, it takes some time and it won't be convenient for customers. So, they have accepted the risk as they don't expect it to cause them a big loss. In other words, they have managed the risk. It's unlikely they don't know the risk. If some people try to cheat them, they won't continue to accept bitcoin or will wait for at least one confirmation in future.

About the possibility of double spending, I just know it's possible and that's not difficult. I haven't ever tried this.
Here is a guide on how to double spend bitcoin using Electrum. I don't know whether it really works or not.
How to double spend bitcoin using electrum

This doesn't happen any more.

I always use 1sat/byte fee (the minimum fee allowed) and I never saw any transaction go back. It will just take long confirmation times (never saw it takes more than 20hours  even when extremely congested.

Only one BurgerKing in Venezuela is accepting Bitcoin (as a test). Double spending is possible and not hard and they even mention using a RBF transaction to send the coins back to yourself. In all cases, the payment processor is accepting the risks and possibly countering the losses by putting some extra fees in it (the user from the tweet got charged way more than he should, but that was probably a mistake).

Maybe the win/loss ratio is good enough to let people not have to wait 10-30 minutes for a fast food mea.

Hi,

I don't think so, but we can at least say that it's less risky in-person..
Moreover it's more cumbersome to make a double spend that it's usually implied, and if people are going to Burger King because they don't want to bother cooking... There is a low probability they actually try to make a double spend for a 5 dollars worth transaction if it's not "for the fun" (not considering RBF though).

I've tried and succeeded on a low-hashrate shitcoin I created for a series of workshop I organised.

You need to target miners if you are trying to double spend a final transaction.
In the example I was talking about above I cheated because I was the owner of the only source of the hashrate so ... ^^

Not if the transaction is final, but they will accept a block containing the new one.

The block chain is shared across the nodes, everyone has the same. The mempool is not at all, so consensus decisions cannot be made out of it.
That said, that's already the behavior of bitcoin-core (for, once again, non final transactions). But another implementation allowing this wouldn't fail out of consensus.

At least as much as is mempool policy  

PS: If you're looking for a double spend on Bitcoin, iirc Peter Todd double spent some Reddit Gold some time ago. You could find some interesting stories.

It must be the payment processor that's allowing the zero-confirmation sale to proceed, so the risk is on them and I think it's crazy to do that.  If you sent bitcoin with a near-zero fee, there's a chance it could get sent back to the originating wallet if I'm not mistaken.  That happened to me at least once a couple of years ago when the network was extremely congested.

On the other hand, I don't see how paying for food at Burger King could work any other way.  It's not like they're going to make you sit there and wait for at least one confirmation before leaving the restaurant--hence the fundamental problem of paying for quick-service stuff with bitcoin.  Glad BK is accepting bitcoin (not in my country, though), but I hope they don't get ripped off in the process and thereby lose their enthusiasm for offering it as a payment method. 

If I've learned one thing in my time in crypto, it's that scammers are everywhere and if something can be abused, it will be.

I saw this article recently,  where the journalist shares his experience paying for a hamburger in burguer king and paying with bitcoin.

I found very interesting to see burguer king is accepting zero confirmation transactions.

https://es.cointelegraph.com/news/i-used-bitcoin-to-pay-for-a-burger-at-burger-king

I believe most of the people in the world are honest enough to not even try to double spend ( I may be naive,  but i prefer to live like this than to consider everyone is a thief)

Anyway, I was thinking how easy is it to do a double le spending in this case? Have anyone ever tried?
The transaction broadcast is almost instantaneous across all the network. Does broadcast time makes any difference? I believe most wallets won't let you double spend (never tried..)

My question is:
If you have a transaction which is already broadcasted across all full nodes mempool, if you send a other one with a higher fee, will nodes recognize it as a legit transaction?

If it is possible, isn't it a good idea to  create a BIP proposing to disallow to double spend of a transaction already in mempool? What would be the cons against that?

Newbie question  but I always thought zero confirmation transactions are interesting.