Because the money has no physical existence, a bad actor could duplicate a transaction when paying a merchant for goods while keeping the original coins.
Double-spending is one of the major concerns and vulnerabilities in the Blockchain, especially for the most popular cryptocurrency, Bitcoin. Bitcoin has been designed in such a way that a double-spending attack would require immense computational power and would still have a low probability of success. The ownership of Bitcoins is digitally verified by recording every transaction that has ever existed in the Blockchain.
In a centralized payment system (e.g., banks or PayPal), fraud can be reversed through human intervention. With Bitcoin, every transaction is irreversible once recorded in the ledger, and all the Bitcoin transaction verification processes (mining, PoW, difficulty) are in place to secure the network against such malicious activities while preserving its decentralized structure.
What are the types of double-spending attacks that can be performed?
In a double-spending attack, user A sends a payment to user B. While the transaction is still being broadcast across the network from node to node, before it is validated and recorded forever in the Blockchain’s history, user A performs another transaction that sends the same Bitcoins to another address that he owns. According to Bitcoin’s core rules, when two conflicting transactions occur, the Blockchain will include only the first one to achieve the majority of the network’s consensus. The transaction that is validated by 50 percent or more of the available nodes will be added to the Blockchain, a hard fork will be created, and the conflicting transaction will be rejected forever.
As miners are responsible for adding transactions to a block, a malicious miner could include a transaction in which he sends money to himself (without broadcasting the transaction). He could then use the same coins to pay a merchant and, after the goods were sent, broadcast the pre-mined block and send the Bitcoins back to himself.
Vector 76 Attack
Also known as a “one-confirmation attack,” this is a combination of the Race and Finney attacks. It can be performed by a miner who creates a transaction A but does not broadcast the block to the network. Instead, he waits until another block of the same height is created, then creates a new transaction B spending the same coins as A and broadcasts it to well-connected nodes. Transaction B has a higher probability of being included in the Blockchain than A, creating a hard fork and eventually returning the coins to the attacker.
Brute Force Attack
It can be performed by attackers with computational power (hash frequency). The attacker sends a payment to a merchant and, at the same time, tries to create a hard fork on the chain after the payment has reached the minimum number of required confirmations. If the attack fails, however, the payment will go through to the merchant.
Owning more than half of the total network hashrate would give a 100% chance of success in tampering with a transaction. As the majority’s consensus is required to confirm a transaction, it would be possible to spend the same Bitcoins twice by creating a hard fork that includes the double-spend transaction. The 51% attack’s probability is high, and this is the reason why mining pools have a limit on the number of miners they can accept.