For years, people only used paper notes, checks, and online transfers for transactions. But the advent of digital currency and fintech apps unleashed alternative payment methods, making transferring online funds more efficient and convenient.
However, relying on these virtual networks for money transfers presents new security issues. Unlike paper money, hackers may be able to copy and paste virtual files and use the same “e-cash” in their account multiple times, referred to as the “double spending problem.” Arguably the platforms most vulnerable to a double spending problem are decentralized cryptocurrency networks, as these don’t have any centralized institutions such as banks or governments approving online transfers.
Although double spending is a significant threat to digital assets, it’s less likely to impact cryptocurrencies with larger market caps, such as Bitcoin (BTC) and Ethereum (ETH). Learn more about what double spending is and how the technology behind cryptocurrencies can prevent these scary scenarios.
What Is the ‘Double Spending Problem’ in Digital Cash?
The double spending problem occurs when the same amount of currency is used to make more than one transaction. Before “e-cash” platforms emerged, double spending wasn’t a common concern in the financial world. That’s because using the same dollar to buy two items simultaneously is impossible. To double spend a dollar bill, a thief would need to spend their money, immediately steal it back from a merchant, and use it again to buy something else.
This fraudulent activity became a greater issue as more banks and fintech companies offered online cash transfers. Although the money on digital platforms represents physical currency, hackers can copy and paste this virtual data and spend it multiple times. “E-cash” sites need ways to monitor and record digital transactions to prevent malicious actors from manipulating digital payment data.
To address the double spending problem, online bank portals and fintech apps like PayPal rely on centralized organizations to verify transactions. As in traditional banking, central authorities such as financial institutions record every client’s “e-cash” transfer to ensure people don’t spend more than they actually have.
Conversely, cryptocurrencies use a decentralized community of computers called nodes to broadcast and verify transactions on peer-to-peer (P2P) payment networks. Since no centralized intermediaries confirm crypto transactions, these coins and tokens are more vulnerable to double spending attacks. There’s no way for an external third party to correct false crypto transaction data manually.
In the 2008 whitepaper “Bitcoin: A Peer-to-Peer Electronic Cash System,” the pseudonymous cryptographer Satoshi Nakamoto singled out the double spending problem as a significant hurdle to creating a trustworthy P2P payment system. Nakamoto also outlined blockchain technology to overcome double spending without deferring to centralized entities.
In Nakamoto’s blockchain system, computers compete to solve advanced algorithmic puzzles every 10 minutes to verify a new “block” of Bitcoin transactions. The computational power each PC uses to solve these puzzles serves as digital “proof” that it put in the necessary “work” to post legitimate BTC transfers. Nakamoto called this method a proof-of-work (PoW) consensus algorithm. Nodes on the Bitcoin network also need to confirm each transfer at least six times before posting it on a public payment ledger with a transparent timestamp. Since Nakamoto launched the Bitcoin protocol in 2009, there have been no reports of double spending BTC, and all other cryptocurrencies use blockchain technology to secure their networks.
What Is a Double Spending Attack?
Below are a few examples of how hackers can use double spending to engage in fraudulent activity:
51% attacks: These attacks occur when one entity controls more than 51% of a blockchain’s nodes. For example, on a PoW blockchain such as Bitcoin, a successful 51% attacker must take over more than 50% of Bitcoin’s computing power. In this case, the attackers could rewrite blocks of Bitcoin transaction data to reward BTC to themselves or spend coins more than once.
Race attack: A race attack attempts to confuse a blockchain’s nodes by quickly sending the same crypto to different wallet addresses. First, the attacker could send their crypto to one wallet, then send it to another they can access.
Finney attack: Named after the early Bitcoin adopter Hal Finney, a Finney attack happens when a node operator creates a block with a crypto transfer and uses the identical wallet listed in this block to send the same crypto amount to a different address. As the attacker submits the second cryptocurrency transaction on the blockchain, they broadcast the false data block to confuse the network and spend their crypto twice.
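The race attack above works only while two conflicting transactions are both unconfirmed. The following added example (not from the original article) is a simplified model of how a node rejects a second spend of the same coin; the `Tx` and `Node` classes, the outpoint name `coin-1:0`, and the sample transactions are constructed for illustration and are not any real client's API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple      # outpoints this transaction spends
    pays_to: str

class Node:
    """Simplified node: tracks on-chain unspent outputs and unconfirmed spends."""
    def __init__(self, unspent):
        self.unspent = set(unspent)   # outpoints still unspent on the chain
        self.mempool = {}             # outpoint -> txid of its unconfirmed spender

    def accept(self, tx):
        """Return (accepted, reason). The first spend seen wins; conflicts are rejected."""
        for op in tx.inputs:
            if op not in self.unspent:
                return False, f"{op} is unknown or already spent on-chain"
            if op in self.mempool:
                return False, f"{op} conflicts with unconfirmed {self.mempool[op]}"
        for op in tx.inputs:
            self.mempool[op] = tx.txid
        return True, "accepted"

    def confirm(self, tx):
        """Apply a mined transaction: its inputs are spent for good."""
        for op in tx.inputs:
            self.unspent.discard(op)
            self.mempool.pop(op, None)   # evicts any conflicting unconfirmed spend

def race_demo():
    # Constructed sample: two transactions spending the same outpoint.
    pay_merchant = Tx("tx-merchant", ("coin-1:0",), "merchant")
    pay_self = Tx("tx-self", ("coin-1:0",), "sender-second-wallet")
    node_a, node_b = Node({"coin-1:0"}), Node({"coin-1:0"})
    # The two nodes hear the transactions in opposite order.
    seen_a = [node_a.accept(pay_merchant)[0], node_a.accept(pay_self)[0]]
    seen_b = [node_b.accept(pay_self)[0], node_b.accept(pay_merchant)[0]]
    # A block containing pay_self is mined and both nodes apply it.
    for node in (node_a, node_b):
        node.confirm(pay_self)
    return seen_a, seen_b, node_a.accept(pay_merchant)

if __name__ == "__main__":
    print(race_demo())
```

Each node accepts only one of the two spends, but the nodes can disagree about which one until a block settles it, which is why a merchant should treat an unconfirmed payment as not yet final.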
How Does Proof-of-Work Prevent Double Spending?
Cryptocurrencies with a PoW algorithm require node operators called miners to complete complex math equations every few minutes to get the chance to post new transactions. Since these puzzles require so much computational power, hackers would need to spend billions of dollars on energy, equipment, and maintenance to take over 51% of a large network such as Bitcoin. The cost to launch a 51% attack often outweighs the potential ill-gotten profits, especially as blockchains grow larger and more decentralized, typically resulting in fewer scams.
On top of the computational power necessary to participate in PoW networks, the transactions on blockchains such as Bitcoin, Litecoin, and Dogecoin are transparent on public payment ledgers. Anyone can digitally review the transaction history of PoW cryptocurrencies going back to their first data block. Each transaction on PoW chains has identifiable markers, such as timestamps and transaction IDs. Plus, these blockchains won’t post a transaction on the main chain until enough nodes agree on the transaction history using the cryptocurrency’s consensus protocol. For example, Bitcoin transactions don’t post until there are at least six confirmations on the blockchain.
How Does Proof-of-Stake Prevent Double Spending?
Like PoW, proof-of-stake (PoS) is a consensus mechanism some cryptocurrencies use to prevent double spending attacks. Instead of using computing power, a PoS network makes validators lock or stake a set amount of coins on the blockchain to get the opportunity to verify transactions and earn crypto rewards. For example, validators on the Ethereum (ETH) blockchain need to stake 32 ETH to verify and broadcast ETH transactions.
Since everyone in a PoS blockchain has a stake in their blockchain (i.e., their locked crypto deposit), it reduces the odds of misbehavior. Also, most PoS blockchains use slashing to disincentivize bad behavior. If most validators detect a malicious transaction from one node, the blockchain automatically wipes out or slashes the misbehaving node operator’s staked crypto. The slashing deterrent, coupled with the potential for crypto staking rewards, makes double spending scams less attractive to hackers on PoS chains.
Also, similar to PoW chains, it’s usually cost-prohibitive for traders to launch a 51% attack on PoS chains. Although PoS validators don’t need to operate large computers or pay as much for energy, they have to stake a substantial crypto amount to join the network. Blockchains such as Ethereum have billions of dollars worth of crypto staked on their chains, meaning a 51% attacker would need to commit billions to take over 50% of the network. As blockchains grow larger and more decentralized, the threat of double spending from a 51% attack declines.
Examples of the Double Spending Problem
Although double spending has yet to affect large blockchains such as Bitcoin and Ethereum, there are a few instances of these attacks in crypto’s history. Hackers who have successfully double spent crypto have most often used a 51% attack on a smaller blockchain to duplicate large amounts of the chain’s cryptocurrency.
For example, the Ethereum Classic (ETC) PoW blockchain suffered multiple 51% attacks in 2020. Ethereum Classic is related to the more popular Ethereum blockchain, but it’s a separate network with fewer validator nodes. In 2016, the Ethereum community split into two blockchains to address a controversial issue known as the decentralized autonomous organization (DAO) hack that drained millions from an early investment fund on the Ethereum blockchain. The new Ethereum chain restored these funds to people in the DAO, while the Ethereum Classic chain preserved the original transaction data. Since ETC has fewer nodes than Ethereum, it was easier for hackers to temporarily overtake the network’s hashpower in 2020 and create more than 800,000 ETC coins, worth roughly $5.6 million.
Vertcoin (VTC) is another smaller PoW crypto that suffered a few 51% attacks and subsequent double spend events. In 2019, hackers took over 51% of Vertcoin’s network and manipulated batches of transaction data to reward themselves with $100,000 worth of VTC.
Although double spending is possible on P2P cryptocurrencies, larger chains are more immune to these threats. The decentralization, robust development community, and scale of established cryptocurrencies such as Bitcoin and Ethereum make it less cost-effective for hackers to consider attempting a double spend attack, such as a 51% takeover.
Find More Quality Crypto Education on dYdX’s Blog
If you want to learn more about how crypto works, head over to the dYdX Academy. We have dozens of beginner-friendly guides on crypto-related topics, including non-fungible tokens (NFTs), crypto wallets, and popular trading strategies such as HODL.