Full blocks make double spending attacks much easier!

[rogerver]

Today I received the following email from an experienced Bitcoin casino operator explaining how blocks being full makes it much easier for fraudsters to attack their services with double spends.


.....................
................
.............
...


This seems to me like one more reason to support bigger blocks to help do away with this attack vector.
If you aren't already, please upgrade to Bitcoin Classic today.

https://twitter.com/rogerkver/status/716626402385072128

[sgornick]

Any business built upon a money-losing concept will eventually have to change or perish.

Zeroconf transaction are not safe -- regardless of how close to full blocks are.

Satoshi Dice was among the first gambling methods that saw the level of fraud due to zeroconf increase, forcing them to massively change their approach.

These casinos that credit the gambler's account instantly for a bitcoin transaction (for use in wagering) obviously haven't through it through. The winners will let their bitcoin transaction confirm. The losers who are willing to cheat will double spend their deposit before it confirms.

It's a failed approach. Yes, blocks being full simplifies the job somewhat for the cheaters. Regardless, the casinos (and payment processors, and merchants, etc.) and that still do zeroconf will have to fix their broken system, or they'll lose.

[FUBAR-BDHR]

I understand how this makes double spending easier (and so does RBF) but I fail to see how this really is a problem for something like online gambling. If they take proper precautions the worst that should be able to happen is someone gambles, wins, and can't withdraw because their deposit didn't confirm. If they are letting people withdraw winnings without checking for double spends first then they have a design issue not a bitcoin one. Now services that you get immediately (music, vod, cam sites, game downloads, etc) it is an issue for.

[rogerver]

The point is that even though bitcoin transactions aren't completely safe until they have been included in several blocks, the community should strive to make zero confirmation transactions as safe as possible. Having the blocks be completely full makes double spending attacks much easier.
Just this weekend, I paid $1000 worth of Bitcoin from one of the most popular iPhone wallet apps. It calculated the fee poorly, and my transaction was unconfirmed for about 36 hours. That is a huge window for some one to be able to decide to double spend. It's so long that it even makes doing e-commerce with Bitcoin dangerous. The person I sent the payment to isn't a Bitcoin expert and was annoyed that the transaction was unconfirmed for so long, and his wallet wouldn't let him make use of the unconfirmed funds. He asked me to use Paypal with him the next time. The problems caused by full blocks greatly damage the user experience of Bitcoin, and are driving new users to use something other than Bitcoin. This is a true shame, and for no good reason.
https://twitter.com/rogerkver/status/716812734612910080

[dangh]

I'm not supporting small blocks and killing 0-conf (as I own bitcoin business which relying on 0-conf and would benefit from bigger blocks), but again, problem is not in full blocks, that $1,000 probably would confirmed in a few minutes, if you use properly designed wallet software, which is rare in Bitcoin world today, and user experiences damaged by incompetent wallet developers.

[rogerver]

I'm not supporting small blocks and killing 0-conf (as I own bitcoin business which relying on 0-conf and would benefit from bigger blocks), but again, problem is not in full blocks, that $1,000 probably would confirmed in a few minutes, if you use properly designed wallet software, which is rare in Bitcoin world today, and user experiences damaged by incompetent wallet developers.

Perhaps the wallets are designed properly, and it is the improperly designed block size limit imposed by incompetent developers that's damaging the user experience.

[dangh]

I'm not supporting small blocks and killing 0-conf (as I own bitcoin business which relying on 0-conf and would benefit from bigger blocks), but again, problem is not in full blocks, that $1,000 probably would confirmed in a few minutes, if you use properly designed wallet software, which is rare in Bitcoin world today, and user experiences damaged by incompetent wallet developers.

Perhaps the wallets are designed properly, and it is the improperly designed block size limit imposed by incompetent developers that's damaging the user experience.

Agree, they are incompetent too but in fact, by properly designed payment system at our gambling website were processed 7,000 deposits and withdrawals.

After I read your post, decided to look at double-spend statistics, so, 20 double-spend attempts were detected this year and another 10 low fee transactions which never confirmed and were reversed without double-spending. Non of this 30 transactions hit users' balance because of proper risk management.

In the 6 month of our operations we had only one complaint about delayed confirmation after withdrawal, which was a bug in our system and we fixed it quickly.

So UX is a key for us, and we are doing our best even in this extreme conditions of full blocks, same should be done by wallet developers and other casino operators until situation resolved.

[dooglus]

I fail to see how this really is a problem for something like online gambling. If they take proper precautions the worst that should be able to happen is someone gambles, wins, and can't withdraw because their deposit didn't confirm.

You misunderstand the attack. They deposit, the casino foolishly credits their account immediately, without waiting for a confirmation, they play, and if they lose then and only then do they double-spend.

So only their losing bets are double-spent. Their winning bets are left to confirm as normal so they can withdraw.

From OP (paraphrased):

> We are looking at ways to detect double-spends, but no such tech exists today

Yes it does - it is called the Bitcoin Blockchain. It detects and prevents double-spends, and is what sets Bitcoin apart from the systems that came before it. Accepting unconfirmed transactions is just asking for trouble.

[rogerver]

Is this the same world famous Dooglus from Just Dice, and now Clams?
If so, it is an honor to have you here!