A double spend happens when a certain amount of cryptocurrency, be it Bitcoin or otherwise, is used to make multiple purchases.
A double spend can play out in two different ways.
A double spend is a relatively rare occurrence, at least on secure chains like Bitcoin, and it can be almost fully mitigated by requiring multiple confirmations for a transaction.
Nonetheless, it’s still a concern, and merchants especially should be aware of this cryptocurrency vulnerability.
On Bitcoin, a new block is mined once every ten minutes. Most merchants and exchanges require anywhere from two to six confirmations before crediting funds to an account.
The reason is simple: the more confirmations a transaction has, the less likely it is to be a double spend. By the time six confirmations are reached, it’s all but a guarantee that a transaction is authentic.
Forcing Bitcoin to revert a transaction after six confirmations would require a nearly impossible amount of ASIC miners and control over the network.
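To put numbers on why more confirmations mean less risk, here is an added example (not from the original article) that implements the attacker catch-up calculation from section 11 of the Bitcoin whitepaper. The attacker's share of network hash power, q, is an assumed input that a merchant has to estimate; the function names are illustrative.

```python
import math

def attacker_success_probability(q: float, z: int) -> float:
    """Chance that an attacker holding share q of the network hash power
    ever replaces a transaction buried under z confirmations."""
    if not 0.0 < q < 1.0 or z < 0:
        raise ValueError("need 0 < q < 1 and z >= 0")
    if q >= 0.5 or z == 0:
        # A majority attacker always catches up, and with zero
        # confirmations there is no honest lead to overcome.
        return 1.0
    p = 1.0 - q
    lam = z * (q / p)  # expected attacker blocks while honest miners find z
    prob = 1.0
    for k in range(z + 1):
        # Poisson(k; lam), computed in log space so large z cannot overflow.
        poisson = math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))
        # Subtract the cases where the attacker, having mined k blocks,
        # still fails to close the remaining gap of z - k blocks.
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return max(prob, 0.0)

def min_confirmations(q: float, max_risk: float, max_z: int = 1000) -> int:
    """Smallest confirmation count whose reversal risk is below max_risk."""
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    raise ValueError("no confirmation count within max_z meets max_risk")

if __name__ == "__main__":
    Q = 0.10  # assumption: attacker controls 10% of the hash power
    for z in (0, 1, 2, 6):
        risk = attacker_success_probability(Q, z)
        print(f"{z} confirmations: reversal risk {risk:.7f}")
    # A larger purchase justifies a stricter risk limit, hence a longer wait.
    for limit in (0.01, 0.001, 0.00001):
        print(f"risk below {limit}: wait for {min_confirmations(Q, limit)}")
```

The model only covers an attacker racing the honest chain with hash power; it says nothing about the zero-confirmation case beyond returning 1.0, which is handled separately by the merchant's own acceptance policy.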
Zero confirmations are a different story. With a zero-confirmation transaction, a merchant accepts a payment before it has any confirmations at all.
In this case, no expensive hardware would be needed to trick the network; an attacker could do it with just code. So why would a merchant accept a zero-confirmation transaction? Speed.
Bitcoin is notoriously slow and more or less unusable as a medium of exchange. Who will buy their coffee with Bitcoin if they have to wait sixty minutes for the transaction to clear? When a merchant accepts zero-confirmation transactions, a purchaser might only need to wait five or ten seconds, however long it takes for the transaction to be picked up by a miner.
Miners will only mine blocks with valid transactions in them. Thus, a miner won’t approve a block that has a double spend in it. Rather, they’ll only approve one of those transactions. Here is a hypothetical example of how that could work.
A nefarious character could go into a coffee shop and use Bitcoin to pay. It would look like the Bitcoin is being sent to the coffee shop and will confirm soon, but what the owner won’t realize is that the thief also sent another transaction using the same Bitcoin to a wallet that he controls.
In order to comply with the rules of Bitcoin, the miner will only include one transaction in the upcoming block.
So long as that transaction is the one that sends the funds back to the thief’s wallet, then the transaction to the coffee shop will be invalidated. To the coffee shop owner, it will look like the transaction simply never happened.
Is this a large concern?
Probably not. A coffee shop or bakery may choose to accept zero-confirmation transactions because they figure the reward outweighs the risk, just as shops don’t test every dollar they take in even if some of them may be counterfeit. Also, the larger the purchase, the more confirmations the seller can require.
If someone is buying a car with Bitcoin, for example, waiting an hour should be no problem. Buying a house? Even waiting a few hours is still faster than a bank transfer or cashing a check and waiting for it to clear.
A double spend is a particular type of fraudulent transaction where someone creates two transactions using the same Bitcoin. Since only one of those transactions can ever become valid, the hacker can force the funds to return to a wallet that they control while the merchant gets nothing.
A double spend is primarily a problem for zero-confirmation transactions as well as transactions taking place on insecure blockchains. By the time a Bitcoin transaction has six or eight confirmations, the likelihood of it being a double spend is infinitesimally low.
Merchants that choose to accept zero-confirmation transactions should be aware of the risk of a double spend and believe that the reward of a fast transaction is greater than the risk of losing funds once in a while to a double spend.