Josh Ellithorpe
I like terminal prompts.
Josh Ellithorpe - October 16th, 2018
Zero-conf is simply trusting that a transaction submitted into the mempool as valid and accepting those transactions before they are in a block, or in other words, trusting transactions broadcast to a node before proof of work is done.
Since zero-conf lives outside of consensus rules, there are many precautions that must be taken by businesses to accept them to prevent fraud.
In a word, speed. Users want to send a transaction and get an instant approval that it reached the recipient. There are many cases where users do not want to wait for confirmations. For instance:
While not part of the consensus rules, most nodes today will accept the first valid transaction it sees spending UTXOs as the valid transaction and disregard future conflicting transactions.
Some nodes like BU/XT will also relay double spend transactions, but this is not a majority of the network, and they will not keep a copy of the second transaction in the mempool.
Exchanges when Bitcoin first came out used to accept zero-conf transactions. Later, arguments were made that zero-conf transactions were not safe and could be exploited.
This caused exchanges to be careful, and require numerous confirmations before they would consider a deposit as valid. Currently the most common number of confirmations is 6 in order to provide better security than zero-conf and avoid reorg attacks.
These are by far the easiest to mitigate against. First, the attacker needs to know which nodes are being used to validate the transaction has made it to the mempool. Exchanges generally do not advertise this information.
Merely having nodes all over the world and checking multiple geographic locations can mitigate against this attack. If you confirm that all your geographically distributed nodes have the recently broadcast transaction then you can accept the transaction within seconds.
If you see a conflicting transaction, you can reimburse your customer via a chained transaction on the one they sent, and ban the user.
These are a bit tricker. If a miner accepts a higher fee transaction as valid and replaces it in the mempool, that can happen any time before a block is created. This gives the attacker an opportunity to defraud the receiver anytime before the next block is found. Therefore, just checking multiple nodes is not good enough.
That being said, most miners realize that doing this reduces confidence in the network, and could hurt the overall value of the chain they are mining. For small transactions it just isn't worth it. However, exchange transactions are generally not small, so this attack vector could still be relevant.
There are a few ways to help mitigate these issues.
These are generally much lower risk. While someone can plant a low fee transaction below the propagation threshold, the nodes can still be queried for their current transactions.
Therefore for this to be feasible, the attacker would need to plant these in numerous locations to have enough hash power to actually have a reasonable chance of defrauding the exchange.
Much like the fast respend attack, the exchange would query as many nodes (theirs and others) as possible to guarantee that a majority of the network indeed has the valid transaction. Ideally pools would include a full node that could be queried!
However, even with these protections zero-conf is not fully secure. Since exchanges already account for fraud, they key is to mitigate the risk enough to still be profitable.
Double spend proofs allow for the receiver to be notified when a double spend has happened, but doesn't give the nodes an opportunity to fall for a miner bribe.
Unfortunately if a double spend relay has a higher fee, this can actually increase the likelihood a miner will see and accept the bribe transaction which is the hardest double spend type to mitigate. We should not make it easier to bribe miners, and instead should only provide a proof that the double spend occurred.
Exchanges do not require 100% certainty when it comes to transactions. All exchanges have a built in fraud level they can accept since they also accept fiat transactions which can and do get reversed. Therefore, mitigating the concern and keeping double spends at a very low probability is their main concern.
The best way to do this, is to implement a temporary hold on funds once a sale or exchange to another crypto currency has been done.
Allow the user to deposit with zero conf, make a trade to fiat or crypto, but hold the fiat or crypto until confirmations occur on the original deposit. This gives the end user the experience they want and avoids the fraud cases.
Let's make BCH the most secure zero-conf on the planet!
By Josh Ellithorpe