If a service accepts 0-confirmation deposits and they let users withdraw their Bitcoin Cash, then that service is at high risk for exploitation. Below describes how this attack works.
User deposits X amount of tokens into service using 0-confirmation. User attempts to mine a double spend transaction before their broadcasted transaction confirms. If the attack fails, they withdraw their Bitcoin Cash from the service and repeat the attack until they succeed.
There’s three variables to pay attention to in this attack.
- The amount of tokens the malicious user is depositing.
- The amount of hash power they are mining the double spend transaction with.
- The amount of time it takes for the attack to succeed.
It is in the best interests of the malicious user to maximize the amount of tokens they are depositing to the service and to exploit it to its maximum potential. There is no risk of loss to the malicious User. If the attack fails, they withdraw their Bitcoin Cash and try again.
It is important to know that their is no minimum requirement of hashing power to perform this attack. Anyone with any amount of hash power can perform this attack.
The amount of time it takes for the attack to succeed depends mostly on the amount of hash power that is mining the double spend transaction. For example, if the malicious User is only mining with 0.1% of the total hash power. That is 1 / 1000 of the total hash power. If they repeated this attack every single block on the service, they would statistically on average double spend the service in about one week.
Also it is important to know that this attack costs little to nothing for the attacker. When they successfully mine a block with their double spend transaction they also keep the block reward, as the network will accept their block that includes the double spend transaction.
First we need to understand that there are many services in the crypto space that let users deposit and withdraw their Bitcoin Cash. Exchanges are probably the first to come to mind, but there are others like read.cash, noise.cash, tipping bots, blockchain.poker, etc. The deposit and withdraw feature is a very popular way that users interact with services in the crypto space, it is useful and convenient, and I see many more services in the future having this feature. However… They will not be able to adopt 0-confirmation deposits in the current state, as they would put themselves at high risk for exploitation. Even double spend proofs do not fix this problem.
There are ways for services to mitigate this attack, but it requires them to be very proactive and build advanced tools to let them detect suspicious user behavior. It would cost each service a lot of time & money to mitigate this risk of attack on their own, and they would still be at risk even after building these tools for themselves.
First, we should make everyone aware in the space about this problem, send them to this thread to take a look at the problem and get a productive discussion going. We should warn any service that lets users deposit and withdraw to not adopt 0-confirmation, until we find a solution, or at minimum to proceed with great caution.
Second, we should gather the smart technical minded people in the Bitcoin Cash community and come up with creative solutions.
Third, we should discuss each proposed solution and weigh the pros and cons.
Fourth, decide on a final solution, reach consensus, build it, test it, and push it out.