See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/351136583

Revisiting Double-Spending Attacks on the Bitcoin Blockchain: New Findings

Conference Paper · June 2021

DOI: 10.1109/IWQOS52092.2021.9521306

CITATIONS READS
0 573

5 authors, including:

Jian Zheng Huawei Huang

Sun Yat-Sen University Sun Yat-Sen University
2 PUBLICATIONS   0 CITATIONS    86 PUBLICATIONS   2,187 CITATIONS   

SEE PROFILE SEE PROFILE

Canlin Li Zibin Zheng

Sun Yat-Sen University Sun Yat-Sen University
1 PUBLICATION   0 CITATIONS    386 PUBLICATIONS   17,256 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Big Data for Emergency Management (BDEM) View project

Blockchain View project

All content following this page was uploaded by Huawei Huang on 13 May 2021.

The user has requested enhancement of the downloaded file.

 Revisiting Double-Spending Attacks on the Bitcoin Blockchain: New Findings

Jian Zheng∗ , Huawei Huang∗ , Canlin Li∗ , Zibin Zheng∗ Song Guo†
∗ School
of Computer Science and Engineering, Sun Yat-Sen University, Guangzhou, China
† Department of Computing, The Hong Kong Polytechnic University, Hong Kong. song.guo@polyu.edu.hk

Corresponding author: Huawei Huang, huanghw28@mail.sysu.edu.cn

Abstract—Bitcoin is currently the cryptocurrency with the : Block mined by an honest miner
largest market share. Many previous studies have explored : Block mined by the attacker 5 Release all blocks
the security of Bitcoin from the perspective of blockchain 2 Forking attack
mining. Especially on the double-spending attacks (DSA),
some state-of-the-art studies have proposed various analytical
models, aiming to understand the insights behind the double- 1 Target TX is released 3 Pack the target TX 4 Confirmation position
spending attacks. However, we believe that advanced versions
of DSA can be developed to create new threats for the Bitcoin Figure 1. Illustration of a double-spending attack.
ecosystem. To this end, this paper mainly presents a new type of most of the mining power is centralized in a small number of
double-spending attack named Adaptive DSA in the context of mining pools. Such centralization brings a high vulnerability
the Bitcoin blockchain, and discloses the associated insights. In of suffering from mining attacks. Furthermore, in Bitcoin
our analytical model, the double-spending attack is converted market, the number of large-amount transactions is increas-
into a Markov Decision Process. We then exploit the Stochastic ing when the number of exchanges grows. The aggregated
Dynamic Programming (SDP) approach to obtain the optimal money in exchanges draws great attention from cryptocur-
attack strategies towards Adaptive DSA. Through the proposed rency hackers. Once the double-spending attack occurs in
analytical model and the disclosed insights behind Adaptive an exchange, e.g., the Mt. Gox attack [7], the Bitcoin
DSA, we aim to alert the Bitcoin ecosystem that the threat of market will experience a drastic fluctuation. Therefore, the
double-spending attacks is still at a dangerous level. security of the Bitcoin blockchain has raised great attention,
especially in the context of the real double-spending attacks
Index Terms—Bitcoin Blockchain, Double-Spending Attack aforementioned.
Literature Review. The double-spending attack is a
1. Introduction classic problem in blockchains. A number of previous
works have explored the double-spending attacks on Bitcoin
blockchain. Nakamoto [1] raised the problem of double-
Following the drastically increasing market price of spending attacks for the first time in the Bitcoin system.
Bitcoin [1] in the past few months, the cryptocurrencies Pinzon et al. [8] proposed two new double-spending attacks:
continually attract ever-growing interests from all over the race attack and fanny attack. The race attack achieves attack-
world. However, cryptocurrencies, e.g., Bitcoin, face the ing by controlling miner fees. The fanny attack chooses to
inherent threat of Double-Spending Attacks (DSA). For control block broadcast time to achieve attacking. Liao et al.
example, the Bitcoin Gold (BTG) [2] was stolen more than [9] found that a small number of attackers can increase the
388200 BTG coins by double-spending attacks on May probability of a 51% double-spending attack by connecting
2018, and suffered from a loss of about 18.6 million dollars. rational nodes. Biais et al. [10] proved that it is profitable
On January 2019, the Ethereum Classical [3] blockchain has to try a 51% double-spending attack when the transaction
occurred the roll-back anomaly, which was very possibly price meets certain conditions, but such an attack requires a
attacked by double-spending attacks. This anomaly led to a large amount of hashpower and money. Gervais et al. [11]
loss of around 1.1 million dollars. Recently on December proposed a simple double-spending attack strategy model
2020, the famous cryptocurrency Aeternity [4] also was based on Markov Decision Processes (MDP) and revealed
attacked by the double-spending attack, resulting in a huge the effectiveness of the double-spending attack strategy.
loss of approximately 39 million Aeternity coins.
Through reviewing those representative analytical mod-
Since Bitcoin has become the top market-share cryp- els proposed in the past few years, we have the following
tocurrency [5], [6], many organizations have invested a large findings.
amount of money as the strategic digital assets. In reality,
Bitcoin miners prefer to join in a mining pool because of • Many existing attack policies [12], [13] aim at their
brutal competition of Proof-of-Work (PoW) based mining success probabilities. However, a high success attack
among miners. The mining-pool phenomenon leads to that probability does not mean a high return of reward.

978-0-7381-3207-5/21/$31.00 © 2021 IEEE

 • Several papers [1], [14] did not consider the strict Table 1. S YMBOLS AND N OTATIONS
limitation of the duration of attacks. Instead, they
b the amount of stolen money via double-spending
only calculated the average profit of double-spending the target transaction (TX)
attacks. However, in practice, the budget of the p the proportion of the total hashpower controlled by
attacker is limited, making the average cost of an the attacker
attack cannot be too high. q the proportion of the total hashpower controlled by
honest miners, p + q = 1
Motivation. Inspired by those facts aforementioned, in d the average reward for mining a new block
this paper we revisit the double-spending attacks towards the z (∈ N+ ) (N+ denotes positive integers) the number of
Bitcoin blockchain, by disclosing several insights through a blocks between a target TX and its confirmation
tricky attack strategy. Note that, we are not aiming to launch position
i (∈ N ) the # of blocks generated by the attacker
new types of double-spending attacks. What we study in
j (∈ N ) the # of blocks generated by honest miners
this paper is trying to alert the cryptocurrency blockchain cost the average cost of the attacker in the process of
using the following new findings: The DSA attackers can generating a new block in the blockchain system
launch the attacks even though when their mining power is si,j the state that the attacker has generated i blocks
far less than 51% of the entire Bitcoin blockchain. Using our and honest miners have generated j blocks
theoretical framework, both the users of Bitcoin blockchain di,j the decision the attacker makes in state si,j
and the developers of a new blockchain can estimate how Pi,j the probability of state si,j arrival in each attack
Ri,j the attacker’s reward when he stops at state si,j
well their blockchain to defend the double-spending attacks. Jn (i, j) the revenue expectation of state si,j , n = i + j
T (si,j , di,j ) the state transition probability distribution in state
Contributions. si,j with decision di,j
• Firstly, Based on Naive DSA, we propose a new type g(si,j , di,j ) the benefit function of state si,j with decision di,j
s0i,j a special state indicating the attacker releases all
of double-spending attack, i.e., Adaptive DSA. We the sub-chain and begins to mine on the longest
then exploit the SDP-based theoretical framework to chain
generate the profit-maximized attack strategy under
Adaptive DSA.
• Secondly, we believe that our proposed analytical attacker and all the other honest miners. Let p and q
model can stimulate researchers and engineers to (p + q = 1) represent the hashpower proportions of the
propose new blockchain designs that are able to attacker and the honest miners, respectively. We consider a
defend new advanced double-spending attacks. fine-grained timeslot for our analytical framework, in which
The remaining of this paper is organized as follows. at most only a single new block can be generated within a
Section 2 introduces the preliminaries of the paper. Section 3 timeslot. The duration of the attack is very short, therefore
analyzes the new type of double-spending attacks. Section 4 we assume that the mining difficulty keeps unchanged.
shows the simulation results of our analytical model. Section The honest miner always follows the policy of longest
5 concludes this paper. chain first by default. If two forks with the equal length
exist, honest miners will choose the one containing more
historical blocks generated by themselves. According to the
2. Preliminaries and Assumptions length of the fork controlled by the attacker, the results of
In this section, we introduce the simplest double- forking attack include fail, match, and success when
spending attack (named Naive DSA) and the basic prelim- the fork is shorter, equal to, and longer comparing with the
inaries of the paper, which is the same with that of other main chain, respectively.
studies.
As shown in Fig. 1, if a transaction recorded in a block 3. Adaptive Double-Spending Attack
and receives confirmation from a specific number of new
blocks (represented by z(∈ N+ ), which is normally 6 for In this section, we describe the proposed new type of
Bitcoin), it will be viewed as confirmed by the blockchain. double-spending attack, i.e., the Adaptive Double-Spending
When an attacker intends to tamper this confirmed trans- Attack (shorten as Adaptive DSA). Typically, we calculate
action, he must launch a forking attack by creating a new the optimal attack decisions and the theoretical boundary of
branch of blocks, which is required longer than the main the expected reward by launching the Adaptive DSA.
chain. Once such forking attack succeeds, we say that the
attacker has launched a double-spending attack, through 3.1. System Model of Adaptive DSA
which the attacker can steal the money residing in the target
transaction. The reward of mining a new block is denoted The strategy of Naive DSA can make the success prob-
by d, which includes two aspects: the coinbase reward ability maximized, when the main chain has generated z
plus the transaction fees. The stolen monetary coins of a blocks with respect to the target transaction. However, in
double-spending attack is represented by b. some special situations, taking Fig. 2 for an example, most
We assume that there are only two types of miners of the hashpower is controlled by the honest miners, such
existing in the blockchain network, i.e., the double-spending that the number of blocks created by the attacker will be
 : The attacker is mining : Honest miners are mining i=3 i=1 i=2
i=1

j=2 j=2 j=2

Case-1 Case-2 Case-3
j=5
Figure 3. Three possible cases of the decision under Adaptive DSA di,j =
Figure 2. An unfavourable situation to the double-spending attacker. 0: quit attacking.

too few. Under such the unfavourable situation, the success p, q: the probabilities of state
transition
probability of the attacker is very low. To prevent a large loss
q
si , j +1
brought by the failed double-spending attacks, the attacker
is suggested giving up the attack when the situation is
p si +1, j
unfavourable. Therefore, we are motivated to propose the si , j
Adaptive DSA. In the following, we analyze the Adaptive
DSA by particularly evaluating those unfavourable situations Figure 4. The decision of Adaptive DSA di,j = 1: keep attacking. A
illustrated in Fig. 2. decision di,j =1 also triggers state transition: si,j → si+1,j or si,j+1 .
To calculate the reward under the Adaptive DSA, we
let cost denote the cost that the attacker spends during the
process of any new block is generated. To achieve a DSA, 3.2.2. Attack-Decision Matrix. We then let di,j = 0/1
the attacker has to keep generating new blocks in his fork. denote the attack decision of the attacker while the attack is
Thus, cost includes not only the maintaining fee to run in a specific decision point si,j . In the attack-decision matrix
the mining machines, but also the opportunistic loss if the {di,j }, every element di,j values 0 or 1. The definition of
attacker were using his hashpower to mine blocks just as the binary decision is as follows.
an honest miner. Once the attacker succeeds, its reward is
calculated as the mining reward minus to the maintaining 
fee. Thus, we have cost = p · d, p > 0. 1,
 if i = j = 0;
To the main chain, when the number of confirmation di,j = 0, if i = z or j = z;

0 or 1,
blocks reaches z in a faster speed than the attacker’s fork, otherwise.
the target transaction is viewed as confirmed deeply. The
attacker has to quit the current attack, and prepare for the
When di,j = 0, the attacker releases the fork, resulting
next. That is, when j > z , the attacker stops mining in
in 3 possible cases shown in Fig. 3. Case-1: if i > j , the
its fork. On the other side, once the attacker generates the
attacker dominates the block mining during the attack, and
(z + 1)-th block before the main chain outputs the z -th
receives the block-mining reward immediately. Furthermore,
block, the double-spending attack succeeds. To maximize
if i > j & j ≥ z , the attacker succeeds the double-spending
the profit of the attack, the attacker may also keep mining
attack. Case-2: if i < j , the attacker receives nothing. Case-
more blocks in his fork, before the main chain discovers its
3: if i = j , the attacker will follow the fork mined by
z -th confirmation block. Therefore, when i ≥ z & i > j , the
himself.
attacker will keep attacking in his fork. Except the two cases
described above, the attacker cannot make a determined The decision di,j = 1 indicates that the attacker still
decision when 0 ≤ i, j ≤ z − 1. The goal of this section keeps attacking in the fork chain until the next decision
is trying to find an optimal attack-decision matrix such that point shows up. As shown in Fig. 4, the current decision
the profit of Adaptive DSA can be maximized. point si,j (0 ≤ i, j ≤ z − 1, i, j ∈ N ) will be transferred to
either state si+1,j or state si,j+1 , 0 ≤ i, j ≤ z − 1.
3.2. Terminologies
3.2.3. Occurrence-Probability Matrix. In the occurrence-
3.2.1. Decision Point. Normally, an honest miner would not probability matrix, represented by {Pi,j }, each element Pi,j
change the chain it follows, either after the main chain or describes the probability of achieving a decision point si,j
a fork. Only when a new block is generated, the miner has during an attack under a given decision matrix {di,j }. In
to decide whether to change the fork it follows currently particular, s0,0 is always the starting point of any attack.
or not. Therefore, we define the instant when a new block Thus, P0,0 = 1. As described in section 3.2.2, si,j stems
is generated as a decision point, which is denoted by si,j , from si−1,j with probability p if di−1,j = 1, or si,j−1
(i ∈ N , j ∈ N ). Here i and j represent the numbers of with probability q if di,j−1 = 1. Note that, if j = 0 or
the attacker’s blocks in the fork chain and the confirmation i = z , si,j can only stem from si−1,j with probability p.
blocks in the main chain, respectively. When reaching a Similarly, if i = 0 or j = z , si,j can only stem from si,j−1
decision point, the attacker has to decide whether to continue with probability q . Therefore, we can define the occurrence-
attacking or quit. probability matrix {Pi,j } as follows.
 3.4.1. SDP-based Formulation. In the context of a
 decision-making problem, the key elements of the SDP
1, if i = j = 0;
model are described as follows.



i−1,j · p · Pi−1,j , if j = 0 or i = z;
d
Pi,j = Stages: In a z × z decision matrix, each sub-diagonal

d i,j−1 · q · Pi,j−1 , if i = 0 or j = z; represents a stage. We mark the sub-diagonal as 0, 1, 2, · · · ,

d
i−1,j · p · Pi−1,j + di,j−1 · q · Pi,j−1 , otherwise. 2z -1 from the upper left to the lower right, and the whole
(1) system has a total of 2z stages.
States: The set of states in stage n is denoted as S[n] =
3.3. Profit-Maximization Problem {si,j |i + j = n} ∪ {s0i,j |i + j = n − 1}, when n > 0.
Especially, if n = 0, S[n] = {si,j |i + j = n}. In addition,
Given an attack-decision matrix {di,j }, we can derive s0i,j is a special state indicating that the attacker releases all
the occurrence probability matrix {Pi,j } according to the the sub-chain and begins to mine on the longest chain.
stochastic state transition. Next, the expected reward can Decisions: We use di,j to denote the decision variable at
be also calculated. Let Ri,j denote the expected reward si,j , di,j ∈ Ui,j , where Ui,j denotes the set of all decisions.
when the attacker stops attacking at a decision point si,j , Transition probability: The transition-probability func-
i.e., di,j turns to 0 at si,j . When stopping attacking at si,j , tion T (si,j , di,j ) returns the probability that the current state
the attacker will release the blocks mined in his fork, and si,j transfers to the next state by executing the decision
participate in the regular mining just as an honest miner di,j . In SDP framework, we can only get the probability
following the main chain. Thus, Ri,j is calculated by the distribution of the next state instead of accurate states.
coinbase reward minus the mining cost: Referring to section 3.2, the transition-probability function
is written as:
Ri,j = 
 p, if si,j → si+1,j , di,j = 1;

−(i + j) · cost, if i < j;
 T (si,j , di,j ) = q, if si,j → si,j+1 , di,j = 1;
i · d − (i + j) · cost, if z > i > j;


 1, if s → s0 , d = 0;
 (4)
 i,j i,j i,j
p · i · d − (i + j) · cost, if z > i = j;


(2) 0 ≤ i, j ≤ z − 1, i, j ∈ N.
p[b + d(z + 1) − (i + j + 1) · cost] + q · Ri,j+1 ,
Reward function: The reward function g(si,j , di,j ) re-

 if i = z, j ≤ z − 2;





 p[b + d(z + 1) − (i + j + 1) · cost]+ turns the reward when executing a decision di,j at the current
 state si,j . The reward function is defined as:
q[p(b + z · d) − 2z · cost], if i = z, j = z − 1.

(
With f ({di,j }) denoting the expected reward function 0, if di,j = 0;
g(si,j , di,j ) =
under a decision matrix {di,j }, the goal is to strive for the −cost, if di,j = 1; (5)
optimal attack-decision matrix such that the expected re- 0 ≤ i, j ≤ z − 1, i, j ∈ N.
ward is maximized. We then present the profit-maximization
problem as follows. 3.4.2. Optimal Decision-Making. When the decision ma-
z X
X z trix {di,j } is fixed, the profit of the attacker can be derived.
max f ({di,j }) = (1 − di,j ) · Pi,j · Ri,j Let Jn (si,j ) denote the profit matrix, where n = i+j . Recall
i=0 j=0 that, our objective is to maximize the expected profit by
(3) deciding the optimal decision matrix. According to Bellman
s.t. Eq. (1) and Eq. (2).
optimality theorem [15], the objective function is expressed
Variables : di,j ∈ {0, 1}, 0 ≤ i, j ≤ z, i, j ∈ N. as:
Solving the problem (3) is infeasible when z is large,
since the problem complexity increases exponentially fol- Jn (si,j ) = max{g(si,j , di,j ) + E[Jn+1 |si,j , di,j ]}
di,j
lowing z . Therefore, we need to design a complexity-
efficient approach to solve this problem. = max{g(si,j , di,j ) + T (si,j , di,j ) · Jn+1 (S[n + 1])}
di,j (6)
= max{Jn+1 (s0i,j ), −cost + p · Jn+1 (si+1,j )
3.4. Problem-Solving based on Stochastic Dynamic
+ q · Jn+1 (si,j+1 )}, 0 ≤ i, j ≤ z − 1, i, j ∈ N.
Programming (SDP)
where s0i,j in fact indicates the special state occurring
In fact, the optimization problem (3) can be viewed as a in the stage S[n + 1]. In addition, we should define the
two-dimensional multi-stage Stochastic Dynamic Program- boundary condition of Jn (si,j ). For the right boundary (i.e.,
ming (SDP) problem [15]. At the decision point si,j , we 0 ≤ i ≤ z − 1, j = z ), the attacker is failed and gains
only need to consider the current state as well as the future nothing. Thus, Ji,j = 0 (0 ≤ i ≤ z − 1, j = z). For the
expected reward, regardless what decisions have been made lower boundary (i.e., 0 ≤ j ≤ z − 1, i = z ), the target
and how to get to that state. In other words, the problem (3) transaction has not been confirmed and the attacker should
has the Markovian property. keep mining until j = z . The attack is successful if i = z +
 Algorithm 1: SDP for Adaptive DSA

Input : b, p, d, z, cost.
Output: decision matrix {di,j }, expected reward.


5HZDUG%7&
1 Initialize boundary conditions according to Eq. (7),
Eq. (8), and set d0,0 = 1.
2 for i = z − 1 to 0 do 
3 for j = z − 1 to 0 do
E 
4 Search solutions according to Eq. (6).  E 
E 
5 Return {di,j }, J0 (s0,0 ). E 
        
z
1, 0 ≤ j < z . Therefore, the expected reward at sz+1,j (0 ≤
j < z) can be calculated easily. The system may transit to
Figure 5. The attacker’s expected reward v.s. varying z , while p = 0.3,
state sz,z , resulting in the special state match. State sz,z and d = 6.25.
may transit to sz+1,z with a probability p. Thus, the expected
reward at sz,z is p(b + z · d).
To stop the attack, the attacker will release all the sub- E 
chain and the reward is determined by i and j . If i > j , the  E 
E 
attacker gains i · d. If i < j , the attacker gains nothing. If

5HZDUG%7&
i = j , the attacker gains the expected reward i · p · d. As 
described, we construct the boundary condition of Adaptive
DSA as Eq. (7) and Eq. (8). 

0, if 0 ≤ i ≤ z − 1, j = z;




p · [b + (z + 1) · d] + q · J
z,j+1 − cost,
Jn (si,j ) =
 if i = z, 0 ≤ j ≤ z − 1;


p · [b + z · d], if i = z, j = z.        
7KHSURSRUWLRQRIWKHKDVKSRZHUFRQWUROOHGE\WKHDWWDFNHU
 (7) UHSUHVHQWHGE\p

 0, if 0 ≤ i < j ≤ z − 1;
Jn+1 (s0i,j ) = i · d, if 0 ≤ j < i ≤ z − 1; (8) Figure 6. The attacker’s expected reward v.s. varying p, while z = 7, and
 d = 6.25
p · i · d, if 0 ≤ i = j ≤ z − 1.

According to Eq. (6), Eq. (7) and Eq. (8), we can solve whose decision points are all set to 1. For Adaptive DSA,
the problem (3) using the backward recursion [15]. The the expected reward is equal to J0 (s0,0 ).
pseudo code for the problem-solving under Adaptive DSA The minimum money in the target transaction (TX):
is shown in Algorithm 1. The minimum amount of stolen money contained in the
target transaction.
4. Performance Evaluation
4.2. Evaluation Results
In this section, we first implement a discrete-time frame-
work to simulate a Bitcoin blockchain. We then conduct 4.2.1. Impact of The Number of Confirmation Blocks.
numerical simulations to disclose the insights of the pro- Fig. 5 shows the impact of z on the expected reward of
posed analytical model for the new type of double-spending the attacker. We can observe that the expected reward of
attacks. the attacker decreases exponentially with the increasing z .
Once the expected reward is greater than zero, the attacker
4.1. Metrics is likely to launch the attack and gain the attack reward.
For a transaction valued 100 BTC coins (i.e., b = 100),
The expected reward of the attacker: The expected the merchant should wait at least 4 blocks for the secure
reward of the attacker during the entire double-spending confirmation according to Naive DSA. However, if a trans-
attack is used as an index to evaluate the effectiveness action valued 1000 BTC coins (i.e., b = 1000), the merchant
of a specific double-spending attack strategy. The unit of must wait more than 10 confirmation blocks to defend the
expected reward is measured in the number of BTC coins. Adaptive DSA. This result shows that the honest BTC users
Recall that, Naive DSA is in fact the Adaptive DSA when may overestimate the safety for a given transaction if they
all attack-decision points are valued 1. Thus, The expected only defend against the Naive DSA strategy. Instead, the
reward of Naive DSA is equal to that of Adaptive DSA security level of BTC blockchain should be upgraded to
 0LQLPXPPRQH\LQWKHWDUJHW7; as expected. The proposed analytical model can stimulate
 G  both researchers and engineers to evaluate the threat of the
G 
 G  new type of double-spending attacks, and then develop the
 corresponding defence strategies.
 6. Acknowledgement

This work described in this paper was supported by the

Key-Area Research and Development Program of Guang-
 dong Province (No.2019B020214006), the National Natural
 Science Foundation of China (No.62032025, No.61902445),
      and the Guangdong Basic and Applied Basic Research
7KHSURSRUWLRQRIWKHKDVKSRZHUFRQWUROOHGE\WKHDWWDFNHU
UHSUHVHQWHGE\p Foundation (No.2019A1515011798).

Figure 7. The minimum money contained in the target transaction (i.e., the References
attack-threshold of Adaptive DSA) v.s. varying p, while z = 7.
[1] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,”
Manubot, Tech. Rep., 2019.
defend against the Adaptive DSA, which can alert the payee [2] Bianews. Liao xiang’s response to btg’s shuanghua attack:
a safe number of confirmation blocks. upgrading the mining algorithm is being implemented to
completely eliminate 51% attacks technically. [Online]. Available:
https://www.sohu.com/a/232781696 115060
4.2.2. Impact of Hashpower Controlled by The Attacker. [3] P. strange Jun. Etc was attacked by 51% and stolen about $1.1 million.
When the attacker’s hashpower is fixed and other parameters [Online]. Available: https://cloud.tencent.com/developer/news/383561
remain unchanged, the minimum money contained in the [4] TechFlow. Aeternity is attacked by 51%. how can ae
target transaction that can make the expected reward positive defend against crisis in advance? [Online]. Available:
is named the attack threshold of the double-spending attack https://www.sohu.com/na/437657586 120697730
under a given hashpower p. In this group of simulations, we [5] J. Wu, J. Liu, W. Chen, H. Huang, Z. Zheng, and Y. Zhang, “De-
tecting mixing services via mining bitcoin transaction network with
evaluate the relationship between such the attack threshold hybrid motifs,” IEEE Transactions on Systems, Man, and Cybernetics:
and the proportion of attacker’s hashpower p, under Adap- Systems, 2021.
tive DSA strategy. [6] H. Huang, W. Kong, S. Zhou, Z. Zheng, and S. Guo, “A survey of
Fig. 6 shows that the attacker will not launch a double- state-of-the-art on blockchains: Theories, modelings, and tools,” ACM
spending attack on any arbitrary transaction. Only when the Computing Surveys (CSUR), vol. 54, no. 2, pp. 1–42, 2021.
expected reward is high can the attacker have the motivation [7] W. Chen, J. Wu, Z. Zheng, C. Chen, and Y. Zhou, “Market ma-
to launch a double-spending attack. When the attacker has nipulation of bitcoin: Evidence from mining the mt. gox transaction
network,” in IEEE Conference on Computer Communications (INFO-
a certain fixed hashpower, the transaction with a higher COM), 2019, pp. 964–972.
transaction amount is more vulnerable to suffering from a [8] C. Pinzón and C. Rocha, “Double-spend attack models with time
double-spending attack. advantange for bitcoin,” Electronic Notes in Theoretical Computer
Then, Fig. 7 presents the minimum amount of stolen Science, vol. 329, pp. 79–103, 2016.
money required to launch a profitable double-spending at- [9] K. Liao and J. Katz, “Incentivizing double-spend collusion in bitcoin,”
tack versus different values of p. We observe that when in Financial Cryptography Bitcoin Workshop, 2017.
fixing z = 7, a smaller d makes the attack threshold lower. [10] B. Biais, C. Bisiere, M. Bouvard, and C. Casamatta, “The blockchain
As the attacker’s hashpower p increases, the attack threshold folk theorem,” The Review of Financial Studies, vol. 32, no. 5, pp.
1662–1715, 2019.
decreases quickly.
[11] A. Gervais, G. O. Karame, K. Wüst, V. Glykantzis, H. Ritzdorf,
and S. Capkun, “On the security and performance of proof of work
5. Conclusion blockchains,” in Proceedings of the 2016 ACM SIGSAC conference
on computer and communications security, 2016, pp. 3–16.
Based on the Naive DSA, we proposed a new advanced [12] G. Ramezan, C. Leung, and Z. J. Wang, “A strong adaptive, strategic
double-spending attack on blockchains,” in IEEE International Con-
version of DSA model, i.e., the Adaptive DSA. Based ference on Internet of Things (iThings) and IEEE Green Computing
on the Stochastic Dynamic Programming framework, we and Communications (GreenCom) and IEEE Cyber, Physical and
developed rigorous analysis for such Adaptive DSA. To Social Computing (CPSCom) and IEEE Smart Data (SmartData),
pursue the maximized profit of the attacker, we then devised 2018.
the SDP-based algorithm to calculate the decision matrix [13] C. Grunspan and R. Pérez-Marco, “On profitability of nakamoto
double spend,” arXiv preprint arXiv:1912.06412, 2019.
for the attack strategy. Through numerical simulations, we
[14] K. Nayak, S. Kumar, A. Miller, and E. Shi, “Stubborn mining:
studied the correlations between different parameters and Generalizing selfish mining and combining with an eclipse attack,”
the expected reward of the attacker. Several insights behind in IEEE European Symposium on Security and Privacy (EuroS&P),
those double-spending attack strategies have been revealed. 2016, pp. 305–320.
We think our study in this paper can alert the Bitcoin users [15] S. M. Ross, Introduction to stochastic dynamic programming. Aca-
that the security level of Bitcoin blockchain is not that high demic press, 2014.

View publication stats