Race Attack
A race attack is a malicious practice that exploits a recipient accepting payment for an unconfirmed transaction, leading to double-spending.
What Is a Race Attack?
A race attack is a blockchain security vulnerability that involves creating two transactions using the same funds simultaneously. It’s an attempt to spend the same cryptocurrency multiple times before the network can confirm the transactions, which can result in double-spending.
Generally, race attacks are a type of double-spending attack and are more prevalent in proof-of-work (PoW) networks.
How Does It Work?
In this attack, the attacker initiates two conflicting transactions, intending to spend the same currency twice. To explain, the hacker sends one transaction to their wallet address and the other to a merchant or service provider. Both of these transactions are broadcast to the entire network simultaneously.
The attacker typically exploits the network’s propagation delays and inconsistencies in transaction processing across different nodes. To put it differently, the perpetrator capitalizes on the time delay of blockchain transaction confirmation to ensure that the transaction sent to their wallet is confirmed first.
At the same time, the merchant may see the transaction addressed to them first and believe they’ll get paid. The merchant may mistakenly accept the unconfirmed transaction and fulfill the attacker’s order, thereby benefitting the hacker. The rest of the network, however, sees the competing double-spend transaction first and effectively invalidates the transaction to the merchant, resulting in a loss for the merchant. The second transaction, which sends the same coins to the attacker’s wallet, is the one that is confirmed.
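The propagation race described above, as an added example that is not part of the original page: a toy model in which each node keeps the first spend of a coin it hears about, comparing a merchant who trusts only their own node's unconfirmed view with one who checks other nodes for a competing spend and waits for confirmation. The node names, transaction ids, the first-seen rule and the min_conf parameter are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset      # coins (outpoints) this transaction spends
    pays_to: str

@dataclass
class Node:
    """Toy node with a first-seen rule (assumed): a later transaction spending
    an input already claimed in this node's mempool is not admitted."""
    name: str
    mempool: dict = field(default_factory=dict)    # txid -> Tx
    conflicts: list = field(default_factory=list)  # rejected double-spends seen

    def receive(self, tx):
        if tx.txid in self.mempool:
            return
        if any(held.inputs & tx.inputs for held in self.mempool.values()):
            self.conflicts.append(tx)
        else:
            self.mempool[tx.txid] = tx

def naive_accept(tx, own_node):
    # Weak policy: release goods as soon as our own node shows the payment.
    return tx.txid in own_node.mempool

def hardened_accept(tx, nodes, confirmations, min_conf=1):
    # Defensive policy: a competing spend seen by any node we can query blocks
    # the sale; otherwise wait for min_conf confirmations.
    for node in nodes:
        seen = list(node.mempool.values()) + node.conflicts
        if any(o.txid != tx.txid and o.inputs & tx.inputs for o in seen):
            return "conflict"
    return "accept" if confirmations.get(tx.txid, 0) >= min_conf else "wait"

def run_demo():
    coin = frozenset({"utxo-1:0"})                    # constructed sample input
    to_merchant = Tx("tx-merchant", coin, "merchant")
    to_self = Tx("tx-self", coin, "attacker-wallet")
    merchant, peer, miner = Node("merchant"), Node("peer"), Node("miner")
    # Arrival order differs per node: only the merchant hears tx-merchant first.
    for node, order in ((merchant, (to_merchant, to_self)),
                        (peer, (to_self, to_merchant)),
                        (miner, (to_self, to_merchant))):
        for tx in order:
            node.receive(tx)
    confirmations = {txid: 1 for txid in miner.mempool}  # miner's view is mined
    return {"naive": naive_accept(to_merchant, merchant),
            "hardened": hardened_accept(to_merchant, [merchant, peer, miner], confirmations),
            "confirmed": sorted(confirmations)}
```

The naive policy hands over the goods even though only the wallet-bound transaction is ever confirmed, while the hardened policy reports the conflict before any confirmation arrives.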
What Characterizes This Attack?
In summary, this attack can be characterized by:
- Timing sensitivity – Malicious actors typically take advantage of the time it takes for blockchain transactions to be broadcast and confirmed.
- Network propagation – The attackers exploit the slight differences in the time it takes for different nodes to receive a block, which can lead to the acceptance of competing transactions.
- Double spending – The main goal of this attack is to spend the same coin twice, where the attacker uses the same funds for two separate transactions. One of them is confirmed, the other is invalidated, and the attacker benefits if the recipient of the invalidated transaction accepts it before it is invalidated.
Assume you’re a vendor selling the latest crypto-enabled smartphones and that you accept online payments. One of the buyers says that they’ve completed the transaction on their end and shows you an edited record of a previously successful transaction. Considering there may be some delay before you receive the transaction confirmation message, you give them the phone. However, you later realize that the buyer never actually sent the money.