The Double-Spend Problem

Physical Cash:
Alice has $10 bill → Gives to Bob → Alice has $0
                                    Bob has $10
Simple: The bill physically moved.

Digital "Cash" (naive approach):
Alice has file "10_dollars.dat" → Copies to Bob → Alice still has file!
                                                  Bob has file!
                                                  Both can spend it!

1. Alice has 10 BTC
2. Alice sends 10 BTC to Bob (Tx1) for goods
3. Alice creates another transaction sending 10 BTC to herself (Tx2)
4. If Alice can get Tx2 confirmed instead of Tx1...
5. Alice has goods AND 10 BTC!

Timeline:
─────────────────────────────────────────────────────────►
                                                      time
Alice broadcasts Tx1 to Bob
     │
     ├── Bob sees Tx1, ships goods
     │
     │   Meanwhile, Alice broadcasts Tx2 to miners
     │   │
     │   ├── Miners include Tx2 in block
     │   │
     │   └── Tx1 becomes invalid (double-spend detected)
     │
     └── Bob never gets paid!

Alice broadcasts Tx1 to merchant
Alice broadcasts Tx2 to miners (higher fee)
Miners prefer Tx2 → Tx1 never confirms

Attacker mines block with Tx2 (paying self)
Attacker sends Tx1 to merchant
Attacker releases pre-mined block
Tx2 confirms, Tx1 invalidated

Attacker mines private chain (without Tx1)
Tx1 confirms on public chain
Attacker releases longer private chain
Public chain reorganizes to attacker's version
Tx1 disappears from history

Mempool (unordered):
{Tx_A, Tx_B, Tx_C, Tx_D, Tx_E}

After block creation:
Block N: [Tx_A, Tx_C]
Block N+1: [Tx_B, Tx_E]
Block N+2: [Tx_D]

Any transaction spending the same UTXO/balance after
another is invalid—there's an objective "first."

Block 100 ─► Block 101 ─► Block 102 ─► Block 103
   │            │            │            │
   └────────────┴────────────┴────────────┘
   Each block hash includes previous block hash

To change Block 100:
1. Recalculate Block 100's hash
2. Recalculate Block 101's hash (it included old 100's hash)
3. Recalculate Block 102's hash
4. Recalculate Block 103's hash
5. Do all this faster than honest network extends the chain

Cost grows exponentially with depth

Honest mining is profitable:
- Block rewards (6.25 BTC ≈ $250,000 as of 2024)
- Transaction fees
- Predictable income

Attacking is expensive:
- Need >50% hash power
- Hardware costs billions
- Success crashes price (destroying your investment)
- Legal consequences

Rational actors choose honesty.

function assessRisk(confirmations: number, amount: number): string {
  // Risk decreases exponentially with confirmations
  // Higher amounts need more confirmations

  if (amount < 100) {
    // Small amount
    if (confirmations >= 1) return "low risk";
    return "wait for confirmation";
  }

  if (amount < 10000) {
    // Medium amount
    if (confirmations >= 3) return "low risk";
    if (confirmations >= 1) return "medium risk";
    return "high risk";
  }

  // Large amount
  if (confirmations >= 6) return "low risk";
  if (confirmations >= 3) return "medium risk";
  return "high risk—wait for more confirmations";
}

interface Transaction {
  hash: string;
  inputs: Array<{ txid: string; vout: number }>;
  timestamp: number;
}

class DoubleSpendMonitor {
  private knownSpends = new Map<string, Transaction>();

  checkTransaction(tx: Transaction): {
    safe: boolean;
    conflictingTx?: Transaction;
  } {
    for (const input of tx.inputs) {
      const spendKey = `${input.txid}:${input.vout}`;

      const existingTx = this.knownSpends.get(spendKey);
      if (existingTx && existingTx.hash !== tx.hash) {
        // Same input being spent by different transaction!
        return {
          safe: false,
          conflictingTx: existingTx,
        };
      }
    }

    // Record this transaction's spends
    for (const input of tx.inputs) {
      const spendKey = `${input.txid}:${input.vout}`;
      this.knownSpends.set(spendKey, tx);
    }

    return { safe: true };
  }
}

Bitcoin:
Transaction broadcast → Block mined → Confirmation
         ↓                  ↓              ↓
       0 sec              ~10 min        ~10 min

Window for attack: ~10 minutes

Solana:
Transaction broadcast → Processed → Confirmed → Finalized
         ↓                 ↓           ↓           ↓
       0 sec            ~400ms      ~400ms      ~12 sec

Window for attack: ~400 milliseconds

Two transactions spending from same account:
Tx1: Transfer 5 SOL from Alice to Bob
Tx2: Transfer 5 SOL from Alice to Carol

Processing:
1. Both arrive in same slot
2. Runtime sees conflict (same source account)
3. One executes, one fails
4. No double-spend possible

vs Bitcoin:
1. Both in mempool
2. Only one can be in a block
3. But which one is miner's choice
4. Race condition exists until confirmation

// Solana transaction validity
interface TransactionValidity {
  recentBlockhash: string; // Must be from last ~150 blocks
  lastValidBlockHeight: number; // Transaction expires after this
}

// If attacker tries to replay old transaction:
// - blockhash too old → rejected
// - nonce already used → rejected (for durable nonces)

Attack details:
- Attacker rented hash power
- Deposited BTG to exchanges
- Traded for other coins
- Released private chain (without deposits)
- Deposits disappeared
- Loss: ~$18 million

Lesson: Smaller networks with less hash power are vulnerable

Multiple 51% attacks:
- August 2020: ~$5.6 million double-spent
- Reorganized thousands of blocks
- Exchanges increased confirmation requirements

Lesson: Even top-20 coins can be attacked if hash rate is low

Variables:
- q: Attacker's fraction of hash power
- z: Number of confirmations
- P: Probability of successful double-spend

For Bitcoin (PoW):
P = 1                           if q > 0.5
P = (q/p)^z * Σ...              if q ≤ 0.5

where p = 1 - q (honest hash power)

Example probabilities for q = 0.3 (30% hash power):
z = 1:  45%
z = 2:  22%
z = 3:  11%
z = 4:  5%
z = 6:  1%

def is_attack_profitable(
    hash_power_fraction: float,
    target_amount: float,
    hardware_cost: float,
    electricity_cost_per_block: float,
    honest_mining_revenue_per_block: float,
    expected_blocks_to_attack: int
) -> dict:
    """
    Analyze whether a double-spend attack is economically rational.
    """
    # Opportunity cost: what attacker would earn mining honestly
    opportunity_cost = (
        honest_mining_revenue_per_block *
        expected_blocks_to_attack *
        hash_power_fraction
    )

    # Direct costs
    electricity = electricity_cost_per_block * expected_blocks_to_attack

    # Probability of success (simplified)
    success_prob = hash_power_fraction ** 2  # Very rough estimate

    # Expected value of attack
    expected_gain = target_amount * success_prob
    total_cost = opportunity_cost + electricity

    return {
        "expected_gain": expected_gain,
        "total_cost": total_cost,
        "profitable": expected_gain > total_cost,
        "break_even_amount": total_cost / success_prob
    }