A video sharing a potential double-spend exploit has gone viral on social media, and as a result Australian blockchain payments startup TravelbyBit is considering dropping on-chain bitcoin (BTC) and bitcoin cash (BCH) payments.
The video was published by Bitcoin Cash proponent Hayden Otto. It shows how, using a BTC feature known as replace-by-fee (RBF), he is able to double-spend bitcoin right after paying merchants who use TravelbyBit’s payment processing network to accept the cryptocurrency.
In the video Otto advises merchants to start accepting BCH, but TravelbyBit has indicated it believes the exploit could also be used on the bitcoin cash blockchain and, as a result, is considering dropping both payment methods.
Speaking to Australian news outlet Micky, Caleb Yeoh, TravelbyBit’s founder, initially said the firm would be “dropping both Bitcoin and Bitcoin Cash from the POS (Point of Sale)” but then revised his comments to say it will wait “until we see more attempted fraud.”
If we see more of this taking place we would have to drop Bitcoin and Bitcoin Cash on-chain transactions on all our merchants across Australia.
Yeoh added that both BTC and BCH, as well as “many other blockchains,” aren’t suitable for retail point of sale transactions as there are “trade-offs between user experience vs security.” TravelbyBit will nevertheless keep accepting BTC via its layer-two scaling solution, the Lightning Network (LN), as it isn’t affected by the exploit.
The Zero Confirmation Exploit
In the viral video, Otto simply uses a bitcoin wallet to double-spend funds right after making the first transaction, ensuring he can replace the initial transaction with a second one before the network confirms it.
To do this, he sets the fee on the initial transaction to a minimum, then pays a higher fee on a second transaction that sends the funds back to himself. Because the second transaction pays the higher fee, it will be validated first. This, BCH supporters allege, is possible thanks to RBF, which isn’t present on bitcoin cash.
At this very moment you can go and double spend $BTC at over 200 locations across Australia, thanks to @TravelbyBit powered by @Binance! https://t.co/a79ELQj3j3
— Hayden Otto (@haydenotto_) December 18, 2019
Bitcoin supporters who reacted to the video claim this isn’t an RBF problem, but a problem that involves accepting transactions that haven’t yet been confirmed by the network, known as zero confirmation transactions. This also affects the BCH network.
As one confirmation can take up to 10 minutes, businesses provide customers with a better experience by simply accepting zero confirmation transactions. The exploit was detailed in early December by Blockonomics founder and CEO Shiva S.
This involves a security trade-off that TravelbyBit’s founder claimed is covered by insurance the firm provides. Currently, the firm has 200 retail outlets listed on its website, but claims 400 merchants use its services.
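The trade-off described above can be expressed as a merchant-side acceptance check. The following is an added example, not code from TravelbyBit or the article: it flags an unconfirmed payment that signals replace-by-fee (BIP125) or pays a minimal fee, the two traits of the first transaction in the video. The dictionary shape, the `fee_sat` field, the function names and all thresholds are assumptions.

```python
# Added example: zero-confirmation risk check for a point-of-sale system.
# BIP125: a transaction opts in to replacement if any input has
# nSequence lower than 0xFFFFFFFE, i.e. at most 0xFFFFFFFD.
MAX_RBF_SEQUENCE = 0xFFFFFFFD

def signals_rbf(tx):
    """True if any input opts in to replace-by-fee under BIP125."""
    return any(vin["sequence"] <= MAX_RBF_SEQUENCE for vin in tx["vin"])

def fee_rate(tx):
    """Fee rate in satoshis per virtual byte."""
    return tx["fee_sat"] / tx["vsize"]

def assess_zero_conf(tx, amount_sat, min_fee_rate=5.0, max_zero_conf_sat=50_000):
    """Decide whether to hand over goods before the first confirmation.

    Returns (decision, reasons). The thresholds are assumed policy values,
    not recommendations taken from the article.
    """
    reasons = []
    if signals_rbf(tx):
        reasons.append("input signals replace-by-fee")
    if fee_rate(tx) < min_fee_rate:
        reasons.append("fee rate below floor")
    if amount_sat > max_zero_conf_sat:
        reasons.append("amount above zero-conf limit")
    return ("wait_for_confirmation" if reasons else "accept"), reasons

# Constructed sample transactions (not real network data).
LOW_FEE_RBF_TX = {   # minimal fee, replaceable: the pattern shown in the video
    "txid": "constructed-1", "vsize": 141, "fee_sat": 141,
    "vin": [{"sequence": 0xFFFFFFFD}],
}
FINAL_TX = {         # normal fee, does not signal replaceability
    "txid": "constructed-2", "vsize": 141, "fee_sat": 2820,
    "vin": [{"sequence": 0xFFFFFFFF}],
}

if __name__ == "__main__":
    for tx in (LOW_FEE_RBF_TX, FINAL_TX):
        print(tx["txid"], assess_zero_conf(tx, amount_sat=30_000))
```

A transaction that passes this check is still unconfirmed, so the check lowers the risk of accepting it without removing it.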
Successfully Double-Spending Funds
Speaking to Micky, Otto revealed he had used the exploit at three physical locations and on five online merchants using TravelbyBit’s payment processing solution, successfully double-spending funds numerous times.
Otto, who runs a rival payment processing solution that lets merchants accept BCH and currently has 20 retailers using it, said he returned the BTC to the merchants he used the exploit on, but pointed out the exploit was easy to use.
In response, Yeoh pointed out that double-spending is also possible on the BCH network, and that TravelbyBit’s POS system was a non-profit venture looking to boost cryptocurrency adoption.
As CryptoGlobe reported, Binance has invested $2.5 million into the company as it’s pushing user-friendly adoption at retail stores through its zero confirmation transactions.