An Australian crypto payments network will drop onchain BTC and BCH payments after a video showing an easy ‘double spend’ exploit went viral.
The video was published overnight and shows Bitcoin Cash proponent Hayden Otto using a double-spend exploit on Australian retailers who use TravelbyBit’s payment processing network to accept Bitcoin.
But TravelbyBit said it believes Bitcoin Cash is similarly vulnerable to double-spending attacks.
“We will be dropping both Bitcoin and Bitcoin Cash from the POS (Point of Sale),” founder Caleb Yeoh told Micky this morning.
However, he declined to give a timeframe, and later moderated his comments to say they will “wait until we see more attempted fraud.”
“If we see more of this taking place we would have to drop Bitcoin and Bitcoin Cash on-chain transactions on all our merchants across Australia,” he said.
“The truth is both Bitcoin and Bitcoin Cash and many other blockchains are not suitable for retail point of sale transactions. There are trade-offs between user experience vs security.”
Yeoh said TravelbyBit will still allow users to spend Bitcoin at retailers using the Lightning Network which is designed for instant retail payments and is not exposed to the same risk.
TravelbyBit has 200 retail outlets listed on its website but says that 400 merchants all use the service.
— Hayden Otto (@haydenotto_) December 18, 2019
Bitcoin double spend video goes viral
The exploit doesn’t require any technical expertise or equipment apart from a free app – an Electrum wallet (or two) – and a read of the blog post by Blockonomics founder and CEO Shiva S that detailed the exploit in early December.
Otto, CEO of BitcoinBCH.com, runs the competing Bitcoin Cash payment processing network HULA which currently has about 20 retailers and is aggressively targeting greater market share.
He told Micky he’d successfully used the exploit at three physical locations and on five online merchants that use TravelbyBit’s payment processing software.
It’s so quick and easy to do, he claimed, that he’d done it once more while speaking to Micky.com.au.
At its most basic, the exploit involves ‘paying’ a merchant who accepts Bitcoin with zero confirmations, but electing to use the lowest possible transaction fee.
This makes it appear to the merchant as if the transaction has been paid, so they hand over the goods.
The fraudster can then resend the Bitcoin back to themselves – and by electing to use a much higher fee, the second transaction overtakes the first, as higher-fee transactions are processed much faster by the network.
Merchants get the money back one way or another
There were at least a dozen posts about the video on Reddit and hundreds of comments discussing the exploit.
Otto returned the Bitcoin to the merchants after showing that the exploit worked – however, TravelbyBit said the retailers are insured against fraud in any case.
He also used the exploit on desktop and pointed out that if the Bitcoin network was congested, the double-spend exploit could be performed hours or even days later.
“You can pick any merchant, if they are on TravelbyBit, this exploit affects them,” said Otto today.
“I tried another one just now from my computer. They don’t seem to have disabled BTC or employed any further (Replace By Fee) RBF detection to detect this attack vector.”
“It allows you to replace transactions that you already broadcast to the network, with a new transaction that has a higher fee set. It even allows you to change the destination of the funds, which is even worse.”
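The RBF detection Otto refers to, combined with the low-fee condition described earlier, can be sketched as a check a point of sale runs before accepting a zero-confirmation payment. This is an added example, not code from TravelbyBit, Blockonomics or the original article; it assumes transactions decoded into dicts shaped like Bitcoin Core's decoderawtransaction output, and the mempool lookup table, the fee argument and the MIN_FEERATE threshold are hypothetical.

```python
# Added example: BIP125 replaceability and fee-rate screen for zero-conf payments.
# Transactions are dicts shaped like Bitcoin Core's decoderawtransaction output;
# `mempool`, `fee_sat` and MIN_FEERATE are assumptions of this sketch.
MAX_BIP125_SEQUENCE = 0xFFFFFFFD   # an input with nSequence <= this signals opt-in RBF
MIN_FEERATE = 5.0                  # sat/vB floor chosen by the merchant (assumed policy value)

def signals_rbf(tx):
    """Explicit signalling: any input with nSequence below 0xfffffffe."""
    return any(vin["sequence"] <= MAX_BIP125_SEQUENCE for vin in tx["vin"])

def replaceable(tx, mempool, _seen=None):
    """BIP125: replaceable if it signals, or if any unconfirmed ancestor does."""
    seen = _seen if _seen is not None else set()
    if tx["txid"] in seen:          # already walked this ancestor
        return False
    seen.add(tx["txid"])
    if signals_rbf(tx):
        return True
    # Only parents still in the mempool are unconfirmed and can be replaced.
    parents = (mempool[v["txid"]] for v in tx["vin"] if v["txid"] in mempool)
    return any(replaceable(p, mempool, seen) for p in parents)

def zero_conf_risks(tx, fee_sat, mempool):
    """Return reasons to wait for a confirmation before releasing goods."""
    risks = []
    if signals_rbf(tx):
        risks.append("signals-rbf")
    elif replaceable(tx, mempool):
        risks.append("inherits-rbf-from-unconfirmed-parent")
    if fee_sat / tx["vsize"] < MIN_FEERATE:
        risks.append("low-feerate")
    return risks

# Constructed sample data (not real transactions).
PARENT = {"txid": "aa" * 32, "vsize": 141,
          "vin": [{"txid": "00" * 32, "vout": 0, "sequence": 0xFFFFFFFD}]}
CHILD = {"txid": "bb" * 32, "vsize": 110,
         "vin": [{"txid": "aa" * 32, "vout": 0, "sequence": 0xFFFFFFFF}]}
FINAL = {"txid": "cc" * 32, "vsize": 200,
         "vin": [{"txid": "11" * 32, "vout": 1, "sequence": 0xFFFFFFFE}]}
MEMPOOL = {t["txid"]: t for t in (PARENT, CHILD, FINAL)}

if __name__ == "__main__":
    for tx, fee in ((PARENT, 141), (CHILD, 2200), (FINAL, 4000)):
        print(tx["txid"][:8], zero_conf_risks(tx, fee, MEMPOOL))
```

A clean result is not proof of finality: a transaction that does not signal can still be displaced by a conflicting one that reaches a miner first, so this check lowers zero-confirmation risk rather than removing it.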
Double spending is also possible on BCH
Bitcoin Cash does not have Replace By Fee but a similar exploit is possible, though it is not as easily mounted.
“As to Mr Otto’s views that Bitcoin Cash is somehow magically different you can see stats on double spending on Bitcoin Cash here,” said Yeoh.
Caleb Yeoh pointed out that TravelbyBit’s POS system was a non-profit venture, which is simply trying to boost adoption.
That’s why Binance invested $3.5 million into the company.
“Because Travelbybit is trying to push user-friendly adoption we do take zero confirmations for both Bitcoin and BCH and insure the merchants from losses,” he said, pointing out that making users wait 10 minutes for a Bitcoin confirmation was not feasible in retail situations.
“To continue to allow users to have the freedom to spend different currencies and to bridge the crypto adoption gap Travelbybit and Binance also announced plans last month to launch a crypto-backed travel rewards debit card.”
The card enables users to use their crypto for purchases from any merchant in Australia.