Conspiracy against “instant” Bitcoin transactions: RBF, CPFP and Scorched Earth

Last updated on September 8th, 2015 at 12:10 pm

Everyone assumes that Bitcoin transactions are instantaneous, and for most of Bitcoin’s history this was practically true – you could assume this without much risk. However, if we look a little deeper, we see that this cannot be the reality for long.

What is double spend?

Which of the following transactions would likely require the least fees?The “double spend” is the big technical challenge that Bitcoin solved for decentralized systems. As with every digital file, it is practically impossible to give it value, which can be exchanged since computers can copy-paste so easily.

If we imagine Bitcoin transactions like a cheque, which specifies where the money is coming from and where it is going (along with a cryptographic signature), we can all easily verify this information – it is its inclusion in the Bitcoin blockchain that makes this cheque actually valid.

Since one can sign thousands of these cheques all using the same money, all the cheques will bounce except for the one that is included in the blockchain. This is the transition from a zero-confirmation transaction to a confirmed transaction. On the other side, the conflicting transactions using the same coins more than once are called double spends.

At the moment, and according to the Bitcoin network’s current behavior, the first transaction to be seen will be the one to be included in the blockchain. This is easy and comfortable. Miners would throw away conflicting transactions, so the moment you see a valid transaction in the network (which is instant) you could assume that it will not be double spent and eventually included in the blockchain (not instant).

Is it recommended to rely on this?

I have been recommending to rely on zero-confirmation transactions, but for small transactions only. For the sake of small transactions, an attacker planning to commit fraud on a zero-confirmation transaction would have to orchestrate a complex attack, probably requiring some element of manipulation or bribery, and this is extremely unlikely to happen when small transactions are at stake, like purchasing coffee or a laptop.

However, the reality is that zero-confirmation transactions aren’t “blessed” by the blockchain and, therefore, don’t get all the promises that Bitcoin offers since they are potentially “reversible” (until they get confirmations).

So does this mean that Bitcoin transactions cannot be both irreversible and instant? The short answer is “true”: standard Bitcoin transactions do not enjoy both these properties at once. The longer answer is obviously more complicated.

Child-Pays-For-Parent (CPFP) vs. Replace-By-Fee (RBF)

Bitcoin-Mining-630x3501As we know, miners are responsible for including transactions into the blockchain, and in return they receive the transaction fees, as well as receiving the block reward for mined blocks (minting new coins) granted straight from the protocol.

If we assume that miners would prioritize profits, we can assume that a smart miner will include non-profitable transactions (fee-less transactions) if they are linked to transactions with enough fees to cover profits for both transactions.

For example, if I’m paying a business and they know that the fee is too small, they can take those coins and send them to another address with a new transaction that has double the fee. This means the miner will understand that he or she can only get the double fee if he or she includes the first transaction in the process.

This method of giving a profit motive to miners for accepting transactions is called “Child Pays For Parent” (CPFP), and we can assume that at some point miners will behave like this reliably.  This allows to solve certain fee problems such as allowing the receiving end of payments to pay for the transaction fee, and generally ensuring that certain transactions get included into the blockchain.

This allows for the receiving end to motivate miners to confirm a specific transaction. However, the sender can also motivate miners to confirm a specific transaction by using a double spend that has a higher fee. After all, it is just as reasonable to assume that miners will choose higher-fee double spends. This is called “Replace By Fee” (RBF), which is valid and legitimate according to the protocol, and is contradictory to the recommendation to rely on zero-confirmation transactions. This also allows to solve certain fee problems, such as allowing the sender to cancel or fix transactions (as long as they are still unconfirmed in the blockchain).

As of now, miners don’t really behave like this and so you can still assume that most small zero-confirmation transactions are safe. However, there is no way to promise that this will remain the case over time.

Wait… If both the sender and the receiving end can independently motivate miners to confirm specific transactions, who wins? The double spend or the original transaction?

Scorched Earth

If we combine both these concepts, which are both legitimate and perhaps even anticipated, we get to a slightly weird conclusion: neither the sender nor the receiving end wins. Only the miners do. As mentioned, all these profit motives are done by increasing the fee that the miner expects to receive from a certain transaction, and therefore every time the sender or the receiving end try to motivate the miner, the fee rises and the miner profits.

Let’s try an example.

Let’s assume Bob wants to cancel a transaction of one mBTC he sent to Alice, but Alice wants to ensure the transaction goes through. Originally Bob didn’t even add a fee and Alice’s wallet realizes this so it automatically uses CPFP and adds double the fee (0.2 mBTC fee, assuming the standard fee is 0.1 mBTC).

When the miners see this second transaction, they will want to include the original transaction because it’s the only way to get the double fee. Bob wants to cancel this , so he uses RBF and creates a new conflicting transaction which sends the original one mBTC back to him, except with a 0.3 mBTC fee. Since fees are taken out of the total Alice is actually willing to compromise and get only 0.8 mBTC and pay 0.2 mBTC to the miners, while Bob is willing to get only 0.7 mBTC (with 0.3 mBTC used as fees).

A miner who is looking at this will see one set of transactions that will net him 0.2 mBTC in fees, and another transaction that will net him 0.3 mBTC in fees, and will probably want to confirm Bob’s transaction. Alice knows this and creates a new CPFP transaction with a higher fee of 0.4 mBTC. After all, it’s better to get the leftover 0.6 mBTC than to get nothing. Bob goes ahead and raises his RBF to 0.5 mBTC. As you can imagine this will continue until Bob offers 0.9 mBTC in fees, while getting back only 0.1 mBTC. Alice, now extremely furious, will offer a new transaction with no leftover and the full one mBTC as fees for the miners just to spite Bob.

This whole fee race has caused Alice and Bob to burn through all the money and use it as fees until no change was left. Everyone acted rationally and expectedly. Who wins? The miner, who got the entire transaction as a fee instead of the small standard fee. And here we get to what has been called the “Scorched Earth” of zero-confirmation transactions.

Well, it is for this reason and others that unconfirmed transactions are not considered safe, especially as compared with transactions that have many confirmations. Although this isn’t the reality today, all this is valid and legitimate according to the protocol and does not require anything to happen, except that miners start acting more “rationally” and prioritize profits.

No such thing as “instant” Bitcoin transactions?

In the world of traditional money, instant transactions can only happen with cash in-person, or with a third party. Bitcoin is designed to eliminate the need for third parties, and even though we can anticipate Scorched Earth, it turns out that instant transactions are still possible without third parties, but not with the standard Bitcoin transactions.

blockchain futurePayment channels are another concept that can theoretically allow instant or high frequency transactions, and actually utilizes the fact that you can sign transactions without necessarily broadcasting them to be included in the blockchain immediately.

These ideas along with other off-chain solutions typically require “locking” funds in advance, but they could offer cheaper fees, instant transactions and generally higher flexibility, all while being trustless without third parties.

In conclusion, standard Bitcoin transactions are not blessed to be instant, at least not by the protocol. However, non-standard Bitcoin transactions such as off-chain payment channels can be instant, and perhaps offer even more than standard transactions do.

Ariel Horwitz

Ariel Horwitz is a Bitcoin activist, educator, and consultant. He has been involved with the Israeli Bitcoin Association, The Bitcoin Embassy in Tel Aviv, and has founded AlefBit - the first Bitcoin education website in Hebrew.

Comments are closed.