Race attack

A race attack, also known as a double-spending attack, is a type of attack on a blockchain network where an attacker attempts to spend the same cryptocurrency asset twice. The attack works by broadcasting two conflicting transactions simultaneously — one to a merchant or recipient, and one back to an address controlled by the attacker. Because blockchain transactions require time to be confirmed by miners, there is a brief window during which an unconfirmed transaction can be replaced by a competing one. The attacker hopes that the fraudulent return transaction will be confirmed before the legitimate payment to the merchant.

Race attacks are most threatening in scenarios where a merchant accepts zero-confirmation transactions — that is, transactions that have been broadcast to the network but not yet included in a block. This can happen in retail settings where speed is prioritized over security, such as accepting payment for goods at a point of sale. If the attacker's conflicting transaction reaches enough miners first, the merchant's transaction will be orphaned, and the attacker effectively receives the goods without ever parting with their funds.

The best defense against race attacks is to wait for one or more block confirmations before considering a transaction final. Each subsequent confirmation exponentially increases the cost and difficulty of reversing the transaction, as an attacker would need to outpace the entire network's hashing power. For Bitcoin, one confirmation is generally sufficient for small transactions, while larger, high-value transactions typically require six or more confirmations for strong security guarantees. Automated trading systems and payment processors should always incorporate confirmation depth checks before releasing goods or services.