A cryptocurrency ATM utilizing zero-confirmations was attacked via double-spends over 112 times in Calgary, Toronto, Montreal, Ottawa, Winnipeg, Hamilton and Sherwood Park across Canada.
There are currently four suspects that carried out the attacks around September 2018 that resulted in a loss of about $198,000 to the crypto ATM company. The reliance on zero-confirmations is a convenience so merchants and consumers do not have to wait for the recommended six confirmations, which could take over an hour on some blockchains. However, the risk is that individuals will take advantage of this by “double-spending” a transaction to make their first transaction invalid, while still receiving the goods/services from the merchant, which is cash in this case.
To a degree, zero-confirmations rely on the lack of economic incentives to conduct a computationally intensive attack for small rewards of stealing from merchants, but this logic does not necessarily hold true for larger merchants, such as crypto ATMs in this instance.
Merchants looking for solutions
Zero-confirmations are not conducive to merchants that sell higher priced items or do not deal in repeat businesses since this raises the risk of a successful double-spend attack. For example, a restaurant owner should easily be able to accept a zero-confirmation transaction since the consumer is most likely going to stay in the restaurant until the merchant can tell if there were additional confirmations or not. Plus, restaurants usually have repeat customers and build a degree of trust that the consumer is not going to steal from them. However, merchants such as car dealerships, ATMs, large electronics, etc have much higher priced products that consumers do not buy often and can easily steal. Thus, these merchants have to be careful to confirm their payments were received and when zero-confirmation are the solution to slow transactions, more confidence requires waiting for six or more transaction confirmations.
Zero-confirmations can be compared to credit card chargebacks since these plague merchants with lost revenue and lost product inventory, and sometimes even falsely. Expensive chargebacks are usually low probability, but high cost so merchants often want to minimize these as much as possible. Thus, moving from accepting credit cards that allow chargebacks to zero-confirmation cryptocurrencies that allow double-spend attacks is actually not a hugely visible move from the merchants’ viewpoint.
Dash provides solution with InstantSend
Dash is able to solve this problem with InstantSend that leverages the Masternode network to lock in transactions in less than two seconds for less than a penny since it is now becoming automatic with version 0.13. Thus, merchants are simultaneously able to fully and quickly process consumers’ orders without having a fear of being at risk of a double-spend attack. InstantSend is already providing a real-time solution for crypto vending machines since consumers want their drink/snack immediately and merchants do not want to be ripped off. This latest vulnerability of other cryptocurrencies illustrates Dash’s commitment to a fast, inexpensive, secure, decentralized, and everyday digital cash.