An Australian crypto payments network will drop onchain BTC and BCH payments after a video showing an easy ‘double spend’ exploit went viral.
Unfortunately for Bitcoin Cash proponent Hayden Otto – who made the video to extol the virtues of BCH – TravelbyBit said it will also drop support for Bitcoin Cash which it believes is similarly vulnerable to double spending attacks.
“We will be dropping both Bitcoin and Bitcoin Cash from the POS (Point of Sale),” founder Caleb Yeoh told Micky this morning.
However he declined to give a timeframe, and later moderated his comments to say they will “wait until we see more attempted fraud.”
“If we see more of this taking place we would have to drop Bitcoin and Bitcoin Cash on-chain transactions on all our merchants across Australia,” he said.
“The truth is both Bitcoin and Bitcoin Cash and many other blockchains are not suitable for retail point of sale transactions. There are trade-offs between user experience vs security.”
Yeoh said TravelbyBit will still allow users to spend Bitcoin at retailers using the Lightning Network.
However Lightning Network transactions account for just 3% of the total value on TravelbyBit.
TravelbyBit has 200 retail outlets listed on its website but says that 400 merchants all up use the service.
Bitcoin double spend video goes viral
The video was published overnight and shows Otto using a double spend exploit on Australian retailers who use TravelbyBit’s payment processing network.
The only thing required for the attack is a free app – an Electrum wallet (or two) – and to read Blockonomics founder and CEO Shiva S’s blog that detailed the exploit in early December.
Otto, CEO of BitcoinBCH.com, runs the competing Bitcoin Cash payment processing network HULA which currently has about 20 retailers and is aggressively targeting greater market share.
He told Micky he’d successfully used the exploit at three physical locations and on five online merchants that use TravelbyBit’s payment processing software.
The exploit is so quick and easy to do, he claimed, that he had done it once more while speaking to Micky.com.au.
At its most basic, the exploit involves ‘paying’ a merchant who accepts Bitcoin with zero confirmations, but electing to use the lowest possible transaction fee.
This makes it appear to the merchant as if the transaction has been paid, so they hand over the goods.
The fraudster can then resend the Bitcoin back to themselves – and by electing to use a much higher fee the second transaction overtakes the first, as higher-fee transactions are processed much faster by the network.
Merchants get the money back one way or another
There were at least a dozen posts about the video on Reddit and hundreds of comments discussing the exploit.
Otto returned the Bitcoin to the merchants after demonstrating that the exploit worked – however TravelbyBit said the retailers are insured against fraud in any case.
He also used the exploit on desktop and pointed out that if the Bitcoin network was congested, the double spend exploit could be performed hours or even days later.
“You can pick any merchant, if they are on TravelbyBit, this exploit affects them,” said Otto today.
“I tried another one just now from my computer. They don’t seem to have disabled BTC or employed any further (Replace By Fee) RBF detection to detect this attack vector.”
“It allows you to replace transactions that you already broadcast to the network, with a new transaction that has a higher fee set. It even allows you to change the destination of the funds, which is even worse.”
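The low-fee, zero-confirmation payment and the RBF detection Otto refers to can both be checked on the merchant side before goods are released. The following is an added example, not code from TravelbyBit or from the original article: the function names, the fee floor and the sample transactions are assumptions constructed for illustration, and the opt-in threshold is the one defined in BIP125.

```python
import struct

BIP125_MAX_SIGNAL = 0xFFFFFFFD  # an input nSequence at or below this opts in to replacement

def _varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def input_sequences(raw_hex):
    """Return the nSequence of every input in a serialized transaction."""
    buf = bytes.fromhex(raw_hex)
    pos = 4                                   # skip the version field
    if buf[pos] == 0x00 and buf[pos + 1] == 0x01:
        pos += 2                              # skip the segwit marker and flag
    count, pos = _varint(buf, pos)
    seqs = []
    for _ in range(count):
        pos += 36                             # previous txid + output index
        script_len, pos = _varint(buf, pos)
        pos += script_len                     # scriptSig
        seqs.append(struct.unpack_from("<I", buf, pos)[0])
        pos += 4
    return seqs

def zero_conf_risks(raw_hex, fee_sat, vsize, floor_sat_per_vb):
    """List reasons to wait for a confirmation before releasing goods.

    Does not inspect unconfirmed ancestors, which can also make a
    transaction replaceable under BIP125.
    """
    risks = []
    if any(s <= BIP125_MAX_SIGNAL for s in input_sequences(raw_hex)):
        risks.append("signals-rbf")
    if fee_sat / vsize < floor_sat_per_vb:    # floor is a merchant policy choice (assumed)
        risks.append("fee-below-floor")
    return risks

def _sample_tx(sequence):
    """Constructed 60-byte sample (not a real transaction): one input, one output."""
    return ("01000000" "01" + "aa" * 32 + "00000000" "00"
            + struct.pack("<I", sequence).hex()
            + "01" "1027000000000000" "00" "00000000")

LOW_FEE_RBF = _sample_tx(0xFFFFFFFD)   # signals replaceability
FINAL_TX = _sample_tx(0xFFFFFFFF)      # does not signal
```

An empty result only means neither warning sign is present; the payment is still unconfirmed and, as the BCH discussion below shows, a double spend remains possible without RBF.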
Double spending is also possible on BCH
Bitcoin Cash does not have Replace By Fee but a similar exploit is possible, though it is not as easily mounted.
“As to Mr Otto’s views that Bitcoin Cash is somehow magically different you can see stats on double spending on Bitcoin Cash here,” said Yeoh.
Caleb Yeoh pointed out that TravelbyBit’s POS system was a non profit venture, which is simply trying to boost adoption.
That’s why Binance invested $3.5 million into the company.
“Because Travelbybit is trying to push user friendly adoption we do take zero confirmations for both Bitcoin and BCH and insure the merchants from losses,” he said, pointing out that making users wait 10 minutes for a Bitcoin confirmation was not feasible in retail situations.
“To continue to allow users to have the freedom to spend different currencies and to bridge the crypto adoption gap Travelbybit and Binance also announced plans last month to launch a crypto-backed travel rewards debit card.”
The card enables users to use their crypto for purchases from any merchant in Australia.
The post 400 Aussie merchants to drop Bitcoin after viral exploit video appeared first on Micky.