Papers
Topics
Authors
Recent
Search
2000 character limit reached

On-Spend Attacks: Analysis & Defenses

Updated 2 July 2026
  • On-spend attacks are adversarial strategies that allow spending the same digital asset twice by exploiting protocol, network, and implementation weaknesses.
  • Mathematical models and empirical studies quantify success probabilities and profitability, emphasizing the roles of confirmation depth and resource distribution.
  • Defense strategies involve increasing confirmation thresholds, robust network monitoring, and economic incentive engineering to mitigate double-spend vulnerabilities.

On-spend attacks, also known as double-spend attacks, constitute a class of adversarial strategies that allow an attacker to spend the same digital asset more than once in a distributed ledger or payment protocol. These attacks exploit synchrony gaps, consensus protocol weaknesses, implementation defects, or economic misalignments to subvert the intended invariants of asset transfer and settlement. The following review synthesizes theoretical and empirical results from state-of-the-art academic research, emphasizing mathematical characterization, attack methodologies, and defense strategies across PoW, PoS, BFT, and cross-layer/web payment protocols.

1. Models and Fundamental Mechanisms

The canonical on-spend attack in Proof-of-Work (PoW) blockchains is the private double-spend, in which an attacker with hash power fraction α<0.5\alpha < 0.5 secretly mines a competing chain that reverses a transaction after its apparent confirmation. The probability of success and profitability are tied to kk-confirmation security (where kk is the number of confirmations merchants wait), attacker resources, and protocol dynamics.

Mathematically, the probability that an attacker overtakes nn confirmation blocks is given by the infinite-sum Poisson-Gambler’s ruin formula: Psucc(q,n)=k=0λkeλk![1i=0n1(k+i1i)qi(1q)k]withλ=nq1qP_{\mathrm{succ}}(q,n) = \sum_{k=0}^\infty \frac{\lambda^k e^{-\lambda}}{k!} \Bigl[\,1 - \sum_{i=0}^{n-1} \binom{k+i-1}{i} q^i (1-q)^k \Bigr] \qquad\text{with}\quad \lambda = n \frac{q}{1-q} where qq is the attacker’s hash-fraction and (1q)(1-q) the honest hash-fraction (Ozisik et al., 2017). More detailed models incorporate finite cut-off times, explicit cost structures, and synchronization delays (Jang et al., 2019, Grunspan et al., 2019, Bissias et al., 2016).

On-spend attacks also exploit network partitioning, as in the Balance Attack, where an adversary controlling fraction α0.5\alpha \ll 0.5 induces temporary network splits and leverages the resulting consistency split to reorder or remove on-chain transactions with high probability (Natoli et al., 2016, Ekparinya et al., 2018). Non-consensus-plane attacks, such as web-layer timing mismatches and VM non-determinism, create equivalent semantics at the boundary between web APIs and async on-chain settlement (Li et al., 12 May 2026, Peng et al., 2018).

2. Variants and Attack Methodologies

2.1 Blockchain Consensus-Level Attacks

  • Classic private double-spend: Attacker withholds blocks, waits for a transaction to achieve kk confirmations, and then publishes a longer branch excluding the transaction, invalidating the recipient’s payment (Ozisik et al., 2017, Bissias et al., 2016).
  • Balance Attack: Network is partitioned into k2k\geq 2 subgroups of miners with near-equal hash-rate; the attacker delays inter-subgraph communication for kk0 seconds and mines on both sides. Upon reconnection, by exceeding the block-gap kk1 between subgroups, the attacker replaces the canonical chain with a privately-constructed one, triggering reorg and triggering a double-spend (Natoli et al., 2016, Ekparinya et al., 2018).
  • Stubborn/selfish double-spend: Mining pools use “stubbornness” strategies—matching or withholding blocks to optimize the probability and profitability of both double-spending and mining rewards, parameterized by the stubbornness level kk2 and confirmation rule kk3 (Doger et al., 6 Jan 2025).

Proof-of-Stake and BFT-based protocols are exposed to reorg and equivocation attacks below classical “Byzantine” threshold (e.g., sub-1/3 in ETH 2.0). In Ethereum 2.0, withholding blocks and attestations enables sub-1/3 attackers to induce short-range reorgs and delay finality, directly enabling profitable double-spends or deterministic front-running (Neuder et al., 2021).

2.3 Layer/Implementation and Web-Surface On-Spend Attacks

Several attacks exploit implementation or integration flaws:

  • VM divergence: Smart contract interpreters with differing memory safety, uninitialized reads, or inconsistent standard-library semantics enable forks that are exploitable for double-spend (Peng et al., 2018).
  • HTTP–chain boundary and web-layer attacks: Payment protocols such as x402 reveal cross-layer TOCTTOU vulnerabilities (e.g., granting resource access on mempool inclusion, failing to bind HTTP headers to on-chain settlement), replay attacks (idempotency failures), and cache leaks that all allow on-spend scenarios in web payments and API clients (Li et al., 12 May 2026).

3. Success Probability, Profitability, and Risk Quantification

3.1 Success Probability

  • Classic PoW (Nakamoto): kk4. For kk5, kk6, success probability falls to kk7, rationalizing “six confirmations” as a standard (Ozisik et al., 2017).
  • Balance Attack (PoW with partition): Chernoff bound (for kk8 partitions)

kk9

Required partition time falls steeply with kk0; in R3 consortium (Ethereum-private) with kk1, success probability approaches kk2 after kk3 minutes (Natoli et al., 2016, Ekparinya et al., 2018).

  • Finite-time Poisson model: The attack remains profitable for kk4 if and only if the expected reward (including block rewards and stolen value) exceeds the expected cost within finite attempt duration kk5 (Jang et al., 2019). For sub-majority adversaries, as kk6, kk7 and the attack becomes unprofitable.

3.2 Profit Maximization

Attackers weigh expected revenue from blocked funds, mining rewards, and transaction value against the rental or operational cost of mining. The point of profitability is when

kk8

Solving for the break-even spend kk9 yields formulae in terms of attacker hash-rate, block-reward, and confirmation depth (Grunspan et al., 2019, Bissias et al., 2016, Jang et al., 2019).

  • Attack optimization: The threshold at which an attacker can double-spend at zero mining cost corresponds to maximizing their stubbornness nn0 such that nn1. Merchant-set confirmation rules must satisfy nn2 to preclude risk-free attacks (Doger et al., 6 Jan 2025).

3.3 Empirical Characterization

  • Private/Public/Consortium Chains: BGP hijacking enables efficient partitions in consortium blockchains, while ARP spoofing attacks local/private setups—leading to nn3 double-spend success in nn4 minutes for both (Ekparinya et al., 2018).
  • Web-layer Protocols: In x402, revert-grant attacks yield unpaid service rates up to nn5 under nn6, and 100% under a Byzantine facilitator (Li et al., 12 May 2026).

4. Defenses and Protocol Mitigations

4.1 Protocol and Network-Level

  • Increasing confirmation depth nn7: Secure against larger attackers and higher-value transactions.
  • Delayed response/Two-phase commit: Deny service granting until transaction confirmation finality (nn8) at the settlement layer (Li et al., 12 May 2026).
  • Network monitoring and peer-diversity: Detect and respond to partitioning, BGP hijacks, or ARP spoofing (Ekparinya et al., 2018).

4.2 Incentive and Reward Engineering

  • Adversary-aware block assembly: Miners compute the adversary’s break-even point for double-spend profit nn9 and cap transaction-value per block at Psucc(q,n)=k=0λkeλk![1i=0n1(k+i1i)qi(1q)k]withλ=nq1qP_{\mathrm{succ}}(q,n) = \sum_{k=0}^\infty \frac{\lambda^k e^{-\lambda}}{k!} \Bigl[\,1 - \sum_{i=0}^{n-1} \binom{k+i-1}{i} q^i (1-q)^k \Bigr] \qquad\text{with}\quad \lambda = n \frac{q}{1-q}0, neutralizing the economic incentive for sub-majority adversaries (Georghiades et al., 2023). This approach is shown to succeed at Psucc(q,n)=k=0λkeλk![1i=0n1(k+i1i)qi(1q)k]withλ=nq1qP_{\mathrm{succ}}(q,n) = \sum_{k=0}^\infty \frac{\lambda^k e^{-\lambda}}{k!} \Bigl[\,1 - \sum_{i=0}^{n-1} \binom{k+i-1}{i} q^i (1-q)^k \Bigr] \qquad\text{with}\quad \lambda = n \frac{q}{1-q}1 attacker hash-rate for Psucc(q,n)=k=0λkeλk![1i=0n1(k+i1i)qi(1q)k]withλ=nq1qP_{\mathrm{succ}}(q,n) = \sum_{k=0}^\infty \frac{\lambda^k e^{-\lambda}}{k!} \Bigl[\,1 - \sum_{i=0}^{n-1} \binom{k+i-1}{i} q^i (1-q)^k \Bigr] \qquad\text{with}\quad \lambda = n \frac{q}{1-q}2-confirmation Bitcoin workloads.
  • On-demand counterattack: If merchants or exchanges can credibly commit to rent Psucc(q,n)=k=0λkeλk![1i=0n1(k+i1i)qi(1q)k]withλ=nq1qP_{\mathrm{succ}}(q,n) = \sum_{k=0}^\infty \frac{\lambda^k e^{-\lambda}}{k!} \Bigl[\,1 - \sum_{i=0}^{n-1} \binom{k+i-1}{i} q^i (1-q)^k \Bigr] \qquad\text{with}\quad \lambda = n \frac{q}{1-q}3 worth of hash-power (with Psucc(q,n)=k=0λkeλk![1i=0n1(k+i1i)qi(1q)k]withλ=nq1qP_{\mathrm{succ}}(q,n) = \sum_{k=0}^\infty \frac{\lambda^k e^{-\lambda}}{k!} \Bigl[\,1 - \sum_{i=0}^{n-1} \binom{k+i-1}{i} q^i (1-q)^k \Bigr] \qquad\text{with}\quad \lambda = n \frac{q}{1-q}4 the value at risk, Psucc(q,n)=k=0λkeλk![1i=0n1(k+i1i)qi(1q)k]withλ=nq1qP_{\mathrm{succ}}(q,n) = \sum_{k=0}^\infty \frac{\lambda^k e^{-\lambda}}{k!} \Bigl[\,1 - \sum_{i=0}^{n-1} \binom{k+i-1}{i} q^i (1-q)^k \Bigr] \qquad\text{with}\quad \lambda = n \frac{q}{1-q}5 rental price per share), the threat of counter-reorg provably deters any initial double-spend attempt (Moroz et al., 2020).

4.3 Implementation Fixes and Cross-Layer Hygiene

  • Deterministic VM execution/log hashing: Record and hash the sequence of database writes in each block header; full node replay checks for divergence, preventing all non-determinism-induced double-spends (Peng et al., 2018).
  • Memory safety and library unification: Harden runtime environments, enforce all cryptographic parameter checks, and prevent function/library drift between node implementations.
  • HTTP-chain atomicity: Bind crucial grant decisions (idempotency, resource, facilitator) atomically to settlement events, avoid cache-based content leaks, require authenticated discovery, and validate input metadata in web protocols (Li et al., 12 May 2026).

5. Taxonomy and Cross-Disciplinary Synthesis

Attack Classifications

Root Cause Example Exploits Mitigation Direction
Insufficient verification/binding Merkle-leaf duplication (NEO) Bind all data, no duplicated leaves
VM execution non-determinism EOS grow_memory bug Log-hash writes, standardized runtimes
Consensus protocol-level forks PoW reorg, stake-based reorgs Raise Psucc(q,n)=k=0λkeλk![1i=0n1(k+i1i)qi(1q)k]withλ=nq1qP_{\mathrm{succ}}(q,n) = \sum_{k=0}^\infty \frac{\lambda^k e^{-\lambda}}{k!} \Bigl[\,1 - \sum_{i=0}^{n-1} \binom{k+i-1}{i} q^i (1-q)^k \Bigr] \qquad\text{with}\quad \lambda = n \frac{q}{1-q}6, BFT checkpointing, fines
Web/protocol surface inconsistencies x402 TOCTTOU, replay, cache leak Two-phase commit, binding, header hygiene

Design Principles

  • Disallow any unseeded non-deterministic or system-dependent behavior in contract execution.
  • Bind every bit of transaction and authorization data in the hash committed to consensus.
  • Require explicit atomicity at all cross-layer security boundaries.
  • Monitor and restrict attacks at the discovery, network, and consensus layers, not just at settlement.
  • Incentivize or enforce adversary-aware behavior in block construction, shifting economic defense from merchants to protocol-level consensus (Georghiades et al., 2023).

6. Emerging Directions and Case Studies

Numerous results confirm the relevance and sophistication of modern on-spend attacks:

  • In proof-of-work, attackers with even Psucc(q,n)=k=0λkeλk![1i=0n1(k+i1i)qi(1q)k]withλ=nq1qP_{\mathrm{succ}}(q,n) = \sum_{k=0}^\infty \frac{\lambda^k e^{-\lambda}}{k!} \Bigl[\,1 - \sum_{i=0}^{n-1} \binom{k+i-1}{i} q^i (1-q)^k \Bigr] \qquad\text{with}\quad \lambda = n \frac{q}{1-q}7 can achieve Psucc(q,n)=k=0λkeλk![1i=0n1(k+i1i)qi(1q)k]withλ=nq1qP_{\mathrm{succ}}(q,n) = \sum_{k=0}^\infty \frac{\lambda^k e^{-\lambda}}{k!} \Bigl[\,1 - \sum_{i=0}^{n-1} \binom{k+i-1}{i} q^i (1-q)^k \Bigr] \qquad\text{with}\quad \lambda = n \frac{q}{1-q}8 success on small consortium chains for modest partition times, while large public networks like Bitcoin require prohibitive delay durations for comparable risk (Natoli et al., 2016, Ekparinya et al., 2018).
  • Sub-majority attackers are profitable in Bitcoin at 6 confirmations only if they control at least Psucc(q,n)=k=0λkeλk![1i=0n1(k+i1i)qi(1q)k]withλ=nq1qP_{\mathrm{succ}}(q,n) = \sum_{k=0}^\infty \frac{\lambda^k e^{-\lambda}}{k!} \Bigl[\,1 - \sum_{i=0}^{n-1} \binom{k+i-1}{i} q^i (1-q)^k \Bigr] \qquad\text{with}\quad \lambda = n \frac{q}{1-q}9 of hash power given actual block-value turnover (Georghiades et al., 2023).
  • In distributed agentic payment protocols (e.g., x402), the attack surface includes cross-layer, web-API, and semantic inconsistencies absent from blockchain-only protocols, with measured attack success rates exceeding qq0 in realistic adverse settings (Li et al., 12 May 2026).
  • The optimal level of stubbornness for selfish/double-spending mining derives from explicit stochastic analysis and can substantially increase attacker reward and risk per attack cycle if confirmation parameters are too small (Doger et al., 6 Jan 2025).

7. Conclusions and Protocol Recommendations

On-spend attacks span a wide spectrum, from protocol-level mining reorgs and consensus mechanism exploits, through virtual machine non-determinism, to cross-layer web payment protocol attacks. Mathematical models and empirical studies consistently demonstrate that double-spend risk cannot be eliminated by confirmation depth alone; attackers with sub-majority resources can profit under poor protocol or ecosystem discipline.

Robust defense must combine:

  • Proper parameterization (qq1 scaling with transaction value and network structure),
  • Network-level monitoring of partitions and routing anomalies,
  • Implementation-level deterministic processing and cross-version unification,
  • Incentive-aligned mining, where adversary-aware reward functions cap the transaction value to neutralize double-spend profit,
  • Secure-by-design web and agentic payment protocols, where all grants and settlements are atomic and precisely bound.

Failure to engineer these mitigations exposes both permissionless and permissioned ledgers—and emerging web-native payment applications—to persistent on-spend risk. Adopting adversary-aware protocols and disseminating economic security responsibility to the protocol and miner ecosystem, rather than delegating confirmation thresholds to end-users, represents a forward-secure design principle substantiated by recent literature (Georghiades et al., 2023, Doger et al., 6 Jan 2025, Natoli et al., 2016, Ekparinya et al., 2018, Li et al., 12 May 2026).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to On-Spend Attacks.