LearnBitcoin

Glossary

Race Attack

Attempting to double-spend a zero-confirmation transaction by quickly broadcasting a conflicting, higher-fee transaction.

A race attack is a double-spend against a zero-confirmation transaction. The attacker sends two conflicting transactions in quick succession: one to the merchant (or merchant's wallet's view of the network) and one paying themselves back, with the second crafted to win the race to miners.

Two flavors:

  • Vanilla race attack: broadcast tx-A to the merchant and tx-B to the rest of the network at roughly the same time, hoping miners see tx-B first.
  • RBF-enabled race: broadcast tx-A (RBF-flagged) to the merchant, then broadcast tx-B at a higher fee. Since Replace-by-Fee is honest about replacement, this isn't really an "attack" so much as the protocol working as documented; the merchant just didn't wait.

Mitigations on the merchant side:

  • Wait for at least one confirmation. Slow, but cryptographically the right answer.
  • Use Lightning for instant settlement. Lightning payments are final on the second-hop level immediately, no zero-conf risk.
  • Run a double-spend monitor that watches the mempool for conflicting transactions and flags them in real time. Reduces but doesn't eliminate the risk.

Many merchants still accept zero-conf for small amounts because the attack is non-trivial to execute (requires technical skill, decent timing, and a low-fee initial transaction that flags itself). The risk is real but the practical incidence is low. For amounts over a few dollars, wait for confirmations or use Lightning.

Key takeaways

  • Exploits zero-conf acceptance by sending a conflicting transaction
  • Relies on miners prioritizing the higher-fee or faster-broadcast TX
  • Merchants avoid by requiring confirmations or LN-based payments

Related terms (9)