Meet Ledger Nano™ Gen5, the most playful signer yet

Discover now

The most playful signer yet

Meet Ledger Nano™ Gen5

Shop now Learn more

Race Attack

Feb 18, 2025 | Updated Feb 18, 2025
A race attack is a malicious practice that involves someone accepting payment for an unconfirmed transaction, leading to double-spending.

A race attack is a malicious practice that involves someone accepting payment for an unconfirmed transaction, leading to double-spending.

What Is a Race Attack?

A race attack is a blockchain security vulnerability that involves creating two transactions using the same funds simultaneously. It’s an attempt to spend the same cryptocurrency multiple times before the network can confirm the transactions, which can result in double-spending

Generally, race attacks are a type of double-spending attack and are more prevalent in proof-of-work (PoW) networks. 

How Does It Work?

In this attack, the attacker initiates two conflicting transactions, intending to spend the same currency twice. To explain, the hacker sends one transaction to their wallet address and the other to a merchant or service provider. Both of these transactions are broadcast to the entire network simultaneously. 

The attacker typically exploits the network’s propagation delays and inconsistencies in transaction processing across different nodes. To put it differently, the perpetrator capitalizes on the time delay of blockchain transaction confirmation to ensure that the transaction sent to their wallet is confirmed first.

At the same time, the merchant may see their own transaction first and believe they’ll get paid. The merchant may mistakenly accept the unconfirmed transaction and fulfill the attacker’s order, thereby benefitting the hacker. This is because the rest of the network notices the double-spend first and effectively invalidates the transaction to the merchant, resulting in a loss for the merchant. However, the second transaction – sending the same coins to the attacker’s wallet – is confirmed. 

What Characterizes This Attack?

In summary, this attack can be characterized by:

  • Timing sensitivity – Malicious actors typically take advantage of the time it takes for blockchain transactions to be broadcast and confirmed. 
  • Network propagation – The attackers exploit the slight differences in the time it takes for different nodes to receive a block, which can lead to the acceptance of competing transactions.
  • Double spending – The main goal of this attack is to spend the same coin twice, where the attacker uses the same funds for two separate transactions. One of them is confirmed, the other is invalidated, and the attacker benefits if the recipient of the second transaction accepts it before it is invalidated.

Assume you’re a vendor selling the latest crypto-enabled smartphones and that you accept online payments. One of the buyers says that they’ve completed the transaction on their end and shows you an edited previously successful transaction. Considering there may be some delay before you receive the transaction confirmation message, you give them the phone. However, you later realize that the buyer never actually sent the money. 

Arbitrage

Arbitrage is a trading tool used to make profits by simultaneously buying and selling the same asset (or securities) across (or within) marketplaces to make profits off of the margins of the particular asset (or…

Full definition

DePIN

A Decentralized Physical Infrastructure Network, or DePIN, is a protocol using cryptocurrency tokens to incentivize creating, maintaining, and operating real-world infrastructures in a decentralized manner.

Full definition

Fear & Greed Index

The Fear & Greed Index is a tool that measures crypto market sentiment, gauging how investors feel about imminent price action.

Full definition

Own your crypto future

Stay informed with security tips, updates, and exclusive offers from Ledger

Your email address will only be used to send you our newsletter, as well as updates and offers. You can unsubscribe at any time. Learn more

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.