Finney Attack

A Finney attack is a double-spending exploit specific to Proof-of-Work blockchains where a malicious miner secretly mines a block containing a transaction that returns funds to their own wallet, then spends those same coins with a merchant before broadcasting the pre-mined block. The attack invalidates the payment to the merchant retroactively by replacing the transaction history with the miner's pre-prepared version.

Think of a Finney attack like writing a check to a store, collecting the merchandise, and then depositing a counter-check at the bank that cancels the first one.

How the Attack Works Step by Step

The sequence requires the attacker to be a miner with enough hash power to mine blocks on demand. The attack does not require 51% of the network, which is what makes it theoretically accessible to solo miners.

  1. The attacker mines a block that includes a transaction sending coins from address A to address B, both addresses they control. They do not broadcast this block.
  2. Using the same coins still at address A, the attacker sends a transaction to a merchant and receives goods or services in exchange. The merchant accepts the payment with zero confirmations, unaware of the pre-mined block, which is still hidden.
  3. The attacker immediately broadcasts the pre-mined block. The network accepts the block as valid, and because it contains a conflicting transaction for the same coins, the transaction in the block takes precedence over the unconfirmed payment.
  4. The merchant's received transaction is invalidated. The coins return to the attacker's control. The goods are gone.

Why It Only Works Against Zero-Confirmation Transactions

The critical vulnerability is the merchant accepting payment before any block confirmation. Once a transaction has one or more confirmations, reversing it requires the attacker to outpace the entire network from that point forward. A pre-mined single block cannot override a chain that has moved ahead by multiple blocks since the merchant accepted payment.

Merchants who wait for one confirmation eliminate this attack entirely. Merchants who require six confirmations, the traditional Bitcoin standard for large transactions, reduce attack risk to near-zero under any realistic mining scenario.
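
The merchant-side check described above, as an added example that is not part of the original glossary entry. It is a toy single-node model: the `Tx`, `Node` and `merchant_should_release` names and the outpoint labels are constructed for illustration and are not a real wallet or node API. It shows a zero-confirmation payment being evicted when a block spending the same coins arrives, and a one-confirmation threshold that would have withheld the goods.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Tx:
    txid: str
    spends: str    # outpoint consumed (constructed label, e.g. "funding:0")
    pays_to: str

@dataclass
class Node:
    """Toy model of one node's view: confirmed blocks plus unconfirmed mempool."""
    chain: list = field(default_factory=list)    # list of blocks, each a list of Tx
    mempool: dict = field(default_factory=dict)  # txid -> Tx

    def accept_tx(self, tx):
        # Reject a spend of an outpoint already used on-chain or in the mempool.
        used = {t.spends for b in self.chain for t in b}
        used |= {t.spends for t in self.mempool.values()}
        if tx.spends in used:
            return False
        self.mempool[tx.txid] = tx
        return True

    def accept_block(self, block):
        # A valid block wins over the mempool: drop included and conflicting txs.
        self.chain.append(block)
        ids, used = {t.txid for t in block}, {t.spends for t in block}
        self.mempool = {i: t for i, t in self.mempool.items()
                        if i not in ids and t.spends not in used}

    def confirmations(self, txid):
        for height, block in enumerate(self.chain):
            if any(t.txid == txid for t in block):
                return len(self.chain) - height
        return 0 if txid in self.mempool else -1  # -1: unknown or conflicted out

def merchant_should_release(node, txid, min_conf=1):
    """Release goods only once the payment has at least min_conf confirmations."""
    return node.confirmations(txid) >= min_conf

def demo():
    node = Node(chain=[[Tx("funding", "coinbase:0", "A")]])
    payment = Tx("pay-merchant", "funding:0", "merchant")
    node.accept_tx(payment)
    zero_conf = merchant_should_release(node, payment.txid, min_conf=0)
    one_conf = merchant_should_release(node, payment.txid, min_conf=1)
    # The withheld block from step 3 arrives, spending the same coins A -> B.
    node.accept_block([Tx("self-transfer", "funding:0", "B")])
    return zero_conf, one_conf, node.confirmations(payment.txid)
```

`demo()` returns whether a zero-confirmation policy and a one-confirmation policy would have released the goods, followed by the payment's status after the conflicting block lands.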

Why It Is Named After Hal Finney

Hal Finney was a cryptographer, one of the first Bitcoin advocates, and the first person to receive a Bitcoin transaction directly from Satoshi Nakamoto. Finney theoretically described this attack scenario in 2009 to demonstrate why accepting unconfirmed transactions was risky. The attack was named in his honor because he identified it, not because he executed it.

Finney was also known for his earlier work on reusable proof-of-work systems before Bitcoin's launch. He passed away in August 2014 from ALS. No documented case of a successful large-scale Finney attack on the Bitcoin network has been confirmed in the public record, partly because the mining hash rate required to execute it reliably makes the expected profit negligible compared to the cost of honest mining.

Finney Attack vs. Race Attack vs. 51% Attack

These three double-spending methods differ in their requirements and scale. A race attack broadcasts two conflicting transactions simultaneously and hopes the fraudulent one wins the race to confirmation. It requires no mining power but is even less reliable than a Finney attack. A 51% attack requires controlling the majority of the network's hash power, enabling the attacker to rewrite recent history at will. It is the most powerful and most expensive variant.

The Finney attack sits between these two. It requires real mining power and careful timing but less than a 51% share. It is precise and targets a specific transaction rather than the whole network.

About the Author
Jan Strandberg is the Founder and CEO of Acquire.Fi. He brings over a decade of experience scaling high-growth ventures in fintech and crypto.

Before founding Acquire.Fi, Jan was Co-Founder of YIELD App and the Head of Marketing at Paxful, where he played a central role in the business’s growth and profitability. Jan's strategic vision and sharp instinct for what drives sustainable growth in emerging markets have defined his career and turned early-stage platforms into category leaders.