What is a Race Attack in Crypto

A race attack is a double-spend attempt targeting merchants who accept zero-confirmation Bitcoin transactions. The attacker sends two conflicting transactions simultaneously: one to the merchant and one back to themselves. Only one can be confirmed in the blockchain. The attacker wins if miners confirm the version that returns funds to the attacker before the merchant notices anything is wrong.

How a Race Attack Is Executed

The attacker creates two transactions that spend the same Bitcoin inputs. The first transaction sends funds to the merchant. The second transaction redirects those same funds to an address the attacker controls. Both transactions hit the network at roughly the same time.

Different nodes see different transactions first, depending on network propagation paths. Some miners receive the merchant-directed transaction. Others receive the attacker's redirect. Whichever version a miner picks up first is the one they attempt to include in the next block. If the attacker's version wins the race, the merchant's transaction becomes invalid and is rejected by the network.

The attacker collects whatever they purchased from the merchant and keeps the Bitcoin. The merchant has no recourse.

Why This Attack Works Against 0-Conf Merchants

A merchant who waits for even one block confirmation eliminates virtually all race attack risk. Once a transaction is included in a block, replacing it requires controlling 51% of the network's hash power, which makes it economically infeasible for all but the most resourced attackers.

The attack only works when a merchant releases goods or services immediately upon seeing an unconfirmed transaction. Physical goods, digital downloads, and in-person purchases are the most common targets. A coffee shop accepting Bitcoin and handing over the drink before the transaction confirms is a viable target. An exchange that holds a deposit until it confirms is not.

How to Defend Against Race Attacks

The defenses are straightforward, but each involves a tradeoff with user experience.

Wait for one confirmation. One block confirmation, roughly 10 minutes on Bitcoin, eliminates the attack entirely for all practical purposes.
Use Lightning Network. Payments over Lightning Network are cryptographically final at the moment of settlement. There is no mempool step that an attacker can exploit.
Check for RBF signaling. Transactions flagged with Replace-by-Fee signaling are explicitly designed to be replaceable. Refusing RBF-flagged transactions at point of sale blocks the easiest version of this attack.
Monitor the mempool. Specialized software can detect if a conflicting transaction was broadcast alongside the one directed at your address. If two transactions spending the same inputs appear simultaneously, that is a strong signal of a race attack in progress.

Race Attack vs. Finney Attack

These two double-spend types are often confused. A race attack involves two transactions broadcast simultaneously without any mining pre-work. A Finney attack requires the attacker to also be a miner who pre-mines a block containing their own redirect transaction, then broadcasts the merchant-directed transaction and immediately publishes the pre-mined block. The Finney attack is more powerful but requires significant mining resources. The race attack requires nothing but two conflicting signed transactions and a willing merchant.

Sources

https://bitcoin.org/en/developer-guide#detecting-forks
https://mempool.space
https://lightning.network/lightning-network-paper.pdf

‍

About the Author

Jan Strandberg is the Founder and CEO of Acquire.Fi. He brings over a decade of experience scaling high-growth ventures in fintech and crypto.

Before founding Acquire.Fi, Jan was Co-Founder of YIELD App and the Head of Marketing at Paxful, where he played a central role in the business’s growth and profitability. Jan's strategic vision and sharp instinct for what drives sustainable growth in emerging markets have defined his career and turned early-stage platforms into category leaders.

Buy and sell secondaries

Trade SAFT, SAFE notes, locked tokens, and other digital assets in the public Secondaries and OTC marketplace

Access the Public Deal Flow

Acquire a frontier tech business

Browse our curated list of frontier tech businesses and projects available for acquisition; including revenue-generating crypto platforms, DeFi projects, and licensed financial organizations.

Access the Public M&A Marketplace

With deep roots in traditional finance and the digital asset industry, Acquire.Fi operates as a specialist M&A advisory firm. Coverage spans M&A, secondaries, OTC, and capital markets advisory across digital assets and frontier tech. Our team has decades of combined experience across every stage of the deal lifecycle.

Stay Informed

Read market updates, deal flow intelligence, and transaction news from the Acquire.Fi team.

Assets and M&A

Public M&A Marketplace Private M&A Mandates Sell a Business M&A Owners Dashboard

OTC and Secondaries

Public OTC and Secondaries Marketplace Private OTC and Secondaries Transactions Submit Buy Order Submit Sell Order

Services

M&A Advisory Services Pricing

Tools

Business Valuation Calculator ETH Gas Calculator

Learn

Successful Transactions About How Acquire.Fi Works Blogs Glossary Terms & Conditions Privacy Policy

For inquiries, reach the team directly.

team@acquire.fi

DISCLAIMER: Acquire.Fi is a listing and advertising platform for businesses and secondaries and does not certify or verify the information provided to the platform by the business owners. Acquisition Solutions Inc. (Acquire.Fi) does not hold itself out as providing any legal, financial or other advice. Acquire.Fi also does not make any recommendation or endorsement as to any investment, advisor or other service or product or to any material submitted by third parties to Acquire.Fi. Acquire.Fi is not a licensed crypto asset service provider and does not provide regulated financial services. The following list is compiled from Acquire.Fi partners.