Bitcoin Double-Spending Attack Detection using Graph Neural Network

BY KEYHUNTER 05.03.2025
Bitcoin Double-Spending Attack Detection using Graph Neural Network

Bitcoin transactions include unspent transaction outputs (UTXOs) as their inputs and generate one or more newly owned UTXOs at specified addresses. Each UTXO can only be used as an input in a transaction once, and using it in two or more different transactions is referred to as a double-spending attack. Ultimately, due to the characteristics of the Bitcoin protocol, double-spending is impossible. However, problems may arise when a transaction is considered final even though its finality has not been fully guaranteed in order to achieve fast payment. In this paper, we propose an approach to detecting Bitcoin double-spending attacks using a graph neural network (GNN). This model predicts whether all nodes in the network contain a given payment transaction in their own memory pool (mempool) using information only obtained from some observer nodes in the network. Our experiment shows that the proposed model can detect double-spending with an accuracy of at least 0.95 when more than about 1% of the entire nodes in the network are observer nodes.

Index Terms—Bitcoin, double-spending, deep learning, graph neural network

I. INTRODUCTION

Bitcoin [1] transactions use the concept of unspent transaction output (UTXO). UTXO is the Bitcoin balance received by transactions included in the blockchain in the past. An owner of this UTXO can send bitcoins by using it as an input when creating a new transaction. At this time, attempting to use the same UTXO more than once in multiple transactions is called a double-spending attack [2]. For convenience, in this paper, we refer to a transaction generated for fast payment and known to the merchant as $\text{tx}{\text{pay}}$, and a transaction to double-spend UTXOs that have already been used as inputs of $\text{tx}{\text{pay}}$ as $\text{tx}{\text{attack}}$. Eventually, double-spending is impossible in Bitcoin because only one chain with the longest block extension is recognized as valid according to Bitcoin’s longest chain rule. For fast payment, if the merchant approves $\text{tx}{\text{pay}}$ without sufficient confirmation, and the attacker creates $\text{tx}_{\text{attack}}$, the merchant may not be paid.

In this paper, we propose an approach to detect Bitcoin double-spending attacks using a graph neural network (GNN) [3]. The Bitcoin P2P network can be considered as an undirected graph where peer nodes are vertices and their connections are edges. We use GNN to predict whether there is a $\text{tx}{\text{attack}}$ across the network for $\text{tx}{\text{pay}}$, using only information obtained from a few observer nodes that we can find in their mempools all unconfirmed transactions. We assume that double-spending does not occur if all nodes have $\text{tx}_{\text{pay}}$. To the best of our knowledge, this work is a novel approach that uses GNN to predict the propagation status of an unconfirmed transaction in the Bitcoin P2P network.

II. RELATED WORK

Many attempts are being made to achieve fast Bitcoin payments while preventing double-spending attacks. For instance, the Lightning network [4] uses a Layer-2 payment protocol to improve payment speed. Additionally, many other studies have proposed methods that require partial modification of the Bitcoin protocol [5]–[9]. However, it would be difficult to modify the Bitcoin protocol solely for this purpose. Furthermore, most attempts are difficult for ordinary people who do not know much about blockchain, such as merchants. They would not be able to operate a payment channel for the Lightning network or manage peer connections of their own Bitcoin nodes to remain connected to arbitrary samples of nodes to make it difficult for attackers to successfully execute double-spending. In contrast, a platform called GAP600 [10] provides real-time guarantee service for fast payment through risk scoring for each unconfirmed transaction through network monitoring. However, specific risk analysis and evaluation methods are not disclosed at all.

III. METHOD

In this paper, we construct virtual Bitcoin networks to generate data through transaction propagation simulations. Although a GNN model is learned through graph structures that are different from the real Bitcoin network topology, it is possible to apply the learned model to the real Bitcoin network thanks to the characteristic of GNN.

In this work, we do not use the topology of the actual Bitcoin network, but instead create virtual Bitcoin networks with a similar structure. The number of nodes in the virtual Bitcoin networks is fixed at 14,000 by referring to the website bitnodes.io [11], which captures and displays reachable Bitcoin nodes in real-time. Additionally, according to [12], the Bitcoin network is not a random graph and has some community structures. Therefore, we assume that the Bitcoin network is similar to a scale-free network [13]. A characteristic of the scale-free network is that a node with a higher degree gets more new connections. We use the Barabási-Albert model [14] to create virtual Bitcoin networks.

Our GNN task is graph classification, which predicts whether every node on the graph has a given transaction (tx_{pay}) in its mempool. Given information about whether some nodes, which are observers on the graph, possess tx_{pay}, we predict whether all the nodes on the graph have tx_{pay} in their mempool. Observer nodes are randomly selected for each generated data. Our model uses two GNN layers, and after each GNN layer, a ReLU activation function to provide non-linearity and a dropout to prevent overfitting are added. In the last part, for graph classification, the softmax value of each node embedding is aggregated by calculating the mean value, and it is passed through a fully connected layer to produce an output for classification. In our case, the input graph uses the Bitcoin network as it is. We also use cross-entropy loss to train the model and existing three popular GNN algorithms for GNN layers: GCN [15], GraphSAGE [16], and GAT [17].

In addition, we design node features to include information around the nodes on the graph. The number of neighboring nodes of each label (Non-Observers: 0.5, Observers with tx_{pay}: 1, Observers without tx_{pay}: 0) is used as features, and we also added the number of each combination consisting of the neighboring node label and the label of a node one hop further away from it as features.

IV. Experiment

We conducted experiments on a total of six cases by varying the number of observer nodes. For each case, we generated 1,000 datasets where the number of observer nodes was 10, 50, 100, 150, 200, and 250 out of the total 14,000 nodes. We split each dataset into 700 for training and 300 for testing. We also evaluated the model using 5-fold cross-validation on the training dataset.

A. Observer Nodes: 150, 200, and 250

Table I presents the average accuracy of cross-validation for each model when the number of observer nodes is 150, 200, and 250, as well as the accuracy, precision, recall, and F1-score values for the test set. All three types of GNN layers demonstrated similar performance under the same number of observer nodes, and the higher the number of observer nodes, the higher the accuracy. In all cases, the accuracy was at least 0.95, and it is interesting to note that the recall had a value of 1.0. In our experiment, recall indicates how accurately the model predicted that there was no double-spending attack when there was no actual attack. In other words, the models trained in this experiment accurately predicted that there was no attack for all cases where there was no double-spending attack. Precision refers to the ratio of cases where there is actually no attack among those predicted by the model in our experiment that there is no double-spending attack. It is an essential indicator of the efficiency of double-spending attack detection for Bitcoin fast payment because the higher the precision value, the higher the rate of predicting that there is no attack only when there is actually no double-spending attack. As expected, the precision had a larger value as the number of observer nodes increased, and values of at least about 0.91 or higher were obtained.

B. Observer Nodes: 10, 50, and 100

When the number of observer nodes is 10, 50, and 100, we could not train the model. We found that train loss does not decrease even after repeated learning steps. We concluded that this is because the number of nodes with information, i.e., observer nodes, is too small to predict the state of the entire graph consisting of 14,000 nodes. In this experiment, it was possible to detect a double-spending attack with high accuracy only when the mempool data of at least about 1% or more of the nodes was known.

V. Conclusion

This paper proposes a GNN-based approach to detect Bitcoin double-spending attacks by predicting attempts to double-spend UTXOs in payment transactions. The model achieved an accuracy of at least 0.95 by monitoring 150 or more observer nodes’ mempool in a 14,000-node P2P network. However, training was inadequate with less than 100 observer nodes.

Acknowledgements

This work was supported by Coinone and Smart HealthCare Program(www.kipot.or.kr) funded by the Korean National Police Agency(KNPA, Korea) [Project Name: Development of an Intelligent Big Data Integrated Platform for Police Officers’ Personalized Healthcare / Project Number: 220222M01]

REFERENCES

[1] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” Decentralized Business Review, p. 21260, 2008.

[2] G. O. Karame, E. Androulaki, M. Roeschlin, A. Gervais, and S. Čapkun, “Misbehavior in bitcoin: A study of double-spending and accountability,” ACM Transactions on Information and System Security (TISSEC), vol. 18, no. 1, pp. 1–32, 2015.

[3] F. Scarselli, M. Gori, A. C. Tsoi, M. Hagenbuchner, and G. Monfardini, “The graph neural network model,” IEEE transactions on neural networks, vol. 20, no. 1, pp. 61–80, 2008.

[4] J. Poon and T. Dryja, “The bitcoin lightning network: Scalable off-chain instant payments,” 2016.

[5] M. Herrmann, “Implementation, evaluation and detection of a doublespend-attack on bitcoin,” Master’s thesis, ETH Zürich, Department of Computer Science, 2012.

[6] G. O. Karame, E. Androulaki, and S. Capkun, “Two bitcoins at the price of one? double-spending attacks on fast payments in bitcoin,” Cryptology EPrint Archive, 2012.

[7] ——, “Double-spending fast payments in bitcoin,” in Proceedings of the 2012 ACM conference on Computer and communications security, 2012, pp. 906–917.

[8] C. Pérez-Solà, S. Delgado-Segura, G. Navarro-Arribas, and J. Herrera-Joancomartí, “Double-spending prevention for bitcoin zero-confirmation transactions,” International Journal of Information Security, vol. 18, no. 4, pp. 451–463, 2019.

[9] D. Johnson, A. Menezes, and S. Vanstone, “The elliptic curve digital signature algorithm (ecdsa),” International journal of information security, vol. 1, no. 1, pp. 36–63, 2001.

[10] GAP600, Available at https://www.gap600.com/, accessed: 2022-12-15.

[11] BITNODES, Available at https://bitnodes.io/, accessed: 2022-12-15.

[12] M. Essaid, S. Park, and H.-T. Ju, “Bitcoin’s dynamic peer-to-peer topology,” International Journal of Network Management, vol. 30, no. 5, p. e2106, 2020.

[13] A.-L. Barabási and E. Bonabeau, “Scale-free networks,” Scientific american, vol. 288, no. 5, pp. 60–69, 2003.

[14] A.-L. Barabási and R. Albert, “Emergence of scaling in random networks,” science, vol. 286, no. 5439, pp. 509–512, 1999.

[15] T. N. Kipf and M. Welling, “Semi-supervised classification with graph convolutional networks,” arXiv preprint arXiv:1609.02907, 2016.

[16] W. Hamilton, Z. Ying, and J. Leskovec, “Inductive representation learning on large graphs,” Advances in neural information processing systems, vol. 30, 2017.

[17] P. Veličković, G. Cucurull, A. Casanova, A. Romero, P. Lio, and Y. Bengio, “Graph attention networks,” arXiv preprint arXiv:1710.10903, 2017.

Useful information for enthusiasts:

Contact me via Telegram: @ExploitDarlenePRO