Periodically, the subject of "0-conf transactions" comes back on the table: is it really secure? Shouldn't we, or the developers, do something to make them more secure, or to avoid them, or to discourage them, or whatever...? Aren't these 0-conf transactions the basis on which double-spends can be built, and hence a way of scamming merchants?

What is it?

In Bitcoin Core and Bitcoin Cash, a 0-conf transaction is a transaction that has been broadcast by the sender to the rest of the network but is not yet confirmed (hence 0-confirmation). Once broadcast, the transaction joins a buffer space, the mempool, and stays there for as long as it takes to be included in a mined block. Once mined, the transaction has 1 confirmation. Each new block added to the blockchain adds one more confirmation on top of it.

Between the time when the transaction arrives in this mempool and the time it is picked up by a miner, added into a block and this block is added to the blockchain (adding one confirmation to this transaction), many things could happen.

For instance, the Replace By Fee functionality allows the sender to replace a previous unconfirmed transaction with one paying a higher fee (this option no longer exists in Bitcoin Cash). There could also be a discrepancy between the mempool of the nodes the merchant sees and that of the other nodes of the network: while the transaction is being broadcast, the two parts of the network are not synchronized, and the difference between them can sometimes be interpreted as a double-spend attempt.

In that frame, a double-spend would be the same transaction sending the same coins to two different addresses. Some such double-spend transactions can be monitored on sites such as https://doublespend.cash. Most of the time, the transaction paying the most fees will simply win (be added to the next block mined) and the other one will be discarded.

What are the risks, really?

From the merchant's point of view, the risk is that one such unconfirmed transaction (0-conf) could be replaced or cancelled by another one where the final destination of the coins is not his or her pockets but the consumer's.

However, for a scammer to pull this off, the conditions required are complex enough to render the whole operation uneconomic. Typically, besides deploying enough hash power to rival miners, it could mean increasing the latency of the merchant node, or of the first node the merchant will look at to see whether the transaction reached the mempool, in a kind of denial-of-service or flood attack.

At this point, one must understand that attacks of this kind are in no way simple, nor worth the trouble when the transaction involves a small amount. Trying to defraud a merchant using these methods for the proverbial cup of coffee will therefore not happen. On the other hand, as soon as the amount is worth it, the merchant will simply wait for the transaction to get at least one confirmation before closing the deal, thereby greatly reducing the risk.

In fact, for the merchant, accepting 0-confirmation transactions is purely a matter of risk analysis. It has been calculated that (as of June 2018) for transactions below a fiat value of 32.000 USD (about 35 to 40 BCH), the risk of fraud is very close to zero, and in any case way below the current rate observed by major credit card companies.
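The merchant-side view of the two points above, a double-spend as two unconfirmed transactions spending the same coins and 0-conf acceptance as a risk decision, can be sketched as follows. This is an added example, not code from the original article or from any wallet or node; the class and function names, addresses, amounts and the 0-conf limit are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # coins spent: (previous txid, output index) pairs
    outputs: tuple   # (address, amount in satoshis) pairs

class MempoolWatch:
    """Remembers which unconfirmed transaction first spent each coin."""
    def __init__(self):
        self.spent_by = {}       # coin -> txid first seen spending it
        self.conflicted = set()  # txids that are part of a double-spend

    def observe(self, tx):
        """Record tx; return txids of earlier transactions it conflicts with."""
        rivals = set()
        for coin in tx.inputs:
            first = self.spent_by.setdefault(coin, tx.txid)
            if first != tx.txid:
                rivals.add(first)
        if rivals:
            self.conflicted |= rivals | {tx.txid}
        return rivals

def decide(watch, tx, address, price, confirmations, zero_conf_limit):
    """Merchant policy (hypothetical); price and limit are in satoshis."""
    paid = sum(amount for addr, amount in tx.outputs if addr == address)
    if paid < price:
        return "reject: underpaid"
    if confirmations >= 1:
        return "accept: confirmed"
    if tx.txid in watch.conflicted:
        return "wait: conflicting spend seen"
    if price > zero_conf_limit:
        return "wait: above 0-conf limit"
    return "accept: 0-conf"

def demo():
    """Constructed scenario: a small payment, then a rival spend of the same coin."""
    coin = ("aa" * 32, 0)
    pay = Tx("tx-pay", (coin,), (("merchant-addr", 50_000),))
    rival = Tx("tx-rival", (coin,), (("customer-addr", 50_000),))
    watch, limit = MempoolWatch(), 1_000_000  # limit is the merchant's own choice
    watch.observe(pay)
    before = decide(watch, pay, "merchant-addr", 50_000, 0, limit)
    rivals = watch.observe(rival)
    after = decide(watch, pay, "merchant-addr", 50_000, 0, limit)
    mined = decide(watch, pay, "merchant-addr", 50_000, 1, limit)
    return before, rivals, after, mined

if __name__ == "__main__":
    print(demo())
```

Because mempools can differ between parts of the network, a merchant would feed `observe()` from more than one node rather than from a single one.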

And in fact, as of today, the list of merchants defrauded using a double-spend on Bitcoin Cash is rather flimsy and can be seen below:

In April 2014, an interesting article published on CoinDesk described the exact same 0-conf issue on Bitcoin at that time. All the arguments pretty much stand for Bitcoin Cash now. The IEEE paper on which the article is based is worth a look too.

0-Conf: How risky is it?

As said, any merchant accepting unconfirmed transactions takes a risk. However, to grasp how low this risk is, let's recall that a few months ago, Cryptonize.it offered a $1000 gift card for a successful double-spend attempt. For months, nobody was able to successfully craft a double-spend transaction, and in fact, an attempt even backfired on the hacker:

Furthermore, Bitcoin Cash has a specific characteristic that renders the double-spend even more unlikely: having bigger blocks not only means that Bitcoin Cash can process a lot of transactions per second (currently, around 100), it also means that most if not all transactions in the mempool will reach the next block and get confirmed in the next ̶1̶0̶ 5 minutes on average. This further reduces the time span during which the transaction can be double-spent; bear in mind that on the Bitcoin Core implementation, the throughput being limited to 3 transactions per second, any time the network reaches this capacity, the average time for a transaction to be picked up in the next block shoots up, even when fees swell to ludicrous amounts.

Since the Bitcoin Cash block size is designed to wipe the mempool clean on the next block, crafting a double-spend attempt is a very risky and costly game of speed for the attacker against a network in which all incentives are built to keep it fast.

Why 0-conf matters

Keeping in mind the previous points (a very low risk, a shallow mempool, a transaction included in the next block for low fees) and as explained in this paper from Erik Voorhees in 2015, 0-conf is really a viable option for the regular merchant.

For the customer, it means a fast and reliable transaction: in under 5 seconds, the transaction initiated on one side appears on the other.

Here, the user experience is paramount: no hassle for the change, no delay, no uncertainty.

On the merchant side, the fee is microscopic compared to credit card charges.

Just for information, note that PayPal charges between 2.7 and 4.4% on every transaction. Major credit card companies will charge between 1.5% and 3.5%... whereas the median Bitcoin Cash fee is lower than 0.1%.

On top of that, in order to accept credit cards, most businesses will need to sign up with a Merchant Services Provider (MSP) that acts as a middleman between the merchant and the credit issuer. For yet another fee, they are the ones that handle the processing of all credit card payments for these businesses: everything from collecting interchange fees to managing the transfer of funds between the merchant's bank and the credit issuing bank. These MSPs add another layer of processing, more middlemen and hence more costs to the transaction, which can range from $0.08 to $0.10 per transaction plus 0.18% to 0.25%, on top of which there can be a monthly rent (that could range around $99).

In the end, this makes quite a difference for the small merchant, the little shop and corner outlet that has to choose between a Bitcoin Cash Point of Sale (PoS), which can be run on regular devices and phones with basically free PoS software, and the regular credit card reader that can rapidly reach tens of dollars (a VeriFone VX 520 card reader is available at $161, for instance).

Furthermore, there can be no charge-back attempts of the kind routinely made on PayPal, Amazon, Visa, Amex, Mastercard and so many others, which create a heavy burden on small outlets: they need to keep reserve funds, and hundreds if not thousands of man-hours are wasted in processing these charge-backs, of which only a few are legitimate reimbursements (and those can be dealt with on a case-by-case basis).

0-Conf, in itself, has a clear use case for every regular customer of an outlet where there is little to no worry about fraud, and so no reason whatsoever to wait for one or two confirmations.

0-Conf, a misnomer?

However, although 0-conf transactions work well on Bitcoin Cash, "0-Conf" is a rather badly named concept: it does not convey the fact that it is "secure enough" for small everyday transactions, it does not convey the fact that it is fast and reliable, and it does not convey the fact that it is still very cheap even with this level of reliability and security.

A few weeks ago, there were small debates on Reddit to try and rename the concept (here or there, for instance). Some good ideas were proposed but it seems none has stuck. I tend to think that in order to sell many ideas and help Bitcoin Cash reach its full-scale target, marketing is of utmost importance. 0-Conf is a great benefit for Bitcoin Cash as it gives the speed and efficiency most other cryptocurrencies sorely lack.