FAQ: How much is lost in a Double-Spend attack?


A lot of people are speculating about how much is lost by an Exchange from a Double-Spend attack.

It’s important to understand:

A Double-Spend attack is not a loss, it is Zero Sum.

If the attacker deposits +1,000 BTG, and then reversion takes -1,000 BTG, that adds up to zero. <-- No loss.

But if, during that time, the attacker is allowed to trade for BTC, and withdrawal of the BTC is approved <-- this is a loss.

Analysis of the BTG blockchain may show BTG being deposited and reverted several times… but those deposits/withdrawals all cancel out to zero. It’s the same coins back and forth.

So, how much do the Exchanges lose?

An Exchange that sees this is an attack and does not approve a BTC withdrawal loses nothing.

But an Exchange that allows BTC withdrawal and only later notices the attack? They have lost BTC. How much? Depends how much BTC (or other coin) was withdrawn.

The net total dollar impact to an Exchange cannot be calculated from the BTG side, which adds up to Zero. The net dollar impact comes from the number of BTC (or other coins) the attacker was allowed to withdraw.

Who can say?

We can’t see which Exchanges lost funds, or how much they lost. That information belongs to the Exchanges and cannot be seen on the BTG chain. The exchanges would need to tell us.

Exchanges with good security and fraud prevention systems may have lost little or nothing.

This is why Exchanges have KYC (Know Your Customer) rules and deposit limits, and why Exchanges must be more careful with large withdrawals than with small withdrawals - bigger withdrawal, bigger risk! They have these rules, and they set their requirements and limits based on their individual Risk Tolerance and their Loss Reserves.