Finney Attack

A Finney attack is a double-spend technique against merchants who accept zero-confirmation payments, named after early Bitcoin contributor Hal Finney, who first described it. Unlike a simple race attack, a Finney attack requires the attacker to be a miner, because it hinges on secretly pre-mining a block.

How it works

The attacker first mines a block that includes a transaction paying coins from their own address back to themselves — but does not broadcast that block. Holding the block in reserve, the attacker then uses the same coins to pay a merchant who accepts the unconfirmed transaction and releases goods on sight. Immediately afterward, the attacker broadcasts the pre-mined block. Because that block already spent the coins to the attacker's own address, it takes precedence and the merchant's payment is invalidated — the goods are gone but the coins return to the attacker.

Why it is hard in practice

The attack demands precise timing: the attacker must find a block, then complete the merchant interaction before another miner publishes a competing block, all while the pre-mined block grows staler by the second. At today's industrial hashrate and difficulty, the window is tiny and the opportunity cost of withholding a found block is high. Requiring even a single confirmation defeats it entirely.

The Finney attack belongs to the zero-confirmation family alongside the Race Attack and the Vector76 Attack; all are forms of double-spend that vanish once a payment is confirmed in the chain.