Race Attack

A race attack is the simplest form of double-spend against a merchant who accepts zero-confirmation payments. The attacker creates two conflicting transactions spending the same coins: one paying the merchant and one paying an address they control. They send the merchant-facing transaction directly to the merchant while simultaneously flooding the network with the self-paying transaction, betting that miners will confirm the latter and orphan the former.

How it works

The name comes from the literal race between the two transactions to propagate across the network and reach miners' mempools. If the merchant releases goods the instant they see the payment in their own mempool — without waiting for a block — the attacker wins whenever the conflicting transaction is the one that ultimately gets mined. Tactics like connecting directly to the merchant's node, or using replace-by-fee to outbid the original, raise the attacker's odds.

Defenses

The race attack only works against parties that accept payments instantly on sight. The definitive defense is to wait for at least one block confirmation, which makes both the race and the related Finney Attack ineffective. Merchants who cannot wait sometimes use listening nodes that watch for conflicting transactions, monitor for replace-by-fee flags, or restrict zero-confirmation acceptance to low-value or trusted transactions. Lightning Network payments sidestep the problem entirely by settling instantly off-chain.

The race attack is the entry point of the zero-confirmation double-spend family that also includes the Vector76 Attack; all are species of double-spend.