Blockchain & Cryptocurrency Glossary

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

  • search-icon Clear Definitions
  • search-icon Practical
  • search-icon Technical
  • search-icon Related Terms

Finney Attack

2 min read
Pronunciation
[fin-ee uh-tak]
Analogy
Imagine you write two checks from the same account: Check A (kept secret) pays yourself back, and Check B (given to a shop) pays for goods. You are also secretly trying to 'approve' Check A yourself (mining a block with it). The shop accepts Check B immediately without waiting for bank confirmation (0-conf). If you successfully 'approve' Check A first (find the next block), you quickly reveal it, making Check B bounce because the funds were already spent by Check A.
Definition
A Finney attack is a specific type of double-spending attack against recipients who accept 0-confirmation transactions on a Proof-of-Work blockchain. It involves a miner pre-mining a block containing a transaction sending coins back to themselves (or another controlled address) but withholding this block, while simultaneously sending the same coins to a merchant in a separate transaction broadcast to the network. If the miner finds the next block, they release their pre-mined block, invalidating the merchant's transaction.
Key Points Intro
The Finney attack is a theoretical double-spend exploit targeting recipients accepting unconfirmed (0-conf) transactions on PoW blockchains.
Key Points

Targets 0-Confirmation Transactions: Exploits recipients who accept payments before they are included in a block.

Requires Mining Capability: The attacker must be a miner capable of finding blocks.

Involves Pre-mining & Withholding: Attacker mines a block with a conflicting transaction but doesn't broadcast it immediately.

Conditional Double Spend: Succeeds only if the attacker mines the next block after the victim accepts the 0-conf transaction.

Example
A malicious miner wants to buy an expensive item from an online merchant who instantly ships goods upon seeing a transaction broadcast (0-conf). The miner creates Transaction A sending 10 BTC back to their own address and includes it in a block template they are mining. They also create Transaction B sending the same 10 BTC to the merchant and broadcast it. The merchant sees Transaction B and ships the item. If the miner then successfully mines their block containing Transaction A, they broadcast it. This block gets accepted by the network, making Transaction B invalid (a double spend), and the merchant receives no payment.
Technical Deep Dive
The attack sequence is: 1. Miner generates Tx A (Miner -> Miner's Address) and includes it in Block X (but does not broadcast Block X). 2. Miner generates Tx B (Miner -> Merchant's Address), using the same inputs as Tx A, and broadcasts Tx B to the network. 3. Merchant sees Tx B (unconfirmed) and accepts it, delivering goods/services. 4. Miner continues mining. If they find the next block (Block X containing Tx A), they immediately broadcast it. 5. If Block X propagates successfully and is accepted by the network, Tx B becomes invalid as its inputs were already spent in Block X. The attack relies on the attacker mining the very next block relatively quickly after the merchant accepts Tx B.
Security Warning
The primary defense against Finney attacks (and most double-spending) is to wait for one or more confirmations on the blockchain before considering a transaction final, especially for high-value transactions. Accepting 0-confirmation transactions carries inherent risk.
Caveat
The Finney attack is difficult to execute reliably as it requires the attacker to mine the next block. The probability depends on the attacker's hash rate relative to the network. For blockchains with fast block times, the window for the attack is smaller. It's primarily a theoretical risk for those accepting 0-conf.
Related Terms
Mining
Vector76 Attack

Finney Attack - Related Articles

No related articles for this term.