Finney Attack

A Finney attack is a form of double-spending in blockchain networks where a miner pre-mines a transaction in a block but deliberately withholds broadcasting it to the network.

What Is a Finney Attack?

Named after Hal Finney, the developer who first theorized this vulnerability, a Finney attack is a type of double-spending attack where a malicious miner creates a block containing a transaction that sends coins back to themselves but doesn’t immediately broadcast this block to the network. This allows them to spend the same coins in a separate transaction while having a “backup” transaction ready to invalidate it.

How Does It Work?

The attack works through a carefully orchestrated sequence:

1. The attacker, who must be a miner, creates a transaction sending coins from their wallet A to their wallet B.
2. Instead of broadcasting this transaction, they privately mine a block containing this transaction.
3. Using the same coins from wallet A, the attacker makes a purchase from a merchant who accepts unconfirmed transactions.
4. Once the merchant delivers goods or services (believing they’ve been paid), the attacker broadcasts their previously mined block.
5. When the network accepts this pre-mined block, it invalidates the transaction to the merchant, effectively allowing the attacker to keep both the coins and the purchased goods.

This attack specifically targets merchants who prioritize transaction speed over security by accepting payments before blockchain confirmation. What’s more, these attacks only succeed under specific conditions:

• The attacker must have mining capabilities with enough mining power to generate their block before another miner confirms the merchant’s transaction.
• The victim must accept unconfirmed or zero-confirmation transactions. 
• The pre-mined block must remain unbroadcast until after the merchant accepts the fraudulent transaction.