Bitcoin Duplicate Transactions: An Interesting Yet Low-Risk System Vulnerability

There is a unique phenomenon in the Bitcoin network: two completely identical transactions. This situation is possible because coinbase transactions do not require any transaction inputs, but instead directly generate new Bitcoins. Therefore, two different coinbase transactions can potentially send the same amount of Bitcoin to the same address, constructed in exactly the same way, resulting in completely identical transactions. Since these transactions are identical in content, their transaction IDs ( TXID ) will also match, as the TXID is a hash digest of the transaction data.

The two sets of repeated transactions occurred between November 14 and 15, 2010, with a time span of about 16 hours. The first set of repeated transactions is sandwiched between the second set. We classify d5d2....8599 as the first repeated transaction since it became a copy first, even though it first appeared on the blockchain after another repeated transaction e3bf....b468.

Interestingly, different block explorers behave differently when displaying these duplicate transactions. Some explorers default to showing earlier blocks, while others display later blocks.

The total amount of Bitcoin involved in these repeated transactions is 200 BTC, or it can be understood as 100 BTC. As of now, all of these Bitcoins have not yet been used. Theoretically, if someone possesses the private keys associated with these outputs, they might be able to use these Bitcoins. However, once used, the duplicate 50 BTC will be irretrievably lost and cannot be used again, so in reality, only 100 BTC may be recoverable.

Duplicate transactions can obviously cause some issues. They may confuse wallets and block explorers, making it difficult to determine the true source of Bitcoin. Additionally, they may be used for certain attacks and exploitations.

To address this issue, Bitcoin developers proposed the BIP30 soft fork scheme in 2012, prohibiting the use of duplicate TXIDs for transactions, unless the previous TXID has already been used. Later, this rule was modified to apply to all blocks, not just those after March 15, 2012.

In July 2012, the BIP34 soft fork proposal was put forward and activated in March 2013. This change required coinbase transactions to include the block height, which seemed to completely solve the issue of duplicate transactions. However, it turned out that there were still some coinbase transactions in blocks before the activation of BIP34, where the first byte of their scriptSigs matched exactly with the future valid block height.

The next block that may have duplicate transactions is 1,983,702, which is expected to be produced around January 2046. If miners want to carry out this type of attack, they not only need to be lucky enough to find this block, but also incur huge costs. At the current Bitcoin price, this would cost over $15 million.

Considering the difficulty and cost of copy trading, as well as the rarity of opportunities to exploit it, this vulnerability does not appear to be a major security issue for Bitcoin. Nevertheless, developers have spent a significant amount of time on this issue over the years, and the year 2046 may be seen as a deadline for some developers to fix it. There are many ways to address this bug, which may require a soft fork. One possible fix is to enforce the SegWit commitment.