A bug that could be used to exploit LBRY's paid content feature
A few days ago, as always, I was roaming in and around LBRY, preparing to boost my last post about Roller Coin. For this purpose, I moved some LBC from my cold wallet to LBRY.
I was expecting to wait for 10-20 confirmations before staking that LBC, but to my utter surprise the LBC was available for immediate spending, while the blockchain explorer was showing only 1 confirmation.
That raised suspicion. I re-sent another small amount to test, and this time it was also instantly spendable. Shortly after that I contacted a person from the team and got the following reply, confirming this as an intentional feature for newbies.
The Attack Surface
One of LBRY's valuable features is the "PayWall", where content creators can lock their content and request payment in LBC to unlock it, enabling them to earn revenue. Combined with the "0con Bug" described above, this opens up a new exploit.
Double Spending Attack
Explanation: LBRY's blockchain [LBRYcrd] is based on Bitcoin, with substantial modifications. In the Bitcoin ecosystem there is a concept called "double spending": an unconfirmed transaction can be replaced by a conflicting one (for example through Replace-by-Fee), which effectively reverses the original payment.
More on this: Replace by fee in Bitcoin on StackExchange
How does this affect LBRY?
Let's say I want to buy content worth 1000 LBC on LBRY, but I do the following steps to get the content for free!
Send 1000 LBC from an external wallet to LBRY.tv
Immediately double spend and reverse the transaction
At the same time, buy the content while the LBC is still available
N.B. - This can greatly discourage creators and damage their motivation and financial support.
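One way a service that credits on-chain deposits can bound this risk, as an added example that is not LBRY's code: a crediting policy that refuses to make an unconfirmed deposit spendable when its transaction signals BIP125 replaceability, and caps the amount credited before the usual number of confirmations. The field names, thresholds and sample deposits below are constructed for illustration.

```python
# Added example, not LBRY's code: a conservative deposit-crediting policy for a
# service that lets users spend on-chain deposits. Field names, thresholds and
# the sample deposits below are constructed for illustration.
from dataclasses import dataclass, field
from typing import List

# BIP125 opt-in Replace-by-Fee: a transaction is replaceable while unconfirmed
# if any of its inputs carries an nSequence strictly below 0xfffffffe.
BIP125_FINAL_SEQUENCE = 0xFFFFFFFE


@dataclass
class TxInput:
    sequence: int  # nSequence field of the input


@dataclass
class Deposit:
    txid: str
    amount: float          # in LBC
    confirmations: int     # 0 = still in the mempool
    inputs: List[TxInput] = field(default_factory=list)


def signals_replaceability(deposit: Deposit) -> bool:
    """True if the deposit transaction opts in to BIP125 replacement."""
    return any(inp.sequence < BIP125_FINAL_SEQUENCE for inp in deposit.inputs)


def credit_decision(deposit: Deposit, min_confirmations: int = 6,
                    instant_credit_limit: float = 1.0) -> str:
    """Decide whether a deposit may be spent now ("credit") or must wait ("hold").

    Policy (constructed for this example):
      * enough confirmations: always credit;
      * unconfirmed and replaceable: never credit, it can still be double spent;
      * otherwise credit only small amounts instantly, so the worst-case
        exposure of the instant-credit convenience stays bounded.
    """
    if deposit.confirmations >= min_confirmations:
        return "credit"
    if deposit.confirmations == 0 and signals_replaceability(deposit):
        return "hold"
    if deposit.amount <= instant_credit_limit:
        return "credit"
    return "hold"


def spendable_balance(deposits: List[Deposit], **policy) -> float:
    """Sum of the deposits the policy allows the user to spend right now."""
    return sum(d.amount for d in deposits
               if credit_decision(d, **policy) == "credit")


# Constructed sample deposits: the large unconfirmed (d1) and large
# one-confirmation (d4) deposits are held; the small deposit (d2) and the
# well-confirmed one (d3) are credited.
SAMPLE_DEPOSITS = [
    Deposit("d1", 1000.0, 0, [TxInput(0xFFFFFFFD)]),  # opt-in RBF, unconfirmed
    Deposit("d2", 0.5, 1, [TxInput(0xFFFFFFFF)]),
    Deposit("d3", 1000.0, 6, [TxInput(0xFFFFFFFF)]),
    Deposit("d4", 1000.0, 1, [TxInput(0xFFFFFFFF)]),
]

if __name__ == "__main__":
    for d in SAMPLE_DEPOSITS:
        print(d.txid, credit_decision(d))
    print("spendable now:", spendable_balance(SAMPLE_DEPOSITS))
```

The instant-credit limit is the knob that keeps the "feature for newbies" while putting a ceiling on what a replaced transaction could take with it; a real deployment would also track the cumulative unconfirmed exposure per account rather than judging each deposit on its own.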
How is LBRY mitigating this attack?
Short and simple. LBRY has a static fee of nearly 0.001 LBC.
Now the long part. A wallet named "LBRY Vault", forked from the Electrum wallet, can adjust fees (the latest version includes a slider for the purpose). While this slider is useful in the Bitcoin ecosystem to choose between a fast/expensive or slow/cheap transaction, it is useless for LBC, as the fee always remains the same.
Since a replacement transaction has to pay more than the one it replaces, a fixed fee leaves no room to outbid the original, and the potential bug remains theoretical.
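To see why a fixed fee closes the door on Replace-by-Fee, here is an added example (not LBRYcrd or Bitcoin Core code) that models the fee-related BIP125 rules a node checks before letting a conflicting transaction replace an unconfirmed one. Amounts are integers in the chain's smallest unit (1e-8 coin); the 0.001 LBC fee is the figure quoted above, while the transaction size and the minimum relay fee rate are constructed.

```python
# Added example, not LBRYcrd or Bitcoin Core source: a simplified model of the
# BIP125 fee rules a node applies before letting one unconfirmed transaction
# replace another. It shows why a fixed network fee leaves no room for a
# replacement. Amounts are in the chain's smallest unit (1e-8 coin); the
# size and relay-fee figures are constructed.
from dataclasses import dataclass
from typing import Optional

COIN = 100_000_000  # smallest units per coin


@dataclass
class MempoolTx:
    txid: str
    fee: int           # absolute fee, smallest units
    vsize: int         # size in virtual bytes
    replaceable: bool  # BIP125 opt-in signalled via nSequence


def replacement_rejection_reason(original: MempoolTx, replacement: MempoolTx,
                                 min_relay_fee_rate: int) -> Optional[str]:
    """Return None if `replacement` may evict `original`, else the reason it is refused.

    Only the fee-related BIP125 rules are modelled:
      rule 1: the original must signal replaceability;
      rule 3: the replacement must pay at least the original's absolute fee;
      rule 4: the extra fee must pay for relaying the replacement's own bytes
              at the node's minimum relay fee rate.
    """
    if not original.replaceable:
        return "rule 1: original does not signal replaceability"
    if replacement.fee < original.fee:
        return "rule 3: replacement pays less absolute fee than the original"
    if replacement.fee - original.fee < min_relay_fee_rate * replacement.vsize:
        return "rule 4: extra fee does not cover relaying the replacement"
    return None


def static_fee_allows_replacement(static_fee: int, vsize: int,
                                  min_relay_fee_rate: int) -> bool:
    """On a chain where every transaction pays the same fee, can a conflicting
    transaction ever replace the original? Both necessarily pay `static_fee`."""
    original = MempoolTx("original", static_fee, vsize, replaceable=True)
    conflict = MempoolTx("conflict", static_fee, vsize, replaceable=True)
    return replacement_rejection_reason(original, conflict, min_relay_fee_rate) is None


# Constructed figures: the 0.001 LBC fixed fee quoted in the post, 200 vbyte
# transactions and a 1 unit/vbyte minimum relay fee rate.
STATIC_FEE = COIN // 1000
VSIZE = 200
MIN_RELAY_FEE_RATE = 1

if __name__ == "__main__":
    print("replacement possible with a static fee:",
          static_fee_allows_replacement(STATIC_FEE, VSIZE, MIN_RELAY_FEE_RATE))
    # With an adjustable fee (the Bitcoin case) a higher-fee conflict is accepted.
    low = MempoolTx("original", 10_000, VSIZE, replaceable=True)
    high = MempoolTx("conflict", 30_000, VSIZE, replaceable=True)
    print("adjustable fee:", replacement_rejection_reason(low, high, MIN_RELAY_FEE_RATE))
```

With identical fees the extra fee is zero, so rule 4 rejects the conflict regardless of how the wallet's fee slider is set; the same check passes as soon as the fee can be raised, which is the Bitcoin situation the post contrasts it with.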
Resources -
Replace by Fee tools: https://github.com/petertodd/replace-by-fee-tools
Blockchain's prevention measures to mitigate double spending: https://www.investopedia.com/ask/answers/061915/how-does-block-chain-prevent-doublespending-bitcoins.asp