Refusal to Pay Arbitrage Attack: An Attack Method and Prevention of Bitcoin OTC Transactions

Chapter 0 Introduction

There are all kinds of bad guys outside the Bitcoin market, and they are very hardworking and have many ideas.

This article introduces a method to attack OTC traders.

Chapter 1 OTC Trading Platform Trading Process

Before talking about the fraud methods, let’s explain the OTC transaction process in the simplest terms.

A standard OTC trading platform transaction process is as follows:

1. The seller places a sell order on the platform;

2. The buyer places an order, and then the platform locks the seller’s coins;

3. The buyer pays the seller via bank transfer or Alipay, and then notifies the platform that the payment has been made;

4. After the seller confirms receipt of the payment, he chooses to release the locked coins, and the platform transfers the coins to the buyer's account.

5. The deal is done.

In the third step of this process, the buyer usually has 90 minutes to pay. If the buyer does not pay within 90 minutes, the transaction will be automatically cancelled. If the buyer clicks "paid", the transaction will not be cancelled.

Well, this refusal to pay attack uses this 90-minute time to complete the attack.

Chapter 2: Refusal to Pay Arbitrage Attacks

Because Bitcoin prices are highly volatile, within 90 minutes, the price may rise , fall, or even go sideways.

The buyer is an attacker in itself.

Now the buyer places an order on the OTC platform to buy a batch of Bitcoin, for example, 10 BTC at a price of 12500/BTC.

The buyer then has 90 minutes to pay.

At the same time, the buyer watches the market on a Bitcoin exchange, waiting for the price to rise . Once the price rises within 90 minutes, the buyer sells 10 BTC on the exchange.

The buyer then pays the seller via Alipay or bank transfer, etc., and the OTC order is confirmed and purchased.

If the price does not rise within 90 minutes, the buyer cancels the OTC order.

This way, buyers can arbitrage without risk.

Because there are fees for buying coins on exchanges and for transferring Bitcoin, and considering various costs, as long as the increase in Bitcoin prices exceeds the sum of various fees and other transaction frictions within 90 minutes, the buyer can complete the arbitrage. Otherwise, the buyer will give up and launch the next round of attacks.

This attack method harms the seller because when his coins are locked, he cannot trade . This will greatly reduce the efficiency of fund utilization. This is similar to a Taobao store encountering a competitor who takes a photo of all the inventory in the store, but refuses to pay, and automatically cancels the transaction after 24 hours. In this way, the store cannot operate within 24 hours.

Another risk for sellers is hedging failure. Generally, sellers of OTC transactions will use hedging methods to ensure that their supply is sufficient. For example, if a coin is sold on the OTC platform, he will buy a coin through other channels. This ensures that the total amount of coins will not decrease. Generally, for this kind of hedging, the seller will quickly complete the hedging within the time of locking the coin, and will not wait for the buyer to pay before purchasing the coin. Otherwise, the risk of price fluctuations is too great.

However, after the buyer launches a refusal to pay attack on the seller, if the price remains flat or falls within 90 minutes, the buyer cancels the transaction. Then the seller's hedge fails and the seller buys a few more coins for nothing.

Chapter 3 How to Prevent Denial of Payment Attacks

This type of attack is completely within the scope permitted by the rules. To prevent it, only the platform can judge and punish the attacker.

The first method is for the platform to restrict and punish suspicious buyers.

The platform can limit the number of times a buyer can cancel a transaction in a day. For example, a buyer can cancel a maximum of three transactions a day. This method is the same as when we buy train tickets on the 12306 platform, we can only cancel three times a day.

The platform can charge for canceling more transactions, for example, a buyer has 5 opportunities to cancel a transaction per day, and if he cancels more than that, he will have to pay.

The platform can punish buyers who frequently cancel transactions by reducing their payment time, leaving you no time to complete your attack.

The second type is for sellers to proactively report such buyers, or allow sellers to proactively create a blacklist to reject such buyers.

Chapter 4 Conclusion

In the long run, it is actually more cost-effective to be a good person.