Replay Attacks Explained…or…”God, I miss Mr. Sparkles.”

First, a brief review of how blockchains work:

Blockchains consist of blocks. Blocks are created (mined) every so often and added to the blockchain.

Blocks contain transactions.

Commonly, a transaction sends money from one account to another. The data required to describe such a transaction includes the senders account, the recipients account, and the amount of money to send.

Such a transaction must be signed by the private key of the sender.

Once it is signed, the data is packed up as bytecode and pushed from the senders chosen blockchain node to the rest of the blockchain.

It is the private key that protects the senders currency. No one can create a valid transaction without signing that transaction, creating a properly signed string of bytes describing that specific transaction.

Miners gather these transactions, and, for a fee, add them to the next block mined, should they be the lucky miner that mines that block.

A duplicate blockchain:

Now, imagine we make an exact copy of a blockchain, as easily accessible as the rest of the blockchain. The state of the Copy blockchain, and it’s history, is exactly the same as the state of the Original blockchain, for all intents and purposes, up until the moment the next block is created on each chain.

Further, a set of miners appears to service the copy blockchain. Further, criminals are aware of this.

The day the Copy blockchain is created, 99% of the world decides to use the new Copy blockchain, including you. You make sure your blockchain node only talks to nodes on that chain.

For convenience, we will call the currency of the Original blockchain ETC, and the currency of the Copy blockchain ETH.

You, not having read this post, decide it would be a good idea to sell all your ETC to a stranger in exchange for USD, at five cents per ETC.

So you fire up a second computer, with a different blockchain node, and make sure it only talks to the Original blockchain. You copy your private keys to that computer, and sell all your ETC to that stranger for a few pennies per ETC.

Hey, it’s not a big deal, right? You don’t care about ETC, really. You are just making a few extra bucks. What you really care about is that ETH you need to use to pay off your house and buy Unicorns with.

You pocket the 5000USD and run, grinning, to the super-expensive ice-cream store, where you buy the most expensive, and delicious, five thousand dollar ice cream ever — an ice cream that only the smartest, wealthiest people can afford.

When you get home, licking your lovely ice cream cone, you decide to check your ETH balance.

“What the WHAT!!”, you say, dropping your ice cream into the kitty litter. Your ETH balance is ZERO!!

But you were so smart!!! What could have happened!!!

Well, remember that transaction you made, sending one bazillion ETC to random_person in exchange for five thousand US dollars?

That was signed by your private key, and uploaded to a blockchain with the same account history. Your account is the same, the account of the criminal you sold fifty million ETC to is the same, everything is the same.

All the criminal had to do was to broadcast that same transaction to the Copy blockchain, the one with the ETH currency, and it looked valid, because it was!

The realization dawns upon you. All that effort you put into understanding blockchain tech, the good luck you had to be an early adopter. It’s all gone…leaving you only with the sad, sticky ice cream that remains on your sad hand to show for it.

It tastes terrible. Your cat, Mr. Sparkles, thinks you are crazy and moves out. When you are evicted, a more sensible person moves in. Mr. Sparkles is adopted by the new owner, who buys him a Unicorn. :(

Beware the replay attack. Don’t let this happen to you.