Various potential attacks on the bitcoin network and its use as a payment system, real or theoretical, have been considered. The bitcoin protocol includes several features that protect it against some of those attacks, such as unauthorized spending, double spending, forging bitcoins, and tampering with the block chain. Other attacks, such as theft of private keys, require due care by users.
Unauthorized spending is mitigated by bitcoin's implementation of public-private key cryptography. For example; when Alice sends a bitcoin to Bob, Bob becomes the new owner of the bitcoin. Eve observing the transaction might want to spend the bitcoin Bob just received, but she cannot sign the transaction without the knowledge of Bob's private key.
A specific problem that an internet payment system must solve is double-spending, whereby a user pays the same coin to two or more different recipients. An example of such a problem would be if Eve sent a bitcoin to Alice and later sent the same bitcoin to Bob. The bitcoin network guards against double-spending by recording all bitcoin transfers in a ledger (the block chain) that is visible to all users, and ensuring for all transferred bitcoins that they haven't been previously spent.
If Eve offers to pay Alice a bitcoin in exchange for goods and signs a corresponding transaction, it is still possible that she also creates a different transaction at the same time sending the same bitcoin to Bob. By the rules, the network accepts only one of the transactions. This is called a race attack, since there is a race which transaction will be accepted first. Alice can reduce the risk of race attack stipulating that she will not deliver the goods until Eve's payment to Alice appears in the block chain.
A variant race attack (which has been called a Finney attack by reference to Hal Finney) requires the participation of a miner. Instead of sending both payment requests (to pay Bob and Alice with the same coins) to the network, Eve issues only Alice's payment request to the network, while the accomplice tries to mine a block that includes the payment to Bob instead of Alice. There is a positive probability that the rogue miner will succeed before the network, in which case the payment to Alice will be rejected. As with the plain race attack, Alice can reduce the risk of a Finney attack by waiting for the payment to be included in the block chain.
The other principal way to steal bitcoins would be to modify block chain ledger entries. For example, Eve could buy something from Alice, like a sofa, by adding a signed entry to the block chain ledger equivalent to Eve pays Alice 100 bitcoins. Later, after receiving the sofa, Eve could modify that block chain ledger entry to read instead: Eve pays Alice 1 bitcoin, or replace Alice's address by another of Eve's addresses. Digital signatures cannot prevent this attack: Eve can simply sign her entry again after modifying it.
To prevent modification attacks, each block of transactions that is added to the block chain includes a cryptographic hash code that is computed from the hash of the previous block as well as all the information in the block itself. When the bitcoin software notices two competing block chains, it will automatically assume that the chain with the greatest amount of work to produce it is the valid one. Therefore, in order to modify an already recorded transaction (as in the above example), the attacker would have to recalculate not just the modified block, but all the blocks after the modified one, until the modified chain contains more work than the legitimate chain that the rest of the network has been building in the meantime. Consequently, for this attack to succeed, the attacker must outperform the honest part of the network.
Each block that is added to the block chain, starting with the block containing a given transaction, is called a confirmation of that transaction. Ideally, merchants and services that receive payment in bitcoin should wait for at least one confirmation to be distributed over the network, before assuming that the payment was done. The more confirmations that the merchant waits for, the more difficult it is for an attacker to successfully reverse the transaction in a block chain unless the attacker controls more than half the total network power, in which case it is called a 51% attack. For example, if the attacker possesses 10% of the calculation power of the bitcoin network and the shop requires 6 confirmations for a successful transaction, the probability of success of such an attack will be 0.02428%.
This attack was first introduced by Ittay Eyal and Emin Gun Sirer at the beginning of November 2013. In this attack, the attacker finds blocks but does not broadcast them. Instead, the attacker mines their own private chain and later (when another miner or network of miners finds their own block) publishes several private blocks in a row. This forces the "honest" network to abandon their previous work and switch to the attacker's branch. As a result, honest miners lose a significant part of their revenue, causing a relatively greater proportion of blocks in the block chain to be of the attacker's work and thereby increasing the attacker's profits. According to the authors, the profit margin of the selfish miner grows superlinearly with the attacker's hashpower; thus if a rational miner observes and joins the selfish miner's pool, both miners' profits will increase (thus giving both the rational miner an incentive to join and the selfish miner an incentive to accept the join). This makes the attack and incentives even stronger, potentially leading to a 51% attack and the collapse of the currency.
Gavin Andresen and Ed Felten disagreed with this conclusion, Felten defending his assertion that the bitcoin protocol is incentive compatible. The original authors responded that the disagreement stemmed from Felten's misunderstanding of how miners are compensated in mining pools, that the assertion was in error, given the presence of a strategy that dominates honest mining, and that the error stemmed from Felten et al. not modeling block withholding attacks in their analysis
Along with transaction graph analysis, which may reveal connections between bitcoin addresses (pseudonyms), there is a possible attack which links a user's pseudonym to its IP address. If the peer is using Tor, the attack includes a method to separate the peer from the Tor network, forcing them to use their real IP address for any further transactions. The attack makes use of bitcoin mechanisms of relaying peer addresses and anti-DoS protection. The cost of the attack on the full bitcoin network is under €1500 per month.