Recently, we found that PST tokens which support both Arweave native tx mode and bundle item tx mode have the potential to cause some security issues, such as a double-spend attack. To test this idea, I did an experiment and share the results below.

bAR is a PST token developed using SmartWeave. It can be minted by uploading data to the Arweave network or by burning AR.

Since bAR supports both Arweave native transaction mode and bundle item tx mode with real-time confirmation, there is a theoretical possibility of a double-spend attack.

Basic information

Experimental account:

G1ylJbqKaG-qL7LexEHtyKp1sgJ_Q0l52vsNvbOLRdU

Before starting the experiment, it had 0.091492 bAR.

bAR Contract address:

VFr3Bk-uM-motpNNkkFg4lNW1BMmSfzqsVO551Ho4hA

bAR real-time exchange website:

https://stamps.arweave.dev/#/

In this experiment, we send a bundle item tx to convert bAR to stampcoin in real time through this website.

Process

  1. Send an Arweave native tx to transfer all 0.091492 bAR from the experimental account to another account, noted as TX1.

  2. As TX1 is not yet packed into an Arweave block, the balance shown on the Stamp exchange site is still 0.091492 bAR.

    So we could buy 9 stampcoin with 0.09 bAR at this exchange site, noted as TX2 and TX3 (as the exchange involves 2 transactions).
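
The race in the two steps above, and one way a real-time service could guard against it, shown as an added example that is not code from the bAR contract or the exchange site. It assumes the service can see pending native transfers; the function names, account labels and the integer micro-bAR unit are hypothetical.

```javascript
// Added illustration: a toy model, not the bAR contract or the exchange's code.
// All names are hypothetical; amounts are integer micro-bAR (assumed unit).

// Balance as a real-time evaluator sees it: only mined state is applied.
function confirmedBalance(ledger, account) {
  return ledger.confirmed[account] || 0;
}

// Outgoing native transfers that are broadcast but not yet packed in a block.
function pendingOutgoing(ledger, account) {
  return ledger.mempool
    .filter((tx) => tx.from === account)
    .reduce((sum, tx) => sum + tx.qty, 0);
}

// Naive check: ignores pending native txs, so it sees the full balance.
function acceptNaive(ledger, item) {
  return item.qty <= confirmedBalance(ledger, item.from);
}

// Hardened check: reserve funds already promised to pending native txs.
function acceptReserving(ledger, item) {
  const free = confirmedBalance(ledger, item.from) - pendingOutgoing(ledger, item.from);
  return item.qty <= free;
}

// Constructed scenario using the page's amounts: 0.091492 bAR held, a pending
// native transfer (TX1), then a 0.09 bAR bundle-item swap (TX2/TX3).
function runScenario(accept, pendingQty = 91492) {
  const ledger = { confirmed: { experimental: 91492 }, mempool: [] };
  ledger.mempool.push({ from: 'experimental', to: 'other', qty: pendingQty });
  const swap = { from: 'experimental', to: 'exchange', qty: 90000 };
  const swapAccepted = accept(ledger, swap);
  // Total the account has promised across both modes versus what it holds.
  const committed = pendingQty + (swapAccepted ? swap.qty : 0);
  const overcommitted = committed > confirmedBalance(ledger, 'experimental');
  return { swapAccepted, committed, overcommitted };
}

console.log('naive    :', runScenario(acceptNaive));
console.log('reserving:', runScenario(acceptReserving));
console.log('reserving, small pending tx:', runScenario(acceptReserving, 1000));
```

The third call shows that the reserving check still accepts a swap when the pending transfer leaves enough free balance.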

Results

  1. The transaction of bAR to stampcoin was confirmed in real time on the Stamp website