BitPay strongly recommends that goods or services are only fulfilled when the BitPay invoice status is either 'Confirmed' or 'Complete'.  Fulfillment on any other status (including “Paid”) results in increased risk of loss due to double-spend attempts. Make sure to fetch the BitPay invoice status after receiving an IPN (Instant Payment Notification), since IPNs are not secure.

About the Bitcoin network

As the Bitcoin network gains interest and subsequent use it is not uncommon for transaction confirmation times to increase due to limited network resources.  Increased transaction traffic on the network allows bitcoin miners (those participants who confirm transactions) to be more selective when choosing which transactions to confirm (e.g. put into the “next” blockchain block).  The decision criteria used by bitcoin miners to choose transactions includes both the size of the transaction (in bytes) and the fee amount included with the transaction (in BTC).  This process allows bitcoin miners to deprioritize larger transactions and those transactions with lower fees.

There is no qualification by the network that prevents the same bitcoin from being used in multiple, parallel (unconfirmed) transactions.  All unconfirmed transactions are at risk of being involved with double-spend attempts.  The risk increases on a per transaction basis the longer the transaction remains unconfirmed.  Those wishing to attempt to commit double-spend transactions may attempt to exploit this knowledge in combination with an improperly configured BitPay merchant.

BitPay invoice payment and fulfillment 

BitPay wraps every bitcoin transaction in an “invoice”.  The BitPay invoice is associated with a status (or state) from the time it is created to the time it is settled (e.g., bank deposit to the merchant).  Not all invoice status values are associated with activity on the bitcoin blockchain.  The following invoice status values are relevant with respect to double-spend attempts.

​​

The merchants fulfillment of product or service on an invoice with status “Paid” introduces double-spend risk since multiple, unconfirmed transactions on the bitcoin network could be using the exact same bitcoin.  Once a transaction receives at least one bitcoin block confirmation the risk drops dramatically to be statistically zero.

Merchants who desire or demand product or service fulfillment immediately at the time of customer payment accept this risk.  However, the risk should be offset by the merchants ability to, for example, retrieve their fulfillment (e.g., revoke a software license or prevent shipment) or write-off their fulfillment (e.g., a product with “infinite” inventory).

BitPay minimizes double-spend risk 

BitPay does employ a "transaction scoring" algorithm that minimizes this risk for merchants, however it does not completely eliminate double-spend risk.  The scoring algorithm is designed to detect transactions that may never confirm or may confirm only after very long periods of time. 

 In this instance we automatically change the way we notify the merchant about payments received on that specific invoice so that the merchant does not immediately fulfill an order with a transaction that we feel is at risk of being double-spent. Learn more: https://blog.bitpay.com/advanced-merchant-risk-mitigation/