Thanks for the thoughtful response. According to it, 0-conf transactions are possible in BTC as well. Why aren't more people using this? It seems safe enough, since attacking such a transaction is probably more expensive than the gains from the scam.
It's only safe in the sense that most people aren't trying to rip you off.
A moderately technically sophisticated attacker will concurrently broadcast one txn version near miners, and another to as many other nodes as they can reach. Their success rate on double spends can easily be >90% and the marginal cost of the attack is approximately zero.
Other than the technical know-how to set up the transaction broadcasting and the risk that you might just pay for what you were buying, there is no cost to the scam.
The situation is somewhat worse on BCH in the sense that they only have ~1.2% of Bitcoin's hashrate, so there are many single Bitcoin miners that can reorg BCH, so even single confirmations aren't particularly safe.
There are, of course, plenty of cases where 0-conf could be accepted-- e.g. you could credit someone assets but not allow withdrawal until they clear, or if goods will ship the next day you need only check that they've confirmed before shipment. Some places do this now.
Can't this attack be made impractical with some heuristic? For example, only accept 0-conf transactions if a given number of nodes have this transaction in their mempool. (I'm thinking of both BTC and BCH)
No, because only a single node really matters: the next node to mine a block-- which may not even be reachable to you. Even if the attack worked just 10% of the time, that's like a free 10% rebate credit card for the attacker.
(and more generally, only a couple nodes matter at all for this purpose-- the set of nodes that could mine the next block)
Plus, BCH hashrate is so low that the attacker can mine the next block themselves with rented hashrate; because the mining pays next to break-even, renting the hashrate isn't a significant loss in expectation.