It has become trivial to double-spend; do not accept zero-confirmation transactions!*
Accepting zero-confirmation transactions today is not safe: Especially, with the full blocks of late, it is almost trivial to double-spend.
Only accepting the first seen transaction for the same inputs and discarding double-spending transactions had been a policy that made zero-confirmation viable for a while. However, it merely being a suggested policy, it had not been followed by all mining pools for some time.
Now, some clients also relay double-spending transactions, in order to make double-spend attempts more visible, which in turn however helps double-spend attempts to spread through the network, therefore enabling their success.
Successful attacks have been performed by sending one transaction with low mining-priority due to “dust/low-fee/reused-address/large-size/etc.” paying the merchant, then, even after receiving the goods, to send a normal transaction. The payment to the merchant will not get picked up quickly, especially with fairly full blocks, while the normal transaction gets picked up eventually by some mining pool that doesn’t enforce the “first-seen transaction policy”. See Simon Green on Bitcoin-Dev-Mailinglist: Significant losses by double-spending unconfirmed transactions
From what I have been reading, this has already caused e.g. Shapeshift, BitPay, and Coinbase trouble for accepting zero-confirmation transactions.
With full blocks, some clients relaying doublespending transactions, and miners choosing highest fee, it is easy to doublespend. Do not accept zero-confirmation transactions.*
*If a transaction pays a good fee and is highly relayable/minable, it may be safe, but you definitely need to check.
Based Blockchain Network