Conference Paper

On the Instability of Bitcoin Without the Block Reward


Abstract

Bitcoin provides two incentives for miners: block rewards and transaction fees. The former accounts for the vast majority of miner revenues at the beginning of the system, but it is expected to transition to the latter as the block rewards dwindle. There has been an implicit belief that whether miners are paid by block rewards or transaction fees does not affect the security of the block chain. We show that this is not the case. Our key insight is that with only transaction fees, the variance of the block reward is very high due to the exponentially distributed block arrival time, and it becomes attractive to fork a "wealthy" block to "steal" the rewards therein. We show that this results in an equilibrium with undesirable properties for Bitcoin's security and performance, and even non-equilibria in some circumstances. We also revisit selfish mining and show that it can be made profitable for a miner with an arbitrarily low hash power share, and who is arbitrarily poorly connected within the network. Our results are derived from theoretical analysis and confirmed by a new Bitcoin mining simulator that may be of independent interest. We discuss the troubling implications of our results for Bitcoin's future security and draw lessons for the design of new cryptocurrencies.


... Since the block reward is fixed, there is no benefit in taking the risk of orphaning previous blocks. However, in a volatile block reward model, a miner might find it more profitable to attempt to orphan a previously mined block with a significantly high transaction fee to steal those transactions [9,11]. Additionally, a miner may choose to mine a secret fork of blocks to prevent others from building on that fork, allowing the miner to include all available transactions from the mempool in its secret fork. ...
... Some research has analyzed Bitcoin's security under the volatile block reward model. Carlsten et al. [11] raised concerns about Bitcoin security as the protocol reward diminishes to zero, introducing the undercutting attack and showing how selfish mining could become more threatening in a transaction-fee-driven era. While the paper highlights Bitcoin's instability under the volatile reward model, the analysis relies on simplified assumptions, such as unlimited block space, allowing blocks to collect all available transaction fees. ...
... The undercutting attack, introduced by Carlsten et al. in [11], can be profitable in scenarios where a significant portion of the mining power is petty-compliant. Petty-compliant miners are those who may deviate from the honest mining strategy to earn higher profits. ...
Preprint
As Bitcoin experiences more halving events, the protocol reward converges to zero, making transaction fees the primary source of miner rewards. This shift in Bitcoin's incentivization mechanism, which introduces volatility into block rewards, could lead to the emergence of new security threats or intensify existing ones. Previous security analyses of Bitcoin have either considered a fixed block reward model or a highly simplified volatile model, overlooking the complexities of Bitcoin's mempool behavior. In this paper, we present a reinforcement learning-based tool designed to analyze mining strategies under a more realistic volatile model. Our tool uses the Asynchronous Advantage Actor-Critic (A3C) algorithm to derive near-optimal mining strategies while interacting with an environment that models the complexity of the Bitcoin mempool. This tool enables the analysis of adversarial mining strategies, such as selfish mining and undercutting, both before and after difficulty adjustments, providing insights into the effects of mining attacks in both the short and long term. Our analysis reveals that Bitcoin users' trend of offering higher fees to speed up the inclusion of their transactions in the chain can incentivize payoff-maximizing miners to deviate from the honest strategy. In the fixed reward model, a disincentive for the selfish mining attack is the initial loss period of at least two weeks, during which the attack is not profitable. However, our analysis shows that once the protocol reward diminishes to zero in the future, or even currently on days when transaction fees are comparable to the protocol reward, mining pools might be incentivized to abandon honest mining to gain an immediate profit.
... However, the seminal work of Eyal and Sirer [2014], now referred to as "Selfish Mining", identified a fundamentally different cause for concern: an attacker with 34% of the computational power could manipulate the protocol in a way that does not violate consensus, but earns that attacker a > 34% fraction of the mining rewards. This agenda has exploded over the past decade, and there is now a vast body of work considering strategic manipulation of consensus protocols (e.g. Bahrani and Weinberg, 2023, Brown-Cohen et al., 2019, Carlsten et al., 2016, Eyal and Sirer, 2014, Ferreira et al., 2022, Ferreira and Weinberg, 2021, Fiat et al., 2019, Goren and Spiegelman, 2019, Kiayias et al., 2016, Sapirshtein et al., 2016, Tsabary and Eyal, 2018, Yaish et al., 2023, 2022, Zur et al., 2020). ...
... Manipulating Consensus Protocols. We have already briefly cited a subset of the substantial body of work studying profitable manipulations of consensus protocols [Bahrani and Weinberg, 2023, Brown-Cohen et al., 2019, Carlsten et al., 2016, Eyal and Sirer, 2014, Ferreira et al., 2022, Ferreira and Weinberg, 2021, Fiat et al., 2019, Goren and Spiegelman, 2019, Kiayias et al., 2017, Sapirshtein et al., 2016, Tsabary and Eyal, 2018, Yaish et al., 2023, 2022]. Of these, [Brown-Cohen et al., 2019, Ferreira and Weinberg, 2021] also study Proof-of-Stake protocols, but longest-chain variants (and therefore have minimal technical overlap). ...
... ← − exp( ) and +1 ← − + exp( )10 We assume this to focus on the relevant aspects of the paper and is consistent in prior work that focuses on incentives [Bahrani and Weinberg, 2023, Carlsten et al., 2016, Eyal and Sirer, 2014, Ferreira and Weinberg, 2021, Ferreira et al., 2019, Kiayias et al., 2016, Sapirshtein et al., 2016]
Computing Optimal Manipulations in Cryptographic Self-Selection Proof-of-Stake Protocols
Preprint
Cryptographic Self-Selection is a paradigm employed by modern Proof-of-Stake consensus protocols to select a block-proposing "leader." Algorand [Chen and Micali, 2019] proposes a canonical protocol, and Ferreira et al. [2022] establish bounds f(α,β) on the maximum fraction of rounds a strategic player can lead as a function of their stake α and a network connectivity parameter β. While both their lower and upper bounds are non-trivial, there is a substantial gap between them (for example, they establish f(10%,1) ∈ [10.08%, 21.12%]), leaving open the question of how significant of a concern these manipulations are. We develop computational methods to provably nail f(α,β) for any desired (α,β) up to arbitrary precision, and implement our method on a wide range of parameters (for example, we confirm f(10%,1) ∈ [10.08%, 10.15%]). Methodologically, estimating f(α,β) can be phrased as estimating to high precision the value of a Markov Decision Process whose states are countably-long lists of real numbers. Our methodological contributions involve (a) reformulating the question instead as computing to high precision the expected value of a distribution that is a fixed-point of a non-linear sampling operator, and (b) provably bounding the error induced by various truncations and sampling estimations of this distribution (which appears intractable to solve in closed form). One technical challenge, for example, is that natural sampling-based estimates of the mean of our target distribution are not unbiased estimators, and therefore our methods necessarily go beyond claiming sufficiently-many samples to be close to the mean.
... Prior work also shows that revenue from transaction fees is clearly increasing (Easley et al., 2017). With the volume of transactions growing aggressively (Figure 2.2a) over time and the block rewards, in Bitcoin, halving every four years, it is inevitable that transaction fees will be an important, if not the only, criterion for including a transaction, leading possibly to undercutting attacks (Carlsten et al., 2016). Below, we analyze whether Bitcoin users incentivize miners via transaction fees and if such incentives are effective today. ...
... As the block reward halves every four years in the Bitcoin blockchain, some recent work focused on analyzing how the incentives will change when transaction fees dominate the rewards. Carlsten et al. (Carlsten et al., 2016) showed that having only transaction fees as incentives will create instability. Tsabary and Eyal (Tsabary and Eyal, 2018) extended this result to more general cases including both block rewards and transaction fees. ...
... Those prior works, however, assume that miners follow a certain norm for transaction selection and ordering (mostly the fee rate norm) and look at miners' incentives in terms of how much compute power to exert and when (or some equivalent metric). There are also prior studies on the security issues of having transaction fees as the prime miners' incentive (Carlsten et al., 2016; Li et al., 2018); and a vast literature on the security of blockchains more generally (e.g., (Gencer et al., 2018; Karame, 2016; Vasek et al., 2014)). Again, however, these studies focus on miners' incentives to mine and not on transaction ordering; for the latter, they assume that miners follow a norm. ...
Preprint
Blockchains revolutionized centralized sectors like banking and finance by promoting decentralization and transparency. In a blockchain, information is transmitted through transactions issued by participants or applications. Miners crucially select, order, and validate pending transactions for block inclusion, prioritizing those with higher incentives or fees. The order in which transactions are included can impact the blockchain final state. Moreover, applications running on top of a blockchain often rely on governance protocols to decentralize the decision-making power to make changes to their core functionality. These changes can affect how participants interact with these applications. Since one token equals one vote, participants holding multiple tokens have a higher voting power to support or reject the proposed changes. The extent to which this voting power is distributed is questionable and if highly concentrated among a few holders can lead to governance attacks. In this thesis, we audit the Bitcoin and Ethereum blockchains to investigate the norms followed by miners in determining the transaction prioritization. We also audit decentralized governance protocols such as Compound to evaluate whether the voting power is fairly distributed among the participants. Our findings have significant implications for future developments of blockchains and decentralized applications.
Thesis
Blockchains revolutionized centralized sectors like banking and finance by promoting decentralization and transparency. In a blockchain, information is transmitted through transactions issued by participants or applications. Miners crucially select, order, and validate pending transactions for block inclusion, prioritizing those with higher incentives or fees. The order in which transactions are included can impact the blockchain final state. Moreover, applications running on top of a blockchain often rely on governance protocols to decentralize the decision-making power to make changes to their core functionality. These changes can affect how participants interact with these applications. Since one token equals one vote, participants holding multiple tokens have a higher voting power to support or reject the proposed changes. The extent to which this voting power is distributed is questionable and if highly concentrated among a few holders can lead to governance attacks. In this thesis, we audit the Bitcoin and Ethereum blockchains to investigate the norms followed by miners in determining the transaction prioritization. We also audit decentralized governance protocols such as Compound to evaluate whether the voting power is fairly distributed among the participants. Our findings have significant implications for future developments of blockchains and decentralized applications.
... However, as the supply of mining hardware is limited (Capponi et al., 2023), the impact of previous halvings on miners' revenues have been over-compensated by steep price increases pre-halving in the medium to long term (Visual Capitalist, 2024). Nevertheless, the widening divergence between the decreasing security budget and the rising total value of Bitcoin has been identified as a substantial long-term security problem (Carlsten et al., 2016). ...
... This decreasing trend in the security budget contrasts with the increasing total market capitalization of Bitcoin, raising significant concerns. The issue is often referred to as the long-term Bitcoin security problem in the literature (Carlsten et al., 2016; Kraner et al., 2022). Various solutions have been proposed, including removing the hard supply cap of 21 million Bitcoins, imposing mandatory minimum transaction fees, promoting charitable mining, or even switching to other consensus mechanisms (Kroll et al., 2013). ...
... However, few of these solutions are deemed practical or likely to be accepted by the Bitcoin community. Previous work has mainly focused on the long-term security problem arising from the periodic reduction of the block subsidy in a low transaction-fee regime (Carlsten et al., 2016). Some works have also considered price-induced instability (Noda et al., 2020). ...
... Before 2016, there was a belief that the dominant source of the miners' income does not impact the security of the blockchain. However, Carlsten et al. [2] pointed out the effects of the high variance of the miners' revenue per block caused by exponentially distributed block arrival time in transaction-fee-based protocols. The authors showed that undercutting (i.e., forking) a wealthy block is a profitable strategy for a malicious miner. ...
... We also discuss related problems present (not only) in transaction-fee-based regime. In particular, we focus on minimizing the mining gap [2], [4], (i.e., the situation, where the immediate reward from transaction fees does not cover miners' expenditures) as well as balancing significant fluctuations in miners' revenue. ...
... 3) We demonstrated that with our approach, the mining gap can be minimized since the miners at the beginning of the mining round can get the reward from FRSCs, which stabilizes their income. 4) We empirically demonstrate that using our approach the threshold of DEFAULT-COMPLIANT miners who strictly do not execute undercutting attack is lowered from 66% (as reported in the original work [2]) to 30%. ...
Conference Paper
In this paper, we review the undercutting attacks in the transaction-fee-based regime of proof-of-work (PoW) blockchains with the longest chain fork-choice rule. Next, we focus on the problem of fluctuations in mining revenue and the mining gap - i.e., a situation, in which the immediate reward from transaction fees does not cover miners' expenditures. To mitigate these issues, we propose a solution that splits transaction fees from a mined block into two parts - (1) an instant reward for the miner of a block and (2) a deposit sent to one or more fee-redistribution smart contracts (FRSCs) that are part of the consensus protocol. At the same time, these redistribution smart contracts reward the miner of a block with a certain fraction of the accumulated funds of the incoming fees over a predefined time. This setting enables us to achieve several interesting properties that are beneficial for the incentive stability and security of the protocol. With our solution, the fraction of Default-Compliant miners who strictly do not execute undercutting attacks is lowered from the state-of-the-art result of 66% to 30%.
... Incentives play an essential role in the evolution of public, permissionless blockchains such as Ethereum. Misaligned incentives, however, can lead to a lack of interest in contributing to a network or, potentially, to profit-seeking attacks, endangering consensus stability [17]. MEV has emerged as a powerful incentive within Ethereum [20], enabling network participants to gain profits beyond protocol rewards through strategic transaction issuance and ordering [46]. ...
... Furthermore, data from EigenPhi shows ongoing MEV extraction, with approximately $9.5 million in profit generated within a month from May 2023 to June 2023 [6]. Although a lower-bound, these estimates already highlight the significance of MEV as a powerful incentive on Ethereum, emphasizing its consideration in design decisions to prevent consensus destabilizing attacks [17,28,32]. ...
... MEV's negative implications are manifold [42], with issues including user value loss, network congestion due to MEV searchers competing [20], value disparities among blocks incentivising consensus destabilising attacks [17], and centralisation of MEV supply chain components due to economies of scale [37]. In response, innovative solutions are emerging across different system layers [42]. ...
Preprint
This study explores the intricacies of waiting games, a novel dynamic that emerged with Ethereum's transition to a Proof-of-Stake (PoS)-based block proposer selection protocol. Within this PoS framework, validators acquire a distinct monopoly position during their assigned slots, given that block proposal rights are set deterministically, contrasting with Proof-of-Work (PoW) protocols. Consequently, validators have the power to delay block proposals, stepping outside the honest validator specs, optimizing potential returns through MEV payments. Nonetheless, this strategic behaviour introduces the risk of orphaning if attestors fail to observe and vote on the block timely. Our quantitative analysis of this waiting phenomenon and its associated risks reveals an opportunity for enhanced MEV extraction, exceeding standard protocol rewards, and providing sufficient incentives for validators to play the game. Notably, our findings indicate that delayed proposals do not always result in orphaning and orphaned blocks are not consistently proposed later than non-orphaned ones. To further examine consensus stability under varying network conditions, we adopt an agent-based simulation model tailored for PoS-Ethereum, illustrating that consensus disruption will not be observed unless significant delay strategies are adopted. Ultimately, this research offers valuable insights into the advent of waiting games on Ethereum, providing a comprehensive understanding of trade-offs and potential profits for validators within the blockchain ecosystem.
... Third, extant studies on cryptocurrency output volume impacts on the mining industry primarily focus on scenarios where the blockchain no longer issues new cryptocurrencies and the only cryptocurrencies included in the block are the user transaction fees (Carlsten et al., 2016;Hayes, 2017;Huberman et al., 2021). ...
... Assuming that miners' computing powers are equal across the chain, the equilibrium total computing power correlates positively with block revenue (i.e., the number of cryptocurrencies contained in a block; Easley et al., 2019). Other studies (Carlsten et al., 2016; Huberman et al., 2021) have focused on improving transaction fees to keep miners motivated when no new cryptocurrencies are issued. Therefore, ...
Article
Blockchains use the Proof-of-Work (PoW) consensus mechanism to ensure security. However, if a few large miners increasingly control most of the computing power (hashrate) on the blockchain, the blockchain may become inoperable. To investigate whether this concern materializes, we examine the impact of miners’ revenue (i.e., cryptocurrency price and cryptocurrency output volume) on computing power using dynamic panel analysis, instrumental variables, and various robustness tests on miners’ panel data in the Bitcoin blockchain from 2011 to 2024. We found that cryptocurrency prices and output volumes exert a positive effect on all miners’ computing power, with a notably stronger effect observed among smaller-scale miners. The cryptocurrency price has a more positive impact on small miners, whereas the volume of cryptocurrency output has a more positive impact on large miners. Although the decrease in cryptocurrency output caused by the deflationary cryptocurrency issuance mechanism inhibits miners’ computing power expansion, the scale of large miners is more stable than that of small miners in a fluctuating cryptocurrency market. Therefore, there is a risk of large miners monopolizing the blockchain.
... DeFi protocols [2,3,4,5,6,7,8] facilitate various financial services, including trading, lending, and borrowing through decentralized applications (dApps). Despite the rapid growth of DeFi ecosystems, challenges [9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24] persist, especially concerning transaction efficiency and security. ...
... The rapid growth of DeFi has brought significant challenges [9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24], particularly concerning gas fees [1]. Elevated gas fees not only deter users but also impede the growth and scalability of DeFi platforms. ...
Article
This paper presents a comprehensive framework for optimizing gas fees in decentralized finance (DeFi) pools on the Ethereum blockchain, aimed at enhancing both transaction efficiency and security. The proposed Theory of Gas Fee Minimization strategically optimizes parameters such as initial token supply, transaction volumes, and gas fees to achieve significant cost reductions and increased transaction throughput. Our computational simulations demonstrate that by addressing factors like market volatility, network congestion, and impact cost factors, the framework effectively minimizes gas fees while reducing the profitability of sandwich attacks, thereby enhancing the security of DeFi ecosystems. The introduction of the Gas Cost Surface provides a novel approach to dynamically managing gas fees, offering insights into the complex interactions between swap amounts and market volatility. This research underscores the importance of rigorous optimization techniques in DeFi protocol design, contributing to the development of more efficient, secure, and user-friendly decentralized financial systems. The findings provide valuable guidance for developers, researchers, and stakeholders seeking to improve the performance and resilience of DeFi platforms, setting new standards for efficiency and security in the blockchain ecosystem.
... The expectation is that transaction fees will gradually replace coin-based rewards as the primary revenue source [1]. However, deviant mining threats have emerged under the transaction fee regime, such as the Undercutting Attack [2], Selfish Mining [3], Pool Hopping [4] and Mining Gap [2] which can significantly impact the system's integrity and efficiency. To address these challenges, Zhao et al. [5] have proposed the concept of Dynamic Transaction Storage (DTS) strategies. ...
Conference Paper
Decentralized Finance (DeFi), propelled by Blockchain technology, has revolutionized traditional financial systems, improving transparency, reducing costs, and fostering financial inclusion. However, transaction activities in these systems fluctuate significantly and the throughput can be affected. To address this issue, we propose a Dynamic Mining Interval (DMI) mechanism that adjusts mining intervals in response to block size and trading volume to enhance the transaction throughput of Blockchain platforms. Besides, in the context of public Blockchains such as Bitcoin, Ethereum, and Litecoin, a shift towards transaction fees dominance over coin-based rewards is projected in near future. As a result, the ecosystem continues to face threats from deviant mining activities such as Undercutting Attacks, Selfish Mining, and Pool Hopping, among others. In recent years, Dynamic Transaction Storage (DTS) strategies were proposed to allocate transactions dynamically based on fees thereby stabilizing block incentives. However, DTS' utilization of Merkle tree leaf nodes can reduce system throughput. To alleviate this problem, in this paper, we propose an approach for combining DMI and DTS. Besides, we also discuss the DMI selection mechanism for adjusting mining intervals based on various factors.
... Whenever nodes learn about a new block (ln. 10-22), they share it with the other nodes and they update their preference. As soon as there are k subblocks (ln. ...
... On a separate note, Carlsten et al. [11] demonstrate that selfish mining becomes more profitable when considering transaction fees in addition to mining rewards. They present a strategy targeting Bitcoin which leverages transaction fees to outperform honest behavior for any α > 0 and γ < 1. ...
Preprint
Proof-of-work (PoW) cryptocurrencies rely on a balance of security and fairness in order to maintain a sustainable ecosystem of miners and users. Users demand fast and consistent transaction confirmation, and in exchange drive the adoption and valuation of the cryptocurrency. Miners provide the confirmations, however, they primarily seek rewards. In unfair systems, miners can amplify their rewards by consolidating mining power. Centralization however, undermines the security guarantees of the system and might discourage users. In this paper we present Tailstorm, a cryptocurrency that strikes this balance. Tailstorm merges multiple recent protocol improvements addressing security, confirmation latency, and throughput with a novel incentive mechanism improving fairness. We implement a parallel proof-of-work consensus mechanism with k PoWs per block to obtain state-of-the-art consistency guarantees. Inspired by Bobtail and Storm, we structure the individual PoWs in a tree which, by including a list of transactions with each PoW, reduces confirmation latency and improves throughput. Our proposed incentive mechanism discounts rewards based on the depth of this tree. Thereby, it effectively punishes information withholding, the core attack strategy used to reap an unfair share of rewards. We back our claims with a comprehensive analysis. We present a generic system model which allows us to specify Bitcoin, B_k, and Tailstorm from a joint set of assumptions. We provide an analytical bound for the fairness of Tailstorm and Bitcoin in honest networks and we confirm the results through simulation. We evaluate the effectiveness of dishonest behaviour through reinforcement learning. Our attack search reproduces known optimal strategies against Bitcoin, uncovers new ones against B_k, and confirms that Tailstorm's reward discounting makes it more resilient to incentive layer attacks.
... MEV not only causes user losses, but also poses a significant threat to the network. Intense competition among MEV searchers to exploit these opportunities can result in considerable network congestion and may even incentivize miners to reorganize the blockchain [11,15]. ...
Preprint
Ethereum, as a representative of Web3, adopts a novel framework called Proposer Builder Separation (PBS) to prevent the centralization of block profits in the hands of institutional Ethereum stakers. Introducing builders to generate blocks based on public transactions, PBS aims to ensure that block profits are distributed among all stakers. Through the auction among builders, only one will win the block in each slot. Ideally, the equilibrium strategy of builders under public information would lead them to bid all block profits. However, builders are now capable of extracting profits from private order flows. In this paper, we explore the effect of PBS with private order flows. Specifically, we propose the asymmetry auction model of MEV-Boost auction. Moreover, we conduct empirical study on Ethereum blocks from January 2023 to May 2024. Our analysis indicates that private order flows contribute to 54.59% of the block value, indicating that different builders will build blocks with different valuations. Interestingly, we find that builders with more private order flows (i.e., higher block valuations) are more likely to win the block, while retain larger proportion of profits. In return, such builders will further attract more private order flows, resulting in a monopolistic market gradually. Our findings reveal that PBS in current stage is unable to balance the profit distribution, which just transits the centralization of block profits from institutional stakers to the monopolistic builder.
... To better understand the issues in existing Multi-BFT protocols, refer to Fig. 1, where block 4 is proposed after blocks 5, 6, 8, and 9 but is globally ordered and executed before them. Such violations may lead to various attacks including front-running attacks [3,15], undercutting attacks [22], and incentive-based attacks [7,16,17]. For example, consider a front-running attack [3,15] of cryptocurrency exchange, in which an attacker sees a large buy order in block 5, shown in Fig. 1. ...
Preprint
Multi-BFT consensus runs multiple leader-based consensus instances in parallel, circumventing the leader bottleneck of a single instance. However, it contains an Achilles' heel: the need to globally order output blocks across instances. Deriving this global ordering is challenging because it must cope with different rates at which blocks are produced by instances. Prior Multi-BFT designs assign each block a global index before creation, leading to poor performance. We propose Ladon, a high-performance Multi-BFT protocol that allows varying instance block rates. Our key idea is to order blocks across instances dynamically, which eliminates blocking on slow instances. We achieve dynamic global ordering by assigning monotonic ranks to blocks. We pipeline rank coordination with the consensus process to reduce protocol overhead and combine aggregate signatures with rank information to reduce message complexity. Ladon's dynamic ordering enables blocks to be globally ordered according to their generation, which respects inter-block causality. We implemented and evaluated Ladon by integrating it with both PBFT and HotStuff protocols. Our evaluation shows that Ladon-PBFT (resp., Ladon-HotStuff) improves the peak throughput of the prior art by ≈8x (resp., 2x) and reduces latency by ≈62% (resp., 23%), when deployed with one straggling replica (out of 128 replicas) in a WAN setting.
... Eyal and Sirer (2018) demonstrate that Bitcoin miners can earn higher rewards through strategic behavior. A significant body of literature followed exploring strategic actions in blockchain protocols, including Kiayias et al. (2016), Carlsten et al. (2016), Cai et al. (2024). ...
Preprint
Bitcoin demonstrated the possibility of a financial ledger that operates without the need for a trusted central authority. However, concerns persist regarding its security and considerable energy consumption. We assess the consensus protocols that underpin Bitcoin's functionality, questioning whether they can ensure economically meaningful security while maintaining a permissionless design that allows free entry of operators. We answer this affirmatively by constructing a protocol that guarantees economic security and preserves Bitcoin's permissionless design. This protocol's security does not depend on monetary payments to miners or immense electricity consumption, which our analysis suggests are ineffective. Our framework integrates economic theory with distributed systems theory, and highlights the role of the protocol's user community.
... However, these certain qualities have inadvertently exposed sensitive information to potential exploitation by hackers, thereby enabling them to reap financial gain [3]- [5]. Among the various exploitative strategies is the sandwich attack, a sophisticated front-running and back-running strategy within cryptocurrency transactions, emblematic of Miner Extractable Value (MEV) [6]. This attack phenomenon was systematically identified and analyzed for the first time by Zhou, Qin, et al. [7] in 2021. ...
Preprint
The openness and transparency of Ethereum transaction data make it easy to be exploited by any entities, executing malicious attacks. The sandwich attack manipulates the Automated Market Maker (AMM) mechanism, profiting from manipulating the market price through front or after-running transactions. To identify and prevent sandwich attacks, we propose a cascade classification framework GasTrace. GasTrace analyzes various transaction features to detect malicious accounts, notably through the analysis and modeling of Gas features. In the initial classification, we utilize the Support Vector Machine (SVM) with the Radial Basis Function (RBF) kernel to generate the predicted probabilities of accounts, further constructing a detailed transaction network. Subsequently, the behavior features are captured by the Graph Attention Network (GAT) technique in the second classification. Through cascade classification, GasTrace can analyze and classify the sandwich attacks. Our experimental results demonstrate that GasTrace achieves a remarkable detection and generation capability, performing an accuracy of 96.73% and an F1 score of 95.71% for identifying sandwich attack accounts.
... We adopt the two prominent blockchains, Bitcoin and Ethereum, as examples. For Bitcoin, it takes approximately six blocks to ensure the finality of a transaction, which is about one hour [42]. On Ethereum, it takes about 15 minutes for a block to finalize. ...
Article
Federated learning (FL) is a machine learning paradigm, which enables multiple and decentralized clients to collaboratively train a model under the orchestration of a central aggregator. FL can be a scalable machine learning solution in big data scenarios. Traditional FL relies on the trust assumption of the central aggregator, which forms cohorts of clients honestly. However, a malicious aggregator, in reality, could abandon and replace the client's training models, or insert fake clients, to manipulate the final training results. In this work, we introduce zkFL, which leverages zero-knowledge proofs to tackle the issue of a malicious aggregator during the training model aggregation process. To guarantee the correct aggregation results, the aggregator provides a proof per round, demonstrating to the clients that the aggregator executes the intended behavior faithfully. To further reduce the verification cost of clients, we use blockchain to handle the proof in a zero-knowledge way, where miners (i.e., the participants validating and maintaining the blockchain data) can verify the proof without knowing the clients' local and aggregated models. The theoretical analysis and empirical results show that zkFL achieves better security and privacy than traditional FL, without modifying the underlying FL network structure or heavily compromising the training speed.
... The problem of selfish mining in public blockchains (see, e.g., [44][45][46][47][48]) arises when a minority mining pool adopts a strategic approach to maximize its rewards at the expense of other miners. This attack strategy involves the mining pool keeping its successfully mined blocks private, creating a fork in the blockchain. ...
Article
This paper explores the concept of proportional lumpability as an extension of the original definition of lumpability, addressing the challenges posed by the state space explosion problem in computing performance indices for large stochastic models. Lumpability traditionally relies on state aggregation techniques and is applicable to Markov chains demonstrating structural regularity. Proportional lumpability extends this idea, proposing that the transition rates of a Markov chain can be modified by certain factors, resulting in a lumpable new Markov chain. This concept facilitates the derivation of precise performance indices for the original process. This paper establishes the well-defined nature of the problem of computing the coarsest proportional lumpability that refines a given initial partition, ensuring a unique solution exists. Additionally, a polynomial time algorithm is introduced to solve this problem, offering valuable insights into both the concept of proportional lumpability and the broader realm of partition refinement techniques. The effectiveness of proportional lumpability is demonstrated through a case study that consists of designing a model to investigate selfish mining behaviors on public blockchains. This research contributes to a better understanding of efficient approaches for handling large stochastic models and highlights the practical applicability of proportional lumpability in deriving exact performance indices.
... Most published game-theoretic investigations focus on investigating blockchain adoption in Bitcoin and cryptocurrency environments, where miners compete to obtain rewards from the platform. The interactions among the miners to extract or verify new blocks, as well as to attack the platform, have been analyzed using game-theoretical approaches (Babaioff et al., 2012;Carlsten et al., 2016;Eyal, 2015). Various noncooperative and stochastic games have been developed to model the security issues, computational power and reward allocations among blockchain miners in the bitcoin and cryptocurrency settings (Z. . ...
... It is important to study the future of attacks, because they may be affected by halving of the Bitcoin mining reward [7]. ...
Article
Bitcoin uses blockchain technology to maintain transactions order and provides probabilistic guarantees to prevent double-spending, assuming that an attacker’s computational power does not exceed 50% of the network power. In this paper, we design a novel bribery attack and show that this guarantee can be hugely undermined. Miners are assumed to be rational in this setup and they are given incentives that are dynamically calculated. In this attack, the adversary misuses the Bitcoin protocol to bribe miners and maximize their gained advantage. We will reformulate the bribery attack to propose a general mathematical foundation upon which we build multiple strategies. We show that, unlike Whale Attack, these strategies are practical, especially in the future when halvings lower the mining rewards. In the so called ’guaranteed variable-rate bribing with commitment’ strategy, through optimization by Differential Evolution (DE), we show how double spending is possible in the Bitcoin ecosystem for any transaction whose value is above 218.9BTC, and this comes with 100% success rate. A slight reduction in the success probability, e.g. by 10%, brings the threshold down to 165BTC. If the rationality assumption holds, this shows how vulnerable blockchain-based systems like Bitcoin are. We suggest a soft fork on Bitcoin to fix this issue at the end.
... There is a rich literature on block rewards as incentives for mining [7,16,17,19,23,32,33,36,39,48]. Recent work also analyzed the implications of relying on transaction fees separately [6] and in conjunction with block rewards [43], as well as the relationship between such incentives and transaction waiting times [10]. These prior work assume that transactions are broadcast to all miners and the fees offered is uniform across miners. ...
Chapter
In permissionless blockchains, transaction issuers include a fee to incentivize miners to include their transactions. To accurately estimate this prioritization fee for a transaction, transaction issuers (or blockchain participants, more generally) rely on two fundamental notions of transparency, namely contention and prioritization transparency. Contention transparency implies that participants are aware of every pending transaction that will contend with a given transaction for inclusion. Prioritization transparency states that the participants are aware of the transaction or prioritization fees paid by every such contending transaction. Neither of these notions of transparency holds well today. Private relay networks, for instance, allow users to send transactions privately to miners. Besides, users can offer fees to miners via either direct transfers to miners’ wallets or off-chain payments—neither of which are public. In this work, we characterize the lack of contention and prioritization transparency in Bitcoin and Ethereum resulting from such practices. We show that private relay networks are widely used and private transactions are quite prevalent. We show that the lack of transparency facilitates miners to collude and overcharge users who may use these private relay networks despite them offering little to no guarantees on transaction prioritization. The lack of these transparencies in blockchains has crucial implications for transaction issuers as well as the stability of blockchains. Finally, we make our data sets and scripts publicly available.
... However, as the reward gets halved approximately every four years, the need to understand the underlying dynamics of transaction fees will become pivotal in the future. In Carlsten et al. [10], the authors envision the stability of the system when the block reward reduces to the transaction fees. ...
Article
The process of mining blocks on a blockchain utilizing a Proof-of-Work consensus mechanism carries inherent risks, particularly when the operational expenses associated with mining exceed the rewards earned. Building on previous findings on mining in pools, this paper delves into the question of whether the theoretical formulas for the ruin probability and the expected value of future surplus obtained under particular model assumptions are indeed validated empirically. In particular, we include the presence of transactions fees in the block rewards in our analysis. We also provide algorithms to fit the involved generalized hyperexponential distributions to actual data. Moreover, we perform a sensitivity analysis for different factors of interest, and we quantify the relevance of incorporating temporal dependence and transaction fees in the model.
Article
Blockchain and cryptocurrencies have changed the way we transact and interact in the digital age. However, the rapid advancement of these technologies has resulted in major environmental impacts. Efficient implementation of blockchain requires the use of large amounts of energy and computing power, with consensus algorithms as the foundation. The purpose of this study is to investigate the environmental implications of blockchain and cryptocurrency implementation, as well as initiatives to mitigate these issues. The type of research is a library study (library research) using a qualitative method, namely by combining, collecting information or previous scientific papers on relevant topics. Along with the growing popularity of cryptocurrencies, the continuous mining process often results in large energy consumption and carbon emissions, sparking concerns about their long-term viability and environmental impact. Based on the results of previous research and research sources, the author found a solution to the problem of high energy consumption from the use of blockchain, namely: Proof of Stake (PoS), Proof of Authority (PoA), Sidechains and Layer-2 Solutions, Hardware Optimization, Implementation of Consensus Algorithms Based on RUST.
Preprint
Cryptographic Self-Selection is a common primitive underlying leader-selection for Proof-of-Stake blockchain protocols. The concept was first popularized in Algorand [CM19], who also observed that the protocol might be manipulable. [FHWY22] provide a concrete manipulation that is strictly profitable for a staker of any size (and also prove upper bounds on the gains from manipulation). Separately, [YSZ23, BM24] initiate the study of undetectable profitable manipulations of consensus protocols with a focus on the seminal Selfish Mining strategy [ES14] for Bitcoin's Proof-of-Work longest-chain protocol. They design a Selfish Mining variant that, for sufficiently large miners, is strictly profitable yet also indistinguishable to an onlooker from routine latency (that is, a sufficiently large profit-maximizing miner could use their strategy to strictly profit over being honest in a way that still appears to the rest of the network as though everyone is honest but experiencing mildly higher latency. This avoids any risk of negatively impacting the value of the underlying cryptocurrency due to attack detection). We investigate the detectability of profitable manipulations of the canonical cryptographic self-selection leader selection protocol introduced in [CM19] and studied in [FHWY22], and establish that for any player with $\alpha < \frac{3-\sqrt{5}}{2} \approx 0.38$ fraction of the total stake, every strictly profitable manipulation is statistically detectable. Specifically, we consider an onlooker who sees only the random seed of each round (and does not need to see any other broadcasts by any other players). We show that the distribution of the sequence of random seeds when any player is profitably manipulating the protocol is inconsistent with any distribution that could arise by honest stakers being offline or timing out (for a natural stylized model of honest timeouts).
Article
Demand for blockchains such as Bitcoin and Ethereum is far larger than supply, necessitating a mechanism that selects a subset of transactions to include “on-chain” from the pool of all pending transactions. This paper investigates the problem of designing a blockchain transaction fee mechanism through the lens of mechanism design. We introduce two new forms of incentive-compatibility that capture some of the idiosyncrasies of the blockchain setting, one (MMIC) that protects against deviations by profit-maximizing miners and one (OCA-proofness) that protects against off-chain collusion between miners and users. This study is immediately applicable to major change (made on August 5, 2021) to Ethereum’s transaction fee mechanism, based on a proposal called “EIP-1559.” Originally, Ethereum’s transaction fee mechanism was a first-price (pay-as-bid) auction. EIP-1559 suggested making several tightly coupled changes, including the introduction of variable-size blocks, a history-dependent reserve price, and the burning of a significant portion of the transaction fees. We prove that this new mechanism earns an impressive report card: it satisfies the MMIC and OCA-proofness conditions, and is also dominant-strategy incentive compatible (DSIC) except when there is a sudden demand spike. We also introduce an alternative design, the “tipless mechanism,” which offers an incomparable slate of incentive-compatibility guarantees—it is MMIC and DSIC, and OCA-proof unless in the midst of a demand spike.
Article
Cryptojacking is a new type of IoT (Internet of Things) attack, where an attacker hijacks the computing power of IoT devices such as wireless routers, smart TVs, set-top boxes, or cameras to mine cryptocurrencies, e.g., PyRoMineIoT. The attackers launch selfish mining-like (SM-like) attacks to obtain lucrative mining rewards with the stolen computing power, once the power exceeds a threshold. Generally, a single deep learning (DL) model with a single feature (e.g. fork height) is trained to detect SM-like attacks. However, the existing model fails to detect every SM-like attack since the model training ignores other distinctive features (e.g. mining rewards and blocking rate) of SM-like attacks. In this paper, SM-NEEDLE, an eNsEmblE Deep LEarning (NEEDLE) method is proposed to detect SM-like attacks. More specifically, the distinctive features are extracted from the blockchain system, where SM-like simulators emulate the strategies of SM-like attacks. Further, to circumvent the local optima problem caused by the single DL model (e.g. Back-Propagation Neural Network, BPNN), the SM-NEEDLE trains multiple BPNNs with these distinctive features. Evaluation results indicate the accuracy and false negative rate (FNR) of SM-NEEDLE for detecting SM-like attacks (including SM1 and its variants) are 98.9% and 1.48% respectively. That is, 98.9% of SM-like attacks are correctly identified and only 1.48% of attacks are undetectable.
Chapter
Blockchains are digital ledgers of transactions that aim to be decentralized, secure, and tamper-proof. To achieve this goal, they rely on a consensus algorithm, with the most well-known being the proof-of-work (PoW) algorithm. In PoW, a group of specialized users known as miners invest a significant amount of energy to secure the blockchain ledger. Miners are incentivized to participate in the network through the potential rewards they can earn, which are based on the number of blocks they are able to consolidate and add to the chain. An important characteristic of the PoW algorithm is that miners’ rewards must be statistically proportional to the amount of computational power (and hence energy) invested in this process. In this work, we study the selfish miner attack by means of a stochastic model based on a quantitative process algebra. When a successful attack occurs, a miner or mining pool is able to receive more rewards than they should, at the expense of other miners. The model analysis allows us to derive the conditions under which the attack becomes convenient for the miners.
Chapter
We describe and analyze perishing mining, a novel block-withholding mining strategy that lures profit-driven miners away from doing useful work on the public chain by releasing block headers from a privately maintained chain. We then introduce the dual private chain (DPC) attack, where an adversary that aims at double spending increases its success rate by intermittently dedicating part of its hash power to perishing mining. We detail the DPC attack’s Markov decision process, evaluate its double spending success rate using Monte Carlo simulations. We show that the DPC attack lowers Bitcoin’s security bound in the presence of profit-driven miners that do not wait to validate the transactions of a block before mining on it.
Article
Bitcoin is the largest cryptocurrency in the market, which uses blockchain technology to bring in features like decentralization, anonymity, and trust. However, it still struggles with broader adaptation due to long verification times and high transaction fees. As a result, it is lagging behind competitors. We need to provide faster confirmations to tackle these issues while ensuring stable earnings for the miners. However, it is challenging to increase the block sizes or decrease the average block creation time without affecting the stability and security of the network. To address this conundrum, firstly, an optimization problem is formulated where the objective is to increase the transaction count in every cycle. Based on that, a comprehensive learning framework is developed to solve the formulated problem since the issue is intractable and hard to solve in polynomial time. The proposed learning framework includes (i) implementing a viable data-driven infrastructure with a machine learning (ML) root, (ii) training learning models with efficient generalization capability, and (iii) predicting the ideal block size in every block generation cycle. Our concept uses extreme gradient boost (XGB) as its core algorithm, which analyzes nine attributes associated with the Bitcoin network. These network-allied data points assist the model in creating an adaptive block size in the blockchain. XGB, trained using the last four years of real-world data, can predict block sizes with a 63.41% accuracy. The model ensures an all-around positive change in Bitcoin with a 12.29% increase in block size, a 13.45% increase in transaction fee (USD), and a 14.88% increase in transaction approval rate and transaction count, thus addressing the long wait time and broader adaption issue.
Article
The selfish mining (SM) attack of Eyal and Sirer allows a rational mining pool with a hash power (α) much less than 50% of the whole Bitcoin network to steal from the fair shares of honest miners. This attack has been studied extensively in various settings in order for its optimization and mitigation. In this context, Heilman proposes a defense “Freshness Preferred”, based on timestamps, which are issued routinely by a timestamp authority. In contrast, we consider the case where timestamps are generated by no authority; instead every miner includes the current time into a block freely. However, due to two attacks that we discover, this turns out to be a non-trivial task. These attacks are Oracle mining, which works by cleverly setting the timestamp to future, and Bold mining, which works by generating an alternative chain starting from a previous block. Unfortunately, these attacks are hard to analyze and optimize, and to our knowledge, the available tools fail to help us for this task. To ease this, we come up with generalized formulas for revenue and profitability of SM attacks. Our analyses show that the use of timestamps could be promising for selfish mining mitigation. Nevertheless, Freshness Preferred in its current form is quite vulnerable, as any rational miner with α > 0 can directly benefit from our attacks. To cope with this problem, we propose a novel SM mitigation algorithm Fortis without an authority, which protects the honest miners’ shares against any attacker with α < 27.0% against all the known SM-type attacks. By building upon the blockchain simulator BlockSim, we simulate our Oracle and Bold mining attacks against Freshness Preferred and Fortis. Simulation results also demonstrate the effectiveness of these attacks against the former and their ineffectiveness against the latter.
Chapter
The term miner extractable value (MEV) has been coined to describe the value which can be extracted by a miner, e.g., from manipulating the order of transactions within a given timeframe. MEV has been deemed an important factor to assess the overall economic stability of a cryptocurrency. This stability also influences the economically rational choice of the security parameter k, by which a merchant defines the number of required confirmation blocks in cryptocurrencies based on Nakamoto consensus. Unfortunately, although being actively discussed within the cryptocurrency community, no exact definition of MEV was given when the term was originally introduced. In this paper, we outline the difficulties in defining different forms of extractable value, informally used throughout the community. We show that there is no globally unique MEV/EV which can readily be determined, and that a narrow definition of MEV fails to capture the extractable value of other actors like users, or the probabilistic nature of permissionless cryptocurrencies. We describe an approach to estimate the minimum extractable value that would incentivize actors to act maliciously and thus can potentially lead to consensus instability. We further highlight why it is hard, or even impossible, to precisely determine the extractable value of other participants, considering the uncertainties in real world systems. Finally, we outline a peculiar yet straightforward technique for choosing the individual security parameter k, which can act as a workaround to transfer the risk of an insufficiently chosen k to another merchant. Keywords: Miner Extractable Value; Extractable Value; Expected Extractable Value; Cryptocurrencies; Game Theory
Article
Recent advances in the blockchain research have been made in two important directions. One is refined resilience analysis utilizing game theory to study the consequences of selfish behavior of users (miners), and the other is the extension from a linear (chain) structure to a non-linear (graphical) structure for performance improvements, such as IOTA and Graphcoin. The first question that comes to mind is what improvements a blockchain system would see by leveraging these new advances. In this paper, we consider three major properties for a blockchain system: α-partial verification, scalability, and finality-duration. We establish a formal framework and prove that no blockchain system can achieve α-partial verification for any fixed constant α, high scalability, and low finality-duration simultaneously. We observe that classical blockchain systems like Bitcoin achieve full verification (α = 1) and low finality-duration, while Ethereum 2.0 Sharding achieves low finality-duration and high scalability. We are interested in whether it is possible to partially satisfy the three properties.
Article
Bitcoin is a decentralized crypto-currency, and an accompanying protocol, created in 2008. Bitcoin nodes continuously generate and propagate blocks---collections of newly approved transactions that are added to Bitcoin's ledger. Block creation requires nodes to invest computational resources, but also carries a reward in the form of bitcoins that are paid to the creator. While the protocol requires nodes to quickly distribute newly created blocks, strong nodes can in fact gain higher payoffs by withholding blocks they create and selectively postponing their publication. The existence of such selfish mining attacks was first reported by Eyal and Sirer, who have demonstrated a specific deviation from the standard protocol (a strategy that we name SM1). In this paper we extend the underlying model for selfish mining attacks, and provide an algorithm to find ϵ-optimal policies for attackers within the model, as well as tight upper bounds on the revenue of optimal policies. As a consequence, we are able to provide lower bounds on the computational power an attacker needs in order to benefit from selfish mining. We find that the profit threshold -- the minimal fraction of resources required for a profitable attack -- is strictly lower than the one induced by the SM1 scheme. Indeed, the policies given by our algorithm dominate SM1, by better regulating attack-withdrawals. Using our algorithm, we show that Eyal and Sirer's suggested countermeasure to selfish mining is slightly less effective than previously conjectured. Next, we gain insight into selfish mining in the presence of communication delays, and show that, under a model that accounts for delays, the profit threshold vanishes, and even small attackers have incentive to occasionally deviate from the protocol. We conclude with observations regarding the combined power of selfish mining and double spending attacks.
Conference Paper
One of the unique features of the digital currency Bitcoin is that new cash is introduced by so-called miners carrying out resource-intensive proof-of-work operations. To increase their chances of obtaining freshly minted bitcoins, miners typically join pools to collaborate on the computations. However, intense competition among mining pools has recently manifested in two ways. Miners may invest in additional computing resources to increase the likelihood of winning the next mining race. But, at times, a more sinister tactic is also employed: a mining pool may trigger a costly distributed denial-of-service (DDoS) attack to lower the expected success outlook of a competing mining pool. We explore the trade-off between these strategies with a series of game-theoretical models of competition between two pools of varying sizes. We consider differences in costs of investment and attack, as well as uncertainty over whether a DDoS attack will succeed. By characterizing the game’s equilibria, we can draw a number of conclusions. In particular, we find that pools have a greater incentive to attack large pools than small ones. We also observe that larger mining pools have a greater incentive to attack than smaller ones.
Article
Bitcoin is a "crypto currency", a decentralized electronic payment scheme based on cryptography. Bitcoin economy grows at an incredibly fast rate and is now worth some 10 billions of dollars. Bitcoin mining is an activity which consists of creating (minting) the new coins which are later put into circulation. Miners spend electricity on solving cryptographic puzzles and they are also gatekeepers which validate bitcoin transactions of other people. Miners are expected to be honest and have some incentives to behave well. However. In this paper we look at the miner strategies with particular attention paid to subversive and dishonest strategies or those which could put bitcoin and its reputation in danger. We study in detail several recent attacks in which dishonest miners obtain a higher reward than their relative contribution to the network. In particular we revisit the concept of block withholding attacks and propose a new concrete and practical block withholding attack which we show to maximize the advantage gained by rogue miners.
Conference Paper
The Bitcoin cryptocurrency records its transactions in a public log called the blockchain. Its security rests critically on the distributed protocol that maintains the blockchain, run by participants called miners. Conventional wisdom asserts that the mining protocol is incentive-compatible and secure against colluding minority groups, that is, it incentivizes miners to follow the protocol as prescribed. We show that the Bitcoin mining protocol is not incentive-compatible. We present an attack with which colluding miners obtain a revenue larger than their fair share. This attack can have significant consequences for Bitcoin: Rational miners will prefer to join the selfish miners, and the colluding group will increase in size until it becomes a majority. At this point, the Bitcoin system ceases to be a decentralized currency. Unless certain assumptions are made, selfish mining may be feasible for any group size of colluding miners. We propose a practical modification to the Bitcoin protocol that protects Bitcoin in the general case. It prohibits selfish mining by pools that command less than 1/4 of the resources. This threshold is lower than the wrongly assumed 1/2 bound, but better than the current reality where a group of any size can compromise the system.
Article
Algorithms in varied fields use the idea of maintaining a distribution over a certain set and use the multiplicative update rule to iteratively change these weights. Their analyses are usually very similar and rely on an exponential potential function. In this survey we present a simple meta-algorithm that unifies many of these disparate algorithms and derives them as simple instantiations of the meta-algorithm. We feel that since this meta-algorithm and its analysis are so simple, and its applications so broad, it should be a standard part of algorithms courses, like “divide and conquer.”
Conference Paper
The Bitcoin protocol requires nodes to quickly distribute newly created blocks. Strong nodes can, however, gain higher payoffs by withholding blocks they create and selectively postponing their publication. The existence of such selfish mining attacks was first reported by Eyal and Sirer, who have demonstrated a specific deviation from the standard protocol (a strategy that we name SM1). In this paper we investigate the profit threshold – the minimal fraction of resources required for a profitable attack. Our analysis provides a bound under which the system can be considered secure against such attacks. Our techniques can be adapted to protocol modifications to assess their susceptibility to selfish mining, by computing the optimal attack under different variants. We find that the profit threshold is strictly lower than the one induced by the SM1 scheme. The policies given by our algorithm dominate SM1 by better regulating attack-withdrawals. We further evaluate the impact of some previously suggested countermeasures, and show that they are less effective than previously conjectured. We then gain insight into selfish mining in the presence of communication delays, and show that, under a model that accounts for delays, the profit threshold vanishes, and even small attackers have incentive to occasionally deviate from the protocol. We conclude with observations regarding the combined power of selfish mining and double spending attacks.
Conference Paper
Cryptocurrencies like Bitcoin and the more recent Ethereum system allow users to specify scripts in transactions and contracts to support applications beyond simple cash transactions. In this work, we analyze the extent to which these systems can enforce the correct semantics of scripts. We show that when a script execution requires nontrivial computation effort, practical attacks exist which either waste miners' computational resources or lead miners to accept incorrect script results. These attacks drive miners to an ill-fated choice, which we call the verifier's dilemma, whereby rational miners are well-incentivized to accept unvalidated blockchains. We call the framework of computation through a scriptable cryptocurrency a consensus computer and develop a model that captures incentives for verifying computation in it. We propose a resolution to the verifier's dilemma which incentivizes correct execution of certain applications, including outsourced computation, where scripts require minimal time to verify. Finally we discuss two distinct, practical implementations of our consensus computer in real cryptocurrency networks like Ethereum.
Conference Paper
The Bitcoin protocol supports optional direct payments from transaction partners to miners. These “fees” are supposed to substitute miners’ minting rewards in the long run. Acknowledging their role for the stability of the system, the right level of transaction fees is a hot topic of normative debates. This paper contributes empirical evidence from a historical analysis of agents’ revealed behavior concerning their payment of transaction fees. We identify several regime shifts, which can be largely explained by changes in the default client software or actions of big intermediaries in the ecosystem. Overall, it seems that rules dominate ratio, a state that is sustainable only if fees remain negligible.
Article
In the multiarmed bandit problem, a gambler must decide which arm of K non-identical slot machines to play in a sequence of trials so as to maximize his reward. This classical problem has received much attention because of the simple model it provides of the trade-off between exploration (trying out each arm to find the best one) and exploitation (playing the arm believed to give the best payoff). Past solutions for the bandit problem have almost always relied on assumptions about the statistics of the slot machines. In this work, we make no statistical assumptions whatsoever about the nature of the process generating the payoffs of the slot machines. We give a solution to the bandit problem in which an adversary, rather than a well-behaved stochastic process, has complete control over the payoffs. In a sequence of T plays, we prove that the per-round payoff of our algorithm approaches that of the best arm at the rate $O(T^{-1/2})$. We show by a matching lower bound that this is the best possible. We also prove that our algorithm approaches the per-round payoff of any set of strategies at a similar rate: if the best strategy is chosen from a pool of N strategies, then our algorithm approaches the per-round payoff of the strategy at the rate $O((\log N)^{1/2} T^{-1/2})$. Finally, we apply our results to the problem of playing an unknown repeated matrix game. We show that our algorithm approaches the minimax payoff of the unknown game at the rate $O(T^{-1/2})$.
Conference Paper
We present an empirical investigation into the prevalence and impact of distributed denial-of-service (DDoS) attacks on operators in the Bitcoin economy. To that end, we gather and analyze posts mentioning “DDoS” on the popular Bitcoin forum bitcointalk.org. Starting from around 3 000 different posts made between May 2011 and October 2013, we document 142 unique DDoS attacks on 40 Bitcoin services. We find that 7% of all known operators have been attacked, but that currency exchanges, mining pools, gambling operators, eWallets, and financial services are much more likely to be attacked than other services. Not coincidentally, we find currency exchanges and mining pools are much more likely to have DDoS protection such as CloudFlare, Incapsula, or Amazon Cloud. We show that those services that have been attacked are more than three times as likely to buy anti-DDoS services as operators who have not been attacked. We find that big mining pools (those with historical hashrate shares of at least 5%) are much more likely to be DDoSed than small pools. We investigate Mt. Gox as a case study for DDoS attacks on currency exchanges and find a disproportionate amount of DDoS reports made during the large spike in trading volume and exchange rates in spring 2013. We conclude by outlining future opportunities for researching DDoS attacks on Bitcoin.
Conference Paper
Bitcoin is quickly emerging as a popular digital payment system. However, in spite of its reliance on pseudonyms, Bitcoin raises a number of privacy concerns due to the fact that all of the transactions that take place are publicly announced in the system. In this paper, we investigate the privacy provisions in Bitcoin when it is used as a primary currency to support the daily transactions of individuals in a university setting. More specifically, we evaluate the privacy that is provided by Bitcoin (i) by analyzing the genuine Bitcoin system and (ii) through a simulator that faithfully mimics the use of Bitcoin within a university. In this setting, our results show that the profiles of almost 40% of the users can be, to a large extent, recovered even when users adopt privacy measures recommended by Bitcoin. To the best of our knowledge, this is the first work that comprehensively analyzes, and evaluates the privacy implications of Bitcoin.
Article
We study the economics of Bitcoin transaction fees in a simple static partial equilibrium model with the specificity that the system security is directly linked to the total computational power of miners. We show that any situation with a fixed fee is equivalent to another situation with a limited block size. In both cases, we give the optimal value of the transaction fee or of the block size. We also show that making the block size a non-binding constraint and, at the same time, letting the fee be fixed as the outcome of a decentralized competitive market cannot guarantee the very existence of Bitcoin in the long term.
Article
A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.
Article
In the multiarmed bandit problem, a gambler must decide which arm of K non-identical slot machines to play in a sequence of trials so as to maximize his reward. This classical problem has received much attention because of the simple model it provides of the trade-off between exploration (trying out each arm to find the best one) and exploitation (playing the arm believed to give the best payoff). Past solutions for the bandit problem have almost always relied on assumptions about the statistics of the slot machines. In this work, we make no statistical assumptions whatsoever about the nature of the process generating the payoffs of the slot machines. We give a solution to the bandit problem in which an adversary, rather than a well-behaved stochastic process, has complete control over the payoffs. In a sequence of T plays, we prove that the per-round payoff of our algorithm approaches that of the best arm at the rate $O(T^{-1/2})$. We show by a matching lower bound that this is the best possible. We also prove that our algorithm approaches the per-round payoff of any set of strategies at a similar rate: if the best strategy is chosen from a pool of N strategies, then our algorithm approaches the per-round payoff of the strategy at the rate $O((\log N)^{1/2} T^{-1/2})$. Finally, we apply our results to the problem of playing an unknown repeated matrix game. We show that our algorithm approaches the minimax payoff of the unknown game at the rate $O(T^{-1/2})$.
Article
In this paper we describe the various scoring systems used to calculate rewards of participants in Bitcoin pooled mining, explain the problems each was designed to solve and analyze their respective advantages and disadvantages.
Article
We develop and implement a collocation method to solve for an equilibrium in the dynamic legislative bargaining game of Duggan and Kalandrakis (2008). We formulate the collocation equations in a quasi-discrete version of the model, and we show that the collocation equations are locally Lipschitz continuous and directionally differentiable. In numerical experiments, we successfully implement a globally convergent variant of Broyden's method on a preconditioned version of the collocation equations, and the method economizes on computation cost by more than 50% compared to the value iteration method. We rely on a continuity property of the equilibrium set to obtain increasingly precise approximations of solutions to the continuum model. We showcase these techniques with an illustration of the dynamic core convergence theorem of Duggan and Kalandrakis (2008) in a nine-player, two-dimensional model with negative quadratic preferences.
Conference Paper
External regret compares the performance of an online algorithm, selecting among N actions, to the performance of the best of those actions in hindsight. Internal regret compares the loss of an online algorithm to the loss of a modified online algorithm, which consistently replaces one action by another. In this paper, we give a simple generic reduction that, given an algorithm for the external regret problem, converts it to an efficient online algorithm for the internal regret problem. We provide methods that work both in the full information model, in which the loss of every action is observed at each time step, and the partial information (bandit) model, where at each time step only the loss of the selected action is observed. The importance of internal regret in game theory is due to the fact that in a general game, if each player has sublinear internal regret, then the empirical frequencies converge to a correlated equilibrium. For external regret we also derive a quantitative regret bound for a very general setting of regret, which includes an arbitrary set of modification rules (that possibly modify the online algorithm) and an arbitrary set of time selection functions (each giving different weight to each time step). The regret for a given time selection and modification rule is the difference between the cost of the online algorithm and the cost of the modified online algorithm, where the costs are weighted by the time selection function. This can be viewed as a generalization of the previously-studied sleeping experts setting.
Article
We study the construction of prediction algorithms in a situation in which a learner faces a sequence of trials, with a prediction to be made in each, and the goal of the learner is to make few mistakes. We are interested in the case that the learner has reason to believe that one of some pool of known algorithms will perform well, but the learner does not know which one. A simple and effective method, based on weighted voting, is introduced for constructing a compound algorithm in such a circumstance. We call this method the Weighted Majority Algorithm. We show that this algorithm is robust in the presence of errors in the data. We discuss various versions of the Weighted Majority Algorithm and prove mistake bounds for them that are closely related to the mistake bounds of the best algorithms of the pool. For example, given a sequence of trials, if there is an algorithm in the pool A that makes at most m mistakes then the Weighted Majority Algorithm will make at most $c(\log |A| + m)$ mi...
A transaction fee market exists without a block size limit. 2015.
  • R Peter
Bitcoin is not broken
  • K Hill
The economics of bitcoin mining, or bitcoin in the presence of adversaries
  • J A Kroll
  • I C Davey
  • E W Felten
The economics of bitcoin transaction fees. Working Paper GATE 2014-07. halshs-00951358
  • N Houy
Shadow-bitcoin: scalable simulation via direct execution of multithreaded applications
  • A Miller
  • R Jansen
Evaluating user privacy in bitcoin
  • E Androulaki
  • G O Karame
  • M Roeschlin
  • T Scherer
  • S Capkun
Calibrated learning and correlated equilibrium