Conference Paper

# On the Instability of Bitcoin Without the Block Reward

Authors:
To read the full-text of this research, you can request a copy directly from the authors.

## Abstract

Bitcoin provides two incentives for miners: block rewards and transaction fees. The former accounts for the vast majority of miner revenues at the beginning of the system, but it is expected to transition to the latter as the block rewards dwindle. There has been an implicit belief that whether miners are paid by block rewards or transaction fees does not affect the security of the block chain. We show that this is not the case. Our key insight is that with only transaction fees, the variance of the block reward is very high due to the exponentially distributed block arrival time, and it becomes attractive to fork a "wealthy" block to "steal" the rewards therein. We show that this results in an equilibrium with undesirable properties for Bitcoin's security and performance, and even non-equilibria in some circumstances. We also revisit selfish mining and show that it can be made profitable for a miner with an arbitrarily low hash power share, and who is arbitrarily poorly connected within the network. Our results are derived from theoretical analysis and confirmed by a new Bitcoin mining simulator that may be of independent interest. We discuss the troubling implications of our results for Bitcoin's future security and draw lessons for the design of new cryptocurrencies.

## No full-text available

... While classical literature in consensus primarily dealt with "error models", such as fail-stop or Byzantine [79], the pressing question post-Bitcoin is whether the incentives of the participants align with what the consensus protocol asks them to do. Motivated by this, one line of work investigated whether the Bitcoin protocol is an equilibrium under certain conditions [56,50], while another pinpointed protocol deviations that can be more profitable for some players, assuming others follow the protocol [29,81,45,13]. The research body includes tweaks towards improving the underlying blockchain protocol in various settings [31,55], game-theoretic studies of pooling behavior [59,13,2], as well as equilibria that involve abstaining from the protocol [32] in high cost scenarios. ...
... Motivated by this, one line of work investigated whether the Bitcoin protocol is an equilibrium under certain conditions [56,50], while another pinpointed protocol deviations that can be more profitable for some players, assuming others follow the protocol [29,81,45,13]. The research body includes tweaks towards improving the underlying blockchain protocol in various settings [31,55], game-theoretic studies of pooling behavior [59,13,2], as well as equilibria that involve abstaining from the protocol [32] in high cost scenarios. Going beyond consensus, economic mechanisms have also been considered in the context of multi-party computation [57,20,19], to disincentivize "cheating". ...
... 17 hours). 13 Furthermore, transactions are typically not finalized immediately; for instance, most parties finalize a Bitcoin transaction after 6 confirmations and an Ethereum transaction after 240 confirmations (equiv. approximately 1 hour). ...
Preprint
Full-text available
We study Nash-dynamics in the context of blockchain protocols. Specifically, we introduce a formal model, within which one can assess whether the Nash dynamics can lead utility maximizing participants to defect from "honest" protocol operation, towards variations that exhibit one or more undesirable infractions, such as abstaining from participation and extending conflicting protocol histories. Blockchain protocols that do not lead to such infraction states are said to be compliant. Armed with this model, we study the compliance of various Proof-of-Work (PoW) and Proof-of-Stake (PoS) protocols, with respect to different utility functions and reward schemes, leading to the following results: i) PoS ledgers under resource-proportional rewards can be compliant if costs are negligible, but non-compliant if costs are significant, ii) PoW and PoS under block-proportional rewards exhibit different compliance behavior, depending on the lossiness of the network, iii) considering externalities, such as exchange rate fluctuations, we quantify the benefit of economic penalties in the context of PoS protocols with respect to compliance.
... Carlsten et al. [8] further revealed other severe issues when Blockchain transitions to a transaction-fee regime. Specifically, the time-varying nature of transaction fees allows a richer set of strategic deviations such as Selfish Mining [9], Undercutting [8], Mining Gap [8], Pool Hopping [10], etc. ...
... Carlsten et al. [8] further revealed other severe issues when Blockchain transitions to a transaction-fee regime. Specifically, the time-varying nature of transaction fees allows a richer set of strategic deviations such as Selfish Mining [9], Undercutting [8], Mining Gap [8], Pool Hopping [10], etc. These strategic deviations would not present in the block-reward model. ...
... Carlsten et al. [8] further revealed other severe issues when Blockchain transitions to a transaction-fee regime. Specifically, the time-varying nature of transaction fees allows a richer set of strategic deviations such as Selfish Mining [9], Undercutting [8], Mining Gap [8], Pool Hopping [10], etc. These strategic deviations would not present in the block-reward model. ...
Preprint
Full-text available
As the core technology behind Bitcoin, Blockchain's decentralized, tamper-proof, and traceable features make it the preferred platform for organizational innovation. In current Bitcoin, block reward is halved every four years, and transaction fees are expected to become the majority of miner revenues around 2140. When transaction fee dominates mining rewards, strategic deviations such as Selfish Mining, Undercutting, and Mining Gap could threaten the integrity and security of the Blockchain. This paper proposes a set of Dynamic Transaction Storage (DTS) strategies for maintaining a sustainable Blockchain under the transaction-fee regime. We demonstrate that block incentive volatility can be reduced through systematic simulation by applying DTS strategies and avoiding strategic deviations. With DTS, public Blockchains such as Bitcoin become sustainable when the mining reward is solely based on the transaction fee.
... Such an equilibrium is especially concerning because it implies that there is perpetual disagreement regarding which chain represents the Bitcoin blockchain and thus perpetual disagreement regarding the set of transactions that have settled on the Bitcoin blockchain. Carlsten et al. (2016) also examine whether forks may arise but in the absence of block rewards. ...
... The results of Carlsten et al. (2016), Biais et al. (2019) and Hinzen et al. (2022) cast doubt on Bitcoin's ability to serve as a viable payment system. Those same results, however, do not imply that BTC cannot remain a prominent asset. ...
Article
Full-text available
We survey extant literature on the economics of blockchain fundamentals, with particular focus on Bitcoin, proof-of-work, and proof-of-stake. We formally clarify Bitcoin's economic significance in solving the double-spending problem without a centralized entity. We then transition to the economics literature, highlighting the key endogenous economic interactions among participants in the Bitcoin ecosystem as well as the economics of proof-of-stake and other potential consensus algorithms. Along the way, we discuss various literature that provides important insights regarding fees, forks, and price volatility. We conclude by reflecting on the next generation of blockchain innovations. Expected final online publication date for the Annual Review of Financial Economics, Volume 13 is November 2022. Please see http://www.annualreviews.org/page/journal/pubdates for revised estimates.
... This section formally defines our model and, in particular, the optimization problem considered by a strategic player. Like prior work [7,5,8], we consider a single strategic player who is best responding to a profile of honest players. The purpose of this analysis, like in prior work, is to understand the maximum disruption that can be caused when a 1 − α fraction of the stake is owned by honest players, and an α fraction of the stake is owned by strategic players. ...
... In order to focus on the relevant aspects, we assume that any broadcast is received by all other users. This is consistent with prior work that focuses on the underlying incentives, and not distributed computing[7,5,3,8]. ...
Preprint
Cryptographic Self-Selection is a subroutine used to select a leader for modern proof-of-stake consensus protocols, such as Algorand. In cryptographic self-selection, each round $r$ has a seed $Q_r$. In round $r$, each account owner is asked to digitally sign $Q_r$, hash their digital signature to produce a credential, and then broadcast this credential to the entire network. A publicly-known function scores each credential in a manner so that the distribution of the lowest scoring credential is identical to the distribution of stake owned by each account. The user who broadcasts the lowest-scoring credential is the leader for round $r$, and their credential becomes the seed $Q_{r+1}$. Such protocols leave open the possibility of a selfish-mining style attack: a user who owns multiple accounts that each produce low-scoring credentials in round $r$ can selectively choose which ones to broadcast in order to influence the seed for round $r+1$. Indeed, the user can pre-compute their credentials for round $r+1$ for each potential seed, and broadcast only the credential (among those with a low enough score to be the leader) that produces the most favorable seed. We consider an adversary who wishes to maximize the expected fraction of rounds in which an account they own is the leader. We show such an adversary always benefits from deviating from the intended protocol, regardless of the fraction of the stake controlled. We characterize the optimal strategy; first by proving the existence of optimal positive recurrent strategies whenever the adversary owns last than $38\%$ of the stake. Then, we provide a Markov Decision Process formulation to compute the optimal strategy.
... For example, selfish mining is a well-known attack on Bitcoin's incentive mechanism that allows a strategic party to reap more than its fair share of block rewards by waiting to publish its blocks until it causes the most damage to the honest majority [23]. Many subsequent papers explored both (i) attacks on Bitcoin's incentive mechanism [24], [25], [26], [27], [28] and (ii) attacks on other blockchain protocols [9], [10], [11], [12]. In [13], the authors highlight the lack of systematic game-theoretic analysis of recently proposed blockchain protocols. ...
... Selfish mining family of attacks allow the attacker to grab greater fraction of the reward [23], [24], [25], [39], [40]. Undercutting attacks allow a party to grab greater reward in the absence of a block reward at the expense of security of the blockchain [26], [27], [28]. Few others have described various attacks for different blockchain protocols [9], [10], [11], [12]. ...
Preprint
Full-text available
Blockchains lie at the heart of Bitcoin and other cryptocurrencies that have shown great promise to revolutionize finance and commerce. Although they are gaining increasing popularity, they face technical challenges when it comes to scaling to support greater demand while maintaining their desirable security properties. In an exciting line of recent work, many researchers have proposed various scalable blockchain protocols that demonstrate the potential to solve these challenges. However, many of these protocols come with the assumptions of honest majority and symmetric network access which may not accurately reflect the real world where the participants may be self-interested or rational. Secondly, these works show that their protocol works in an ideal environment where each party has equal access to the network whereas different parties have varying latencies and network speeds. These assumptions may render the protocols susceptible to security threats in the real world, as highlighted by the literature focused on exploring game-theoretic attacks on these protocols. We propose a scalable blockchain protocol, Interlude, which comes with the typical security guarantees while focusing on game-theoretic soundness and network fairness. The novelty of Interlude is that it has a relatively simple design consisting of a sequence of parallel blocks containing disjoint transaction sets that can be mined quickly followed by a series block that is slow to mine and gives the honest parties in the network time to synchronize. Thus, between the chaos of parallel blocks, our blockchain protocol masquerades an interlude moment of harmony in series blocks that synchronize the network.
... According to our evaluation, the miner earned as high as 700 ETH for mining a single private transaction. This can lead to serious consensus security issues, such as the undercutting attacks [13], [22]. We also find that private transactions are not always private. ...
... To successfully launch the undercutting attacks, attackers need to give enough money incentives to the miners since the main goal of a rational miner is to maximize its profits. Previously, Carlsten et al. [13] consider the transaction fees as the only factor that causes undercutting attacks; In [22], it also takes Ordering Optimization (OO) fees (including MEV) into account. According to Gong et al. [39], before private transactions were introduced, the money deliberately left by attackers may not be enough to incentivize the miners to launch the undercutting attack. ...
Preprint
Recently, Decentralized Finance (DeFi) platforms on Ethereum are booming, and numerous traders are trying to capitalize on the opportunity for maximizing their benefits by launching front-running attacks and extracting Miner Extractable Values (MEVs) based on information in the public mempool. To protect end users from being harmed and hide transactions from the mempool, private transactions, a special type of transactions that are sent directly to miners, were invented. Private transactions have a high probability of being packed to the front positions of a block and being added to the blockchain by the target miner, without going through the public mempool, thus reducing the risk of being attacked by malicious entities. Despite the good intention of inventing private transactions, due to their stealthy nature, private transactions have also been used by attackers to launch attacks, which has a negative impact on the Ethereum ecosystem. However, existing works only touch upon private transactions as by-products when studying MEV, while a systematic study on private transactions is still missing. To fill this gap and paint a complete picture of private transactions, we take the first step towards investigating the private transactions on Ethereum. In particular, we collect large-scale private transaction datasets and perform analysis on their characteristics, transaction costs and miner profits, as well as security impacts. This work provides deep insights on different aspects of private transactions.
... The process of producing new blocks is referred to as mining, the mining target value is dependent on the current network is called difficulty. Miners get rewarded for their expense of computational resources with a block reward (Carlsten et al., 2016). ...
Thesis
Full-text available
The digital transformation facilitates new forms of collaboration between companies along the supply chain and between companies and consumers. Besides sharing information on centralized platforms, blockchain technology is often regarded as a potential basis for this kind of collaboration. However, there is much hype surrounding the technology due to the rising popularity of cryptocurrencies, decentralized finance (DeFi), and non-fungible tokens (NFTs). This leads to potential issues being overlooked. Therefore, this thesis aims to investigate, highlight, and address the current weaknesses of blockchain technology: Inefficient consensus, privacy, smart contract security, and scalability. First, to provide a foundation, the four key challenges are introduced, and the research objectives are defined, followed by a brief presentation of the preliminary work for this thesis. The following four parts highlight the four main problem areas of blockchain. Using big data analytics, we extracted and analyzed the blockchain data of six major blockchains to identify potential weaknesses in their consensus algorithm. To improve smart contract security, we classified smart contract functionalities to identify similarities in structure and design. The resulting taxonomy serves as a basis for future standardization efforts for security-relevant features, such as safe math functions and oracle services. To challenge privacy assumptions, we researched consortium blockchains from an adversary role. We chose four blockchains with misconfigured nodes and extracted as much information from those nodes as possible. Finally, we compared scalability solutions for blockchain applications and developed a decision process that serves as a guideline to improve the scalability of their applications. Building on the scalability framework, we showcase three potential applications for blockchain technology. First, we develop a token-based approach for inter-company value stream mapping. By only relying on simple tokens instead of complex smart-contracts, the computational load on the network is expected to be much lower compared to other solutions. The following two solutions use offloading transactions and computations from the main blockchain. The first approach uses secure multiparty computation to offload the matching of supply and demand for manufacturing capacities to a trustless network. The transaction is written to the main blockchain only after the match is made. The second approach uses the concept of payment channel networks to enable high-frequency bidirectional micropayments for WiFi sharing. The host gets paid for every second of data usage through an off-chain channel. The full payment is only written to the blockchain after the connection to the client gets terminated. Finally, the thesis concludes by briefly summarizing and discussing the results and providing avenues for further research.
... The security of blockchain systems has been widely discussed since their inception [49]. Several papers analyzed the incentive system of the Bitcoin system and proposed potential attacks given specific incentive incompatibilities [18,27,44,46,59,71]. Other studies extend the analysis to Proof-of-Stake protocols [20,54]. ...
Preprint
Transaction fee mechanism (TFM) is an essential component of a blockchain protocol. However, a systematic evaluation of the real-world impact of TFMs is still absent. Using rich data from the Ethereum blockchain, mempool, and exchanges, we study the effect of EIP-1559, one of the first deployed TFMs that depart from the traditional first-price auction paradigm. We conduct a rigorous and comprehensive empirical study to examine its causal effect on blockchain transaction fee dynamics, transaction waiting time and security. Our results show that EIP-1559 improves the user experience by making fee estimation easier, mitigating intra-block difference of gas price paid, and reducing users' waiting times. However, EIP-1559 has only a small effect on gas fee levels and consensus security. In addition, we found that when Ether's price is more volatile, the waiting time is significantly higher. We also verify that a larger block size increases the presence of siblings. These findings suggest new directions for improving TFM.
... To compare, the miner of block 13025736 earns a total of 2.019 ETH: 2 ETH for the block creation reward, plus 0.137 in transaction fees minus 0.118 in burnt fees. In this case, as is a typical for blocks outside price bursts, the transaction fees are small compared to the block rewards [20]. However, the miners of blocks 13025737 and 13025738 earn 3.472 ETH and 45.646 ETH, respectively. ...
... That is, they may deviate from the prescribed protocol to gain additional rewards because it may not be a strategic miner's best response to follow the protocol honestly. Selfish mining, petty mining, and undercutting are some of the strategies that may lead to greater rewards for the miners Carlsten et al. [2016], Sapirshtein et al. [2016]. In the game-theory literature, a system is said to be incentive compatible if it rewards each player greater for playing truthfully as compared to all other possible strategies. ...
Preprint
Full-text available
Cryptocurrencies are poised to revolutionize the modern economy by democratizing commerce. These currencies operate on top of blockchain-based distributed ledgers. Existing permissionless blockchain-based protocols offer unparalleled benefits like decentralization, anonymity, and transparency. However, these protocols suffer in performance which hinders their widespread adoption. In particular, high time-to-finality and low transaction rates keep them from replacing centralized payment systems such as the Visa network. Permissioned blockchain protocols offer attractive performance guarantees, but they are not considered suitable for deploying decentralized cryptocurrencies due to their centralized nature. Researchers have developed several multi-layered blockchain protocols that combine both permissioned and permissionless blockchain protocols to achieve high performance along with decentralization. The key idea with existing layered blockchain protocols in literature is to divide blockchain operations into two layers and use different types of blockchain protocols to manage each layer. However, many such works come with the assumptions of honest majority which may not accurately reflect the real world where the participants may be self-interested or rational. These assumptions may render the protocols susceptible to security threats in the real world, as highlighted by the literature focused on exploring game-theoretic attacks on these protocols. We generalize the "layered" approach taken by existing protocols in the literature and present a framework to analyze the system in the BAR Model and provide a generalized game-theoretic analysis of such protocols. Using our analysis, we identify the critical system parameters required for a distributed ledger's secure operation in a more realistic setting.
... Research suggests that swift surges in transaction fees might deter cryptocurrency usage and prompt regular users (i.e., transaction senders) to abandon this technology (Easleyet al., 2019), and that, conversely, the sharp and unpredictable drops in fees paid to "miners"-i.e., a special type of users who contribute computing power to verify the transactions-might discourage miner participation, leading to security and stability concerns (Carlsten et al., 2016). Unfortunately, recent drastic turbulences in transaction fees and processing times have revived concerns about the stability of cryptocurrencies while propelling businesses to back away from cryptocurrency adoption and leading to the so called "transaction fee crisis" (Huo, 2017). ...
Chapter
Full-text available
Cryptocurrency, operated through blockchain technology, is a new form of digital currency which is used as a medium of exchange. It is used in many countries but Bangladesh Bank, the central bank of Bangladesh, halts a ban on its use and/or trading considering its negative aspects. So, the perception towards virtual currency in Bangladesh remains under shadow. Hence, the study investigates the perception of a total 155 persons (having sound knowledge in this new technology e.g., central bankers, bankers and finance and accounting graduates) behind the intended use of cryptocurrency using structural equation modelling. The study has four observed variables (perceived ease of use, perceived usefulness, trust and perceived risk) and one latent variable (behavioral intention to use cryptocurrency). Finally, the result demonstrates that perceived usefulness and trust have a significant impact, but perceived ease of use and perceived risk have no significant impact on the intention to use cryptocurrency. The paper enlightens the unexplored perception of the people of Bangladesh towards cryptocurrency. The findings recommend that the Bangladesh Bank may reconsider its decision regarding fintech innovation considering cryptocurrency’s positivity and minimize the dilemma keeping the deleterious sides under strict monitoring. Keywords: Bangladesh Bank, Block chain, Cryptocurrency, Perceived Ease of Use, Perceived Usefulness JEL Classification: C51, C59, D40, G12
... Decker and Wattenhofer (2013); Neudecker and Hartenstein (2019) study block propagation and temporary forks in Bitcoin. Carlsten et al. (2016); Tsabary and Eyal (2018) anticipated the logic of my activity constraint, arguing that fee stochasticity creates security breaches. A solid research line on Nakamoto consensus points out that block times have to be long relative to transmission delays in order to safeguard the blockchain against attacks. ...
Preprint
Full-text available
I study the optimal design of transaction fees and seigniorage for a Proof-of-Work cryptocurrency. Commodity merchants need blockchain miners to record their payments and secure the blockchain by remaining active. Fees make miners willing to process merchants' transactions by compensating for the risk that doing so slows down block transmissions making blocks invalid. Seigniorage convinces miners to operate when pending transactions are scarce. Both seigniorage and fees are necessary. As fees are distortionary for merchants, an optimal design uses them only as required by incentive-compatibility. JEL Codes: C73, D47, E42, G11.
... Selfish mining is another type of attack in PoW blockchain systems to get more revenue. Researchers have evaluated selfish mining in Bitcoin and Ethereum systems using analytical models and/or simulation experiments [5,[20][21][22][23][24]. ...
Article
Full-text available
Malicious miners in a Proof-of-Work (PoW) blockchain can apply less computing power to perform fork-after-withholding (FAW) attack than that to selfish mining and other withholding attacks. Quantitative study of FAW attack enables an in-depth understanding of the attack and then helps design countermeasures. The existing quantification studies of FAW attack only considered a perfect Bitcoin blockchain, where there is no block propagation delay. This paper aims to quantitatively investigate FAW attack in imperfect Bitcoin and Ethereum systems. We first establish an analytic model to capture the chain dynamics under FAW attack in a PoW system where the longest-chain protocol is used. Then the model is explored to derive closed-formed metric formulas for Bitcoin and Ethereum, respectively. These closed-formed formulas enable the evaluation of both the profitability of FAW adversaries and the impact of FAW attack on system throughput. Experimental results reveal that FAW adversaries can get more revenue in the network with propagation delay than without delay. FAW attack can reduce the blockchain throughput, especially in Bitcoin.
... Research suggests that swift surges in transaction fees might deter cryptocurrency usage and prompt regular users (i.e., transaction senders) to abandon this technology (Easleyet al., 2019), and that, conversely, the sharp and unpredictable drops in fees paid to "miners"-i.e., a special type of users who contribute computing power to verify the transactions-might discourage miner participation, leading to security and stability concerns (Carlsten et al., 2016). Unfortunately, recent drastic turbulences in transaction fees and processing times have revived concerns about the stability of cryptocurrencies while propelling businesses to back away from cryptocurrency adoption and leading to the so called "transaction fee crisis" (Huo, 2017). ...
Chapter
Full-text available
In recent years, the Indian Government has adopted potent measures to expedite the transition from the cash-dependent to the cashless economy. The introduction of ATMs enhanced the banking operations’ efficiency and allowed the customers more convenient access to their money. Similarly, funds transfer systems such as NEFT, RTGS and IMPS have enabled more reliable and faster transfers. However, the next revolution has been unleashed by applying transaction systems such as UPI (Unified Payment Interface). India has been scaled by the 4G network, which has ensured the availability of internet services in every part of the country. Hence the UPI applications can be easily accessed and used by people. The sudden announcement of demonetization has also provided an impetus to adopting e-money as the mode of payment. The government has rightly sensed this as an excellent opportunity to propagate Fintech tools among the citizens to decrease the dependence on cash. This paper explores the need for reducing the reliance on cash for the day-to-day transactions, prospects and the challenges associated with initiatives adopted for India’s drive in the direction of a Cashless economy
... • The block reward is reduced every 4 years (epochs). This means a portion of the mining reward is trending to zero, and nobody knows what effect this will have on the incentives for securing the network through proof of work [64]. It is increasingly being discussed as the major eventual problem for the network. ...
Preprint
Full-text available
We present a state of the art and positioning book, about Web3, Bitcoin, and Metaverse'; describing the intersections and synergies. A high level overview of Web3 technologies leads to a description of blockchain, and the Bitcoin network is specifically selected for detailed examination. Suitable components of the extended Bitcoin ecosystem are described in more depth. Other mechanisms for native digital value transfer are described, with a focus on money'. Metaverse technology is over-viewed, primarily from the perspective of Bitcoin and extended reality.\par Bitcoin is selected as the best contender for value transfer in metaverses because of it's free and open source nature, and network effect. Challenges and risks of this approach are identified. A cloud deployable virtual machine based technology stack deployment guide with a focus on cybersecurity best practice can be downloaded from GitHub to experiment with the technologies. This deployable lab is designed to inform development of secure value transaction, for small and medium sized companies.
... The protocol is resilient to reorgs, meaning that whenever there is an honest leader, its proposal will eventually make it into the protocol's output ledger, with a prefix ledger that can be determined at the time of block production. This property is broadly important for incentive alignment, e.g., it reduces the risk of undercutting [30,9], time-bandit [14], or selfish mining [16] attacks. ...
Preprint
The latest message driven (LMD) greedy heaviest observed sub-tree (GHOST) consensus protocol is a critical component of future proof-of-stake (PoS) Ethereum. In its current form, the protocol is brittle and intricate to reason about, as evidenced by recent attacks, patching attempts, and G\"orli testnet reorgs. We present Goldfish, which can be seen as a considerably simplified variant of the current protocol, and prove that it is secure and reorg resilient in synchronous networks with dynamic participation, assuming a majority of the nodes (called validators) follows the protocol honestly. Furthermore, we show that subsampling validators can improve the communication efficiency of Goldfish, and that Goldfish is composable with finality gadgets and accountability gadgets. The aforementioned properties make Goldfish a credible candidate for a future protocol upgrade of PoS Ethereum, as well as a versatile pedagogical example. Akin to traditional propose-and-vote-style consensus protocols, Goldfish is organized into slots, at the beginning of which a leader proposes a block containing new transactions, and subsequently members of a committee take a vote towards block confirmation. But instead of using quorums, Goldfish is powered by a new mechanism that carefully synchronizes the inclusion and exclusion of votes in honest validators' views.
... Incentive analysis in blockchain consensus often assumes a constant reward per block [23,25,29,40,20]. Carlsten et al. [14], on the other hand, argue that transaction fees, when larger than block rewards, introduce a high variance in the revenue per block and can pose a risk to blockchain security. Qin et al. [38] argue that DeFi applications can also disrupt miner incentives. ...
Preprint
Trading on decentralized exchanges has been one of the primary use cases for permissionless blockchains with daily trading volume exceeding billions of U.S.~dollars. In the status quo, users broadcast transactions and miners are responsible for composing a block of transactions and picking an execution ordering -- the order in which transactions execute in the exchange. Due to the lack of a regulatory framework, it is common to observe miners exploiting their privileged position by front-running transactions and obtaining risk-fee profits. In this work, we propose to modify the interaction between miners and users and initiate the study of {\em verifiable sequencing rules}. As in the status quo, miners can determine the content of a block; however, they commit to respecting a sequencing rule that constrains the execution ordering and is verifiable (there is a polynomial time algorithm that can verify if the execution ordering satisfies such constraints). Thus in the event a miner deviates from the sequencing rule, anyone can generate a proof of non-compliance. We ask if there are sequencing rules that limit price manipulation from miners in a two-token liquidity pool exchange. Our first result is an impossibility theorem: for any sequencing rule, there is an instance of user transactions where the miner can obtain non-zero risk-free profits. In light of this impossibility result, our main result is a verifiable sequencing rule that provides execution price guarantees for users. In particular, for any user transaction $A$, it ensures that either (1) the execution price of $A$ is at least as good as if $A$ was the only transaction in the block, or (2) the execution price of $A$ is worse than this standalone'' price and the miner does not gain (or lose) when including $A$ in the block.
... These analysis is bound to the case where miners are incentivised by a block reward. Carlsten et al. [11] studied how different strategies might threaten the efficiency of Bitcoin when transaction fees are the only incentive left to encourage mining. They show that the security of the blockchain is threatened by miners who may undercut blocks of other miners, by including less transactions in their own blocks. ...
Conference Paper
Full-text available
Trust is key to the efficient functioning of any fiat or crypto-currency and so is for the consensus algorithm behind the functioning of blockchain systems. By an arbitrary design choice, Bitcoin and most Proof-of-Work (PoW) blockchains have a limited supply. Once block rewards vanish, only transaction fees will remain as an incentive for miners to partake in the verification process. In this paper, we analyse the impact that miners bargaining over block composition has on consensus in the absence of block rewards: in this situation, competing blocks at the same height may be more attractive to peers by including less transactions (i.e. sharing the mempool). The mining and acceptance of blocks can be modelled as an Ultimatum Game, where miners' strategies represent their fairness sentiment. Extending previous Literature, our study focuses on the effect of the transaction arrival rate on global consensus in the system and whether local consensus is formed under certain assumptions about the strategies of miners. We find that consensus is threatened when the supply of transactions is low and stable consensus only emerges when the amount of unconfirmed transactions remains sufficient. In addition, when miners are set with randomised strategies, it is more difficult for the system to achieve consensus. Our research suggests that transitioning from a block reward incentive to a transaction fee incentive may weaken and even destroy the consensus of PoW-based systems.
... Bitcoin's future block reward halving will decrease both the threshold to launch profitable DPC attacks and the safe transaction value, which confirms Carlsten et al.'s previous observation [32]. ...
Preprint
Full-text available
We describe and analyze perishing mining, a novel block-withholding mining strategy that lures profit-driven miners away from doing useful work on the public chain by releasing block headers from a privately maintained chain. We then introduce the dual private chain (DPC) attack, where an adversary that aims at double spending increases its success rate by intermittently dedicating part of its hash power to perishing mining. We detail the DPC attack's Markov decision process, evaluate its double spending success rate using Monte Carlo simulations. We show that the DPC attack lowers Bitcoin's security bound in the presence of profit-driven miners that do not wait to validate the transactions of a block before mining on it.
... To achieve this, game theoretic analyses in Blockchain systems have been used over many years, starting with the original Bitcoin whitepaper [26]. Since the discovery of the selfish mining attack [16], game theoretic methods have been used to investigate rational deviations [12], mining pools [15], and more recently transaction fee auctions in Ethereum like Blockchains [31,13]. Our work differs from existing literature as we focus on the effects of rational behavior on buy-back and pay strategies used to stabilize token prices, and not necessarily on modeling the effects on an underlying Blockchain protocol. ...
Preprint
Full-text available
There are a multitude of Blockchain-based physical infrastructure systems, operating on a crypto-currency enabled token economy, where infrastructure suppliers are rewarded with tokens for enabling, validating, managing and/or securing the system. However, today's token economies are largely designed without infrastructure systems in mind, and often operate with a fixed token supply (e.g., Bitcoin). This paper argues that token economies for infrastructure networks should be structured differently - they should continually incentivize new suppliers to join the network to provide services and support to the ecosystem. As such, the associated token rewards should gracefully scale with the size of the decentralized system, but should be carefully balanced with consumer demand to manage inflation and be designed to ultimately reach an equilibrium. To achieve such an equilibrium, the decentralized token economy should be adaptable and controllable so that it maximizes the total utility of all users, such as achieving stable (overall non-inflationary) token economies. Our main contribution is to model infrastructure token economies as dynamical systems - the circulating token supply, price, and consumer demand change as a function of the payment to nodes and costs to consumers for infrastructure services. Crucially, this dynamical systems view enables us to leverage tools from mathematical control theory to optimize the overall decentralized network's performance. Moreover, our model extends easily to a Stackelberg game between the controller and the nodes, which we use for robust, strategic pricing. In short, we develop predictive, optimization-based controllers that outperform traditional algorithmic stablecoin heuristics by up to $2.4 \times$ in simulations based on real demand data from existing decentralized wireless networks.
Article
This paper proposes a conceptual framework for the analysis of reward sharing schemes in mining pools, such as those associated with Bitcoin. The framework is centered around the reported shares in a pool instead of agents and introduces two new fairness criteria: absolute and relative redistribution. These criteria impose that the addition of a share to a round affects all previous shares of the round in the same way, either in absolute amount or in relative ratio. We characterize two large classes of reward sharing schemes corresponding to each of these fairness criteria in turn. We further show that the intersection of these classes brings about a generalization of the well-known proportional scheme, which in turn leads to a new characterization of the proportional scheme itself.
Chapter
Mining processes of Bitcoin and similar cryptocurrencies are currently incentivized with voluntary transaction fees and fixed block rewards which will halve gradually to zero. In the setting where optional and arbitrary transaction fee becomes the prominent/remaining incentive, Carlsten et al. [CCS 2016] find that an undercutting attack can become the equilibrium strategy for miners. In undercutting, the attacker deliberately forks an existing chain by leaving wealthy transactions unclaimed to attract petty complaint miners to its fork. We observe that two simplifying assumptions in [CCS 2016] of fees arriving at fixed rates and miners collecting all accumulated fees regardless of block size limit are often infeasible in practice and find that they are inaccurately inflating the profitability of undercutting. Studying Bitcoin and Monero blockchain data, we find that the fees deliberately left out by an undercutter may not be attractive to other miners (hence to the attacker itself): the deliberately left out transactions may not fit into a new block without “squeezing out” some other to-be transactions, and thus claimable fees in the next round cannot be raised arbitrarily.This work views undercutting and shifting among chains rationally as mining strategies of rational miners. We model profitability of undercutting strategy with block size limit present, which bounds the claimable fees in a round and gives rise to a pending (cushion) transaction set. In the proposed model, we first identify the conditions necessary to make undercutting profitable. We then present an easy-to-deploy defense against undercutting by selectively assembling transactions into the new block to invalidate the identified conditions. Indeed, under a typical setting with undercutters present, applying this avoidance technique is a Nash Equilibrium. Finally, we complement the above analytical results with an experimental analysis using both artificial data of normally distributed fee rates and actual transactions in Bitcoin and Monero.KeywordsBitcoin incentiveTransaction feeUndercuttingUndercutting avoidance
Chapter
Recently, two attacks were presented against Proof-of-Stake (PoS) Ethereum: one where short-range reorganizations of the underlying consensus chain are used to increase individual validators’ profits and delay consensus decisions, and one where adversarial network delay is leveraged to stall consensus decisions indefinitely. We provide refined variants of these attacks, considerably relaxing the requirements on adversarial stake and network timing, and thus rendering the attacks more severe. Combining techniques from both refined attacks, we obtain a third attack which allows an adversary with vanishingly small fraction of stake and no control over network message propagation (assuming instead probabilistic message propagation) to cause even long-range consensus chain reorganizations. Honest-but-rational or ideologically motivated validators could use this attack to increase their profits or stall the protocol, threatening incentive alignment and security of PoS Ethereum. The attack can also lead to destabilization of consensus from congestion in vote processing.
Article
The longest-chain and Greedy Heaviest Observed Subtree (GHOST) protocols are the two most famous chain-selection protocols to address forking in Proof-of-Work (PoW) blockchain systems. Inclusive protocol was proposed to lower the loss of miners who produce stale blocks and increase the blockchain throughput. This paper aims to make an analytical-model-based quantitative comparison of their capabilities against selfish mining attack. Analytical models have been developed for the longest-chain protocol but less to the GHOST protocol. However, the blockchain dynamics and evolution are different when adopting different chain-selection protocols. Therefore, the corresponding analytical models and/or the formulas of calculating metrics (such as miner profitability and system throughput) may be different. To address these challenges, this paper first develops a novel Markov model and the formulas of evaluation metrics, in order to analyze a GHOST-based blockchain system under selfish mining attack. Then extensive experiments are conducted for comparison and we observe that: (i) The GHOST protocol is more resistant to selfish mining attack than the longest-chain protocol from the aspect of relative revenue of selfish miners. (ii) Inclusive protocol can promote the security (evaluated in terms of miner profitability) improvement of the system which has little total computational power or a high forking probability. Additionally, the longest-chain protocol is more sensitive to inclusive protocol than GHOST protocol. (iii) It is hard for each of the two common-used difficulty adjustment algorithms to achieve higher system throughput and security.
Article
Every organization relies on a designed contract to manage the rules that guide and coordinate the activities within each organization. However, traditional and contracts have many challenges. This has created the need for automated digital contracts, which are largely used within organizations. Although these contracts provide their own sets of advantages, they still have a single point of failure and still rely on trusted parties that cannot enforce rules. This has caused the introduction of blockchain smart contracts to help organizations collaborate in a decentralized manner. However, most contracting approaches are still influenced by traditional contracting schemes and cannot leverage the blockchain’s features. This has made contracts designed over the blockchain network inefficient and difficult to manage. Existing contractual approaches also do not account for the full advantages of blockchain smart contracts due to a lack of focus in this area. The blockchain and its contracting mechanism are unique, and thus, a unique perspective must be brought in designing a contracting scheme that works efficiently with the blockchain and its inherent smart contracts. In this work, we develop a unique contractual approach that is adaptive to the blockchain and leverages its features in ensuring an efficient contracting scheme that is able to solve the major operations within organizations. We introduce a novel concept of contracting among blockchain networks using existing contract theory concepts to understand better how participants can work together across multiple organizations. We create a novel multi-contracting scheme for multiple parties to collaborate and work together efficiently between multiple organizations, ensuring the completion of projects and contract solidification. We develop a complex interlinked system of contracts to make contacts among multiple organizations easily traceable and manageable. We enhance this with a unique contract consolidation scheme to avoid redundancy. We utilize our proposed scheme to develop a uniquely transparent and fair workflow within organizations such as recruitment and employment leveraging blockchain-based oracle nodes. We extend this work to outsourced and sub-outsourced projects on the blockchain where an arbitration scheme is developed in multi-arbitration and multi-contracting scenarios. We also consider in our case in ex-facto situations. We tested our proposed blockchain-based idea over existing blockchain networks. Our results prove the feasibility and efficiency of our proposed idea.
Article
Since inception, blockchain has earned significant attention due to its exclusive characteristics and advantages. It has changed the way the transactions are conducted by eradicating the role of third parties and promises to ensure trust among the participants. This technology is emerging as a potential solution to several issues but not without certain security vulnerabilities. In particular, protection of sensitive data is a more critical issue in the absence of a third party. This paper is aimed to report and share the state of the art of sensitive data protection in blockchain applications. The covered aspects include identification of sensitive data, existing techniques to protect sensitive data and to know how real time data compromised by security risks, attacks, threats and vulnerabilities concerning blockchain applications. This paper analysis the tools and techniques used in the past for protecting sensitive data and categorized them. On the basis of research and intuitive findings, methods and techniques are elaborated which can contribute in future in the designing a framework for protection of sensitive data in blockchain applications.
Thesis
Die Digitalisierung des Geldes durch die Einführung des elektronischen Zahlungsverkehrs in diesem Jahrhundert bildet die Grundlage des heutigen unkörperlichen Geldverkehrs. Das Aufkommen neuer rein digitaler Zahlungsarten wie Kryptowährungen setzen diesen Trend der Entmaterialisierung des Geldverkehrs fort. Insofern ist auch das Recht der Zwangsvollstreckung der Frage ausgesetzt, inwieweit die Vollstreckung in solche Werte zur Befriedigung des Gläubigers möglich ist. Dieser Frage geht die vorliegende Dissertation auf Basis des deutschen Vollstreckungsrecht am Beispiel der Kryptowährung Bitcoins nach.
Article
The Bitcoin payment system involves two agent types: users that transact with the currency and pay fees and miners in charge of authorizing transactions and securing the system in return for these fees. Two of Bitcoin’s challenges are (i) securing sufficient miner revenues as block rewards decrease, and (ii) alleviating the throughput limitation due to a small maximal block size cap. These issues are strongly related as increasing the maximal block size may decrease revenue due to Bitcoin’s pay-your-bid approach. To decouple them, we analyze the “monopolistic auction” [ 16 ], showing (i) its revenue does not decrease as the maximal block size increases, (ii) it is resilient to an untrusted auctioneer (the miner), and (iii) simplicity for transaction issuers (bidders), as the average gain from strategic bid shading (relative to bidding one’s value) diminishes as the number of bids increases.
Chapter
Blockchain has attracted the public’s attention in recent years as a decentralized system. But it suffers from low transaction throughput and poor scalability. Sharding technology is proposed to improve blockchain’s efficiency and performance using parallel processing. The key idea is to divide the miners into different shards or committees to process disjoint transaction sets. There are two kinds of committees in the sharding blockchain which bring miners different costs and rewards. One is dedicated to membership management and cross-shard transaction routing while the other is responsible for transaction validation. Miners have to decide which committee to participate in before they start working. In this paper, we study the problem of how much computational power would miners contribute to different kinds of committees in the view of game theory. We model the game as a two-stage hierarchical game and obtain the Nash equilibrium of this game. The experimental results show that both computational power limitation and system’s parameters have effects on the final equilibrium.
Article
Since its launch in 2009 much has been written about Bitcoin, cryptocurrencies, and blockchains. While the discussions initially took place mostly on blogs and other popular media, we now are witnessing the emergence of a growing body of rigorous academic research on these topics. By the nature of the phenomenon analyzed, this research spans many academic disciplines including macroeconomics, law and economics, and computer science. This survey focuses on the microeconomics of crypto-currencies themselves. What drives their supply, demand, trading price, and competition amongst them? This literature has been emerging over the past decade and the purpose of this paper is to summarize its main findings so as to establish a base upon which future research can be conducted. (JEL D82, E42, G12)
Bitcoin is the largest blockchain, and provides the underlying UTXO architecture used by many other cryptocurrencies. We identify an inherent bias embedded in this architecture (the Notebreaker mechanism) which forces users to ‘spend’ the entire content of a wallet address in order to make a payment, receiving ‘change’ into a unique new address. This inflates both the apparent volume transacted and network users, as well as minimizing the apparent fees of transacting. We develop an innovative Transaction Identification Methodology (TIM) to quantify the economic value of transactions from raw blockchain data. Using four different algorithms across three stages, we achieve 95% accuracy in quantifying the degree of bias in these measures. Validated across more than 430 million Bitcoin transactions involving 600 million wallet addresses, our methodology reveals that the Notebreaker mechanism inflates transaction volumes 8 times, makes the actual costs of blockchain transactions appear 3-7 times more expensive than what is commonly reported, and inflates wallet counts – a common heuristic of unique adopter counts. We provide a remediation strategy to make Bitcoin blockchain data a more accurate representation of reality, and provide a daily data set of these remediated volumes and transaction fees.
Article
In a blockchain-based system, the lack of centralized control requires active participation and cooperative behaviors of system entities to ensure system security and sustainability. However, dynamic environments and unpredictable entity behaviors challenge the performances of such systems in practice. Therefore, designing a feasible incentive mechanism to regulate entity behaviors becomes essential to improve blockchain system performance. The prosperous characteristics of blockchain can also contribute to an effective incentive mechanism. Unfortunately, current literature still lacks a thorough survey on incentive mechanisms related to the blockchain to understand how incentive mechanisms and blockchain make each other better. To this end, we propose evaluation requirements in terms of the properties and costs of incentive mechanisms. On one hand, we provide a taxonomy of the incentive mechanisms of blockchain systems according to blockchain versions, incentive forms and incentive goals. On the other hand, we categorize blockchain-based incentive mechanisms according to application scenarios and incentive goals. During the review, we discuss the advantages and disadvantages of state-of-art incentive mechanisms based on the proposed evaluation requirements. Through careful review, we present how incentive mechanisms and blockchain benefit with each other, discover a number of unresolved issues, and point out corresponding potential directions for future research.
Article
The growing popularity of blockchain‐based cryptocurrencies is driven by the flexibility in transaction fee offerings, among other factors. To achieve service‐level differentiation among their users, many cryptocurrencies allow users to “name your own price,” giving rise to a large variation in fee offerings and hence, variation in confirmation times. Yet, the time it takes a cryptocurrency transaction to be confirmed in the blockchain is not only affected by the fee offered, but also by the contemporaneous congestion level and the inherent randomness in the verification process. Although it is generally expected that higher fees lead to quicker confirmation, the uniqueness of the cryptocurrency setting adds important nuances to the fee‐speed relationship. Using Bitcoin—the original and most heavily used cryptocurrency by far—as our empirical context, we stylize the transaction confirmation processes, propose a theoretical framework that maps the causal path from fee to speed, and estimate this framework using Bitcoin transaction data under periods of high volatility. Our results show strong evidence for two characteristics of fee's impact: congestion dependence and tail shrinkage. Our finding that the speed acceleration effect of fee is particularly strong on the tail of the confirmation time distribution motivates a target service level approach to fee recommendation. To put this finding into practice, we develop an efficient computational procedure that helps Bitcoin users accurately estimate fees based on their confirmation delay preferences. We discuss the implications of our analyses on future cryptocurrency development and the long‐term adoption of this revolutionary technology. We describe the institutional background of the Bitcoin transaction fee market, contrast it with other fee‐for‐speed service systems, and propose a framework to map the causal path from transaction fee to confirmation speed. Two waves of data are collected from the Bitcoin blockchain, from November 11, 2017 to March 10, 2018 and from January 1, 2021 to April 30, 2021, analysis of which shows strong evidence for two characteristics of fee's impact: congestion dependence and tail shrinkage. We develop an efficient computational procedure that recommends Bitcoin users a fee to achieve a desired service level: “I need my transaction confirmed in the next 60 minutes with a 90% likelihood, what's the fee”?
Article
Full-text available
The security and fairness of blockchain are always threatened by selfish mining attacks. To study such selfish mining attacks, some necessary and useful methods need to be developed sufficiently. In this paper, we provide an interesting method for analyzing dynamic decision of blockchain selfish mining by applying the sensitivity-based optimization. Our goal is to find the optimal dynamic blockchain-pegged mining policy of the dishonest mining pool. To this end, we consider a blockchain system with two mining pools: the honest and the dishonest mining pools, where the honest mining pool follows a two-block leading competitive criterion, while the dishonest mining pool follows a modification of two-block leading competitive criterion. To find the optimal blockchain-pegged mining policy, we develop the sensitivity-based optimization to study dynamic decision of blockchain system through setting up a policy-based Poisson equation, and provide an expression for the unique solution of performance potentials. Based on this, we can characterize monotonicity and optimality of the long-run average profit with respect to the blockchain-pegged mining reward. Also, we prove the structure of the optimal blockchain-pegged mining policy. The methodology and results derived in this paper significantly reduce the large search space of finding the optimal policy, thus they can shed light on the optimal dynamic decision research on the selfish mining attacks of blockchain systems.
Chapter
In this paper, we outline a novel form of attack we refer to as Opportunistic Algorithmic Double-Spending (OpAl). OpAl attacks avoid equivocation, i.e., do not require conflicting transactions, and are carried out automatically in case of a fork. Algorithmic double-spending is facilitated through transaction semantics that dynamically depend on the context and ledger state at the time of execution. Hence, OpAl evades common double-spending detection mechanisms and can opportunistically leverage forks, even if the malicious sender themselves is not responsible for, or even actively aware of, any fork. Forkable ledger designs with expressive transaction semantics, especially stateful EVM-based smart contract platforms such as Ethereum, are particularly vulnerable. Hereby, the cost of modifying a regular transaction to opportunistically perform an OpAl attack is low enough to consider it a viable default strategy. While Bitcoin’s stateless UTXO model, or Cardano’s EUTXO model, appear more robust against OpAl, we nevertheless demonstrate scenarios where transactions are semantically malleable and thus vulnerable. To determine whether OpAl-like semantics can be observed in practice, we analyze the execution traces of 922562 transactions on the Ethereum blockchain. Hereby, we are able to identify transactions, which may be associated with frontrunning and MEV bots, that exhibit some of the design patterns also employed as part of the herein presented attack.
Article
Full-text available
Blockchain systems allow for securely keeping shared records of transactions in a decentralized way. This is enabled by algorithms called consensus mechanisms. Proof-of-work is the most prominent consensus mechanism, but environmentally unsustainable. Here, we focus on proof-of-stake, its best-known alternative. Importantly, decentralized decision-making power is not an inherent feature of blockchain systems, but a technological possibility. Numerous security incidents illustrate that decentralized control cannot be taken for granted. We therefore study how key parameters affect the degree of decentralization in proof-of-stake blockchain systems. Based on a real-world implementation of a proof-of-stake blockchain system, we conduct agent-based simulations to study how a range of parameters impact decentralization. The results suggest that high numbers of initial potential validator nodes, large transactions, a high number of transactions, and a very high or very low positive validator network growth rate increase decentralization. We find weak support for an impact of changes in transaction fees and initial stake distributions. Our study highlights how blockchain challenges our understanding of decentralization in information systems research, and contributes to understanding the governance mechanisms that lead to decentralization in proof-of-stake blockchain systems as well as to designing proof-of-stake blockchain systems that are prone to decentralization and therefore more secure.
Chapter
Cryptocurrency is replacing the centralized system with a decentralized network of Internet-based miners who generate and handle foreign currency and transactions in a more secure manner. They use blockchain as decentralized ledger and tightly close them with proof of work. Bitcoin’s rule for attaining consensus is deciding on the longest chains and discarding the different chains as orphan and stale. It is observed that this rule has a weak point toward selfish mining in which the egocentric miner exploits the variance in the blockchain technology through party retaining blocks. The paper explains the different methods that can be used to minimize the orphan risk in blockchain like Bitcoin and other different methods that can be used to resolve the issue if they are still being formed.KeywordsBitcoinBlockchainOrphan BlockSelfish miningCryptocurrency
Chapter
Due to complex blockchain programs and numerous blockchain nodes, it takes a huge amount of time and economic cost to conduct blockchain experiments. Existing open source projects do not support modifications to the underlying blockchain, and existing blockchain simulators only focus on a single blockchain system and cannot flexibly extend or replace models. Regarding the issues above, this paper proposes a prototype system for blockchain performance evaluation, including real deployment test and simulation test. In real deployment test, a five-layer architecture for building a lightweight and efficient testing system is proposed. And in simulation test, a general scheme for building blockchain simulator is proposed, which can realize the test of throughput, storage allocation and reputation management. Experiments show that the prototype system proposed in this paper can effectively improve the efficiency of blockchain performance evaluation.
Article
Full-text available
Bitcoin is a decentralized crypto-currency, and an accompanying protocol, created in 2008. Bitcoin nodes continuously generate and propagate blocks---collections of newly approved transactions that are added to Bitcoin's ledger. Block creation requires nodes to invest computational resources, but also carries a reward in the form of bitcoins that are paid to the creator. While the protocol requires nodes to quickly distribute newly created blocks, strong nodes can in fact gain higher payoffs by withholding blocks they create and selectively postponing their publication. The existence of such selfish mining attacks was first reported by Eyal and Sirer, who have demonstrated a specific deviation from the standard protocol (a strategy that we name SM1). In this paper we extend the underlying model for selfish mining attacks, and provide an algorithm to find $\epsilon$-optimal policies for attackers within the model, as well as tight upper bounds on the revenue of optimal policies. As a consequence, we are able to provide lower bounds on the computational power an attacker needs in order to benefit from selfish mining. We find that the profit threshold -- the minimal fraction of resources required for a profitable attack -- is strictly lower than the one induced by the SM1 scheme. Indeed, the policies given by our algorithm dominate SM1, by better regulating attack-withdrawals. Using our algorithm, we show that Eyal and Sirer's suggested countermeasure to selfish mining is slightly less effective than previously conjectured. Next, we gain insight into selfish mining in the presence of communication delays, and show that, under a model that accounts for delays, the profit threshold vanishes, and even small attackers have incentive to occasionally deviate from the protocol. We conclude with observations regarding the combined power of selfish mining and double spending attacks.
Conference Paper
Full-text available
Conference Paper
Full-text available
One of the unique features of the digital currency Bitcoin is that new cash is introduced by so-called miners carrying out resource-intensive proof-of-work operations. To increase their chances of obtaining freshly minted bitcoins, miners typically join pools to collaborate on the computations. However, intense competition among mining pools has recently manifested in two ways. Miners may invest in additional computing resources to increase the likelihood of winning the next mining race. But, at times, a more sinister tactic is also employed: a mining pool may trigger a costly distributed denial-of-service (DDoS) attack to lower the expected success outlook of a competing mining pool. We explore the trade-off between these strategies with a series of game-theoretical models of competition between two pools of varying sizes. We consider differences in costs of investment and attack, as well as uncertainty over whether a DDoS attack will succeed. By characterizing the game’s equilibria, we can draw a number of conclusions. In particular, we find that pools have a greater incentive to attack large pools than small ones. We also observe that larger mining pools have a greater incentive to attack than smaller ones.
Article
Full-text available
Bitcoin is a "crypto currency", a decentralized electronic payment scheme based on cryptography. Bitcoin economy grows at an incredibly fast rate and is now worth some 10 billions of dollars. Bitcoin mining is an activity which consists of creating (minting) the new coins which are later put into circulation. Miners spend electricity on solving cryptographic puzzles and they are also gatekeepers which validate bitcoin transactions of other people. Miners are expected to be honest and have some incentives to behave well. However. In this paper we look at the miner strategies with particular attention paid to subversive and dishonest strategies or those which could put bitcoin and its reputation in danger. We study in details several recent attacks in which dishonest miners obtain a higher reward than their relative contribution to the network. In particular we revisit the concept of block withholding attacks and propose a new concrete and practical block withholding attack which we show to maximize the advantage gained by rogue miners.
Conference Paper
Full-text available
The Bitcoin cryptocurrency records its transactions in a public log called the blockchain. Its security rests critically on the distributed protocol that maintains the blockchain, run by participants called miners. Conventional wisdom asserts that the mining protocol is incentive-compatible and secure against colluding minority groups, that is, it incentivizes miners to follow the protocol as prescribed. We show that the Bitcoin mining protocol is not incentive-compatible. We present an attack with which colluding miners obtain a revenue larger than their fair share. This attack can have significant consequences for Bitcoin: Rational miners will prefer to join the selfish miners, and the colluding group will increase in size until it becomes a majority. At this point, the Bitcoin system ceases to be a decentralized currency. Unless certain assumptions are made, selfish mining may be feasible for any group size of colluding miners. We propose a practical modification to the Bitcoin protocol that protects Bitcoin in the general case. It prohibits selfish mining by pools that command less than $$1/4$$ of the resources. This threshold is lower than the wrongly assumed $$1/2$$ bound, but better than the current reality where a group of any size can compromise the system.
Article
Full-text available
Algorithms in varied fields use the idea of maintaining a distribution over a certain set and use the multiplicative update rule to iteratively change these weights. Their analyses are usually very similar and rely on an exponential potential function. In this survey we present a simple meta-algorithm that unifies many of these disparate algorithms and derives them as simple instantiations of the meta-algorithm. We feel that since this meta-algorithm and its analysis are so simple, and its applications so broad, it should be a standard part of algorithms courses, like “divide and conquer.”
Conference Paper
The Bitcoin protocol requires nodes to quickly distribute newly created blocks. Strong nodes can, however, gain higher payoffs by withholding blocks they create and selectively postponing their publication. The existence of such selfish mining attacks was first reported by Eyal and Sirer, who have demonstrated a specific deviation from the standard protocol (a strategy that we name SM1). In this paper we investigate the profit threshold – the minimal fraction of resources required for a profitable attack. Our analysis provides a bound under which the system can be considered secure against such attacks. Our techniques can be adapted to protocol modifications to assess their susceptibility to selfish mining, by computing the optimal attack under different variants. We find that the profit threshold is strictly lower than the one induced by the SM1 scheme. The policies given by our algorithm dominate SM1 by better regulating attack-withdrawals. We further evaluate the impact of some previously suggested countermeasures, and show that they are less effective than previously conjectured. We then gain insight into selfish mining in the presence of communication delays, and show that, under a model that accounts for delays, the profit threshold vanishes, and even small attackers have incentive to occasionally deviate from the protocol. We conclude with observations regarding the combined power of selfish mining and double spending attacks.
Conference Paper
Conference Paper
Cryptocurrencies like Bitcoin and the more recent Ethereum system allow users to specify scripts in transactions and contracts to support applications beyond simple cash transactions. In this work, we analyze the extent to which these systems can enforce the correct semantics of scripts. We show that when a script execution requires nontrivial computation effort, practical attacks exist which either waste miners' computational resources or lead miners to accept incorrect script results. These attacks drive miners to an ill-fated choice, which we call the verifier's dilemma, whereby rational miners are well-incentivized to accept unvalidated blockchains. We call the framework of computation through a scriptable cryptocurrency a consensus computer and develop a model that captures incentives for verifying computation in it. We propose a resolution to the verifier's dilemma which incentivizes correct execution of certain applications, including outsourced computation, where scripts require minimal time to verify. Finally we discuss two distinct, practical implementations of our consensus computer in real cryptocurrency networks like Ethereum.
Conference Paper
The Bitcoin protocol supports optional direct payments from transaction partners to miners. These “fees” are supposed to substitute miners’ minting rewards in the long run. Acknowledging their role for the stability of the system, the right level of transaction fees is a hot topic of normative debates. This paper contributes empirical evidence from a historical analysis of agents’ revealed behavior concerning their payment of transaction fees. We identify several regime shifts, which can be largely explained by changes in the default client software or actions of big intermediaries in the ecosystem. Overall, it seems that rules dominate ratio, a state that is sustainable only if fees remain negligible.
Article
In the multiarmed bandit problem, a gambler must decide which arm of K non-identical slot machines to play in a sequence of trials so as to maximize his reward. This classical problem has received much attention because of the simple model it provides of the trade-off between exploration (trying out each arm to find the best one) and exploitation (playing the arm believed to give the best payoff). Past solutions for the bandit problem have almost always relied on assumptions about the statistics of the slot machines. In this work, we make no statistical assumptions whatsoever about the nature of the process generating the payoffs of the slot machines. We give a solution to the bandit problem in which an adversary, rather than a well-behaved stochastic process, has complete control over the payoffs. In a sequence of T plays, we prove that the per-round payo of our algorithm approaches that of the best arm at the rate O(T-1/2). We show by a matching lower bound that this is the best possible. We also prove that our algorithm approaches the per-round payo of any set of strategies at a similar rate: if the best strategy is chosen from a pool of N strategies, then our algorithm approaches the per-round payo of the strategy at the rate O((log N)T-1/2(-1/2)). Finally, we apply our results to the problem of playing an unknown repeated matrix game. We show that our algorithm approaches the minimax payo of the unknown game at the rate O(T-1/2).
Conference Paper
We present an empirical investigation into the prevalence and impact of distributed denial-of-service (DDoS) attacks on operators in the Bitcoin economy. To that end, we gather and analyze posts mentioning “DDoS” on the popular Bitcoin forum bitcointalk.org. Starting from around 3 000 different posts made between May 2011 and October 2013, we document 142 unique DDoS attacks on 40 Bitcoin services. We find that 7% of all known operators have been attacked, but that currency exchanges, mining pools, gambling operators, eWallets, and financial services are much more likely to be attacked than other services. Not coincidentally, we find currency exchanges and mining pools are much more likely to have DDoS protection such as CloudFlare, Incapsula, or Amazon Cloud. We show that those services that have been attacked are more than three times as likely to buy anti-DDoS services than operators who have not been attacked. We find that big mining pools (those with historical hashrate shares of at least 5%) are much more likely to be DDoSed than small pools. We investigate Mt. Gox as a case study for DDoS attacks on currency exchanges and find a disproportionate amount of DDoS reports made during the large spike in trading volume and exchange rates in spring 2013. We conclude by outlining future opportunities for researching DDoS attacks on Bitcoin.
Conference Paper
Bitcoin is quickly emerging as a popular digital payment system. However, in spite of its reliance on pseudonyms, Bitcoin raises a number of privacy concerns due to the fact that all of the transactions that take place are publicly announced in the system. In this paper, we investigate the privacy provisions in Bitcoin when it is used as a primary currency to support the daily transactions of individuals in a university setting. More specifically, we evaluate the privacy that is provided by Bitcoin (i) by analyzing the genuine Bitcoin system and (ii) through a simulator that faithfully mimics the use of Bitcoin within a university. In this setting, our results show that the profiles of almost 40% of the users can be, to a large extent, recovered even when users adopt privacy measures recommended by Bitcoin. To the best of our knowledge, this is the first work that comprehensively analyzes, and evaluates the privacy implications of Bitcoin.
Article
We study the economics of Bitcoin transaction fees in a simple static partial equilibrium model with the specificity that the system security is directly linked to the total computational power of miners. We show that any situation with a fixed fee is equivalent to another situation with a limited block size. In both cases, we give the optimal value of the transaction fee or of the block size. We also show that making the block size a non binding constraint and, in the same time, letting the fee be fixed as the outcome of a decentralized competitive market cannot guarantee the very existence of Bitcoin in the long-term.
Article
A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.
Article
In the multiarmed bandit problem, a gambler must decide which arm of K non- identical slot machines to play in a sequence of trials so as to maximize his reward. This classical problem has received much attention because of the simple model it provides of the trade-off between exploration (trying out each arm to find the best one) and exploitation (playing the arm believed to give the best payoff). Past solutions for the bandit problem have almost always relied on assumptions about the statistics of the slot machines. In this work, we make no statistical assumptions whatsoever about the nature of the process generating the payoffs of the slot machines. We give a solution to the bandit problem in which an adversary, rather than a well-behaved stochastic process, has complete control over the payoffs. In a sequence of T plays, we prove that the per-round payoff of our algorithm approaches that of the best arm at the rate O(T −1/2). We show by a matching lowerbound that this is the best possible. We also prove that our algorithm approaches the per-round payoff of any set of strategies at a similar rate: if the best strategy is chosen from a pool of N strategies, then our algorithm approaches the per-round payoff of the strategy at the rate O((log N )1/2T −1/2). Finally, we apply ourr esults to the problem of playing an unknown repeated matrix game. We show that our algorithm approaches the minimax payoff of the unknown game at the rate O(T −1/2).
Article
In this paper we describe the various scoring systems used to calculate rewards of participants in Bitcoin pooled mining, explain the problems each were designed to solve and analyze their respective advantages and disadvantages.
Article
We develop and implement a collocation method to solve for an equilibrium in the dynamic legislative bargaining game of Duggan and Kalandrakis (2008). We formulate the collocation equations in a quasi-discrete version of the model, and we show that the collocation equations are locally Lipchitz continuous and directionally differentiable. In numerical experiments, we successfully implement a globally convergent variant of Broyden's method on a preconditioned version of the collocation equations, and the method economizes on computation cost by more than 50% compared to the value iteration method. We rely on a continuity property of the equilibrium set to obtain increasingly precise approximations of solutions to the continuum model. We showcase these techniques with an illustration of the dynamic core convergence theorem of Duggan and Kalandrakis (2008) in a nine-player, two-dimensional model with negative quadratic preferences.
Conference Paper
External regret compares the performance of an online algorithm, selecting among N actions, to the performance of the best of those actions in hindsight. Internal regret compares the loss of an online algorithm to the loss of a modified online algorithm, which consistently replaces one action by another. In this paper, we give a simple generic reduction that, given an algorithm for the external regret problem, converts it to an efficient online algorithm for the internal regret problem. We provide methods that work both in the full information model, in which the loss of every action is observed at each time step, and the partial information (bandit) model, where at each time step only the loss of the selected action is observed. The importance of internal regret in game theory is due to the fact that in a general game, if each player has sublinear internal regret, then the empirical frequencies converge to a correlated equilibrium. For external regret we also derive a quantitative regret bound for a very general setting of regret, which includes an arbitrary set of modification rules (that possibly modify the online algorithm) and an arbitrary set of time selection functions (each giving different weight to each time step). The regret for a given time selection and modification rule is the difference between the cost of the online algorithm and the cost of the modified online algorithm, where the costs are weighted by the time selection function. This can be viewed as a generalization of the previously-studied sleeping experts setting.
Article
We study the construction of prediction algorithms in a situation in which a learner faces a sequence of trials, with a prediction to be made in each, and the goal of the learner is to make few mistakes. We are interested in the case that the learner has reason to believe that one of some pool of known algorithms will perform well, but the learner does not know which one. A simple and effective method, based on weighted voting, is introduced for constructing a compound algorithm in such a circumstance. We call this method the Weighted Majority Algorithm. We show that this algorithm is robust in the presence of errors in the data. We discuss various versions of the Weighted Majority Algorithm and prove mistake bounds for them that are closely related to the mistake bounds of the best algorithms of the pool. For example, given a sequence of trials, if there is an algorithm in the pool A that makes at most m mistakes then the Weighted Majority Algorithm will make at most c(log jAj + m) mi...
A transaction fee market exists without a block size limit. 2015. R. Peter. A transaction fee market exists without a block size limit
• R Peter
Bitcoin is not broken
• K Hill
The economics of bitcoin mining, or bitcoin in the presence of adversaries
• J A Kroll
• I C Davey
• E W Felten
The economics of bitcoin transaction fees. Working Paper GATE 2014-07. halshs-00951358
• N Houy