Several dozen cryptocurrencies have followed Bitcoin’s
success. 24 These currencies are based on a global log, which
is extended by the users’ efforts. We conjecture that the
essential technique of withholding blocks for selfish mining
can be directly applied to all such systems.
It was commonly believed that the Bitcoin system is sound
as long as a majority of the participants honestly follow the
protocol, and the “51% attack” was the chief concern. 13, 15 The
notion of soundness for a nascent, distributed, Internet-wide,
decentralized system implies the presence of incentives for
adoption of the prescribed protocol, for such incentives ensure
a robust system comprised of participants other than enthusiastic and altruistic early adopters. Felten10 notes that “there
was a folk theorem that the Bitcoin system was stable, in the
sense that if everyone acted according to their incentives, the
inevitable result would be that everyone followed the rules of
Bitcoin as written.” Others17 have claimed that “the well-known
argument – never proven, but taken on intuitive faith – that a
minority of miners can’t control the network is a special case
of a more general assumption: that a coalition of miners with
X of the network’s hash power can make no more than X%
of total mining revenues.” A survey3 on the technical features
responsible for Bitcoin’s success notes that the Bitcoin design
“addresses the incentive problems most expeditiously,” while
Bitcoin tutorials for the general public hint at incentives
designed to align participants’ and the system’s goals. 19 More
formally, Kroll, Davey and Felten’s work12 provides a game-theoretic analysis of Bitcoin, without taking into account block
withholding attacks such as selfish mining, and argues that
the honest strategy constitutes a Nash equilibrium, implying
Our work shows that the real Bitcoin protocol, which
permits block withholding and thereby enables selfish min-ingstyle attacks, does not constitute an equilibrium. It demonstrates that the Bitcoin mining system is not incentive
compatible even in the presence of an honest majority. Over
2/3 of the participants need to be honest to protect against
selfish mining, under the most optimistic of assumptions.
A distinct exception from this common wisdom is a discussion of maintaining a secret fork in the Bitcoin forums, mostly by
usersc btchris, ByteCoin, mtgox, and RHorning. 20 The approach,
dubbed the Mining Cartel Attack, is inferior to selfish mining in
that the cartel publishes two blocks for every block published
by the honest nodes. This discussion does not include an analysis of the attack (apart from a brief note on simulation results),
does not explore the danger of the resulting pool dynamics, and
does not suggest a solution to the problem.
The influential work of Rosenfeld21 addresses the behavior of miners in the presence of different pools with different rewards. Although it addresses revenue maximization for
miners with a set mining power, this work is orthogonal to
the discussion of Selfish Mining, as it centers around the pool
reward system. Both selfish pools and honest pools should
carefully choose their reward method. Since a large-enough
selfish pool would earn more than its mining power, any fair
reward method would provide more reward to its miners, so
rational miners would choose it over an honest pool.
Recent work2 addresses the lack of incentives for disseminating transactions between miners, since each of them prefers to collect the transaction fee himself. This is unrelated
to the mining incentive mechanism we discuss.
The Bitcoin blockchain had one significant bifurcation
in March 2013 due to a bug. 1 It was solved when the two largest pools at the time manually pruned one branch. This bug-induced fork, and the one-off mechanism used to resolve it,
are fundamentally different from the intentional forks that
In a block withholding attack, a pool member decreases the
pool revenue by never publishing blocks it finds. Although
it sounds similar to the strategy of Selfish-Mine, the two are
unrelated, as our work that deals with an attack by the pool
on the system.
Various systems build services on top of the Bitcoin global
log, for example, improved coin anonymity, 14 namespace
maintenance16 and virtual notaries. 11 These services that rely
on Bitcoin are at risk in case of a Bitcoin collapse.
We briefly discuss below several points at the periphery of
8. 1. System collapse
The Bitcoin protocol is designed explicitly to be decentralized. We therefore refer to a state in which a single entity
controls the entire currency system as a collapse of Bitcoin.
Note that such a collapse does not immediately imply
that the value of a Bitcoin drops to 0. The controlling entity
will have an incentive to accept most transactions, if only to
reap their fees, and because if it mines all Bitcoins, it has
strong motivation that they maintain their value. It may also
choose to remain covert, and hide the fact that it can control
the entire currency. An analysis of a Bitcoin monopolist’s
behavior is beyond the scope of this paper, but we believe
that a currency that is de facto or potentially controlled by a
single entity may deter many of Bitcoin’s clients.
8. 2. Detecting selfish mining
There are two telltale network signatures of selfish mining
that can be used to detect when selfish mining is taking
place, but neither are easy to measure definitively.
The first and strongest sign is that of abandoned (orphaned)
chains, where the block race that takes place as part of selfish
mining leaves behind blocks that were not incorporated into
the blockchain. Unfortunately, it is difficult to definitively
account for abandoned blocks, as the current protocol prunes
and discards such blocks inside the network. A measurement
tool that connects to the network from a small number of
vantage points may miss abandoned blocks.
The second indicator of selfish mining activity is the timing
gap between successive blocks. A selfish miner who squelches
an honest chain of length N with a chain of length N+ 1 will
reveal a block very soon after its predecessor. Since normal
mining events should be independent, one would expect block
discovery times to be exponentially distributed. A deviation
from this distribution would be suggestive of mining activity. The problems with this approach are that it detects only c In alphabetical order.