4. A simple backward-compatible progressive modification to the Bitcoin protocol that would raise the threshold from zero to 1/4 (Section 6).
We provide an overview of related work in Section 7, and
discuss the implications of our results in Section 8.
Bitcoin is a distributed, decentralized cryptocurrency. 15
The users of Bitcoin are called clients, each of whom can
command accounts, known as addresses. A client can send
Bitcoins to another client by forming a transaction and
committing it into a global append-only log called the
blockchain. The blockchain is maintained by a network of miners,
which are compensated for their effort in Bitcoins. Bitcoin
transactions are protected with cryptographic techniques
that ensure only the rightful owner of a Bitcoin address can
transfer funds from it.
The miners are in charge of recording the transactions in
the blockchain, which determines the ownership of Bitcoins.
A client owns x Bitcoins at time t if, in the prefix of the blockchain up to time t, the aggregate of transactions involving
that client’s address amounts to x. Miners only accept transactions if their inputs are unspent.
2. 1. Blockchain and mining
The blockchain records the transactions in units of blocks.
Each block includes a unique ID, and the ID of the preceding
block. The first block, dubbed the genesis block, is defined as
part of the protocol. A valid block contains a solution to a cryptopuzzle involving the hash of the previous block, the hash of
the transactions in the current block, and a Bitcoin address
which is to be credited with a reward for solving the cryptopuzzle. This process is called Bitcoin mining, and, by slight abuse of
terminology, we refer to the creation of blocks as block mining.
The specific cryptopuzzle is a double-hash whose result has to
be smaller than a set value. The problem difficulty, set by this
value, is dynamically adjusted such that blocks are generated
at an average rate of one every ten minutes.
Any miner may add a valid block to the chain by simply
publishing it over an overlay network to all other miners.
If two miners create two blocks with the same preceding
block, the chain is forked into two branches, forming a tree.
Other miners may subsequently add new valid blocks to
either branch. When a miner tries to add a new block after
an existing block, we say it mines on the existing block. This
existing block may be the head of a branch, in which case we
say the miner mines on the head of the branch, or simply on
The formation of branches is undesirable since the min-
ers have to maintain a globally-agreed totally ordered set of
transactions. To resolve forks, the protocol prescribes min-
ers to adopt and mine on the longest chain.a All miners add
selfish pool’s rewards exceed its share of the network’s min-
ing power, conferring it a competitive advantage and incen-
tivizing rational miners to join the selfish mining pool.
We show that, above a certain threshold size, the revenue of
a selfish pool rises superlinearly with pool size above its revenue with the honest strategy. This fact has critical implications
for the resulting system dynamics. Once a selfish mining pool
reaches the threshold, rational miners will preferentially join
selfish miners to reap the higher revenues compared to other
pools. Such a selfish mining pool can quickly grow towards
a majority. If the pool tips the majority threshold (due to the
addition of malicious actors aimed at undermining the system, rational actors wishing to usurp the currency, perhaps
covertly, or due to momentum in pool popularity), it can switch
to a modified protocol that ignores blocks generated outside
the pool, to become the only creator of blocks and reap all the
mining revenue. A majority pool wishing to remain covert may
remain a benign monopolist, accepting blocks from third-parties on occasion to provide the illusion of decentralization,
while retaining the ability to reap full revenue when needed,
as well as the ability to launch double-expenditure attacks
against merchants. Either way, the decentralized nature of the
currency will have collapsed, and a single entity, the selfish
pool manager, will control the system.
Since a selfish mining pool that exceeds threshold size
poses a threat to the Bitcoin system, we characterize how the
threshold varies as a function of message propagation speed
in the network. We show that, for a mining pool with high connectivity and good control on information flow, the threshold
is close to zero. This implies that, if less than 100% of the miners are honest, the system may not be incentive compatible:
The first selfish miner will earn proportionally higher revenues than its honest counterparts, and the revenue of the selfish mining pool will increase superlinearly with pool size.
We further show that the Bitcoin mining protocol will
never be safe against attacks by a selfish mining pool that
commands more than 1/3 of the total mining power of the
network. Such a pool will always be able to collect mining
rewards that exceed its proportion of mining power, even
if it loses every single block race in the network. The resulting bound of 2/3 for the fraction of Bitcoin mining power
that needs to follow the honest protocol to ensure that the
protocol remains resistant to being gamed is substantially
lower than the 50% figure currently assumed, and difficult
to achieve in practice. Finally, we suggest a simple modification to the Bitcoin protocol that achieves a threshold of 1/4.
This change is backwards-compatible and progressive; that
is, it can be adopted by current clients with modest changes,
does not require full adoption to provide a benefit, and partial adoption will proportionally increase the threshold.
In summary, the contributions of this work are:
1. Introduction of the Selfish-Mine strategy, which demonstrates that Bitcoin mining is not incentive compatible (Section 3).
2. Analysis of Selfish-Mine, and when it can benefit a pool
3. Analysis of majority-pool formation in face of selfish
mining (Section 5).
a The criterion is actually the most difficult chain in the block tree, that is,
the one that required (in expectancy) the most mining power to create.
To simplify presentation, and because it is usually the case, we assume
the set difficulty at the different branches is the same, and so the longest
chain is also the most difficult one.