empty blocks will also lower the incentive to engage in such behavior.
Transaction propagation. A second
important aspect of the Bitcoin protocol pertains to information propagation: new transactions and blocks
should be sent to all peers in the network. Here the incentive to comply
with the protocol is not so clear. Miners
may even have a disincentive to share
unconfirmed transactions that have
yet to be included in blocks, especially
transactions that offer high fees. 1 Miners have strong incentive to keep such
transactions to themselves until they
manage to create a block. Sending a
transaction to others allows them to
snatch the reward it offers first. Thus
far, most transaction fees have been
relatively low, and there is no evidence
that transactions with high fees are being withheld in this way.
Next, let’s turn our attention to deviations from the mining protocol intended
explicitly to manipulate the blockchain.
Selfish mining. Whenever a miner
creates a new block, the protocol says it
should be created on top of the longest
chain the miner observes (that is, to
reference the tip of the longest chain
as its predecessor) and that the miner
should send the new block immediately to network peers.
Unfortunately, a miner can benefit
by deviating from these rules and acting strategically. 5, 11 The miner’s general strategy is to withhold the blocks’
publication and keep the extension of
the public chain secret. Meanwhile,
the public chain is extended by other
(honest) nodes. The strategic miner
publishes the chain only when the risk
that it will not prevail as the longest
chain is too high. When the miner does
so, all nodes adopt the longer extension that the miner suddenly released,
as dictated by the protocol, and they
discard the previous public extension.
Importantly, this behavior increases the miner’s share in the longest
chain—meaning, it increases the
percentage of blocks on the eventual longest chain that the miner generates.
Recall that Bitcoin automatically adjusts the difficulty of the proof-of-work
so as to keep the block creation rate
constant. Thus, in the long run, a larger relative share of blocks in the chain
translates to an increase in the miner’s
There is no definite method to verify
whether miners are engaging in selfish mining or not. Given that very few
blocks are orphaned, it seems like this
practice has not been taken up, at least
not by large miners (who would also
have the most to gain from it). One way
to explain this is that miners who attempt such manipulation over the long
term may suffer loss to their reputation
and provoke outrage by the community. Another explanation is that this
scheme initially requires losing some
of the selfish miner’s own blocks, and
it becomes profitable only in the long
run (it takes around two weeks for the
protocol to readjust the difficulty level).
Double spending is the basic attack
against Bitcoin users: the attacker pub-
lishes a legitimate payment to the net-
work, waits for it to be embedded in the
blockchain and for the victim to confirm
it, and then publishes a longer chain of
blocks mined in secret that do not con-
tain this payment. The payment is then
no longer part of the longest chain and,
effectively, “never happened.”
This attack incurs a risk: the attack-
er could lose the rewards for his or her
blocks if they do not end up in the longest
chain. Surprisingly, and unfortunately,
a persistent attacker can eliminate this
risk by following more sophisticated at-
tack schemes. 12 The idea is to abandon
the attack frequently, publish the secret
attack chain, and collect rewards for its
blocks. By resetting the attack whenever
the risk of losing block rewards is too
high, the attacker can eliminate the at-
tack cost and even be profitable in the
long term. These schemes are in essence
a combination of selfish mining and
Currently, double spending is not
observed often in the network. This
could be because executing a successful double spend is difficult, or because
the very miners who could execute
such attacks successfully also have a
heavy stake in the system’s reputation.
Incentives do indeed play a big role in
the Bitcoin protocol. They are crucial
for its security and effectively drive its
daily operation. As argued here, miners go to extreme lengths to maximize
their revenue and often find creative
ways to do so that are sometimes at
odds with the protocol.
Cryptocurrency protocols should be
placed on stronger foundations of incentives. There are many areas left to
improve, ranging from the very basics
of mining rewards and how they interact with the consensus mechanism,
through the rewards in mining pools,
and all the way to the transaction fee
Research for Practice: Cryptocurrencies,
Blockchains, and Smart Contracts
Arvind Narayanan and Andrew Miller
Bitcoin’s Academic Pedigree
Arvind Narayanan and Jeremy Clark
1. Babaioff, M. et al. On Bitcoin and red balloons. In
Proceedings of the 13th ACM Conference on Electronic
Commerce, 2012, 56–73.
2. Ball, M. et al. Proofs of Useful Work. IACR Cryptology
ePrint Archive, 2017, 203.
3. Carlsten, M. et al. On the instability of Bitcoin without
the block reward. In Proceedings of the ACM SIGSAC
Conference on Computer and Communications
Security, 2016, 154–167.
4. Eyal, I. The Miner’s dilemma. In Proceedings of the
IEEE Symposium on Security and Privacy, 2015.
5. Eyal, I. and Sirer, E.G. Majority is not Enough:
Bitcoin mining is vulnerable. In Proceedings of the
International Conference on Financial Cryptography
and Data Security. Springer, Berlin, 2014.
6. Fisch, B.A., Pass, R., Shelat, A. Socially Optimal Mining
Pools. arXiv preprint, 2017.
7. Miller, A. et al. Nonoutsourceable scratch-off puzzles
to discourage Bitcoin mining coalitions. In Proceedings
of the 22nd ACM SIGSAC Conference on Computer and
Communications Security. 2015.
8. Miller, A. et al. Permacoin: Repurposing Bitcoin work
for data preservation. In Proceedings of the IEEE
Symposium on Security and Privacy, 2014.
9. Nakamoto, S. Bitcoin: A peer-to-peer electronic cash
system. Bitcoin.org, 2008; https://bitcoin.org/bitcoin.pdf.
10. Rosenfeld, M. Analysis of Bitcoin Pooled Mining
Reward Systems. arXiv preprint, 2011.
11. Sapirshtein, A., Sompolinsky, Y. and Zohar, A. Optimal
selfish mining strategies in Bitcoin. In Proceedings
of the International Conference on Financial
Cryptography and Data Security. Springer, Berlin, 2016.
12. Sompolinsky, Y. and Zohar, A. Bitcoin’s security model
revisited. In Proceedings of the International Joint
Conference on Artificial Intelligence, Workshop on A. I.
in Security, 2017. Melbourne.
13. Zhang, F. et al. REM: Resource-Efficient Mining for
Blockchains. Cryptology ePrint Archive. https://eprint.
Yonatan Sompolinsky is a Ph.D. student at
the School of Computer Science and Engineering at
the Hebrew University of Jerusalem. He is founding
scientist of DAGlabs.
Aviv Zohar is a faculty member at the School of
Computer Science and Engineering at the Hebrew
University of Jerusalem, and a cofounder and
chief scientist of QED-it. He has been researching
the scalability, security, and underlying incentives
of cryptocurrencies for several years.
Copyright held by authors/owners.
Publication rights licensed to ACM. $15.00.