Double-Spend Counterattacks: Threat of Retaliation in Proof-of-Work Systems

02/25/2020 ∙ by Daniel J. Moroz, et al. ∙ MIT Harvard University 0

Proof-of-Work mining is intended to provide blockchains with robustness against double-spend attacks. However, an economic analysis that follows from Budish (2018), which considers free entry conditions together with the ability to rent sufficient hashrate to conduct an attack, suggests that the resulting block rewards can make an attack cheap. We formalize a defense to double-spend attacks. We show that when the victim can counterattack in the same way as the attacker, this leads to a variation on the classic game-theoretic War of Attrition model. The threat of this kind of counterattack induces a subgame perfect equilibrium in which no attack occurs in the first place.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Bitcoin is designed to solve the challenge of reaching agreement (consensus) over an ordered list of transactions (a blockchain) in a permissionless, peer-to-peer electronic cash system [Nakamoto]

. It does so by requiring participants to demonstrate computational activity, Proof-of-Work (PoW), and to build on the valid blockchain with the most work (heaviest-chain rule).

111This is sometimes referred to as the longest chain rule, but it is in fact the chain with the most Proof-of-Work as measured by the software, hence heaviest-chain rule, and not the chain with the most blocks. In Bitcoin and other PoW-based cryptocurrencies, miners perform expensive computational work committing to a particular transaction history. Miners are incentivized to do so because they receive rewards that are only valid if the chain on which they mine is the chain accepted by other participants.

In the course of a double-spend attack, an attacker rewrites a portion of the blockchain transaction history, spending the same token in two different ways. In this work we focus on the subset of double-spend attacks caused by obtaining a majority of the hashpower, known as 51% attacks.222We do not consider zero-confirmation attacks or attacks due to software version incompatibility. To conduct a double-spend attack, an attacker would create a blockchain transaction giving tokens to a victim, for example a cryptocurrency exchange. After an escrow waiting period, would exchange the tokens for a good, for example by selling the tokens for USD on the exchange. Meanwhile, would privately work to create an alternate chain history (a chain reorganization, or reorg) in which the original transaction is replaced by a self-payment, rendering the original transaction invalid (to do this, would need to complete more PoW on the alternate chain than the network had completed on the original chain). Upon receiving the USD, would reveal this new chain to the network, and all other participants faithfully following the heaviest-chain rule would switch to this rewritten history of transactions.

In fact, an economic analysis provided by Budish (2018) [Budish] suggests that, given a liquid market for hashrate, the cost of acquiring a majority of mining power on a chain for long enough to execute a double-spend attack would be small or negligible (see Section 2 for a modified version of this argument) because the attacker recoups the cost of attack in block rewards. The implication is that, with sufficient liquidity, many transactions completed on current PoW systems would be insecure against double-spend attacks. Moreover, markets for hashrate do exist. Nicehash is a marketplace that connects sellers and buyers of hashrate for different algorithms, and the website Crypto51 shows to what extent various chains are vulnerable to 51% attacks through NiceHash [NiceHash, crypto51].

Our Contributions.

We investigate the question of double-spend attacks through theoretical modeling and analysis, while also seeking support from empirical evidence.

As our primary contribution, we provide a formal model of a Retaliation game, extending Budish’s model [Budish] with a novel action (the victim’s counterattack). We show in this model, where both the attacker and defender can procure hashrate, that double-spending is not profitable. We consider a variation on the widely studied War of Attrition

model from game theory, and show a subgame perfect equilibrium in which no double-spend attack occurs even if a single attack is cheap relative to the contested transaction. Our result is achieved under mild assumptions, namely that the net cost of each successive attack increases over time, and the victim, for example an exchange, pays a reputation cost for being double-spent.

Second, we modify Budish’s model to show that, without considering counterattacks, double-spend attacks may be either free, cheap or impossible, depending on the market availability of hashrate and the price impact of an attack.333Auer [Auer] shows a similar result, independently and contemporaneously, though without connecting directly to the Budish model.

Third, we compile known data on double-spend attacks to show that attacks have occurred on low-PoW chains such as Bitcoin Gold but not high-PoW chains such as Bitcoin. As of February 2020, we also identify preliminary evidence of retaliations to double-spend attacks on Bitcoin Gold.

The rest of this paper is organized as follows: In Section 2 we introduce a modified version of the economic model introduced in Budish, adopting a different duration of attack, which changes the rental cost of attack and the block rewards that accrue from an attack. In Section 3, we introduce the Retaliation game, which considers the possibility of retaliation by the victim, and develop a subgame perfect equilibrium analysis of no-attack. In Section 4, we present empirical results that show the existence of double-spend attacks on low-PoW chains but not high-PoW chains. In Section 5 we provide a discussion of the empirical results we see and their connection with our models. In Section 6 we conclude, and discuss directions for future work.

1.1 Related Work

1.1.1 Game-Theoretic Analyses of PoW Systems

There are several studies analyzing game-theoretic models of PoW mining and double-spending specifically, with early work assuming that the attacker would never achieve a majority of the hashrate. In the original Bitcoin paper, Nakamoto (2008) [Nakamoto]

shows that the probability that a minority attacker would be able to double-spend the Bitcoin network decreases as the number of blocks found since a transaction increases. Rosenfeld (2012)

[Rosenfeld-DS] expands on these calculations, producing tables of the probability of successful attack and largest safe transaction size (in BTC), both as function of a potential attacker’s hashrate () and the number of blocks already mined on top of the transaction in question.

As we elaborate on in Section 2, our work is related to Budish (2018) [Budish], which considers a double-spend attack achieved through a hashrate rental market, and introduces a model where, in equilibrium, such an attack is relatively cheap. We first modify this model to show that, without considering counterattacks, double-spend attacks may be either free, cheap or impossible, depending on the market availability of rental hashrate and the price impact of an attack. We then extend Budish’s model by also allowing the victim to have access to the same hashrate market as the attacker. This leads to the War of Attrition model and the Retaliation game.

A number of other papers have also taken inspiration from Budish. Among them, Auer (2019) [Auer] analyzes payment security for PoW cryptocurrencies and, independently and contemporaneously, derives a safety condition similar to our Corollary 2.2.1. Auer shows that, taking the long term view (at some point, the block reward will be low), PoW security will come largely from transaction fees, which are only high when congestion is high. Auer shows that fees suffer from a free-rider problem, suggesting that in the long-term the security on any PoW chain will be low, giving a similar result to Carlsten et al. (2016) [Instability]. In future work, it will be interesting to examine whether our theoretical analysis of counterattacks may mitigate this observation about the role of fees.

Following Auer, a white paper provides a similar safety condition, but without considering hashrate market impact (Hasu et al., 2019) [Hasu]. These authors emphasize that miners typically have high upfront costs (e.g., purchasing mining hardware and prepaying electricity costs), and that an attack that reduces the price of the mined asset will reduce the value of their mining hardware. Thus, miners are incentivized not to lease hashpower to potential attackers, making an attack more difficult.

The notion that a victim might be able to launch a counterattack has been raised before, but largely dismissed as difficult to implement and ineffective. As we show in our model, the mere ability of recipients or some service they employ to counterattack may be sufficient to discourage attacks from happening in the first place. Bonneau (2016) [Bonneau] briefly discusses the possibility of counterattacks, but suggests that this would place undue burden on the recipient of a transaction to monitor the chain and be willing to counterattack.444As we discuss in Section 5, we agree that the requirement to monitor the chain and be ready to counterattack is, at present, a somewhat difficult task and that this changes the security model of PoW systems. However, it seems reasonable to study a system with this capability in place, especially given that our model shows that attacking is unprofitable when the victim is able to counterattack. Bonneau situates this discussion in the context of an attacker who can rent hashrate by bribing miners, raising the concern that the net cost of a double-spend attack can be low. Judmayer et al. (2019) [Pay-To-Win] also briefly consider the possibility of counterattacks, saying simply that if a defender counterattacks that this results in a “bidding game”. They also show how to efficiently implement various bribing-style attacks on Bitcoin, by guaranteeing payments through smart-contracts on Ethereum. Lastly, Vorick (2019) [Vorick] informally analyzes a game with retaliation, but without the assumption of decreasing profit from attack over time, and concludes that counterattacks would not deter attackers.

Without considering counterattacks, Liao and Katz (2017) [Whale] analyze a specific form of Bonneau’s bribing attack in which an attacker, lacking a majority of hashpower, incentivizes other miners to mine on the shorter attack chain by issuing large-fee transactions on that chain. Other miners can collect the large fees only if they join the attacker in mining on the attacking chain. Thus the attacking chain can gain majority support, making the 51% attack successful, and the attacker only has to pay if the attack is successful. Our model considers that the attacker rents hashrate from a marketplace, but it can be abstracted to be equivalent to this model. Thus our retaliation argument applies to this attack as well.

There have also been attempts to compare the economic security (that is, the difficulty of double-spending) on different PoW chains. A well-known but sometimes unreliable source for this information is Crypto51.app [crypto51], which reports the hashing algorithm and hashrate of each cryptocurrency. Using values from the NiceHash hashrate marketplace [NiceHash]

, it also estimates the cost of renting the equivalent of one hour’s worth of that network’s PoW, as well as the availability of that amount of hashrate in the marketplace. In a blog post, Carter (2019)

[Carter-Settlement] also ranks the security of cryptocurrencies in order of how much is paid to miners per unit time.

Broadening out from double-spending attacks, while still appealing to decision-theoretic and game-theoretic models, Eyal and Gun Sirer (2013) [Selfish] consider a miner who deviates from the default protocol in order to earn more block rewards. In this model of selfish mining, they show that a miner with a significant but non-majority fraction of the mining power can earn more block rewards in expectation by mining in secret and following a carefully designed, alternate mining policy. This has in turn inspired a series of follow-up work. Among these, Sapirshtein et al. (2015) [Opt-Selfish]

encapsulates some features of the mining game into a Markov decision process, and solves for the optimal selfish strategy using value iteration. Related to selfish mining, Arnosti and Weinberg (2018)

[Oligopoly] and Leonardos et al. (2019) [Oceanic] provide theoretical analyses that indicate miners may profit from concentrating their power, suggesting that PoW systems will grow increasingly centralized. Lastly, Fiat et al. (2019) [Energy-Equilibria] and Goran and Spiegelman (2019) [Mind-Mining] propose and analyze another profitable deviation from the honest PoW protocol: occasionally turning mining equipment off in order to reduce the difficulty threshold, making mining more profitable later.

1.1.2 Standard Game-Theoretic Models

The double-spending retaliation model that we introduce is related to two well-known game-theoretic models: the War of Attrition and the Volunteer’s Dilemma.

The War of Attrition, first analyzed by Maynard Smith (1974) [Maynard-Smith-74], models two animals fighting for a single resource. The longer the fight goes on, the worse off they both become. The unique symmetric equilibrium is a mixed equilibrium in which each player in each round fights with decreasing probability. This equilibrium is both an evolutionarily stable strategy (ESS) and a subgame perfect equilibrium (SPE), both of which are refinements of a Nash equilibrium. Game-theoretic models in the biology literature [Maynard-Smith-74] more typically use the concept of ESS, while analyses in the economics literature [Fudenberg-Tirole-Book] (Section 4.5.2) more typically use the concept of SPE. If there is some asymmetry between the players, for example if one player is in possession of the resource to begin with, Maynard Smith also shows that no-fighting can be an ESS.

The Volunteer’s Dilemma, introduced in Diekmann (1985) [VOD], models a multi-player game in which one player must volunteer to pay a cost in order to provide all players with a benefit. Weesie (1993) [Weesie] shows that if the value of the benefit is decreasing over time and there is an asymmetry in costs among the players, there is a unique SPE in which the player with the lowest cost volunteers immediately. In our analysis, we take Weesie’s model of decreasing value over time and asymmetric players and couple this with the War of Attrition model, achieving a SPE for PoW security in which there is no attack in equilibrium.

2 A Model of Majority Attack Without Retaliation

We first modify the model and analysis of a double-spend attack from Budish [Budish]. As with Budish, we will assume the availability of a hashrate marketplace, but also allow for some friction, so that the rental cost increases as more hashpower is rented. We also allow for an attack having the effect of changing the price of the cryptocurrency.

Based on this, we determine the cost of a single double-spend attack in terms of the block reward. For now, we assume that the victim of the double-spend will not retaliate. The analysis reveals a safety condition: the size of a transaction must be small enough relative to the size of the block reward in order to make it unprofitable to double-spend the transaction.

2.1 Model

Consider the following elements of our model:

  • Let denote the block reward,555The block reward includes both the block subsidy and transaction fees paid to miners. For simplicity, we assume that is constant over the time we consider, even though transaction fees may vary. This is a reasonable approximation since, as of Febuary 2020, the typical total fee reward for a Bitcoin block is about 0.5% - 2.5% of the block subsidy [fees], so does not vary much block-to-block. measured in dollars.

  • Let denote the amount of honest hashpower in the system, measured in hashes per block.

  • Let denote the marginal cost of renting one unit of hashpower in the absence of attack, in dollars per hash.

  • Let denote the multiple of the total honest hashpower that the attacker acquires.

  • Let denote the escrow period, in blocks on the honest chain, that the victim waits before accepting a transaction as valid.

  • Let denote the size of the transaction being attacked, in dollars.

We allow for two kinds of friction resulting from an attack. The first kind of friction we consider is that the hashrate market may not be perfectly liquid, and the cost of renting one unit of hashpower may increase as an attacker rents hashpower. For this, let denote the market impact on the hashrate market as a function of , the fraction of honest hashrate that is rented. We assume that the function is weakly monotone increasing as increases. For example, the cost of renting one unit of hashrate, meaning , is .

The second kind of friction we consider is that the attack may have an effect on the price of the underlying cryptocurrency. For this, we use to denote the price decrease, relative to dollars, of the underlying cryptocurrency after an attack, so that the price of one dollar’s worth of that cryptocurrency is, after attack, reduced to be worth dollars.666Our analysis of a single double-spend attack would also go through for a price increase (and negative ), just as long as the hashrate market impact , satisfies , so that the net cost of attack remains positive. Later, we will use this same approach to model the ongoing, additional effect on price of a sequence of attacks and counterattacks.

2.2 Analysis

Suppose that anyone with hashpower is free to enter into the mining game of a permissionless network such as Bitcoin. Based on this, competition between miners for block rewards leads to an equilibrium condition, relating the amount of hashpower in a PoW system to the mining reward.

Lemma 2.1 (Free entry, Budish [Budish]).

Free entry into the mining competition and liquid hashpower leads to the equilibrium condition

(1)
Proof.

Suppose that , meaning there exists an for which . In expectation a miner with hashpower who enters the mining competition will earn but pay . By assumption and the miner would be better off entering. Thus this is not an equilibrium. A similar argument shows that the marginal miner whose payments (in expectation) are greater than earnings will drop out. ∎

Lemma 2.1 provides a simple relationship between the amount of honest hashpower , the block reward , and the no attack, marginal cost of renting hashpower .

Based on this, Theorem 2.2 derives the net cost of a single attack as a function of the block reward, , the escrow period, , the market impact of a hashrate purchase of size (majority is needed for attacks that we consider), and the price decrease of the underlying cryptocurrency after an attack, .

Theorem 2.2 modifies an earlier analysis presented in Budish [Budish].777We thank Eric Budish for helpful discussions regarding this formulation. Budish models the net cost of attack, and establishes that the cost of attack can be quite small. In this earlier model, the attacker rents majority hashpower for honest-block-times but only collects block rewards, whereas in our analysis the attacker collects block rewards, reflecting the relative length of the attack chain.888We thank Jacob Leshno for pointing this out. Without further modification, this analysis reveals a (likely unrealistic) zero net cost of attack (see Corollary 2.2.2). By considering one or both of the two different kinds of market frictions, we reintroduce a positive net cost of attack. As discussed above, one possibility is that the attacker’s cost of hashrate is larger than the honest miners’ costs, represented by . A second possibility is that the value of the underlying cryptocurrency declines as a result of the attack, represented by , which is a possibility also discussed by Budish.

Theorem 2.2 (Net Cost of Attack).

The net cost of a single double-spend attack on a proof-of-work system, considering the possibility of hashrate market impact and currency value decrease, is

(2)
Proof.

The cost of renting a majority of mining power to generate blocks is per honest-block-time, but only requires mining for honest-block-times, giving a total cost of . Since an attacker earns block rewards on the attacking chain, but these block rewards are reduced in value by , a successful attack earns . Substituting (1), the net cost of attack is . ∎

Knowing the cost of a single double-spend attack, we can now derive a safety condition, sufficient to protect against double-spend attacks being profitable, as a function of the parameters in the above theorem and the size of the transaction being attacked, .

Corollary 2.2.1 (Safety condition).

It is not profitable to conduct a single double-spend attack on a proof-of-work system, considering the possibility of hashrate market impact and currency value decrease, if and only if

(3)
Proof.

In order for no double-spend attack to be profitable, we need the net cost of attack to be larger than the largest possible benefit from attack, i.e., . ∎

The way to think about Corollary 2.2.1 is that if large transactions are to be safely supported, then needs to be correspondingly large such that if the attacker were to rent the amount of hashrate needed to execute the attack, the attacker would have to pay more than the stolen transaction would be worth. The large block reward thus incentivizes miners not to participate in a double-spend but to mine honestly instead (and at a greater profit). The network becomes safer as increases, and as , and increase. The escrow period is under the control of the potential victim.

As a special case of Theorem 2.2, when for all , that is the hashrate marketplace is liquid enough that the attacker’s purchase does not increase the hashrate price, and , that is the value of the cryptocurrency does not change on news of the attack, the cost of the attack is zero, and no size of block reward or length of escrow period can disincentivize attack.

Corollary 2.2.2 (Zero-Cost Attack).

if and there exists such that , then the net cost of a single double-spend attack is zero, and it is always profitable to attack a transaction of non-zero value.

Proof.

Substitute and into Theorem 2.2. ∎

This corollary implies that, for blockchains for which the hashrate marketplace is very liquid relative to the total amount of work done on the chain, and for which the price does not change upon news of attack, every transaction is susceptible to a double-spend attack no matter the escrow period.

3 The Retaliation Game

Going forward, we make the assumption that at least one of or (for all ) is non-zero, such that we have a (possibly small) positive cost of attack, and we denote this cost of attack as . Our main result is to establish that the possibility of retaliation can amplify this cost of attack until it is no longer profitable in any circumstance (e.g., under any valid , and ).

In the Retaliation game, we allow a victim who has been double-spent to counterattack. Just as the attacker might rent sufficient hashpower to conduct a double-spend from a hashrate marketplace, a victim might rent from the same marketplace at the same cost to retrieve its property. In this way, the interaction between the attacker and the victim takes the shape of a War of Attrition, in which two players compete for a fixed prize by opting to attack each other in turns, where each time they attack this incurs an additional cost.

A

A

A

D

D

()

()

()

()

()

1 Round

next Rounds
Figure 1: An extensive-form description of the Retaliation game. The (A)ttacker has the option to begin the game by fighting, stealing a transaction worth from the (D)efender. has the option to counterattack. Each attack, by either or , costs . Decreasing function models the price decrease of the transaction as a function of the number of attacks completed (starting with ), and models the value of ’s reputation loss if loses. Since each step in this sequence counts a “half-round,” the round number . The game ends when either player quits. Each terminal node lists the payoffs to (, ). The payoff depends on the round, and on which player quits.

Our results crucially rely on the net profit of each successive attack (value of cryptocurrency gained minus cost of attack) falling for at least one of the players, so that it eventually becomes unprofitable to counterattack one more time. This ensures an end to the game because at that point it will be more damaging for a player to counterattack than to quit. We think this is a mild assumption, as it can be achieved in a number of ways. For example, it can arise by assuming that each attack weakens the value of the underlying cryptocurrency, while the cost of attack remains relatively constant. Decreasing profit could also arise if the value of the cryptocurrency stays relatively constant but the cost of attacking increases over time (e.g. because a player’s cost of capital rises as the player borrows more capital to finance the escalating counterattacks).

3.1 The Multi-Round Double-Spending Model

See Figure 1 for an extensive-form description of this multi-round, double-spending game with retaliation (the Retaliation game).

We need a small amount of new notation. We consider two players, an (A)ttacker and a (D)efender. As explained above, we adopt to denote the net cost, in dollars, of conducting a single, double-spend attack. This is the net cost of an attack on the network by the attacker as well as the net cost of an attack on the network by the victim, who can choose to launch a retaliation attack.999The initial attack, due to the escrow period, typically will require a larger reorg than each successive attack, which merely needs to surpass the previously-overtaking chain. For simplicity, we keep constant throughout, though this asymmetry is an additional, initial advantage to the defender. We continue to use to denote the value, in dollars, of the transaction that is in conflict. Attacker

has the initial option to attack. Thereafter, players alternate choosing whether to (f)ight or (q)uit, with q ending the game and leaving the opponent with the reward. The game can, in principle, continue indefinitely. We refer to each moment at which one of the two players has the option to fight or quit as a

time period, with making the first decision at time . We refer to a round as a play of followed by a play of .101010The game could be made more complete by including strategic miners who take a loss when reorgs are revealed and their mining rewards taken from them. This could provide an additional initial asymmetry in favor of the defender, but for simplicity we consider that all miners besides and follow the heaviest chain rule.

We assume the net profit from each successive attack falls until at some point it becomes negative for at least one of the players. For concreteness, we do this through the following two specific assumptions (but as discussed above, there are other reasons why the net cost of attack can fall):

  1. The value of the underlying cryptocurrency decreases with the number of attacks (including counterattacks), making the reward worth after total completed attacks, where makes the first move at , , and is a function that is monotonically decreasing in the number of time periods . For example, we could have , for , referring to the earlier use of to model the multiplicative price decrease of the cryptocurrency after a successful attack. Here, would mean the price decreases by 10% of its contemporaneous value after each attack. Alternatively, we could have for , which would take value for all . Here, would mean the price decreases by 10% of the pre-attack value after each successive attack.

  2. The net cost of attack, , remains constant even as the underlying price of the cryptocurrency falls. Note it is not crucial that that remains constant. If is decreasing, merely needs to decrease more slowly than (or could increase); we assume it remains constant for notational convenience.

In addition, we assume that quitting is free for , but costs reputation cost for . To motivate this, we imagine a typical defender to be an exchange with a public reputation to lose, whereas a typical attacker is anonymous. If an exchange is attacked, customers may be less likely to use the exchange in the future. This introduces an asymmetry into the model. We discuss the assumptions of the model in more detail in Section 3.3.

3.2 Equilibrium Analysis

The strategy of a player defines, for each possible history at which it has an action to choose, the probability with which to fight. A complete strategy profile can be written as , with the probability of fight by if time period is even, and the probability of fight by otherwise. Since each step in this sequence counts a “half-round”, the round number .

We define the break-even time , for each player and , as the first point in time at which quitting is weakly more profitable than continuing.111111The analysis follows some aspects of the analysis of the Volunteers Dilemma [Weesie]. In both cases, we have decreasing , a benefit, and a cost. The principal difference is that in our model just having one actor pay the cost does not make the benefit free for the other actor. This property makes our game similar to the War of Attrition, in which both players pay the cost of escalating the game. These break-even times are continuous quantities, and delineate distinct ranges of time steps that play a role in the theoretical analysis.

For the attacker, satisfies

(4)

so we have . For the defender, satisfies

(5)

so we have .

Due to our restrictions on to be non-negative, if then is undefined, and it is always profitable for to fight. Since is guaranteed to be finite, will surely quit at , and there is no chance of an infinite game.

Suppose without loss of generality that player has , where denotes the other player. Now we recognize that player only needs to consider time steps with . If , player is sure to choose quit, and the game will end. Opponent similarly needs only to consider turns in which the time step satisfies . For this reason, it is without loss of generality to consider a finite strategy profile, defining all actions until one step beyond . Beyond this point, quit is a dominant strategy for at least one of the two players, ending the game surely.

We now provide the main theoretical result, which states that a non-fighting strategy profile is a SPE of the Retaliation game. The proof makes use of the one-deviation principle, i.e., that a strategy profile is a SPE in a finite, extensive-form game, if and only if there is no profitable single deviation. Our game has an equivalent, finite form, because of time , beyond which quit is a dominant strategy for at least one of the two players, which ends the game at that time.

In the following, it will be convenient to let

denote the largest odd integer less than or equal to

, and denote the largest even integer less than or equal to . In particular, denotes the last time step at which has a profitable move and denotes the last time step at which has a profitable move.

Theorem 3.1 (No-attack equilibrium).

In the Retaliation game, if the defender is last to have a profitable move, then the following strategy profile is a subgame perfect equilibrium:

(6)
Proof.

Recall in the following that and play on even and odd turns, respectively. Formally, is last to have a profitable move if .

We proceed by case analysis:

(Odd time step , to play). Following the SPE, ’s utility will be since the SPE necessitates . If deviates and plays , the expected utility will be by assumption that and the definition of . Therefore has no incentive to deviate.

(Odd time step , to play). Similarly, by definition of , we see that reduces utility compared with .

(Even time step , to play). Deviating from the SPE and selecting leads to negative utility in every case while leads to 0 utility.

(Even time step , to play). Since we assumed , , thus by the SPE. Given this, has no chance of winning in this round and therefore ’s utility will be if , with utility if . No deviation is profitable here.

As long as is the last to have a profitable move, then the equilibrium is for to play ‘never fight’ () and to play ‘always fight’ (). The effect of this is a no-attack equilibrium, because does not attack when given the chance, and does not need to counterattack. The main idea is that after a point in time, , it will no longer be in ’s interest to fight because the cost of an attack will be higher than the best possible benefit, while quitting will net zero utility. Meanwhile, has the last profitable move, and is still willing to fight at least in the next turn after . Based on this, in every turn in which it may be profitable for the attacker to fight, the defender is sure to fight back, making it best for the attacker to immediately quit.

We provide a sufficient condition for to be last to have a profitable move, and for this no-attack equilibrium. From the asymmetry provided by reputation cost , we know that has a worse quitting outcome than , and that , for hold-out times and . The hold-out times are continuous, and we need the difference to be large enough to imply . We establish a safety condition on reputation cost for the special case of a linear effect of attack on the value of the cryptocurrency.

Theorem 3.2 (Reputation safety condition).

In the Retaliation game, given of the form , with , then

(7)

is sufficient for the no-attack equilibrium.

Proof.

Concretely, having the last profitable move is equal to condition . This is always satisfied when , since applying the odd function to both sides of this inequality gives us . It can be shown that , thus showing .

We now derive an equivalent condition for involving . Substituting the definitions of and , we seek such that . Applying the monotonically decreasing function to both sides of the inequality, and thus reversing the inequality, we have . Rearranging, this leads to

(8)

We have and . We have (otherwise the game would never start). We have that is defined and non-negative for positive arguments , and is positive for non-negative arguments, so .

Given , with , we have . Note we only consider these two functions on their valid domains in the following argument.

Lemma 3.3.

Given with ,

Proof.

Suppose for the purpose of contradiction we have . Applying the definition of to the inequality, we have . Simplifying, we have . This is a contradiction. ∎

Since is decreasing, we can now substitute the result of Lemma 3.3 into (8), to get .

As an example, if and , is sure to win if ’s loss of reputation from being successfully double-spent is greater than .

3.3 Modeling Assumptions

In this section we will further discuss the specific modeling assumptions we make.

3.3.1 The net profit of each successive attack falls

The net profit of an attack has two parts: net cost of attack, that is the price of renting sufficient hashrate minus the mining rewards earned, and benefit from attack, that is the value of the transaction stolen. For concreteness, we have achieved this assumption by assuming that (1) the price of the asset weakens as attacks increase, and (2) that cost of attack stays constant. However, the model would work equally well assuming, for example, that the price remains constant and the cost of attack increases over time. Here we discuss some explanations for these possible assumptions.

Every double-spend attack further weakens the value of the underlying asset. This is a widely-held assumption, and one formally incorporated into at least one of the models put forward in each of Budish (2018) [Budish], Auer (2019) [Auer], and Hasu et al. (2019) [Hasu].121212An industry commentator has also stated, “A successful 51% attack is likely to have a very negative effect on the market value of a cryptocurrency” [Consensys-Centralization]. That this assumption is so common is perhaps surprising given that, for the few double-spend attacks that have been observed (see Table 1), the price has not always been significantly affected and has not always gone down. The attack on BTG in May 2018 was followed by a decline in price, while the attack on LCC in July 2019 was followed by a relatively stable price, and the attack on BTG in Jan 2020 was followed by a rise in price.

Constant net cost of attack across rounds. We assume that the net cost of attack, , remains constant even as the underlying price of the cryptocurrency falls. In fact, the proof of Theorem 3.1 only requires that the net cost decreases more slowly than the decrease in the value of the cryptocurrency, . This assumption can be justified by recognizing that an attack is likely to throw the mining hashrate market out of equilibrium, keeping price higher than its equilibrium value because mining operators have fixed costs, electricity contracts, and other frictions that can prevent them from acting quickly.

3.3.2 Defender has a higher penalty to losing than the Attacker.

We need this assumption, which encapsulates an asymmetry between the attacker and victim. Businesses such as exchanges, which are typical targets for attack, have large footprints. Since double-spends become public information (see Table 1) and the cryptocurrency addresses of prominent groups are often widely known, if the wallet of a known entity is double-spent, the public would know about this. ’s future customers may be more likely to engage in double-spend attacks against as a result, and others may be less likely to bring their business to the exchange. For these reasons, it is reasonable to assume that ’s value of losing is , for some reputation cost , while cybercriminals who mount double-spend attacks remain anonymous, presumably for fear of prosecution.

4 Empirical Investigation

No hashrate-driven double-spend attacks are known to have occurred against Bitcoin or Ethereum since 2015.131313In 2013, a double-spend attack was successfully executed against Bitcoin. However, the fork was due to a bug in the software that caused the network to split and follow different forks, not because the attacker acquired a majority of the hashpower [BIP50, double-spend-bitcointalk] This is despite the existence of many large transactions that would appear profitable to double-spend if enough hashrate could be acquired (see Figure 5, Figure 5, and Table 3). One reason for this might be that the transactions are between trusted parties (or are actually sent between two wallets owned by the same party) who have a relationship outside the blockchain.

Despite the lack of attacks, mining pool concentration has caused concern in the Bitcoin and Ethereum communities. As of February 2020, the total Bitcoin hashrate was about SHA-256 hashes per second, and four mining pool operators controlled a majority of the hashrate on the Bitcoin network, while two pools controlled a majority of the hashrate on the Ethereum network (see Table 2) [Bitcoin-Difficulty, Bitcoin-Pool-Centralization, Top-ETH-Miners]. One implication of this is that Bitcoin and Ethereum may themselves be vulnerable to majority attacks if mining pools collude. Indeed, when a hacker exploited a software security vulnerability to steal $40M worth of Bitcoin from Binance (a large exchange) in May 2019, the Binance CEO considered (but ultimately abandoned) the idea of recruiting large mining pool operators to double-spend the stolen Bitcoin back to the company [CZ-Reorg].

It should be noted, however, that the operators of mining pools do not always directly control the mining hardware within the pool. Individual miners could leave a pool upon noticing it is participating in an attack. Indeed, in 2014 a Bitcoin mining pool, Ghash.io, obtained more than 51% of the total Bitcoin hashrate. In response, users threatened to leave the pool, leading Ghash.io to commit to never obtaining more than 40% of the Bitcoin hashrate [ghash]. As emphasised in [Hasu], miners may have a long-term stake in a particular chain remaining attack-free.

However, a second implication of the small number of pools is that smaller chains such as Bitcoin Cash (BCH) and Ethereum Classic (ETC) should be vulnerable to attack because they use the same PoW algorithms as chains with a much larger amount of hashrate. In fact, ETC was successfully attacked a dozen times in Jan 2019 [ETC-Attacked]. As of February 2020, the Bitcoin Cash network computed about hashes per second [BCH-Difficulty]. This means that if one of the larger Bitcoin mining pools was to redirect its hashrate (about 16% of the total, see Table 2) towards mining Bitcoin Cash, as it could without significant modification due to a shared hash function, it would provide over triple the entire Bitcoin Cash hashrate. Indeed, several chains have been attacked. This is also likely due to the greater relative availability of their hashrate on marketplaces like Nicehash [crypto51].

4.1 Observed Attacks

A list of known double-spend attacks appear in Table 1, including attacks on the BTG, VTC, LCC and EXP chains that were recently discovered through the Reorg Tracker system [BTG-Attacked], a tool that logs reorgs and makes the data publicly available. The Reorg Tracker has, between July 2019 and February 2020, monitored 20 PoW chains chosen based on their perceived susceptibility to hashrate rental attacks as well as their market capitalization.141414BCH, BSV, BTC, BTG, CLO, DBIX, DOGE, ETC, ETH, EXP, IMG, LCC, LTC, MONA, PAC, PIRL, VTC, ZCL, ZEC, and ZEL Most reorgs are non-malicious and do not contain any double spends (we call these random reorgs). They are typically naturally-occurring, low-depth (1 or 2 block) reorgs that happen when different miners find a block at the same height around the same time. The difference between random reorgs (shallow and frequent) and double-spends (deep and rare) is exemplified in Figure 3 and Figure 3. The Reorg Tracker has observed a total of 18 double-spend attacks on four cryptocurrencies during this time, and as of Feb 2020, four of these attacks on Bitcoin Gold appear to be counterattacks. We now report on the double-spend attacks known publicly.

By far the largest known group of double-spend attacks (totaling over $17 million) occurred on the Bitcoin Gold (BTG) network between May 16 2018 and May 19 2018 [BTG-Verge-Attacked]. On May 18, the BTG Director of Communications advised exchanges to “increase confirmations and carefully review large deposits” [btg_iskra]. One week later, on May 24, the BTG team put out a proposal [btg_iskra_responding] to do a hard-fork (preserve user balances but update the blockchain software in a non-backward-compatible way) to a new hash function, in hope of preventing further double-spends by attackers who could accumulate hashpower of the old hash function. The update was successfully implemented but BTG was still not safe.

In late January 2020, the Reorg Tracker observed two reorgs totalling about $70,000 on Bitcoin Gold (BTG), each about 15 blocks deep. This was larger than the the contemporaneous 12-block BTG withdrawal requirement on Binance, which Binance increased to 20 blocks after the attack [BTG-Attacked]. In early February 2020, the Reorg Tracker also observed preliminary evidence of retaliations to double-spend attacks on Bitcoin Gold.

As of mid February 2020, preliminary evidence from the Reorg Tracker showed eight reorgs totalling about $120,000 on Bitcoin Gold (BTG), some of which appeared to be counterattacks. These appear to include three separate instances of a retaliation game, one of length four (attack, counterattack, and two further moves) and two of length two (attack and counterattack). The identities of the participants are not known.

Beyond BTG, six double-spend attacks were on Litecoin Cash (LCC) [LCC-Attacked]. These comprised a series of six deep reorgs between depth 40-100 over four days. These reorgs were far outside the norm of the frequent random reorgs which occur due to network latency issues and are depth 1 or 2, see Figure 3. All the original transactions were made to the same address and the double spend transactions redirected to a single different address, indicating one attacker and one victim.

One double-spend attack observed by the Reorg Tracker was on the Expanse (EXP) network [EXP-Attacked]. The victim account in this case is linked to a wallet with about 90% of the total EXP supply, suggesting the victim is an exchange, likely Bittrex or Upbit, which host most of the EXP trading.

Figures 3 and 3 depict the reorg-depth of double-spends and random reorgs as observed by the Reorg Tracker on Litecoin Cash (LCC) and Expanse (EXP), respectively. Red dots represent the double-spend attacks, with the y-axis recording the number of blocks removed from the chain during an attack. Blue dots represent naturally-occurring, low-depth (1 or 2 block) reorgs that happen when different miners find a block at the same height around the same time.

The total amount stolen by way of double-spend attacks is far less than the amount estimated to have been stolen by hacking methods involving thefts of private keys, or ransomware for example. The Wall Street Journal, for example, reported that over $1.5 billion USD in cryptocurrency has been stolen between 2014 and 2018 in over 56 prominent attacks [wsj-autonomous]. In contrast to double-spend attacks, stolen-key or ransomware attacks do not require subverting an existing financial transfer between the attacker and victim to succeed. We do not consider these types of attacks here because we seek to investigate the security of the underlying PoW system, not of the software stack it runs on. We are not aware of any other incentive attacks in the underlying PoW systems that enable theft of cryptocurrencies.

Figure 2: 6 LCC Double-Spends, Jul-Sep 2019
Figure 3: An EXP Double-Spend, Jul 2019
Coin Date(s) Victim Attacks USD Source
BTG 02.08.20 - 02.11.20 Unknown 8 RT
BTG 01.23.20 - 1.24.20 Unknown 2 RT [BTG-Attacked]
VTC 12.01.19 Unknown 1 RT [VTC-Attacked]
EXP 07.29.19 Unknown 1 RT [EXP-Attacked]
LCC 07.04.19 - 07.07.19 Unknown 6 RT [LCC-Attacked]
ETC 01.05.19 - 01.08.19 Bitrue 12 [ETC-Attacked]
BTG 05.16.18 Bittrex ? [BTG-Verge-Attacked]
VTC 10.12.18 - 10.18.18 Unknown ? [VTC-Attacked]
Zencash 06.02.18 Unknown ? [Zencash-Attacked]
Table 1: Double-Spend Attacks. The USD column is the USD equivalent size of the theft, in Millions of dollars. The notation ‘RT’ next to the reference indicates that the source of our data is the Reorg Tracker [BTG-Attacked], which has monitored reorgs on 20 PoW chains from July 2019-Feb 2020.

5 Discussion

Both double-spend attacks and counterattacks are technically difficult to implement.

Perhaps a reason that we have seen relatively few double-spend attacks is that they are technically cumbersome to execute. The Nicehash marketplace has a difficult user interface to understand. Furthermore, conducting a double-spend likely requires custom mining pool software, as every existing mining pool is likely to be following the honest protocol. Counterattacking, as Bonneau [Bonneau] wrote, is an even more challenging task because all of this technical work must be prepared ahead of time and set to activate automatically upon the detection of a deep reorg. This may explain why we have only begun to observed counterattacks in the empirical evidence. However, as the market matures (e.g. as new marketplaces like Honey Lemon [honeylemon], a cloud-mining market aggregator, come online) we expect these tasks to become easier.

External trust enables parties to make large transactions without the risk of double-spending.

It is possible that transactions larger than the safety limit (Corollary 2.2.1) only occur between parties who have reasons to trust each other. As an example, most exchanges require their customers to disclose their legal identities and tax ID numbers, especially for significant deposits or withdrawals (see [KYC] for an analysis of the information that exchanges collect on their customers). The threat of legal action by the victim (exchange) against the attacker (double-spending customer) likely incentivizes non-attack in this case.

Market impact, , is high for Bitcoin and Ethereum, protecting them from double spends, and low for other chains.

As of Febuary 2020, NiceHash only has enough SHA-256 hashrate for sale (500 PH/s) to match about 0.5% of Bitcoin’s total SHA-256 hashrate (100,000 PH/s), and only had enough EthHash for sale (3TH/s) to match 2% of Ethereum’s total Ethhash (150TH/s) [crypto51]. So, at the moment, it is not possible to rent sufficient hashrate on NiceHash to attack these networks. However, as the markets mature, we expect to see more liquidity on them. Meanwhile, there are networks such as Expanse for which 70x of its total hashrate is regularly available for purchase on NiceHash [NiceHash]. Indeed, the less hashrate a chain has, and the more common the ability to produce that hashrate, the more likely it is that a hashrate marketplace will form with sufficient volume that a cheap double-spend is possible.

6 Conclusion

In this work, we have shown that the low-cost of a single double-spend attack can be amplified by the threat of retaliation, inducing a no-attack equilibrium. We first modified the economic analysis developed by Budish [Budish], obtaining a similar conclusion as that drawn in this paper, namely that double-spending attacks can be relatively cheap, and in our analysis, even free under certain conditions. We then proposed a defense to such attacks, showing how a small cost of attack can be amplified greatly if the victim has the same capabilities as the attacker, and can counterattack the double spend.

We have also reported on a number of double-spend attacks that have been empirically observed. This empirical evidence suggests that attacks on some chains are in fact quite cheap, as some were done for almost no gain. We have only begun to see any evidence of the counterattack defense, but as the markets for hashrate power continue to mature, we expect sophisticated actors to increase their readiness to defend themselves in the case of a double-spend attack.

We close the paper with a discussion of some future directions for research. First, the disincentives for mining operators to launch double-spend attacks, coming from ownership of specialized equipment and cryptocurrency, could come under threat in the presence of a liquid derivatives market. A mining operator can have a legitimate reason to hedge a highly exposed position through taking a short position. But the larger the short position, the greater the operator’s incentive to attack the network despite being invested. Liquid derivatives markets are an explicit goal of Ethereum’s “decentralized finance” (DeFi) movement, and there are significant Bitcoin lenders such as Genesis [genesis] and Bitcoin derivatives markets such as BitMex [bitmex].

Second, a single attacker (or cartel of attackers) could double-spend several victims at once. This seems to provide a new advantage for the attacker, because the attacker would have more at stake than each individual victim, and thus more to lose by quitting in the War of Attrition (whereas before, the single victim had more to lose). For this reason, it may be useful to study the possibility that multiple victims could coordinate to defend against a single attacker, in addition to the possibility that bystander miners may behave strategically to protect their mining rewards.

We have shown that considering a new kind of behavior in the context of double-spend attacks can give a novel outcome. We anticipate that broader viewpoints in modeling the behavior of agents in the context of other blockchain attacks can similarly lead to new insights.

Acknowledgments

The authors would like to thank James P. Lovejoy, Eric Budish, Jacob Leshno, Mark Nesbitt, Jonathan Zittrain, James Mickens, Yiling Chen, Tadge Dryja, Nic Carter, and David Vorick for helpful discussions. This work is supported by two generous gifts to the Center for Research on Computation and Society at Harvard University, funders of the MIT Digital Currency Initiative, and NSF grant NSF CCF-15-09178. The first author was supported in part by the Ethereum Foundation.

Appendix A Mining Pool Concentration

Table 2 shows the percent of total hashrate owned by the top mining pools on Bitcoin and Ethereum as of February 2020. Note that just a few such pools collectively own over 50% of the hashrate in both Bitcoin and in Ethereum.

BTC ETH
Pool Name Share Pool Name Share
BTC.com 16.4% Spark Pool 32.8%
F2Pool 13.9% Ethermine 21.0%
Poolin 12.9% F2Pool 11.1%
AntPool 11.8% NanoPool 7.9%
SlushPool 7.2% Zhizhu.top 4.1%
Total 62.2% Total 76.9%
Table 2: Bitcoin and Ethereum mining pools, ranked by percent of total BTC (ETH) blocks found Feb 2019 - Feb 2020 [Bitcoin-Pool-Centralization, Top-ETH-Miners].

Appendix B Large Bitcoin and Ethereum Transactions

Figures 5 and 5 show the distribution of Bitcoin and Ethereum transaction sizes, respectively, from Jan 2018 - June 2019. These plots were generated using data acquired by querying the Google BigQuery database that contains full-chain data on both Bitcoin and Ethereum (see Day and Medvedev (2018) [Day]). Estimating the transaction size in Bitcoin is challenging because of Bitcoin’s UTXO model. For each transaction, the quantity plotted is the value of the smallest output, making this a conservative estimate of the value of a transaction. See Table 3 for the largest Bitcoin transactions recorded as of September 2019.

Figure 4: Histogram of BTC Transaction Sizes, Jan 2018 - Jun 2019
Figure 5: Histogram of ETH Transaction Sizes, Jan 2018 - Jun 2019
Block Date BTC (K) USD (B) Fee
578328 05.29.19 157.46 1.37 107
578327 05.29.19 144.08 1.25 19
576358 05.16.19 122.80 1.00 11
593467 09.06.19 94.50 1.02 700
577462 05.23.19 121.80 0.93 10
499773 12.17.17 48.50 0.89 15
503030 01.07.18 51.04 0.85 227
498970 12.12.17 48.50 0.80 178
574898 05.06.19 125.80 0.73 9
575024 05.07.19 124.30 0.72 9
Table 3: The largest Bitcoin transactions as of Sept 06 2019 by USD Value, the data coming from Blockchair [Largest-Bitcoin-Txns]. BTC column is in thousands of Bitcoins, USD column is in Billions of USD, and Fee is in USD