1 Introduction
Bitcoin is designed to solve the challenge of reaching agreement (consensus) over an ordered list of transactions (a blockchain) in a permissionless, peertopeer electronic cash system [Nakamoto]
. It does so by requiring participants to demonstrate computational activity, ProofofWork (PoW), and to build on the valid blockchain with the most work (heaviestchain rule).
^{1}^{1}1This is sometimes referred to as the longest chain rule, but it is in fact the chain with the most ProofofWork as measured by the software, hence heaviestchain rule, and not the chain with the most blocks. In Bitcoin and other PoWbased cryptocurrencies, miners perform expensive computational work committing to a particular transaction history. Miners are incentivized to do so because they receive rewards that are only valid if the chain on which they mine is the chain accepted by other participants.In the course of a doublespend attack, an attacker rewrites a portion of the blockchain transaction history, spending the same token in two different ways. In this work we focus on the subset of doublespend attacks caused by obtaining a majority of the hashpower, known as 51% attacks.^{2}^{2}2We do not consider zeroconfirmation attacks or attacks due to software version incompatibility. To conduct a doublespend attack, an attacker would create a blockchain transaction giving tokens to a victim, for example a cryptocurrency exchange. After an escrow waiting period, would exchange the tokens for a good, for example by selling the tokens for USD on the exchange. Meanwhile, would privately work to create an alternate chain history (a chain reorganization, or reorg) in which the original transaction is replaced by a selfpayment, rendering the original transaction invalid (to do this, would need to complete more PoW on the alternate chain than the network had completed on the original chain). Upon receiving the USD, would reveal this new chain to the network, and all other participants faithfully following the heaviestchain rule would switch to this rewritten history of transactions.
In fact, an economic analysis provided by Budish (2018) [Budish] suggests that, given a liquid market for hashrate, the cost of acquiring a majority of mining power on a chain for long enough to execute a doublespend attack would be small or negligible (see Section 2 for a modified version of this argument) because the attacker recoups the cost of attack in block rewards. The implication is that, with sufficient liquidity, many transactions completed on current PoW systems would be insecure against doublespend attacks. Moreover, markets for hashrate do exist. Nicehash is a marketplace that connects sellers and buyers of hashrate for different algorithms, and the website Crypto51 shows to what extent various chains are vulnerable to 51% attacks through NiceHash [NiceHash, crypto51].
Our Contributions.
We investigate the question of doublespend attacks through theoretical modeling and analysis, while also seeking support from empirical evidence.
As our primary contribution, we provide a formal model of a Retaliation game, extending Budish’s model [Budish] with a novel action (the victim’s counterattack). We show in this model, where both the attacker and defender can procure hashrate, that doublespending is not profitable. We consider a variation on the widely studied War of Attrition
model from game theory, and show a subgame perfect equilibrium in which no doublespend attack occurs even if a single attack is cheap relative to the contested transaction. Our result is achieved under mild assumptions, namely that the net cost of each successive attack increases over time, and the victim, for example an exchange, pays a reputation cost for being doublespent.
Second, we modify Budish’s model to show that, without considering counterattacks, doublespend attacks may be either free, cheap or impossible, depending on the market availability of hashrate and the price impact of an attack.^{3}^{3}3Auer [Auer] shows a similar result, independently and contemporaneously, though without connecting directly to the Budish model.
Third, we compile known data on doublespend attacks to show that attacks have occurred on lowPoW chains such as Bitcoin Gold but not highPoW chains such as Bitcoin. As of February 2020, we also identify preliminary evidence of retaliations to doublespend attacks on Bitcoin Gold.
The rest of this paper is organized as follows: In Section 2 we introduce a modified version of the economic model introduced in Budish, adopting a different duration of attack, which changes the rental cost of attack and the block rewards that accrue from an attack. In Section 3, we introduce the Retaliation game, which considers the possibility of retaliation by the victim, and develop a subgame perfect equilibrium analysis of noattack. In Section 4, we present empirical results that show the existence of doublespend attacks on lowPoW chains but not highPoW chains. In Section 5 we provide a discussion of the empirical results we see and their connection with our models. In Section 6 we conclude, and discuss directions for future work.
1.1 Related Work
1.1.1 GameTheoretic Analyses of PoW Systems
There are several studies analyzing gametheoretic models of PoW mining and doublespending specifically, with early work assuming that the attacker would never achieve a majority of the hashrate. In the original Bitcoin paper, Nakamoto (2008) [Nakamoto]
shows that the probability that a minority attacker would be able to doublespend the Bitcoin network decreases as the number of blocks found since a transaction increases. Rosenfeld (2012)
[RosenfeldDS] expands on these calculations, producing tables of the probability of successful attack and largest safe transaction size (in BTC), both as function of a potential attacker’s hashrate () and the number of blocks already mined on top of the transaction in question.As we elaborate on in Section 2, our work is related to Budish (2018) [Budish], which considers a doublespend attack achieved through a hashrate rental market, and introduces a model where, in equilibrium, such an attack is relatively cheap. We first modify this model to show that, without considering counterattacks, doublespend attacks may be either free, cheap or impossible, depending on the market availability of rental hashrate and the price impact of an attack. We then extend Budish’s model by also allowing the victim to have access to the same hashrate market as the attacker. This leads to the War of Attrition model and the Retaliation game.
A number of other papers have also taken inspiration from Budish. Among them, Auer (2019) [Auer] analyzes payment security for PoW cryptocurrencies and, independently and contemporaneously, derives a safety condition similar to our Corollary 2.2.1. Auer shows that, taking the long term view (at some point, the block reward will be low), PoW security will come largely from transaction fees, which are only high when congestion is high. Auer shows that fees suffer from a freerider problem, suggesting that in the longterm the security on any PoW chain will be low, giving a similar result to Carlsten et al. (2016) [Instability]. In future work, it will be interesting to examine whether our theoretical analysis of counterattacks may mitigate this observation about the role of fees.
Following Auer, a white paper provides a similar safety condition, but without considering hashrate market impact (Hasu et al., 2019) [Hasu]. These authors emphasize that miners typically have high upfront costs (e.g., purchasing mining hardware and prepaying electricity costs), and that an attack that reduces the price of the mined asset will reduce the value of their mining hardware. Thus, miners are incentivized not to lease hashpower to potential attackers, making an attack more difficult.
The notion that a victim might be able to launch a counterattack has been raised before, but largely dismissed as difficult to implement and ineffective. As we show in our model, the mere ability of recipients or some service they employ to counterattack may be sufficient to discourage attacks from happening in the first place. Bonneau (2016) [Bonneau] briefly discusses the possibility of counterattacks, but suggests that this would place undue burden on the recipient of a transaction to monitor the chain and be willing to counterattack.^{4}^{4}4As we discuss in Section 5, we agree that the requirement to monitor the chain and be ready to counterattack is, at present, a somewhat difficult task and that this changes the security model of PoW systems. However, it seems reasonable to study a system with this capability in place, especially given that our model shows that attacking is unprofitable when the victim is able to counterattack. Bonneau situates this discussion in the context of an attacker who can rent hashrate by bribing miners, raising the concern that the net cost of a doublespend attack can be low. Judmayer et al. (2019) [PayToWin] also briefly consider the possibility of counterattacks, saying simply that if a defender counterattacks that this results in a “bidding game”. They also show how to efficiently implement various bribingstyle attacks on Bitcoin, by guaranteeing payments through smartcontracts on Ethereum. Lastly, Vorick (2019) [Vorick] informally analyzes a game with retaliation, but without the assumption of decreasing profit from attack over time, and concludes that counterattacks would not deter attackers.
Without considering counterattacks, Liao and Katz (2017) [Whale] analyze a specific form of Bonneau’s bribing attack in which an attacker, lacking a majority of hashpower, incentivizes other miners to mine on the shorter attack chain by issuing largefee transactions on that chain. Other miners can collect the large fees only if they join the attacker in mining on the attacking chain. Thus the attacking chain can gain majority support, making the 51% attack successful, and the attacker only has to pay if the attack is successful. Our model considers that the attacker rents hashrate from a marketplace, but it can be abstracted to be equivalent to this model. Thus our retaliation argument applies to this attack as well.
There have also been attempts to compare the economic security (that is, the difficulty of doublespending) on different PoW chains. A wellknown but sometimes unreliable source for this information is Crypto51.app [crypto51], which reports the hashing algorithm and hashrate of each cryptocurrency. Using values from the NiceHash hashrate marketplace [NiceHash]
, it also estimates the cost of renting the equivalent of one hour’s worth of that network’s PoW, as well as the availability of that amount of hashrate in the marketplace. In a blog post, Carter (2019)
[CarterSettlement] also ranks the security of cryptocurrencies in order of how much is paid to miners per unit time.Broadening out from doublespending attacks, while still appealing to decisiontheoretic and gametheoretic models, Eyal and Gun Sirer (2013) [Selfish] consider a miner who deviates from the default protocol in order to earn more block rewards. In this model of selfish mining, they show that a miner with a significant but nonmajority fraction of the mining power can earn more block rewards in expectation by mining in secret and following a carefully designed, alternate mining policy. This has in turn inspired a series of followup work. Among these, Sapirshtein et al. (2015) [OptSelfish]
encapsulates some features of the mining game into a Markov decision process, and solves for the optimal selfish strategy using value iteration. Related to selfish mining, Arnosti and Weinberg (2018)
[Oligopoly] and Leonardos et al. (2019) [Oceanic] provide theoretical analyses that indicate miners may profit from concentrating their power, suggesting that PoW systems will grow increasingly centralized. Lastly, Fiat et al. (2019) [EnergyEquilibria] and Goran and Spiegelman (2019) [MindMining] propose and analyze another profitable deviation from the honest PoW protocol: occasionally turning mining equipment off in order to reduce the difficulty threshold, making mining more profitable later.1.1.2 Standard GameTheoretic Models
The doublespending retaliation model that we introduce is related to two wellknown gametheoretic models: the War of Attrition and the Volunteer’s Dilemma.
The War of Attrition, first analyzed by Maynard Smith (1974) [MaynardSmith74], models two animals fighting for a single resource. The longer the fight goes on, the worse off they both become. The unique symmetric equilibrium is a mixed equilibrium in which each player in each round fights with decreasing probability. This equilibrium is both an evolutionarily stable strategy (ESS) and a subgame perfect equilibrium (SPE), both of which are refinements of a Nash equilibrium. Gametheoretic models in the biology literature [MaynardSmith74] more typically use the concept of ESS, while analyses in the economics literature [FudenbergTiroleBook] (Section 4.5.2) more typically use the concept of SPE. If there is some asymmetry between the players, for example if one player is in possession of the resource to begin with, Maynard Smith also shows that nofighting can be an ESS.
The Volunteer’s Dilemma, introduced in Diekmann (1985) [VOD], models a multiplayer game in which one player must volunteer to pay a cost in order to provide all players with a benefit. Weesie (1993) [Weesie] shows that if the value of the benefit is decreasing over time and there is an asymmetry in costs among the players, there is a unique SPE in which the player with the lowest cost volunteers immediately. In our analysis, we take Weesie’s model of decreasing value over time and asymmetric players and couple this with the War of Attrition model, achieving a SPE for PoW security in which there is no attack in equilibrium.
2 A Model of Majority Attack Without Retaliation
We first modify the model and analysis of a doublespend attack from Budish [Budish]. As with Budish, we will assume the availability of a hashrate marketplace, but also allow for some friction, so that the rental cost increases as more hashpower is rented. We also allow for an attack having the effect of changing the price of the cryptocurrency.
Based on this, we determine the cost of a single doublespend attack in terms of the block reward. For now, we assume that the victim of the doublespend will not retaliate. The analysis reveals a safety condition: the size of a transaction must be small enough relative to the size of the block reward in order to make it unprofitable to doublespend the transaction.
2.1 Model
Consider the following elements of our model:

Let denote the block reward,^{5}^{5}5The block reward includes both the block subsidy and transaction fees paid to miners. For simplicity, we assume that is constant over the time we consider, even though transaction fees may vary. This is a reasonable approximation since, as of Febuary 2020, the typical total fee reward for a Bitcoin block is about 0.5%  2.5% of the block subsidy [fees], so does not vary much blocktoblock. measured in dollars.

Let denote the amount of honest hashpower in the system, measured in hashes per block.

Let denote the marginal cost of renting one unit of hashpower in the absence of attack, in dollars per hash.

Let denote the multiple of the total honest hashpower that the attacker acquires.

Let denote the escrow period, in blocks on the honest chain, that the victim waits before accepting a transaction as valid.

Let denote the size of the transaction being attacked, in dollars.
We allow for two kinds of friction resulting from an attack. The first kind of friction we consider is that the hashrate market may not be perfectly liquid, and the cost of renting one unit of hashpower may increase as an attacker rents hashpower. For this, let denote the market impact on the hashrate market as a function of , the fraction of honest hashrate that is rented. We assume that the function is weakly monotone increasing as increases. For example, the cost of renting one unit of hashrate, meaning , is .
The second kind of friction we consider is that the attack may have an effect on the price of the underlying cryptocurrency. For this, we use to denote the price decrease, relative to dollars, of the underlying cryptocurrency after an attack, so that the price of one dollar’s worth of that cryptocurrency is, after attack, reduced to be worth dollars.^{6}^{6}6Our analysis of a single doublespend attack would also go through for a price increase (and negative ), just as long as the hashrate market impact , satisfies , so that the net cost of attack remains positive. Later, we will use this same approach to model the ongoing, additional effect on price of a sequence of attacks and counterattacks.
2.2 Analysis
Suppose that anyone with hashpower is free to enter into the mining game of a permissionless network such as Bitcoin. Based on this, competition between miners for block rewards leads to an equilibrium condition, relating the amount of hashpower in a PoW system to the mining reward.
Lemma 2.1 (Free entry, Budish [Budish]).
Free entry into the mining competition and liquid hashpower leads to the equilibrium condition
(1) 
Proof.
Suppose that , meaning there exists an for which . In expectation a miner with hashpower who enters the mining competition will earn but pay . By assumption and the miner would be better off entering. Thus this is not an equilibrium. A similar argument shows that the marginal miner whose payments (in expectation) are greater than earnings will drop out. ∎
Lemma 2.1 provides a simple relationship between the amount of honest hashpower , the block reward , and the no attack, marginal cost of renting hashpower .
Based on this, Theorem 2.2 derives the net cost of a single attack as a function of the block reward, , the escrow period, , the market impact of a hashrate purchase of size (majority is needed for attacks that we consider), and the price decrease of the underlying cryptocurrency after an attack, .
Theorem 2.2 modifies an earlier analysis presented in Budish [Budish].^{7}^{7}7We thank Eric Budish for helpful discussions regarding this formulation. Budish models the net cost of attack, and establishes that the cost of attack can be quite small. In this earlier model, the attacker rents majority hashpower for honestblocktimes but only collects block rewards, whereas in our analysis the attacker collects block rewards, reflecting the relative length of the attack chain.^{8}^{8}8We thank Jacob Leshno for pointing this out. Without further modification, this analysis reveals a (likely unrealistic) zero net cost of attack (see Corollary 2.2.2). By considering one or both of the two different kinds of market frictions, we reintroduce a positive net cost of attack. As discussed above, one possibility is that the attacker’s cost of hashrate is larger than the honest miners’ costs, represented by . A second possibility is that the value of the underlying cryptocurrency declines as a result of the attack, represented by , which is a possibility also discussed by Budish.
Theorem 2.2 (Net Cost of Attack).
The net cost of a single doublespend attack on a proofofwork system, considering the possibility of hashrate market impact and currency value decrease, is
(2) 
Proof.
The cost of renting a majority of mining power to generate blocks is per honestblocktime, but only requires mining for honestblocktimes, giving a total cost of . Since an attacker earns block rewards on the attacking chain, but these block rewards are reduced in value by , a successful attack earns . Substituting (1), the net cost of attack is . ∎
Knowing the cost of a single doublespend attack, we can now derive a safety condition, sufficient to protect against doublespend attacks being profitable, as a function of the parameters in the above theorem and the size of the transaction being attacked, .
Corollary 2.2.1 (Safety condition).
It is not profitable to conduct a single doublespend attack on a proofofwork system, considering the possibility of hashrate market impact and currency value decrease, if and only if
(3) 
Proof.
In order for no doublespend attack to be profitable, we need the net cost of attack to be larger than the largest possible benefit from attack, i.e., . ∎
The way to think about Corollary 2.2.1 is that if large transactions are to be safely supported, then needs to be correspondingly large such that if the attacker were to rent the amount of hashrate needed to execute the attack, the attacker would have to pay more than the stolen transaction would be worth. The large block reward thus incentivizes miners not to participate in a doublespend but to mine honestly instead (and at a greater profit). The network becomes safer as increases, and as , and increase. The escrow period is under the control of the potential victim.
As a special case of Theorem 2.2, when for all , that is the hashrate marketplace is liquid enough that the attacker’s purchase does not increase the hashrate price, and , that is the value of the cryptocurrency does not change on news of the attack, the cost of the attack is zero, and no size of block reward or length of escrow period can disincentivize attack.
Corollary 2.2.2 (ZeroCost Attack).
if and there exists such that , then the net cost of a single doublespend attack is zero, and it is always profitable to attack a transaction of nonzero value.
Proof.
Substitute and into Theorem 2.2. ∎
This corollary implies that, for blockchains for which the hashrate marketplace is very liquid relative to the total amount of work done on the chain, and for which the price does not change upon news of attack, every transaction is susceptible to a doublespend attack no matter the escrow period.
3 The Retaliation Game
Going forward, we make the assumption that at least one of or (for all ) is nonzero, such that we have a (possibly small) positive cost of attack, and we denote this cost of attack as . Our main result is to establish that the possibility of retaliation can amplify this cost of attack until it is no longer profitable in any circumstance (e.g., under any valid , and ).
In the Retaliation game, we allow a victim who has been doublespent to counterattack. Just as the attacker might rent sufficient hashpower to conduct a doublespend from a hashrate marketplace, a victim might rent from the same marketplace at the same cost to retrieve its property. In this way, the interaction between the attacker and the victim takes the shape of a War of Attrition, in which two players compete for a fixed prize by opting to attack each other in turns, where each time they attack this incurs an additional cost.
Our results crucially rely on the net profit of each successive attack (value of cryptocurrency gained minus cost of attack) falling for at least one of the players, so that it eventually becomes unprofitable to counterattack one more time. This ensures an end to the game because at that point it will be more damaging for a player to counterattack than to quit. We think this is a mild assumption, as it can be achieved in a number of ways. For example, it can arise by assuming that each attack weakens the value of the underlying cryptocurrency, while the cost of attack remains relatively constant. Decreasing profit could also arise if the value of the cryptocurrency stays relatively constant but the cost of attacking increases over time (e.g. because a player’s cost of capital rises as the player borrows more capital to finance the escalating counterattacks).
3.1 The MultiRound DoubleSpending Model
See Figure 1 for an extensiveform description of this multiround, doublespending game with retaliation (the Retaliation game).
We need a small amount of new notation. We consider two players, an (A)ttacker and a (D)efender. As explained above, we adopt to denote the net cost, in dollars, of conducting a single, doublespend attack. This is the net cost of an attack on the network by the attacker as well as the net cost of an attack on the network by the victim, who can choose to launch a retaliation attack.^{9}^{9}9The initial attack, due to the escrow period, typically will require a larger reorg than each successive attack, which merely needs to surpass the previouslyovertaking chain. For simplicity, we keep constant throughout, though this asymmetry is an additional, initial advantage to the defender. We continue to use to denote the value, in dollars, of the transaction that is in conflict. Attacker
has the initial option to attack. Thereafter, players alternate choosing whether to (f)ight or (q)uit, with q ending the game and leaving the opponent with the reward. The game can, in principle, continue indefinitely. We refer to each moment at which one of the two players has the option to fight or quit as a
time period, with making the first decision at time . We refer to a round as a play of followed by a play of .^{10}^{10}10The game could be made more complete by including strategic miners who take a loss when reorgs are revealed and their mining rewards taken from them. This could provide an additional initial asymmetry in favor of the defender, but for simplicity we consider that all miners besides and follow the heaviest chain rule.We assume the net profit from each successive attack falls until at some point it becomes negative for at least one of the players. For concreteness, we do this through the following two specific assumptions (but as discussed above, there are other reasons why the net cost of attack can fall):

The value of the underlying cryptocurrency decreases with the number of attacks (including counterattacks), making the reward worth after total completed attacks, where makes the first move at , , and is a function that is monotonically decreasing in the number of time periods . For example, we could have , for , referring to the earlier use of to model the multiplicative price decrease of the cryptocurrency after a successful attack. Here, would mean the price decreases by 10% of its contemporaneous value after each attack. Alternatively, we could have for , which would take value for all . Here, would mean the price decreases by 10% of the preattack value after each successive attack.

The net cost of attack, , remains constant even as the underlying price of the cryptocurrency falls. Note it is not crucial that that remains constant. If is decreasing, merely needs to decrease more slowly than (or could increase); we assume it remains constant for notational convenience.
In addition, we assume that quitting is free for , but costs reputation cost for . To motivate this, we imagine a typical defender to be an exchange with a public reputation to lose, whereas a typical attacker is anonymous. If an exchange is attacked, customers may be less likely to use the exchange in the future. This introduces an asymmetry into the model. We discuss the assumptions of the model in more detail in Section 3.3.
3.2 Equilibrium Analysis
The strategy of a player defines, for each possible history at which it has an action to choose, the probability with which to fight. A complete strategy profile can be written as , with the probability of fight by if time period is even, and the probability of fight by otherwise. Since each step in this sequence counts a “halfround”, the round number .
We define the breakeven time , for each player and , as the first point in time at which quitting is weakly more profitable than continuing.^{11}^{11}11The analysis follows some aspects of the analysis of the Volunteers Dilemma [Weesie]. In both cases, we have decreasing , a benefit, and a cost. The principal difference is that in our model just having one actor pay the cost does not make the benefit free for the other actor. This property makes our game similar to the War of Attrition, in which both players pay the cost of escalating the game. These breakeven times are continuous quantities, and delineate distinct ranges of time steps that play a role in the theoretical analysis.
For the attacker, satisfies
(4) 
so we have . For the defender, satisfies
(5) 
so we have .
Due to our restrictions on to be nonnegative, if then is undefined, and it is always profitable for to fight. Since is guaranteed to be finite, will surely quit at , and there is no chance of an infinite game.
Suppose without loss of generality that player has , where denotes the other player. Now we recognize that player only needs to consider time steps with . If , player is sure to choose quit, and the game will end. Opponent similarly needs only to consider turns in which the time step satisfies . For this reason, it is without loss of generality to consider a finite strategy profile, defining all actions until one step beyond . Beyond this point, quit is a dominant strategy for at least one of the two players, ending the game surely.
We now provide the main theoretical result, which states that a nonfighting strategy profile is a SPE of the Retaliation game. The proof makes use of the onedeviation principle, i.e., that a strategy profile is a SPE in a finite, extensiveform game, if and only if there is no profitable single deviation. Our game has an equivalent, finite form, because of time , beyond which quit is a dominant strategy for at least one of the two players, which ends the game at that time.
In the following, it will be convenient to let
denote the largest odd integer less than or equal to
, and denote the largest even integer less than or equal to . In particular, denotes the last time step at which has a profitable move and denotes the last time step at which has a profitable move.Theorem 3.1 (Noattack equilibrium).
In the Retaliation game, if the defender is last to have a profitable move, then the following strategy profile is a subgame perfect equilibrium:
(6) 
Proof.
Recall in the following that and play on even and odd turns, respectively. Formally, is last to have a profitable move if .
We proceed by case analysis:
(Odd time step , to play). Following the SPE, ’s utility will be since the SPE necessitates . If deviates and plays , the expected utility will be by assumption that and the definition of . Therefore has no incentive to deviate.
(Odd time step , to play). Similarly, by definition of , we see that reduces utility compared with .
(Even time step , to play). Deviating from the SPE and selecting leads to negative utility in every case while leads to 0 utility.
(Even time step , to play). Since we assumed , , thus by the SPE. Given this, has no chance of winning in this round and therefore ’s utility will be if , with utility if . No deviation is profitable here.
∎
As long as is the last to have a profitable move, then the equilibrium is for to play ‘never fight’ () and to play ‘always fight’ (). The effect of this is a noattack equilibrium, because does not attack when given the chance, and does not need to counterattack. The main idea is that after a point in time, , it will no longer be in ’s interest to fight because the cost of an attack will be higher than the best possible benefit, while quitting will net zero utility. Meanwhile, has the last profitable move, and is still willing to fight at least in the next turn after . Based on this, in every turn in which it may be profitable for the attacker to fight, the defender is sure to fight back, making it best for the attacker to immediately quit.
We provide a sufficient condition for to be last to have a profitable move, and for this noattack equilibrium. From the asymmetry provided by reputation cost , we know that has a worse quitting outcome than , and that , for holdout times and . The holdout times are continuous, and we need the difference to be large enough to imply . We establish a safety condition on reputation cost for the special case of a linear effect of attack on the value of the cryptocurrency.
Theorem 3.2 (Reputation safety condition).
In the Retaliation game, given of the form , with , then
(7) 
is sufficient for the noattack equilibrium.
Proof.
Concretely, having the last profitable move is equal to condition . This is always satisfied when , since applying the odd function to both sides of this inequality gives us . It can be shown that , thus showing .
We now derive an equivalent condition for involving . Substituting the definitions of and , we seek such that . Applying the monotonically decreasing function to both sides of the inequality, and thus reversing the inequality, we have . Rearranging, this leads to
(8) 
We have and . We have (otherwise the game would never start). We have that is defined and nonnegative for positive arguments , and is positive for nonnegative arguments, so .
Given , with , we have . Note we only consider these two functions on their valid domains in the following argument.
Lemma 3.3.
Given with ,
Proof.
Suppose for the purpose of contradiction we have . Applying the definition of to the inequality, we have . Simplifying, we have . This is a contradiction. ∎
∎
As an example, if and , is sure to win if ’s loss of reputation from being successfully doublespent is greater than .
3.3 Modeling Assumptions
In this section we will further discuss the specific modeling assumptions we make.
3.3.1 The net profit of each successive attack falls
The net profit of an attack has two parts: net cost of attack, that is the price of renting sufficient hashrate minus the mining rewards earned, and benefit from attack, that is the value of the transaction stolen. For concreteness, we have achieved this assumption by assuming that (1) the price of the asset weakens as attacks increase, and (2) that cost of attack stays constant. However, the model would work equally well assuming, for example, that the price remains constant and the cost of attack increases over time. Here we discuss some explanations for these possible assumptions.
Every doublespend attack further weakens the value of the underlying asset. This is a widelyheld assumption, and one formally incorporated into at least one of the models put forward in each of Budish (2018) [Budish], Auer (2019) [Auer], and Hasu et al. (2019) [Hasu].^{12}^{12}12An industry commentator has also stated, “A successful 51% attack is likely to have a very negative effect on the market value of a cryptocurrency” [ConsensysCentralization]. That this assumption is so common is perhaps surprising given that, for the few doublespend attacks that have been observed (see Table 1), the price has not always been significantly affected and has not always gone down. The attack on BTG in May 2018 was followed by a decline in price, while the attack on LCC in July 2019 was followed by a relatively stable price, and the attack on BTG in Jan 2020 was followed by a rise in price.
Constant net cost of attack across rounds. We assume that the net cost of attack, , remains constant even as the underlying price of the cryptocurrency falls. In fact, the proof of Theorem 3.1 only requires that the net cost decreases more slowly than the decrease in the value of the cryptocurrency, . This assumption can be justified by recognizing that an attack is likely to throw the mining hashrate market out of equilibrium, keeping price higher than its equilibrium value because mining operators have fixed costs, electricity contracts, and other frictions that can prevent them from acting quickly.
3.3.2 Defender has a higher penalty to losing than the Attacker.
We need this assumption, which encapsulates an asymmetry between the attacker and victim. Businesses such as exchanges, which are typical targets for attack, have large footprints. Since doublespends become public information (see Table 1) and the cryptocurrency addresses of prominent groups are often widely known, if the wallet of a known entity is doublespent, the public would know about this. ’s future customers may be more likely to engage in doublespend attacks against as a result, and others may be less likely to bring their business to the exchange. For these reasons, it is reasonable to assume that ’s value of losing is , for some reputation cost , while cybercriminals who mount doublespend attacks remain anonymous, presumably for fear of prosecution.
4 Empirical Investigation
No hashratedriven doublespend attacks are known to have occurred against Bitcoin or Ethereum since 2015.^{13}^{13}13In 2013, a doublespend attack was successfully executed against Bitcoin. However, the fork was due to a bug in the software that caused the network to split and follow different forks, not because the attacker acquired a majority of the hashpower [BIP50, doublespendbitcointalk] This is despite the existence of many large transactions that would appear profitable to doublespend if enough hashrate could be acquired (see Figure 5, Figure 5, and Table 3). One reason for this might be that the transactions are between trusted parties (or are actually sent between two wallets owned by the same party) who have a relationship outside the blockchain.
Despite the lack of attacks, mining pool concentration has caused concern in the Bitcoin and Ethereum communities. As of February 2020, the total Bitcoin hashrate was about SHA256 hashes per second, and four mining pool operators controlled a majority of the hashrate on the Bitcoin network, while two pools controlled a majority of the hashrate on the Ethereum network (see Table 2) [BitcoinDifficulty, BitcoinPoolCentralization, TopETHMiners]. One implication of this is that Bitcoin and Ethereum may themselves be vulnerable to majority attacks if mining pools collude. Indeed, when a hacker exploited a software security vulnerability to steal $40M worth of Bitcoin from Binance (a large exchange) in May 2019, the Binance CEO considered (but ultimately abandoned) the idea of recruiting large mining pool operators to doublespend the stolen Bitcoin back to the company [CZReorg].
It should be noted, however, that the operators of mining pools do not always directly control the mining hardware within the pool. Individual miners could leave a pool upon noticing it is participating in an attack. Indeed, in 2014 a Bitcoin mining pool, Ghash.io, obtained more than 51% of the total Bitcoin hashrate. In response, users threatened to leave the pool, leading Ghash.io to commit to never obtaining more than 40% of the Bitcoin hashrate [ghash]. As emphasised in [Hasu], miners may have a longterm stake in a particular chain remaining attackfree.
However, a second implication of the small number of pools is that smaller chains such as Bitcoin Cash (BCH) and Ethereum Classic (ETC) should be vulnerable to attack because they use the same PoW algorithms as chains with a much larger amount of hashrate. In fact, ETC was successfully attacked a dozen times in Jan 2019 [ETCAttacked]. As of February 2020, the Bitcoin Cash network computed about hashes per second [BCHDifficulty]. This means that if one of the larger Bitcoin mining pools was to redirect its hashrate (about 16% of the total, see Table 2) towards mining Bitcoin Cash, as it could without significant modification due to a shared hash function, it would provide over triple the entire Bitcoin Cash hashrate. Indeed, several chains have been attacked. This is also likely due to the greater relative availability of their hashrate on marketplaces like Nicehash [crypto51].
4.1 Observed Attacks
A list of known doublespend attacks appear in Table 1, including attacks on the BTG, VTC, LCC and EXP chains that were recently discovered through the Reorg Tracker system [BTGAttacked], a tool that logs reorgs and makes the data publicly available. The Reorg Tracker has, between July 2019 and February 2020, monitored 20 PoW chains chosen based on their perceived susceptibility to hashrate rental attacks as well as their market capitalization.^{14}^{14}14BCH, BSV, BTC, BTG, CLO, DBIX, DOGE, ETC, ETH, EXP, IMG, LCC, LTC, MONA, PAC, PIRL, VTC, ZCL, ZEC, and ZEL Most reorgs are nonmalicious and do not contain any double spends (we call these random reorgs). They are typically naturallyoccurring, lowdepth (1 or 2 block) reorgs that happen when different miners find a block at the same height around the same time. The difference between random reorgs (shallow and frequent) and doublespends (deep and rare) is exemplified in Figure 3 and Figure 3. The Reorg Tracker has observed a total of 18 doublespend attacks on four cryptocurrencies during this time, and as of Feb 2020, four of these attacks on Bitcoin Gold appear to be counterattacks. We now report on the doublespend attacks known publicly.
By far the largest known group of doublespend attacks (totaling over $17 million) occurred on the Bitcoin Gold (BTG) network between May 16 2018 and May 19 2018 [BTGVergeAttacked]. On May 18, the BTG Director of Communications advised exchanges to “increase confirmations and carefully review large deposits” [btg_iskra]. One week later, on May 24, the BTG team put out a proposal [btg_iskra_responding] to do a hardfork (preserve user balances but update the blockchain software in a nonbackwardcompatible way) to a new hash function, in hope of preventing further doublespends by attackers who could accumulate hashpower of the old hash function. The update was successfully implemented but BTG was still not safe.
In late January 2020, the Reorg Tracker observed two reorgs totalling about $70,000 on Bitcoin Gold (BTG), each about 15 blocks deep. This was larger than the the contemporaneous 12block BTG withdrawal requirement on Binance, which Binance increased to 20 blocks after the attack [BTGAttacked]. In early February 2020, the Reorg Tracker also observed preliminary evidence of retaliations to doublespend attacks on Bitcoin Gold.
As of mid February 2020, preliminary evidence from the Reorg Tracker showed eight reorgs totalling about $120,000 on Bitcoin Gold (BTG), some of which appeared to be counterattacks. These appear to include three separate instances of a retaliation game, one of length four (attack, counterattack, and two further moves) and two of length two (attack and counterattack). The identities of the participants are not known.
Beyond BTG, six doublespend attacks were on Litecoin Cash (LCC) [LCCAttacked]. These comprised a series of six deep reorgs between depth 40100 over four days. These reorgs were far outside the norm of the frequent random reorgs which occur due to network latency issues and are depth 1 or 2, see Figure 3. All the original transactions were made to the same address and the double spend transactions redirected to a single different address, indicating one attacker and one victim.
One doublespend attack observed by the Reorg Tracker was on the Expanse (EXP) network [EXPAttacked]. The victim account in this case is linked to a wallet with about 90% of the total EXP supply, suggesting the victim is an exchange, likely Bittrex or Upbit, which host most of the EXP trading.
Figures 3 and 3 depict the reorgdepth of doublespends and random reorgs as observed by the Reorg Tracker on Litecoin Cash (LCC) and Expanse (EXP), respectively. Red dots represent the doublespend attacks, with the yaxis recording the number of blocks removed from the chain during an attack. Blue dots represent naturallyoccurring, lowdepth (1 or 2 block) reorgs that happen when different miners find a block at the same height around the same time.
The total amount stolen by way of doublespend attacks is far less than the amount estimated to have been stolen by hacking methods involving thefts of private keys, or ransomware for example. The Wall Street Journal, for example, reported that over $1.5 billion USD in cryptocurrency has been stolen between 2014 and 2018 in over 56 prominent attacks [wsjautonomous]. In contrast to doublespend attacks, stolenkey or ransomware attacks do not require subverting an existing financial transfer between the attacker and victim to succeed. We do not consider these types of attacks here because we seek to investigate the security of the underlying PoW system, not of the software stack it runs on. We are not aware of any other incentive attacks in the underlying PoW systems that enable theft of cryptocurrencies.
Coin  Date(s)  Victim  Attacks  USD  Source 

BTG  02.08.20  02.11.20  Unknown  8  RT  
BTG  01.23.20  1.24.20  Unknown  2  RT [BTGAttacked]  
VTC  12.01.19  Unknown  1  RT [VTCAttacked]  
EXP  07.29.19  Unknown  1  RT [EXPAttacked]  
LCC  07.04.19  07.07.19  Unknown  6  RT [LCCAttacked]  
ETC  01.05.19  01.08.19  Bitrue  12  [ETCAttacked]  
BTG  05.16.18  Bittrex  ?  [BTGVergeAttacked]  
VTC  10.12.18  10.18.18  Unknown  ?  [VTCAttacked]  
Zencash  06.02.18  Unknown  ?  [ZencashAttacked] 
5 Discussion
Both doublespend attacks and counterattacks are technically difficult to implement.
Perhaps a reason that we have seen relatively few doublespend attacks is that they are technically cumbersome to execute. The Nicehash marketplace has a difficult user interface to understand. Furthermore, conducting a doublespend likely requires custom mining pool software, as every existing mining pool is likely to be following the honest protocol. Counterattacking, as Bonneau [Bonneau] wrote, is an even more challenging task because all of this technical work must be prepared ahead of time and set to activate automatically upon the detection of a deep reorg. This may explain why we have only begun to observed counterattacks in the empirical evidence. However, as the market matures (e.g. as new marketplaces like Honey Lemon [honeylemon], a cloudmining market aggregator, come online) we expect these tasks to become easier.
External trust enables parties to make large transactions without the risk of doublespending.
It is possible that transactions larger than the safety limit (Corollary 2.2.1) only occur between parties who have reasons to trust each other. As an example, most exchanges require their customers to disclose their legal identities and tax ID numbers, especially for significant deposits or withdrawals (see [KYC] for an analysis of the information that exchanges collect on their customers). The threat of legal action by the victim (exchange) against the attacker (doublespending customer) likely incentivizes nonattack in this case.
Market impact, , is high for Bitcoin and Ethereum, protecting them from double spends, and low for other chains.
As of Febuary 2020, NiceHash only has enough SHA256 hashrate for sale (500 PH/s) to match about 0.5% of Bitcoin’s total SHA256 hashrate (100,000 PH/s), and only had enough EthHash for sale (3TH/s) to match 2% of Ethereum’s total Ethhash (150TH/s) [crypto51]. So, at the moment, it is not possible to rent sufficient hashrate on NiceHash to attack these networks. However, as the markets mature, we expect to see more liquidity on them. Meanwhile, there are networks such as Expanse for which 70x of its total hashrate is regularly available for purchase on NiceHash [NiceHash]. Indeed, the less hashrate a chain has, and the more common the ability to produce that hashrate, the more likely it is that a hashrate marketplace will form with sufficient volume that a cheap doublespend is possible.
6 Conclusion
In this work, we have shown that the lowcost of a single doublespend attack can be amplified by the threat of retaliation, inducing a noattack equilibrium. We first modified the economic analysis developed by Budish [Budish], obtaining a similar conclusion as that drawn in this paper, namely that doublespending attacks can be relatively cheap, and in our analysis, even free under certain conditions. We then proposed a defense to such attacks, showing how a small cost of attack can be amplified greatly if the victim has the same capabilities as the attacker, and can counterattack the double spend.
We have also reported on a number of doublespend attacks that have been empirically observed. This empirical evidence suggests that attacks on some chains are in fact quite cheap, as some were done for almost no gain. We have only begun to see any evidence of the counterattack defense, but as the markets for hashrate power continue to mature, we expect sophisticated actors to increase their readiness to defend themselves in the case of a doublespend attack.
We close the paper with a discussion of some future directions for research. First, the disincentives for mining operators to launch doublespend attacks, coming from ownership of specialized equipment and cryptocurrency, could come under threat in the presence of a liquid derivatives market. A mining operator can have a legitimate reason to hedge a highly exposed position through taking a short position. But the larger the short position, the greater the operator’s incentive to attack the network despite being invested. Liquid derivatives markets are an explicit goal of Ethereum’s “decentralized finance” (DeFi) movement, and there are significant Bitcoin lenders such as Genesis [genesis] and Bitcoin derivatives markets such as BitMex [bitmex].
Second, a single attacker (or cartel of attackers) could doublespend several victims at once. This seems to provide a new advantage for the attacker, because the attacker would have more at stake than each individual victim, and thus more to lose by quitting in the War of Attrition (whereas before, the single victim had more to lose). For this reason, it may be useful to study the possibility that multiple victims could coordinate to defend against a single attacker, in addition to the possibility that bystander miners may behave strategically to protect their mining rewards.
We have shown that considering a new kind of behavior in the context of doublespend attacks can give a novel outcome. We anticipate that broader viewpoints in modeling the behavior of agents in the context of other blockchain attacks can similarly lead to new insights.
Acknowledgments
The authors would like to thank James P. Lovejoy, Eric Budish, Jacob Leshno, Mark Nesbitt, Jonathan Zittrain, James Mickens, Yiling Chen, Tadge Dryja, Nic Carter, and David Vorick for helpful discussions. This work is supported by two generous gifts to the Center for Research on Computation and Society at Harvard University, funders of the MIT Digital Currency Initiative, and NSF grant NSF CCF1509178. The first author was supported in part by the Ethereum Foundation.
Appendix A Mining Pool Concentration
Table 2 shows the percent of total hashrate owned by the top mining pools on Bitcoin and Ethereum as of February 2020. Note that just a few such pools collectively own over 50% of the hashrate in both Bitcoin and in Ethereum.
BTC  ETH  

Pool Name  Share  Pool Name  Share 
BTC.com  16.4%  Spark Pool  32.8% 
F2Pool  13.9%  Ethermine  21.0% 
Poolin  12.9%  F2Pool  11.1% 
AntPool  11.8%  NanoPool  7.9% 
SlushPool  7.2%  Zhizhu.top  4.1% 
Total  62.2%  Total  76.9% 
Appendix B Large Bitcoin and Ethereum Transactions
Figures 5 and 5 show the distribution of Bitcoin and Ethereum transaction sizes, respectively, from Jan 2018  June 2019. These plots were generated using data acquired by querying the Google BigQuery database that contains fullchain data on both Bitcoin and Ethereum (see Day and Medvedev (2018) [Day]). Estimating the transaction size in Bitcoin is challenging because of Bitcoin’s UTXO model. For each transaction, the quantity plotted is the value of the smallest output, making this a conservative estimate of the value of a transaction. See Table 3 for the largest Bitcoin transactions recorded as of September 2019.
Block  Date  BTC (K)  USD (B)  Fee 

578328  05.29.19  157.46  1.37  107 
578327  05.29.19  144.08  1.25  19 
576358  05.16.19  122.80  1.00  11 
593467  09.06.19  94.50  1.02  700 
577462  05.23.19  121.80  0.93  10 
499773  12.17.17  48.50  0.89  15 
503030  01.07.18  51.04  0.85  227 
498970  12.12.17  48.50  0.80  178 
574898  05.06.19  125.80  0.73  9 
575024  05.07.19  124.30  0.72  9 
Comments
There are no comments yet.