Log In Sign Up

Hopping-Proof and Fee-Free Pooled Mining in Blockchain

The pool-hopping attack casts down the expected profits of both the mining pool and honest miners in Blockchain. The mainstream countermeasures, namely PPS (pay-per-share) and PPLNS (pay-per-last-N-share), can hedge pool hopping, but pose a risk to the pool as well as the cost to miners. In this study, we apply the zero-determinant (ZD) theory to design a novel pooled mining which offers an incentive mechanism for motivating non-memorial and memorial evolutionary miners not to switch in pools strategically. In short, our hopping-proof pooled mining has three unique features: 1) fee-free. No fee is charged if the miner does not hop. 2) wide applicability. It can be employed in both prepaid and postpaid mechanisms. 3) fairness. Even the pool can dominate the game with any miner, he has to cooperate when the miner does not hop among pools. The fairness of our scheme makes it have long-term sustainability. To the best of our knowledge, we are the first to propose a hopping-proof pooled mining with the above three natures simultaneously. Both theoretical and experimental analyses demonstrate the effectiveness of our scheme.


RPPLNS: Pay-per-last-N-shares with a Randomised Twist

"Pay-per-last-N-shares" (PPLNS) is one of the most common payout strateg...

On Reward Sharing in Blockchain Mining Pools

This paper proposes a conceptual framework for the analysis of reward sh...

Do the Rich Get Richer? Fairness Analysis for Blockchain Incentives

Proof-of-Work (PoW) is the most widely adopted incentive model in curren...

Equilibrium of Blockchain Miners with Dynamic Asset Allocation

We model and analyze blockchain miners who seek to maximize the compound...

Better Together? How Externalities of Size Complicate Notions of Solidarity and Actuarial Fairness

Consider a cost-sharing game with players of different contribution to t...

Modeling Coordinated vs. P2P Mining: An Analysis of Inefficiency and Inequality in Proof-of-Work Blockchains

We study efficiency in a proof-of-work blockchain with non-zero latencie...

Off-Chain Micropayment Pool for High-ThroughputBandwidth Sharing Rewards

This paper presents a layer-2 micropayment pool design which supports hi...

1 Introduction

Blockchain is the underlying fabric of mainstream cryptocurrency systems such as Bitcoin [11] and Ethereum [19]. These cryptocurrencies have obtained a phenomenal success, recognized as the wave of future[12] with a total market capitalization around 179.6B dollars at present. To realize a distributed and trustable consensus, a data structure called blockchain111In this paper, we use Blockchain to denote the technology while blockchain to indicate a chain of blocks. is introduced in Blockchain system. It is a public ledger including a sequence of chained blocks, with each recording a set of digital transactions. Since anyone can participate in creating and verifying blocks, Blockchain system is open, leading to its vulnerability.

To deter attacks incurred by the openness of Blockchain system which essentially originates from its decentralized nature, a Proof-of-Work (PoW)[11] mechanism is employed, which allows network participants, i.e., miners, can approve new transactions only after mining a block successfully, implying that they need to solve cryptographic puzzles in the form of a hash computation with success. PoW undoubtedly increases the cost of malicious behavior, making many security attacks such as Sybil attack financially unaffordable. This is because 1) mining is actually a race where only the winner who solves the PoW task first can verify digital transactions, which needs a sufficient amount of computational power; 2) solving cryptographic puzzles is a probabilistic process, implying that no one would win the race with certainty even though it is computationally powerful.

In return for mining blocks successfully, miners are rewarded in proportion to the computational powers they invested. However, due to significant computational resources needed and probabilistic factors involved in the mining process, a solo miner has low expected revenue as well as volatility in the reward. For example, Bitcoin system now sets the difficulty of mining such that one block is generated every 10 minutes. Hence, a solo miner often has to wait 687 days in expectation to mine a block [8].

To tackle the above issue, solo miners join coalitions in the form of mining pools

, gathering their computational powers to seek the solution of PoW puzzles and sharing the rewards proportionally to their contributions. This undoubtedly increases the chance of solving cryptographic puzzles successfully and makes the mining process more predictable. Hence, pooled mining can benefit miners from high payoffs and low variance in rewards. At present, nearly 80% of the computing power in Bitcoin and 60% of that in Ethereum belong to less than 8 and 3 mining pools, respectively.

The dominant position of pooled mining leads it to become a valuable target to be attacked. Many pools have an open trait, allowing any miner to join them through public Internet interfaces[5], which makes matters worse. Such a nature of openness makes pooled mining susceptible to attacks. There are mainly three kinds of security attacks in pooled mining: the selfish mining attack [16, 15, 21], the block withholding attack [1, 5, 6] and the pool-hopping attack [14]. The first two attacks can be well solved through the state-of-the-art approaches [15, 21, 10, 1, 6], and hence, we focus on the last one.

The pool-hopping attack was first proposed by Rosenfeld[14], in which the malicious miners strategically switch among the pools to obtain a higher payoff. This attack is cost-efficient and straightforward because of no more extra operations (e.g., keeping the block secret, dropping full proof of work or forking) needed. Studies have proved that the miner has no incentive to stay in a pool without pool hopping or redistributing the computing power[8, 10, 1]. This kind of greedy and opportunistic manner definitely casts down the mining power of a pool, resulting in its declined expected revenue. In addition, the pool-hopping attack also jeopardizes the interests of honest miners, who join in a pool continuously without switching to other pools. According to [14], the honest miners in the attacked pool will receive 43% less payoff in the worst-case theoretically, which is unfair for them.

However, little research has studied the pool-hopping attack. PPS and PPLNS [14] are pioneer countermeasures. Considering that the unbalanced distribution of reward over time makes room for miners’ strategic hopping, the key idea of PPS and PPLNS is reducing the variance of reward in time series. Typically, in a PPS pool, a miner will be rewarded as long as she222In this paper, we denote the pool as “he” and the miner as “she” for easy differentiation. submits a share (her contribution) to the pool, regardless of whether a block is mined successfully or not. PPLNS, one of the most prevailing reward mechanisms[2], drops the concept of “round”, focusing on shares submitted to the pool recently and distributing rewards according to the shares in proportion.

Essentially, the difference between PPS and PPLNS lies in that the former is driven by events while the latter is triggered by time. In detail, PPS rewards a miner once the event of receiving her share happens; PPLNS evaluates whether a miner should be awarded when the paying time arrives. The common feature of PPS and PPLNS is that they pay miners proportionally to their contribution, regardless of whether a block is mined successfully or not. Due to the uncertainty of mining results, the pool takes the full risk when no block is mined. Therefore, both PPS and PPLNS charge miners some fees to alleviate such a risk, which is critical to both of the pool and its members. The higher the fee, the higher the cost of the miner joining in the pool, and the smaller the motivation to mine and vice versa.

In a nutshell, the mainstream countermeasures to the pool-hopping attack, namely PPS and PPLNS, pose a risk to the pool as well as the cost to miners. Therefore, we propose a hopping-proof pooled mining with free fee in this paper, which can hedge pool hopping without any fee charged if the miner does not switch in pools strategically. The proposed pooled mining strategy has a wide scope of application since it can be employed in both prepaid and postpaid mechanisms. The former rewards once share is submitted, no matter whether there is a success mining or not; the latter awards only when the full cryptographic puzzle is solved.

It is challenging to realize the hopping-proof pooled mining without fee charged. The reasons behind the fact are: a) the strategic transferring among different pools is the instinctive demand of a miner. Especially when no fee is charged, costless hopping easily arouses miners to switch among pools; b) in the postpaid mode, mining risk is completely transferred from the pool to miners. In this situation, it is non-trivial to motivate miners to still work without hopping.

To tackle these challenges, we take advantage of the zero-determinant (ZD) theory to design an incentive mechanism for pooled mining, where cooperation (i.e., mining without hopping) is the dominant strategy of a rational miner in all situations. The ZD theory was first developed in [13] by Press and Dyson, in which the player who adopts the ZD strategy (i.e., the ZD adopter) can unilaterally set its adversary’s utility no matter what strategy the adversary takes. The power of the ZD strategy endows the pool to dominate the game with any miner, rewarding her cooperation and punishing the defection, to lure the cooperation of the miner.

The main contributions of this paper can be summarized as follows:

  • The interaction between the pool and any miner is formulated as an iterated prisoner’s dilemma (IPD) game and the corresponding conditions are also identified. The generality of our model empowers the proposed pooled mining to have a wide scope of application, implying that it is suitable to both prepaid and postpaid mechanisms. When applied in a postpaid mechanism, the proposed pooled mining can incentivize miners to work without hopping while keeping the pool away from the risk of no block mined successfully.

  • We investigate in detail whether the pool can be a ZD adopter and how he plays the ZD strategy. We draw a conclusion that the pool can unilaterally control the miner’s payoff rather than his own one. The specific expected payoff of a miner that the pool can set is characterized.

  • An incentive mechanism based on the ZD theory is proposed for motivating the non-memorial and memorial evolutionary miners to work without hopping. Specifically, the proposed mechanism empowers the pool to encourage the miner to behave cooperatively by increasing her short-term payoff without any additional payment in the long run.

  • Both theoretical and experimental analyses demonstrate the effectiveness of the proposed incentive mechanism. More importantly, we find the proposed pooled mining is fair, implying that even the pool can dominate the game with any miner, he has to cooperate when the miner works collaboratively. The fairness of our scheme makes it have long-term sustainability.

The rest of the paper is organized as follows. Section 2 describes the formulation of our problem. The ZD strategy for the pool in an iterated prisoner’s game is deduced in Section 3. Based on which, we propose an incentive mechanism in light of the ZD theory in Section 4. We evaluate the mechanism both theoretically in Section 5 and experimentally in Section 6. The related literatures are listed in Section 7. Section 8 concludes our paper finally.

2 Game Formulation

In this section, we introduce our game model to formulate the interaction between the pool and the miner. Generally, we define the strategy space of each player as a dichotomous space, namely cooperation () and defection (). In the PoW mining scenario, the pool is considered as a cooperator if he decides to pay the highest payoff to the miner; otherwise, he is regarded as a defector. On the other hand, the miner can devote herself wholeheartedly to the current pool by providing her total computational power to the pool without hopping, defined as cooperation, or contribute herself halfheartedly through offering partial computing ability or switching to other pools strategically, denoted by defection. We denote the actions of the pool and the miner as , respectively. Therefore, there are four possibilities of states in each round between the pool and the miner, i.e., , where and denote the state of the pool and that of the miner, respectively. It is worth to note that the terminal of a mining round mentioned in our model can be defined as the time a block is mined successfully or the paying time similar to that in PPLNS. Hence, the proposed scheme can be applied in both prepaid and postpaid mechanisms.

Each state will correspond to specific payoffs for both players, which can be derived as follows:

  • if both the pool and the miner are collaborative with the pool providing the highest payoff and the miner offering her entire computing power to the current pool, the payoffs of them are represented as and , respectively;

  • when the miner defects while the pool cooperates, the miner will get an increase of based on her original payoff , while the pool may obtain a decrease of on ;

  • in the case that the defective pool plays against a cooperative miner, the payoff of the pool increases by , while the miner receives a loss of ;

  • when both players behave maliciously, the payoffs of the pool and the miner are and , respectively.

Subsequently, the payoff vectors of the pool, denoted as

, and the miner, denoted as , , can be presented as follows

which are also shown in Table I.

PoolMiner Cooperation Defection
TABLE I: Payoff matrix of the pool and the miner

Next, some insightful theorems are introduced to characterize the game in the following.

Theorem 2.1.

If , a prisoner’s dilemma (PD) game can be modeled to depict the confrontation between the pool and the miner.


To become a PD game, two fundamental conditions should be satisfied. In detail, 1) the stable state occurs when both players defect, i.e., is the Nash equilibrium; 2) mutual cooperation is the best outcome with respect to the social welfare, which means outperforms other states from an overall perspective.

The game between the pool and the miner satisfies the first condition. To be specific, if the miner is friendly, the pool will get a lower payoff as when he cooperates than his payoff of when he defects; besides, if the pool challenges with a malicious miner, the payoff when he defects, i.e., , is also larger than that of his cooperation, i.e., . Thus, as a rational decision maker, the pool will always choose to defect rather than cooperation when facing an adversary with uncertain actions. With similar analysis, we can find the only feasible option for a rational miner is also to behave viciously. Accordingly, both the pool and the miner will select defection as the stable state. Therefore, the Nash equilibrium of this game comes to be

In order to investigate the second condition clearly, we denote the social welfare in each state as and . Thus, we have , , , and . Then the second condition is satisfied when hold. It is obvious that when , the above inequalities can be satisfied. Based on the analyses above, as self-regarding players, the pool and the miner will choose malicious behavior to maximize their payoffs, leading to mutual defection as the stable state in the game consequently. However, the most favorable outcome of the confrontation turns out to be mutual cooperation. Therefore, a PD game is formed when . ∎

Notably, the miner may stay in the current pool for a long time without hopping to others. Hence, in this case, the PD game mentioned above can become an iterated one if some conditions are satisfied, which are summarized in the following theorem.

Theorem 2.2.

If , the confrontation between the pool and the miner can be modeled as an iterated prisoner’s dilemma (IPD) game.


A PD game becomes an iterated one when the payoff of any player’s persistence on cooperation is larger than hopping between cooperation and defection. In other words, the inequalities below should hold


Hence, when and , the game between the pool and the miner can be modeled as an IPD one. ∎

In light of the above analyses, we can find that the miner and the pool may be trapped into the iterated prisoner’s dilemma, where the Nash equilibrium is far away from mutual cooperation, leading to low efficiency and distrust for Blockchain system in the long run. To tackle this problem, we employ the powerful ZD strategy to drive the players to cooperate so as to reach the win-win situation. As introduced in Section 1, the ZD adopter can unilaterally set its adversary’s payoff no matter what strategy the adversary takes.

Aware of such an effective strategy, the pool is attracted to use the ZD strategy to resist a hopping miner. In this case, however, we are facing the following problems: is the pool capable of being a ZD adopter? if yes, how does the ZD strategy work? To address these questions, we conduct the following analyses.

3 ZD Strategy for the Pool

In this section, we examine whether the pool can play the ZD strategy, and if yes, how to achieve that. Firstly, a Markov game is established between the pool and the miner. As mentioned in Section 2, there are four possible game results, i.e., , in each round. We define the pool’s mixed strategy as , where

represents the probability of choosing cooperation in this round based on the previous outcome

. Similarly, when the previous outcome is , or , the probability of the pool to cooperate in this round is , or . Accordingly, the probability of the pool being defective in each round is corresponding to different game results in last round. Comparably, in the cases that the miner chooses to cooperate when or happens previously, her strategy can be denoted as , while the probability of defecting is

With the above-defined strategies of the pool and the miner, the Markov matrix in each round can be derived as follow,

where each element denotes the probability of state transition. For example, if the previous outcome is , combining the cooperation probabilities of the pool and the miner, i.e., and , the probability of in this round is , so do other elements in .

Denote as the stationary vector of matrix , then and , where (

is the identity matrix). According to the Cramer’s rule, the equation

holds, where and represent the adjugate matrix and the determinant of . Subsequently, the equation above indicates that every row of is in proportion to [13]. Thus, if the dot product of with any vector is conducted, the determinate remains unchanged with some elementary column transformation, such as adding the first column to the second and the third columns. Thus, we have,

It is evident that the second column of the above determinant is only related to the pool’s strategy. Based on this, the expected payoffs of the pool () and the miner () can be derived as


Hence, the linear relationship between the pool and the miner’s expected payoffs holds as follows


where are coefficients.

Therefore, if the pool sets his strategy the same as , the determinant in the numerator equals 0, because there exists two identical columns. In this case, , implying that a linear relation is established between the expected payoffs and , where the corresponding strategy is therefore called Zero-Determinant Strategy, denoted as below.

Specifically, when the pool sets (i.e., ), the pool can control the miner’s expected payoff independently as ; while when he exerts his strategy as by setting , he can set his own expected payoff at . The following theorem demonstrates the effectiveness of the ZD strategy adopted by the pool.

Theorem 3.1.

The pool can unilaterally control the miner’s expected payoff as , while he is not able to set his own expected payoff independently.


Firstly, if the pool wants to control his adversary’s expected payoff as by setting , the specific ZD strategy of the pool should satisfy , according to which, we can deduce and with respect to and ,


It is evident that and are meaningful as they belong to Therefore, it is clear that being a ZD player, the pool can set the miner’s expected payoff unilaterally. And the miner’s expected payoff comes to be


As (5) consisting of a weighted average of and with weights and , we can conclude that the expected payoff of the miner can be set in the range of by the pool’s ZD strategy.

Secondly, when it comes to the case that the pool sets his own expected payoff, the ZD adopter’s strategy should meet (). Using and to represent and , we have


And we can use and to describe and as


which indicates and . Under this condition, the pool’s strategy is feasible in only one case, i.e., , resulting in and according to (6). Thus, as a ZD player, the pool cannot control his payoff. ∎

4 Incentive Mechanism based on the ZD Strategy

In this section, we propose a ZD-based incentive mechanism for the pooled mining to hinder pool-hopping attacks. Theorem 3.1 reveals the capability of the pool as a ZD player to set the miner’s expected payoff unilaterally. However, whether the pool can take advantage of such a capability to regulate the miner depends on her strategy. If the miner’s strategy is irrelevant to her payoff, such as all-cooperation (ALLC, ), all-defection (ALLD, ), tit-for-tat (TFT, ), the pool cannot employ the ZD strategy to motivate the cooperative behavior of the miner. Hence, the proposed ZD-based incentive mechanism is suitable for the case that the strategy is laid down by the miner in light of her payoff. Win-stay-lose-shift (WSLS, ) and evolutionary strategies are typical payoff-driven examples.

A WSLS player will keep the same strategy as the previous round in which the outcome is good, that is so called “win-stay”. Otherwise, it will adopt the strategy opposite to the one in the previous round, which is therefore named as “lose-shift”. Hence, WSLS can be regarded as a particular case of the evolutionary strategy. In this work, we take the evolutionary strategy as the representative for further analysis, which can be categorized into two kinds: non-memorial and memorial. We introduce them in detail as follows.

4.1 Evolutionary strategies

The non-memorial evolutionary (E) strategy is featured by the fact that an E player may develop the strategy only based on its expected payoff. Specifically, as a rational player, if the cooperative behavior brings about a higher payoff than the defective one, the E player will choose to collaborate and vice versa. A typical non-memorial evolutionary strategy can be formulated as follow [20],


where denotes the non-memorial E player’s cooperation probability in round based on the pool’s strategy and is a scaling parameter. Besides, and represent the expected payoffs of the miner who acts cooperatively and defectively.

Different from the non-memorial evolutionary strategy, the memorial evolutionary strategy is associated with not only the expected payoff but also its strategy in the previous round, which we call it memory. That is to say, informed of the previous strategy and the expected payoff, the memorial E player may adjust its strategy more rationally.

Inspired by [9], we present the memorial evolutionary strategy as following: if the cooperation probabilities of the pool and the miner are denoted as and in round , then the miner’s cooperation probability in the next round evolves as


where indicates the expected payoff of the miner when she cooperates and implies the expected payoff of the miner in round . Accordingly, and can be calculated by


where is the miner’s expected payoff when she defects.

4.2 ZD incentive mechanism

From equations (8) and (9), it is clear that if the miner obtains more payoff as a cooperative player, her cooperation probability will increase. That is to say, the miner is more likely to devote her computing power entirely to the pool without hopping if such an action brings about a higher payoff. Therefore, as a ZD player, the pool may reward the cooperation of a miner with a higher payoff while punishing her defection with the lower one. Based on this, we propose a ZD-based incentive mechanism for the pool to coerce the miner’s collaborative action, thereby deterring the hopping behavior of the miner, which is detailed in the following.

As shown in Algorithm 1, in the first round, we offer the reward to each miner () proportionally to her contribution to the pool. The historical best computing power is recorded as the initial computation power of each miner , namely (Lines 1-4). In practice, whether a miner behaves cooperatively or defectively can not be deduced without any side information, since it is the private information of the miner. Hence, the pool has to differentiate a collaborate or defective miner based on the observation of the difference of computational powers between two continuous rounds. This requires the pool to record the computation power of any miner at the end of each round (Line 7), so that the pool can obtain the difference of the devoted computational power of miner between round and round , i.e., (Line 8). If , miner is considered to be a cooperative player and vice versa.

When , the miner splits her computing power into other pools333The situation where the miner is unavailable due to some reasons such as lacking of electricity is out of our consideration in this paper., implying she is a pool-hopping attacker. Her payoff is therefore needed to be reduced in order to hinder such an attack. Under this situation, the pool will exert the ZD strategy, setting the attacker’s payoff as the minimum one, i.e., (Lines 9-10). If , the pool provides the same payoff to the miner as that in the last round (Lines 11-12). When , the pool would update if needed (Lines 14-16). Since this case indicates the miner behaves more cooperatively, the pool will increase her payoff as , where and represents a scaling parameter (Line 17-18). It is worth to note that the more increment of computational power relative to is, the higher reward the miner can obtain, which is up to the maximum payoff that the pool can offer, namely .

0:    The total number of iterations, ;The number of miners, ;The initial computation power of miner , ;The minimum and maximum payoffs that the pool can offer, and ;
1:  for  to  do
2:     Calculate the initial reward according to
4:  end for
5:  for  to  do
6:     for  to  do
7:        Update computation power
9:        if  then
10:           Calculate which makes
11:        else if  then
12:            which makes
13:        else if  then
14:           if  then
16:           end if
18:           Calculate which makes
19:        end if
20:     end for
21:  end for
Algorithm 1 The ZD-based incentive mechanism

5 Theoretical Analysis

In this section, we analyze the proposed incentive mechanism theoretically.

Theorem 5.1.

For any non-memorial evolutionary miner who is motivated by the ZD incentive mechanism, it is conceivable that the miner’s cooperation probability will be maximized.


To maximize according to (8), we turn to prove that rises with the increase of game round if the miner is a cooperative one. According to Algorithm 1, if any miner behaves more cooperatively than the previous round, we have


Since keeps raising because of the miner’s collaborative behavior, becomes to one at last, leading equals to consequently. Hence, driven by the proposed ZD incentive mechanism, can evolve to the maximum. ∎

Theorem 5.2.

For any memorial evolutionary miner who is motivated by the ZD incentive mechanism, her cooperation probability tends to 1 gradually.


In light of (9), a memorial evolutionary miner can calculate her cooperation probability according to and , which can be deduced by (10). In practice, we use the cooperative frequencies and to approximate and . Specifically, indicates the number of rounds the pool cooperates divided by the total number of rounds, while denotes that of a miner.

Based on the ZD incentive mechanism, we consider the following two cases, where the miner chooses to cooperate or defect [7].

a) if the miner is considered as cooperative, the pool may reward her, resulting in . In this case, with the increase of and , turns to


Hence, because of .

b) when the miner is regarded as a defective miner, then we have , and the decrease of and will lead to


Comparably, because of .

To sum up, Case a) indicates that increases and remains unchanged and Case b) implies that declines while remains steady. Thus, , such that , holds. Based on this, can be derived as


In light of (14), we can conclude that with the increase of game round . That is to say, the memorial evolutionary miner will gradually increase the cooperation probability to one eventually. ∎

Conclusively, the non-memorial and memorial evolutionary miner will be encouraged to behave cooperatively by the proposed ZD incentive mechanism in the end.

Another essential nature of the proposed incentive mechanism is that it can be employed into the prepaid mechanism as well as the postpaid mechanism, with the former rewards the miner when a share is submitted and the latter defines the terminal of a mining round as the time a block is mined successfully. Noteworthily, the ZD incentive mechanism is free-fee charged for miners in both prepaid and postpaid cases due to their wholehearted devotions. More importantly, in the postpaid mechanism, the proposed incentive mechanism can hinder pool hopping attackers without putting any risk on the pools since our mechanism enables the miners to mine wholeheartedly until a block is generated successfully.

Now that such a powerful strategy the pool can employ, he has an overwhelmingly dominant position compared with the miner, then is the pool capable of getting a higher payoff greedily through defecting when the miner collaborates? We use the following theorem as a response to the above concern.

Theorem 5.3.

When the miner chooses to cooperate, the only rational strategy of the pool who employs the ZD incentive mechanism is to collaborate.


As demonstrated in Theorems 5.1 and 5.2, the miner will choose to contribute her maximum computational power into the pool because of the effectiveness of the proposed ZD incentive mechanism. In this case, the pool will provide the miner with the maximal payoff. Therefore, we will discuss what the ZD strategy is when the pool sets the expected payoff of the miner as the optimal value in the following.

According to Section 3, the miner’s expected payoff can be set as , which belongs to . Due to


and because of as indicated in Theorem 2.2, implying a monotonically increasing relationship between and , . Hence, when , , the pool can maximize the miner’s expected payoff. Furthermore, according to (4), if and are equivalent to 1, the only possible value of is 1 because should lie in to be a probability, so as for . That is to say, the pool can set to maximize the payoff of a miner.

In light of the above analysis, once the miner cooperates, the pool will set his ZD strategy as to maximize a collaborative miner’s expected payoff. That is to say, whenever the miner cooperates, the pool will collaborate subsequently.

In summary, the pool will be collaborative in return if the miner offers her maximum computing power. Thus, the proposed ZD incentive mechanism is fair to both sides, which makes it be long-term sustainable. Such an aim is achieved via controlling the miner’s short-term expected payoff by the pool. Then, what are the players’ actual payoffs over the long run? This question can be answered by the following two theorems.

Theorem 5.4.

In the long run, the miner’s actual payoff equals to based on our proposed ZD incentive mechanism.


a) For a non-memorial evolutionary miner, , such that , can be maximaized. That is to say, when , the expected payoff of the miner is identical to , which is the maximum payoff for a cooperative miner. In light of this, the actual payoff of the miner can be derived as the average of the expected payoff in each round , where and the expected payoff after round . Therefore, can be written as:


b) The actual payoff of a memorial evolutionary miner is


By inspecting Theorem 5.4, the miner will receive the actual payoff as over the long run. Then, is it possible for the pool to own more payoff by greedy behavior? This question can be resolved by the following theorem.

Theorem 5.5.

In the long run, the pool’s actual payoff is equivalent to based on our proposed ZD incentive mechanism.


According to Theorem 5.3, the pool will behave cooperatively to reward a collaborative miner, implying that is the stable state for the game. In such a case, holds according to Table I. ∎

In light of Theorems 5.4 and 5.5, the pool and miner will obtain the actual payoffs as and , respectively. That is to say, neither the pool nor the miner can receive higher reward by noncooperative manner over the long run, which is quite fair for both sides.

6 Performance Evaluation

To testify the effectiveness of the ZD incentive mechanism proposed in Section 4, we conduct experimental simulations in this section. To be specific, we set the payoff vectors of the pool and the miner as and which is a typical example of the prisoner’s dilemma. We also carry out the simulations with other parameter settings and derive the comparable results. So we omit to present those results to avoid redundancy. Note that each simulation is repeated 100 times to get the average value for statistical confidence.

In detail, if the pool is a ZD adopter competing with a miner who employs four classical strategies, i.e., ALLC, ALLD, TFT and WSLS, the miner’s expected payoffs can be set at a fixed value as shown in Fig. 1. Taking the specific ZD strategy of the pool as an example, no matter what strategies the miner employs, her expected payoff will finally become to a constant. That is to say, the adversary’s outcome can be controlled unilaterally by the ZD adopter because of his effective strategy.

As mentioned in Section 4, the classical strategies ALLC, ALLD and TFT are out of our consideration because the strategies are irrelevant to the payoff of the player. Moreover, WSLS is regarded as a special evolutionary strategy. Hence, only the simulations of the evolutionary miners who compete with a ZD pool are included in this work, which are demonstrated as follows.

In our simulation, we assume there are four miners in a pool, whose initial computational powers are respectively 444The cases in which more miners exist in a ZD pool share the same conclusion, so we omit it for reducing repetition.. Setting the original cooperation probabilities (CPs) and , Figs. 2 and 3 respectively show how the CPs of the non-memorial evolutionary miners evolve according to the proposed ZD incentive mechanism when 555 is set to be big enough here so that the maximum cooperation probability of a non-memorial evolutionary player (calculated by (8)), can approach to 1. and .

Through further observation of Figs. 2 and 3, we can conclude that the CPs of the non-memorial evolutionary miners converge to one with different speeds, which is mainly because of different initial computational investments and the scaling parameter . To be specific, a miner with a larger initial computing investment would be more inclined to accelerate the cooperation process due to the higher growth of payoff. Intuitively, a higher brings about a faster convergence speed of the CP according to (8).

Fig. 1: The expected payoffs of the miner when she adopts ALLC, ALLD, TFT, WSLS strategies and the pool employs the ZD strategy.
Fig. 2: The evolutions of the CPs of the non-memorial evolutionary miners when .
Fig. 3: The evolutions of the CPs of the non-memorial evolutionary miners when .
Fig. 4: The evolutions of the CPs of the memorial evolutionary miners.

Fig. 4 plots the CPs of a memorial evolutionary miner driven by the ZD-based incentive mechanism, where the CPs go up to 1 gradually with the initial values as and . In detail, each subfigure shows that the CP of the miner with a small initial input converges slowly compared with other miners, even though they share the same initial cooperation probability. The reason may lie in that the miner with a smaller initial computing investment may get a relatively lower payoff in the beginning, leading a slow growth of the expected payoff. Thus, her CP would rise slower comparably. Moreover, considering the CPs of a miner with the same initial investment but having different initial cooperation probabilities, for example, the blue lines in subfigures (a)-(d), the result is that the higher the initial CP is, the faster it is converged to one, which is mainly caused by the memory we mentioned above in light of (9).

7 Related Work

At present, the researchers mainly focus on three kinds of security attacks in pooled mining: the selfish mining attack, the block withholding (BWH) attack and the pool-hopping attack.

In detail, a selfish mining attacker[4] keeps its mined block secret and intentionally forks the main blockchain. Specifically, the selfish miner mines on its private branch instead of working on the public chain as the honest miners. When the public ledger approaches it’s private chain, the selfish miner advertises its concealed chain to the public, leading to wasting resources of the honest miners on resolving cryptopuzzles which ends up gaining no rewards. Several defense mechanisms have been proposed to block this selfish manner as well as its variants. For example, Saad et al.[15] developed a defense mechanism in the network-wide scope to detect and deter selfish miners; Zhang et al. [21] proposed a backward-compatible mechanism to defend selfish attacks.

The BWH attackers pretend to devote their computational capabilities into the target pool and then obtain payoffs. However, they send only partial proof of work, not full proof of work, resulting in reward reduction to other miners in the pool. This kind of attack was first proposed in [14], after which, Courtois et al.[3] summarized its concept and Eyal modeled the confrontation between the pools as a prisoner’s dilemma in [5]. Specifically, in [5], a Nash equilibrium was established, where the rational pools would attack each other, resulting in a lose-lose situation. Besides, the pools are trapped into an iterative prisoner’s dilemma, in which the pool chooses to attack or not is the so called miner’s dilemma. Ongoing researches on avoiding this attack have proposed some efficient and cheap defense mechanisms. For example, Bag et al. in[1] proposed a generic scheme to counter BWH attacks via employing cryptographic commitment schemes, based on which, an implementation using hash function was presented as an alternative. Besides, Luu et al.[10] put forward a power splitting game for the miners so as to find a solution to fight back the BWH attacks. Additionally, Hu et al. [6] took advantages of the Zero-determinant theory to analyze the BHW attacks between two pools. Based on which, different conditions for the pools playing the ZD strategy individually and simultaneously have been demonstrated comprehensively.

We focus on the pool-hopping attack in this work. Pioneer countermeasures are PPS, PPLNS and their variants, including the Slush’s method, maximum pay-per-share (MPPS), and pay-once-PPLNS. Detailedly, the pool manager can calculate the score of each share based on the exponential score function , in which represents the score of the share given in time and denotes the scaling parameter. Due to the share’s score, the pool hopping behavior can be alleviated in mining pools by reducing the score of shares at the earlier stage of the round while increasing the score of shares later on. Such kind of score-based method is recognized as the Slush’s method and has been applied in the mining pools such as Slushpool[17]. Besides, in the maximum pay-per-share method, two balances are kept for each miner, that is, a PPS balance and a proportional balance[14]. To be specific, if the miner offers a share, her PPS share balance is increased as if the pool is a PPS pool. When the pool generates a block, the proportional balances of the miners are increased as if they have joined a proportional pool. Based on which, the reward paid for each miner is the minimum between the PPS balance and the proportional balance. In pay-once-PPLNS, every share is rewarded at most once[14]. In other words, the share is deleted after it is paid, leading a higher probability to the elder shares to be paid for future blocks. If a share is partially paid, it will be deleted partially. However, theoretical analysis on the above mechanisms are lacking and their effectiveness in preventing pool-hopping attacks still remain an open issue[18].

8 Conclusion

In this paper, we propose a hopping-proof pooled mining with fee-free in Blockchain. To that aim, we formulate the interaction between the pool and any miner as an IPD game and identify the corresponding conditions. The generality of our model capacitates the proposed pooled mining to have wide applicability. Based on the model, we take advantage of the ZD theory to empower the pool can unilaterally control the miner’s payoff, which can be used to motivate the cooperation of the non-memorial and memorial evolutionary miners through the proposed ZD incentive mechanism. Both theoretical and experimental analyses demonstrate the effectiveness of the ZD incentive mechanism. To the best of our knowledge, we are the first to propose a hopping-proof pooled mining with the natures of fee-free, wide applicability and fairness at the same time.


  • [1] S. Bag, S. Ruj, and K. Sakurai (2017) Bitcoin block withholding attack: analysis and mitigation. IEEE Transactions on Information Forensics and Security 12 (8), pp. 1967–1978. Cited by: §1, §1, §7.
  • [2] P. Chatzigiannis, F. Baldimtsi, I. Griva, and J. Li (2019) Diversification across mining pools: optimal mining strategies under pow. arXiv preprint arXiv:1905.04624. Cited by: §1.
  • [3] N. T. Courtois and L. Bahack (2014) On subversive miner strategies and block withholding attack in bitcoin digital currency. arXiv preprint arXiv:1402.1718. Cited by: §7.
  • [4] I. Eyal and E. G. Sirer (2018) Majority is not enough: bitcoin mining is vulnerable. Communications of the ACM 61 (7), pp. 95–102. Cited by: §7.
  • [5] I. Eyal (2015) The miner’s dilemma. In 2015 IEEE Symposium on Security and Privacy, pp. 89–103. Cited by: §1, §7.
  • [6] Q. Hu, S. Wang, and X. Cheng (2019) A game theoretic analysis on block withholding attacks using the zero-determinant strategy. In 2019 IEEE/ACM 27th International Symposium on Quality of Service (IWQoS), pp. 1–10. Cited by: §1, §7.
  • [7] Q. Hu, S. Wang, L. Ma, R. Bie, and X. Cheng (2017) Anti-malicious crowdsourcing using the zero-determinant strategy. In 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS), pp. 1137–1146. Cited by: §5.
  • [8] Y. Lewenberg, Y. Bachrach, Y. Sompolinsky, A. Zohar, and J. S. Rosenschein (2015) Bitcoin mining pools: a cooperative game theoretic analysis. In Proceedings of the 2015 International Conference on Autonomous Agents and Multiagent Systems, pp. 919–927. Cited by: §1, §1.
  • [9] X. Liu, W. Wang, D. Niyato, N. Zhao, and P. Wang (2018) Evolutionary game for mining pool selection in blockchain networks. IEEE Wireless Communications Letters 7 (5), pp. 760–763. Cited by: §4.1.
  • [10] L. Luu, R. Saha, I. Parameshwaran, P. Saxena, and A. Hobor (2015) On power splitting games in distributed computation: the case of bitcoin pooled mining. In 2015 IEEE 28th Computer Security Foundations Symposium, pp. 397–411. Cited by: §1, §1, §7.
  • [11] S. Nakamoto et al. (2008) Bitcoin: a peer-to-peer electronic cash system. Cited by: §1, §1.
  • [12] K. Nayak, S. Kumar, A. Miller, and E. Shi (2016) Stubborn mining: generalizing selfish mining and combining with an eclipse attack. In 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 305–320. Cited by: §1.
  • [13] W. H. Press and F. J. Dyson (2012) Iterated prisoner s dilemma contains strategies that dominate any evolutionary opponent. Proceedings of the National Academy of Sciences 109 (26), pp. 10409–10413. Cited by: §1, §3.
  • [14] M. Rosenfeld (2011) Analysis of bitcoin pooled mining reward systems. arXiv preprint arXiv:1112.4980. Cited by: §1, §1, §1, §7, §7.
  • [15] M. Saad, L. Njilla, C. Kamhoua, and A. Mohaisen (2019) Countering selfish mining in blockchains. In 2019 International Conference on Computing, Networking and Communications (ICNC), pp. 360–364. Cited by: §1, §7.
  • [16] A. Sapirshtein, Y. Sompolinsky, and A. Zohar (2016) Optimal selfish mining strategies in bitcoin. In International Conference on Financial Cryptography and Data Security, pp. 515–532. Cited by: §1.
  • [17] Slushpool. Note: June 25, 2019 Cited by: §7.
  • [18] W. Wang, D. T. Hoang, P. Hu, Z. Xiong, D. Niyato, P. Wang, Y. Wen, and D. I. Kim (2019) A survey on consensus mechanisms and mining strategy management in blockchain networks. IEEE Access 7, pp. 22328–22370. Cited by: §7.
  • [19] G. Wood et al. (2014) Ethereum: a secure decentralised generalised transaction ledger. Ethereum project yellow paper 151, pp. 1–32. Cited by: §1.
  • [20] H. P. Young (2006) The diffusion of innovations in social networks. The economy as an evolving complex system III: Current perspectives and future directions 267, pp. 39. Cited by: §4.1.
  • [21] R. Zhang and B. Preneel (2017) Publish or perish: a backward-compatible defense against selfish mining in bitcoin. In Cryptographers Track at the RSA Conference, pp. 277–292. Cited by: §1, §7.