Blockchain technologies have received significant attention since the release of the Bitcoin protocol in 2008 [nakamoto2008bitcoin]. Blockchain arose as a solution to the problem of permissionless, decentralized cryptocurrency: how to maintain a global consensus on users’ account balances. The Bitcoin system was the first instance of a blockchain, and it addressed this problem by putting every transaction into a globally visible ledger protected by a Proof-of-Work (PoW) mechanism. In this system, each block creator is tasked with assembling a list of valid transactions and doing considerable computational work, and is rewarded with some amount of the native asset, Bitcoin.
Proof-of-Stake (PoS) protocols are widely thought to be the successors of PoW protocols. Both mechanisms run a lottery to select the creator of the next block, and in order to prevent malicious participants from creating many identities to increase their chances of winning, entry into these lotteries must be costly. PoW requires that lottery entrants burn computational cycles in order to join, while PoS requires participants to forego the use of staking capital for a time. While the prospect of wasting energy is sufficient to keep PoW miners following the protocol, PoS protocols require that staked capital be forfeited if miners’ behavior is not in line with the protocol. Both systems reward participants proportionally to expenditure. PoW has received significant scrutiny and criticism, and PoS is widely seen as the next step for consensus mechanisms on blockchains.
The three main critiques of PoW systems are the environmental impact, the inflationary tendencies, and the issue of centralization found in many digital currencies. The environmental argument is that PoW has led to significant energy expenditure; by some estimates, the annual energy consumption of the Bitcoin network is equivalent to that of Austria [wastebitcoin]. The related ‘inflationary’ criticism of PoW systems is that they require substantial real world expenditures by miners on hardware and electricity. These miners are in turn compensated by large block rewards that lead to high inflation, and if the rewards are reduced, fewer miners participate and the security of the system degrades. PoS systems do not suffer from these limitations because they do not require much energy expenditure. The ‘centralized’ argument is that PoW mining power is highly concentrated among a few mining pools. As of Nov 2019, F2Pool owns 18% of the hashpower in the Bitcoin network, and the top four pools combined control more than 50% of the resources [pools]. However, achieving any degree of decentralization is non-trivial. Ownership of cryptocurrencies is far from decentralized [quantdecentralization], so PoS may not address this issue; indeed, several alternative consensus mechanisms besides PoS have also been presented [baliga2017understanding, mingxiao2017review].
While many PoS protocols have been proposed, few are live. PoS protocols have proven difficult to implement and pose novel technical challenges. Ethereum’s PoS proposal, Casper [buterin2017casper], is still in development as of November 2019, but EOS [eos], Cardano (ADA) [kiayias2017ouroboros], BlackCoin [vasin2014blackcoin], Nxt [nxt], and Tezos [goodman2014tezos] are major PoS systems currently running.
The distinguishing feature of Tezos is that it has a built-in upgrading mechanism as part of its protocol. The development of Bitcoin has been slow as few developers want to risk forking the network over a protocol change. In contrast, Tezos hopes to encourage agreement on upgrades by creating a specific venue and timeline for voting on software updates. As of November 2019, each change requires a quorum of participants and over 80% approval to be instantiated [postezos]. On October 17, 2019, an update labelled ‘Babylon’ [babylonupdate, babylondoc] was accepted into the Tezos protocol. Here we analyze a large component of this upgrade: a new consensus mechanism called Emmy+ [emmyplusannounce].
2 Related Work
We seek to understand the extent to which rational participants in a particular PoS system can benefit by not behaving according to the protocol.
This question is in the vein of Eyal and Sirer (2013) [eyal2018majority], which demonstrated that miners could earn a higher proportion of rewards in a PoW protocol by ‘selfish’ mining rather than by following the prescribed ‘honest’ protocol. Follow-up works include Sapirshtein et al (2016) [sapirshtein2016optimal], which found the optimal such policy, Nayak et al (2016) [nayak2016stubborn], which combined this policy with network attacks, and Kwon et al (2017) [kwon2017selfish], which considered the impact of this policy on mining pools.
PoW has been heavily scrutinized, but PoS analysis is still in early days. Recently, Brown-Cohen et al. (2019) showed that complete security in their model of longest-chain PoS protocols is not possible [brown2019formal]. The dishonest behavior that we call selfish endorsing is a real-world instance of the theoretical “Predictable Selfish Mine” attack that appears in their work.
We are not aware of any other academic work formally analyzing the incentives of the Tezos PoS protocol. Nomadic Labs, the team that implemented the recently-updated consensus protocol for Tezos [emmyplusannounce], did release a blog post with the results of an incentive analysis [analysisemmyplus]. Though we consider the same protocol, their work does not provide an explicit formalization of the model used and the probabilistic analysis performed. We have verified with the authors of the post that our different models achieve similar numerical results when calculating the probability of a profitable attack using the same parameters. In this work, we aim to present the complete derivation of our model and make explicit the methods used to obtain our results.
3 Proof of Stake in Tezos
3.1 The Basics
Tezos implements an optional Delegated Proof of Stake (DPoS) mechanism [goodman2014tezos, postezos], which is sometimes referred to as Liquid Proof of Stake [lpos] to distinguish it from the more rigid DPoS implementations [eos]. Members of the Tezos consensus layer are called delegates and are considered active when they participate in the creation and validation of blocks (passive otherwise). The Tezos unit of account (XTZ) is split into groups of 8,000 tokens called rolls, and each delegate has an associated set of rolls. Active delegates participate in a lottery to bake and endorse a block at every block-height in the chain. Bakers are responsible for including transactions in blocks while endorsers cryptographically sign the “best” (as discussed in Section 3.2) block that they have seen at each height. The baking-and-endorsing-priority lottery is carried out by randomly selecting rolls and giving the next available priority to the owner of that roll, a technique known as follow-the-Satoshi [bentov2014proof]. At each height of the chain, a list of bakers is created using the random roll selection process, and the index of a baker in this list determines the priority (as discussed in Section 3.2) with which they can create a block at this height. Additionally a set of 32 endorsers is created for each block-height, but there is no priority list for endorsers and thus each has equal weight. Each draw from the set of rolls is done with replacement so the same delegate may appear many times on the baking priority list and in the set of endorsers. Bakers and endorsers are rewarded based on participation which creates an incentive for delegates to remain active. We now turn our attention to the Babylon update of the protocol.
3.2 The Babylon Upgrade & Emmy+
The new consensus protocol, Emmy+, is distinct from its predecessor, Emmy, in three important ways.
A block’s validity-time is now a function of the number of endorsements it includes in addition to the priority of the baker. Note that this number of endorsements is not the number of delegates who endorse the block itself, but rather the number of endorsements for the previous block that it includes (endorsements are simply operations that are heard over the network so including an endorsement is equivalent to including a transaction in a block). In order for a block to be considered valid, its timestamp must differ from the previous block’s timestamp by at least seconds, where is the following function of the baker’s priority, , and the number of endorsements included in the block, (see Minimal block delays in [postezos]).
Each priority-level a baker is below the highest-priority (0) increases validity-time by 40 seconds, and each endorsement missed below 24 of the 32 increases validity-time by 8 seconds. That is, a block may miss up to 8 endorsements without incurring a time penalty, but each additional missed signature slows validity by 8 seconds. Historical data for the Tezos network shows that the typical block misses few endorsements and that these penalties have been quite rare [tzstats]. If the priority of the baker is 0, a block will typically be baked every 60 seconds.
The fork-choice rule was changed. Before this update, the ‘canonical’ fork was the one with the most endorsements, a heaviest-chain rule [goodman2014tezos], but now the best fork is simply the one with the longest chain from the genesis block. A longest-chain fork-choice rule makes evaluation of branches easier and alleviates a baker’s uncertainty of when to publish blocks to avoid missing out on late endorsements. However, Brown-Cohen et al. show that it also leads to theoretical vulnerabilities [brown2019formal]. Here we focus on one of these, “Predictable Selfish Mining,” and our work highlights a real-world example of this result.
The rewards for baking and endorsing blocks were modified. Previously, baking a block earned the delegate a constant reward of 16 XTZ, but now the block rewards are a function of the baker’s priority, , and the number of endorsements for the previous block included, (see Rewards in [postezos]). Let be the baking reward. Then:
The rewards for endorsements also changed subtly. Before Babylon, endorsement rewards were a function of the priority of the block that the endorsement signed, but now they are a function of the priority of the block that includes the endorsements. Denote the priority of the baker who baked the block that includes an endorsement . Then the reward for endorsing, , is
Figure 1 shows the rewards that the bakers and endorsers would earn under the new reward rules in an arbitrary scenario.
We describe baking and endorsing rights in terms of slots that correspond to a specific length of the chain. As implemented, delegates in Tezos see exactly who will have baking and endorsing rights for the next several thousand () blocks. Let be a rational delegate who is willing to deviate from the protocol described above. For a given slot , let be the highest priority and the number of endorsement rights that is randomly allocated. Additionally, let denote the number of consecutive top baking priorities given to at slot (e.g. if the baking priority list for the slot is , then ).
4 The Selfish Endorsing Attack
We now give an example of the incentive vulnerability we call selfish endorsing that with some probability incentivizes a rational baker to ignore the longest-chain rule and create a separate two-block fork faster than the rest of the network. First we show an example where this is possible, which enables a 1-confirmation double-spend, but also show it can be profitable based on block and endorsement rewards alone.
4.1 An Example Attack
Figure 2 shows how this attack can be used by to bake a block at slot that will end up on the final chain despite having second priority, , and the block baked with priority 0 being published on time. Recall that priorities are zero-indexed with 0 being the highest.
Delegate is able to look ahead and calculate when this attack is possible to execute because the baking priorities and endorsing rights are publicly known. We verify that the selfish chain will create two blocks faster than the honest chain using Equation 1. Let and be the total time to create both blocks for the honest and selfish chains respectively.
The combination of having a large share of endorsements for slot and the two highest priorities for slot allows to slow down the honest network by only endorsing a private block at slot . This enables to produce a second valid block before the honest network, and thus create the unique longest chain. Using Equations 2 and 3 we verify that this selfish behavior also results in a greater reward than following the honest protocol, thus demonstrating that this is a profitable deviation in its own right and not just an opportunity for a 1-confirmation double spend. Let be the total reward earned by over the next two blocks while behaving honestly. The labels underneath the expressions indicate the reason each reward is added.
Similarly we calculate the total rewards earns while selfishly endorsing, denoted .
This demonstrates that the gain in reward from creating a new block at slot outweighs the loss in reward from the endorsements on slot ending up on a lower priority block and the block baked in slot only including 14 endorsements. Critically, the rewards for the 14 endorsements for slot (which are essential in slowing down the honest network), do not decrease at all because these endorsements are still included on the block baked by at slot , which has priority .
Figure 2 describes just one instance of a whole family of length-2 selfish endorsing attacks. In order to calculate the probability of any of these attacks happening, we develop a generalized model. Consider tuples of the form . We define as feasible if the selfish chain can create two valid blocks faster than the honest chain with this combination of parameters. Figure 2 demonstrates an attack that is feasible with the tuple , but we want to find all such combinations of parameters with this property. Let be the total time for the selfish and honest networks to create two blocks respectively. Further let be the difference in the selfish and honest times,
An attack is feasible if , which implies .
First, we express in terms of using Equation 1.
Similarly, we define as the time it takes for the selfish fork to create two blocks.
Now we solve for .
Now if we can assert the feasibility of an attack parameterized with the tuple .
Now we need to similarly parameterize the reward functions. Let be the reward for delegate playing honestly for the next two blocks, and be the reward for selfish endorsing over that same span. Further let be the difference in selfish and honest rewards.
An attack is profitable if the amount of rewards that receives playing selfishly is greater than that which they would receive playing honestly, or if . We are slightly abusing notation here in that for delay, the subscripts refer to the delay for versus the delay for the rest of the network. In the case of rewards, however, the subscripts both refer to delegate and correspond to selfish or honest behavior. Now we define as a function of the tuple .
First we focus on the reward for behaving honestly. We must take into account the endorsement rewards and the block rewards for the next two blocks. Using Equations 2 and 3 we define the total reward for honest behavior over the next two blocks, , as
Note that we categorize the rewards for the endorsements under the next slot because that is where they are included. Similarly we calculate the rewards while following the selfish endorsing policy, .
Now we solve for .
Now if , we can assert that an attack parameterized by the tuple is profitable.
We now find the probability of a tuple occurring on the chain. Notice that if is the percentage of active rolls that owns, the probability of receiving any priority or endorsement for slot is . Then let
be the random variable representing the number of consecutive slots not owned by. Additionally the probability of being allocated the first priorities in slot is also a geometric random variable but with probability ; let . Lastly, the probability of being allocated endorsement rights for slot is a binomial random variable with fixed size of 32; let . Thus we calculate the probability of tuple given .
We can now easily calculate the probability of this family of length-2 attacks occurring. Let the set be all tuples for which the attack is feasible (we will create two blocks faster than the honest network) and profitable (playing selfishly will incur higher rewards than playing honestly). More formally:
We also want to measure how profitable these attacks are. Let be the expected increase in reward of the attacks in (i.e. how much more we make by deviating than by playing honestly).
Procedure 1 (in Appendix B) demonstrates how these calculations are done, and the blue columns in Table 1 show the results. Let represent the number of minutes in a year, so is the expected number of attacks per year and is the expected increase in value (in XTZ) for following the selfish policy for a year. This shows the attack is not a serious threat, given that even with 40% of the stake, is only expected to earn 254.94 XTZ ($307.23 in November 2019) more than if they had played honestly for the year. Regardless, it is an example of how this type of attack could be formulated against a general longest-chain PoS system.
5 A Heuristic Fix
The profit from this attack can be reduced further by including a simple fix into the protocol. If the rewards for endorsements are reverted to being a function of the block that they endorse instead of the block that includes them, the attacks occur less frequently. The orange columns in Table 1 represent the probability and value of the attack at different levels of after this fix, and the % column reports the improvement over the status quo. The only exception to this reduction is the case of where we observe that both the probability and the value of the attacks rise as a result of our change; since they remain so low (expected increase in value of 0.21 XTZ over a year), the fix still seems reasonable. The values of the orange columns in Table 1 were calculated using Procedure 1 (in Appendix B), but with the reward function presented in the following lemma. We show the proof in the appendices because it is similar to Lemma 4.2.
If the endorsement rewards are now a function of the block that they endorse, , then .
See Appendix A. ∎
Note that this is not a security proof, but rather a heuristic change to decrease the probability and profitability of selfish endorsing for most values of.
6 Modified Delay and Reward Functions
In contrast to the probabilistic argument above, we now prove that, for particular delay and reward functions, profitable selfish endorsing is not possible. In reality, creating a secure PoS protocol is not as simple as implementing this functionality because there are other long-range forking attacks that must be taken into account. Still, we think it is worth presenting these functions to show that certain PoS systems can be made provably secure against a specific attack vector (length-1 and length-2 selfish endorsing in this case). Let be the new delay function for a block being valid (still a function of the priority of the baker, , and the number of endorsements it includes, ).
We see that the only new component is the amount of time added for each drop in priority of the baker; in Emmy+ this value is 40 and in it is 193. Now let be the modified reward function for a block baked with priority and including endorsements. The following reward scheme was proposed by Arthur Breitman as we discussed potential tweaks to the protocol. It maintains an 80 XTZ per block inflation rate, but splits the rewards 40/40 between the baker and the endorsers.
Now let be the reward for an endorsement that is included in a block baked with priority .
We see that if a block is baked with priority 0 and all 32 endorsements are included from the previous block, then the total reward for the block is XTZ. Now we prove that length-1 selfish endorsing attacks are not feasible under this new delay schedule and length-2 selfish endorsing attacks are not profitable under this new reward mechanism. Again, this is a useful result in the context of defending against selfish endorsing, but it weakens the system against longer forking attacks. The last section of the analysis done by Nomadic Labs discusses these trade-offs and how the exact constants were selected for Emmy+ [analysisemmyplus].
6.1 Security Against Length-1 Selfish Endorsing
The attentive reader may be wondering why we haven’t considered single block selfish endorsing attacks until this point. This is due to the following lemma.
For any tuple the length-1 selfish endorsing attack is not profitable under Emmy+.
See Appendix C. ∎
When we consider our new delay schedule, we find that a length-1 selfish endorsing attack is never even feasible. Assuming the honest network has the highest priority baking rights, let be the time for the honest network to create a single block under the new delay, and be the time for the selfish delegate.
For any tuple , .
In the worst case, the honest network will not receive any endorsements, so the slowest the block creation could be is
In the best case for the attacker they own all 32 endorsements and priority of 1 ( best) in the block.
So we have
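The timing arguments of Sections 3.2, 4.1 and 6.1 can be checked mechanically. The Python below is an added example, not code from the paper or from Tezos: `min_delay` encodes the delay rule as Section 3.2 states it in prose, while `length2_times` and its tuple `(p, e, f)` are an assumed reading of the Section 4.1 scenario, and every function name is hypothetical.

```python
ENDORSERS = 32        # endorsement slots per block height
FREE_MISSES = 8       # endorsements a block may miss without a time penalty
BASE_DELAY = 60       # seconds between blocks at priority 0
ENDORSE_PENALTY = 8   # seconds per endorsement missed below 24


def min_delay(priority, endorsements, priority_penalty=40):
    """Seconds that must separate a block's timestamp from its predecessor's."""
    if priority < 0 or not 0 <= endorsements <= ENDORSERS:
        raise ValueError("need priority >= 0 and 0 <= endorsements <= 32")
    missed = max(0, (ENDORSERS - FREE_MISSES) - endorsements)
    return BASE_DELAY + priority_penalty * priority + ENDORSE_PENALTY * missed


def length1_ruled_out(priority_penalty):
    """Section 6.1 bound: the honest worst case (priority 0, no endorsements)
    must still be strictly faster than the delegate's best case
    (priority 1, all 32 endorsements). A tie is not counted as safe."""
    honest_worst = min_delay(0, 0, priority_penalty)
    delegate_best = min_delay(1, ENDORSERS, priority_penalty)
    return delegate_best > honest_worst


def smallest_safe_priority_penalty(limit=1000):
    """Smallest per-priority penalty (seconds) that rules out length-1 forks."""
    for penalty in range(1, limit + 1):
        if length1_ruled_out(penalty):
            return penalty
    return None


def length2_times(p, e, f, priority_penalty=40):
    """(selfish_seconds, honest_seconds) needed to build two blocks.

    Assumed model, read from the Section 4.1 prose:
      p: delegate's best priority at the first slot (an honest baker holds 0)
      e: delegate's endorsement rights on the first slot's block
      f: consecutive top priorities the delegate holds at the second slot
    """
    # Selfish fork: the private first block carries all 32 public endorsements
    # of its parent; the second block (priority 0) carries only the delegate's e.
    selfish = (min_delay(p, ENDORSERS, priority_penalty)
               + min_delay(0, e, priority_penalty))
    # Honest chain: first block on time; the second is baked by the first
    # non-delegate baker (priority f) and is missing the delegate's e endorsements.
    honest = (min_delay(0, ENDORSERS, priority_penalty)
              + min_delay(f, ENDORSERS - e, priority_penalty))
    return selfish, honest


def length2_feasible(p, e, f, priority_penalty=40):
    """True when the private two-block fork becomes valid strictly first."""
    selfish, honest = length2_times(p, e, f, priority_penalty)
    return selfish < honest


if __name__ == "__main__":
    print("length-1 ruled out at 40 s:", length1_ruled_out(40))
    print("smallest safe penalty:", smallest_safe_priority_penalty())
    for penalty in (40, 193):
        print(penalty, length2_times(1, 14, 2, penalty),
              length2_feasible(1, 14, 2, penalty))
```

Under this model the 193-second penalty rules out length-1 forks, but the tuple (1, 14, 2) still wins the two-block race on timing, which is why Section 6.2 relies on the reward function for length-2 forks.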
6.2 Security Against Length-2 Selfish Endorsing
We will prove that this modified system is secure against length-2 selfish endorsing attacks by demonstrating that they are never profitable. We first need a closed form representation of the rewards would receive playing honestly and selfishly under our new reward function, denoted and respectively. This derivation is highly similar to that of Lemma 4.2 and is thus deferred to the appendices.
Under the reward policy , the total reward for a rational delegate playing honestly over the next two blocks with the tuple is
The total reward for to play selfishly over the next two blocks is
See Appendix D. ∎
Now we prove that length-2 selfish endorsing under this reward system is never profitable.
For all tuples in the form , .
Assume for contradiction that , which implies
We reduce this algebraically.
Because , we know
This along with the fact that implies
Further, this implies that (from line (49)), but we know this is not possible because By contradiction we conclude that ∎
This work demonstrates that live PoS systems can be formally analyzed for incentive vulnerabilities. It also serves as a real-world example of the “Predictable Selfish Mine” attack theorized by Brown-Cohen et al [brown2019formal]. The formalization in our work provides a framework that can be used to check other PoS systems for potential vulnerabilities to selfish behavior by parameterizing a model of time and reward with respect to a specific protocol. We present a modified delay schedule and reward functions that are provably secure against length-1 and length-2 selfish endorsing (though we acknowledge that in practice other attack vectors must also be considered when implementing these mechanisms). While we recognize that, as of November 2019, length-2 selfish endorsing attacks do not seem to be a major threat to the Tezos network, we do demonstrate a simple heuristic modification that reduces the probability and value of many of the attacks by at least an order of magnitude.
There is a wide array of open problems to address in this area, and we see two immediate future directions that build on our work. The first is the goal of a theory of profitable selfish-endorsing attacks beyond length-2. Second, we hope to consider a more general forking attack that on its own would earn a smaller staking reward relative to honest behavior but allows for an attacker to include a double-spend transaction. Both of these questions are considered in [analysisemmyplus] but the precise models, derivations, and probabilistic machinery used are not made explicit. We hope that our work serves as a starting point for forthcoming analyses and for a more formal treatment of the security properties of PoS systems.
The authors would like to thank Eugen Zalinescu and Arthur Breitman for helpful discussions. This work is supported in part by two generous gifts to the Center for Research on Computation and Society at Harvard, both to support research on applied cryptography and society.
Appendix A Proof of Lemma 5.1
First we focus on the reward for behaving honestly. We must take into account the endorsement rewards and the block rewards for the next two blocks. We define the total reward for honest behavior over the next two blocks, , as
Similarly we calculate the rewards while following the selfish endorsing policy, , as
Now we solve for .
Appendix B Procedure 1
Note that is the Cartesian Product of the lists.
Appendix C Proof of Lemma 6.1
For any tuple the length-1 selfish endorsing attack is not profitable under Emmy+.
First we consider the time it takes the honest network to produce a single block at height . Denote this value .
Now we find the time it takes for the selfish delegate to create a block, .
Consider that the best case scenario for the attacker is having .
Now we find the amount of endorsements required for the selfish delegate to produce a valid block faster than the honest network to be . We verify this with the following calculations.
So now we know that is the best case scenario for the attack being feasible. Additionally we know that the reward for playing honestly for this block is because we will get all our endorsement rewards, and the reward for playing selfishly will be
Plugging in we have
So even for the smallest value of that makes the attack feasible, the profit gained from creating a new block does not outweigh the profit lost for the endorsements ending up on a worse block. So because , single block selfish endorsing attacks are not profitable under Emmy+. ∎
Appendix D Proof of Lemma 6.3
Under the reward policy , the total reward for a rational delegate playing honestly over the next two blocks with the randomly allocated tuple is
The total reward for to play selfishly over the next two blocks is
This derivation is very similar to 4.2, but with the new reward functions.