The Bitcoin network (nakamoto2008bitcoin) and several cryptocurrencies rely on nodes participating in transaction verification, ordering and execution, and mining new blocks for their security and performance. Bitcoin incentivizes these nodes (or miners) with block (mining) rewards and transaction fees. Historically, the fixed block reward has been the dominating source of Bitcoin miners’ revenues. However, the block reward is a system parameter for Bitcoin and halves approximately every four years.111The currently fixed block reward is BTC. The next halving event to BTC is scheduled for May 2024. (btchalving2) With the deteriorating reward design choice, as the Bitcoin network grows further, the block rewards domination is expected to vanish and the transaction fees will become the major mining revenue generator. Today, with a stable reward value, a miner’s expected revenues rely mostly on the probability of it finding a block, which itself is contingent on the miners hashing power. However, once the transaction fees start to dominate, the fair sharing of revenue based on the hashing power may not be maintained: transaction fees are voluntary and arbitrary, the total fee inside different blocks can differ and the miner’s reward can no longer be relatively fixed. As a simple, illustrative example, consider two miners and in the system with 50% mining powers each such that they both are expected to mine an almost equal number of blocks. If miner mines blocks with the total fee around BTC each and always encounter wealthy transactions and mines blocks of the total fee around BTC each, ’s revenue is going to be twice of ’s revenue. In general, under the transaction fee-based incentive setting, a miner’s revenue mostly depends on users’ offerings and its transaction selections. As both parameters are time-variant and the timing of discovering new blocks matters, rational miners aim for deviating mining strategies offering better rewards. There have already been rigorous discussions on attacks related to mining strategies. Most notable attacks are selfish mining (eyal2018majority; sapirshtein2016optimal; nayak2016stubborn), block withholding (rosenfeld2011analysis; luu2015demystifying; courtois2014subversive; luu2015power; eyal2015miner), and fork after withholding (kwon2017selfish). Even the defenses against these game-theoretic attacks have been well-studied (heilman2014one; zhang2017publish; pass2017fruitchains; kwon2019eye; lavi2019redesigning). Nevertheless, the transaction fee-based incentivization framework brings about new challenges: the freedom of choosing transactions to form new blocks and the voluntary feature of fee rates nurtures a possible deviating mining strategy called undercutting (carlsten2016instability). In undercutting, the attacker intentionally forks an existing chain by leaving wealthier transactions out in its new block to attract other (petty compliant) miners to join the fork. Petty compliant miners break ties by selecting the chain that leaves out the most transaction fees. Carlsten et al. find that undercutting can become the equilibrium strategy for miners, thus making the system unstable as miners are undercutting each other. We observe that petty compliant actions can be irrational especially when the attacker is too weak or the edge in the amount of remaining fees of a chain is small. If following the undercutter is unworthy, the assumed petty compliant miners may not join the fork, thus making the performance of undercutting questionable. Moreover, intuitively, the undercutter risks losing what it could gain on the main chain to start a fork. To compensate such risks, the attacker expects the transaction fee rates in later transactions to be much lower than its initially excluded wealthy transactions. Besides, the successful implementation of undercutting discourages users from attaching high fees to transactions, which harms fairness to users and lowers average fee rates, narrowing the profit space for undercutting. Towards analyzing the potential profitability of the undercutting attack, we construct a model to capture the performance of undercutting. We accommodate miners who follow the undercutter to the fork by incorporating rational miners, and also include honest miners as players in the undercutting mining game. Overall, a rational miner takes actions that will lead to the maximization of its returns: it can selfishly pick transactions to form blocks, intentionally fork the chain, or join a fork if worthwhile. As illustrated in Figure 1, petty compliant miners mostly honest mine as shown in trace 2 but select the chain with the most fees available when faced with a tie as in trace 1 and 3. A rational miner joins the fork with a certain probability if a new block is appended to the fork as shown in trace 1 and 3. It can also shift back to the previous chain when a new block is created as shown in trace 2. Honest miners will only change sides when the other chain is longer as shown in trace 4. The key here is to obtain the probability of a rational miner shifting. In one sentence, we get this tendency by calculating the probability of the other chain winning. Intuitively, the higher this possibility, the more likely a rational miner joins the fork. The undercutter can tune this possibility by choosing the proportion of high fee rate transactions to leave outside. The more it leaves out, the higher the possibility that other rational miners joining will be and the faster its mining power will be diluted.
A general framework for analyzing profitability issues of miners’ deviating mining strategies analytically
By forcing different system states and applying different transition functions, we can analyze attacks or games related to miners’ behaviors other than undercutting. For undercutting, we keep track of the heights of competing chains and the mining power distribution among them. State transitions are determined by event types – which chain extends by one block. System states update after transitions. In some attacks like selfish mining, some elements like mining power distribution in system states may stay unchanged after state transition. We can accommodate this by altering the state transition function. We can also utilize this model to analyze the profitability of undercutting on other PoW-based cryptocurrencies. System parameters including the safe depth and fee rates distribution can be fed into the model at the outset. Besides, the model can also be of potential value for systems relying on the stability of Bitcoin like (le2020tale; qin2019applying; minaei2020moneymorph) where Bitcoin forks can cause rewinding of their system states.
Analytical results on the profitability of undercutting attack
We abstract the Bitcoin system as states during the process of mining. System evolution is characterized by state transitions. We model the outcome of undercutting by accommodating the undercutter and other miners’ behaviors and the updating rules for state transitions. The principal idea here is to model the decisions of rational miners other than the attacker. They play a mixed strategy to shift among chains with a certain probability, which is an augmented probability of a chain winning. This probability is determined by treating the time needed for a chain to extend to a certain length as an Erlang distribution. With the knowledge of system’s initial state and the transitions, we can obtain all possible paths from the initial state to a specific state and compute the undercutter’s returns with specific fee rate distributions. Nevertheless, without specifying these distributions, we can still deduce the conditions that make undercutting profitable for the attacker and compare it with empirical statistics. Against the general perception in the cryptocurrency world, we find that undercutting is not profitable in most cases and we summarize the results below:
For the probability of successfully launching an undercutting attack to exceed , the undercutter needs a rather large mining power. We find the threshold mining power to be close to 40%. While this threshold varies for different target success probability, for the current largest Bitcoin mining pool taking up around 17.2% of the entire mining power(miningpowers), the probability to successfully initiate undercutting is very small (0.95%-3.95%).
For undercutting to be profitable( i.e., the expected returns to be higher than the attacker’s fair share), the undercutter needs more than 42% mining power to start in the best case, where the best case assumes that there are no honest miners. When half of the miners are honest, then the undercutting attack is not feasible even for strong attackers with nearly 50% mining power. In general, the presence of honest miners discourages strong undercutters.
For an undercutting attack to be profitable, specific distributions of future transaction fee rates are necessary. For an undercutter with 40% mining power, the miner will be expecting later transactions to be attached with much lower fee rates than the ones he initially sets aside on the fork. As typically it is not feasible to accurately predict the future, the attacker will be subject to volatile fluctuations on his returns. Besides, the undercutting strategy is sensitive to the changes in fee rates in subsequent transactions. If later transactions are not significantly worse than the ones left out, the extra profit the undercutter can obtain is limited. Indeed, the current fee rate distributions discourage undercutting.
The successful launch of this attack will violate the system invariant that higher fee rates imply faster confirmation which we later define in Section 3.1. If significantly high fee rate transactions trigger a potential attack, users will no longer be motivated to do so. This will change the distribution of fee rates, resulting in a less profitable transaction space, thus making undercutting less profitable over time. User reverse selection discourages undercutting.
Game-theoretical analysis of other rational miners’ responses
We model a mining game with three players, an initial undercutter who has started an attack, a rational miner, and an honest miner. Since honest miners do not strategize, we focus on the outcomes of rational miner’s responses. We explore five strategies: staying on the main chain, joining the fork immediately, honest mining, being typical rational, and undercutting the undercutter. We run the game for the three players and compute the profits for the rational miner. To locate equilibrium strategies, we closely looked into payoff matrices for the undercutter and responding rational miner with promising response strategies. We observe that staying on the main chain stubbornly or joining the fork immediately benefits the undercutter and the responding rational miner earns less than its fair share. Staying honest or rational will produce more profits than its fair share. Undercutting the undercutter can make the attacker worse off but the responding miner is losing much more. Undercutting is not an equilibrium strategy and rational miners are in disadvantage by undercutting each other. This is different from previous results. The best response strategy for the responding rational miner in our setting is to stay typical rational and do not undercut. One special case is when the majority of miners in the system are honest, being honest is the dominant strategy for all rational miners.
Experiments with Real-World Data
We test the model with the Bitcoin transaction dataset from Dec 31st, 2019 to Feb 5th, 2020, with 3.1 million transactions included. We simulate the decision processes of miners according to our analytical model. The only difference is that mining power distribution is now discrete. Miners select a chain head they will extend and join with their full computation power with some probability. We account for two mining powers for the attacker, one is 17.2%, which represents the real largest mining power at the time of writing, and the other is 45% which is a more ideal starting hashing power for the attacker. The results show that in the current distribution of mining powers in Bitcoin (i.e., the 17.2% attacker), the profits of the attacker are decreased by over 80% (i.e., from 17.5% to less than 4%). Conversely, if the attacker gains 45% of all the mining power in the network the profits can increase by up to 13% (i.e., from 45.5% to 51%). We further explore a variation of the undercutting attack dubbed as the pruned attack, where the undercutter gives up on extending its chain when the competing chain is a few blocks ahead. In our experiments, we set this parameter to be 2 since if chain is 2 blocks ahead, the probability of another chain to catch up and extend longer and faster is small. According to our results, for the 17.2% attacker, its profits approximately increase 7-8 percentage points to 8%-12.5%. For the 45% attacker, the returns increase 1-4 percentage points to 48%.
2. Related Work and Comparison
Carlsten et al. (carlsten2016instability) introduce the undercutting mining strategy to show the instability of the Bitcoin incentivization system without fixed block rewards. The authors mainly consider three mining strategies: default honest mining, undercutting, and petty compliant. Here, undercutting miners will intentionally create forks, while petty compliant miners break ties when there are multiple chains by comparing the fees left unclaimed. They find that an equilibrium exists where all undercutters use the same undercutting strategy. In this work, we investigate the profitability of this mining strategy in detail and present an alternative view of the instability it might bring about. Under our assumptions and without external utilities, undercutting an existing undercutter puts the responding miner in a disadvantageous position and benefits the initial attacker. Similar to (carlsten2016instability), we assume miners to be rational or honest. Rational miners may undercut or join a fork when they think of it as profitable. However, unlike petty compliant miners, rational miners in our model choose chain heads based on the probability of a chain becoming the main chain eventually and the fee prize left unclaimed. In (carlsten2016instability), players are aware of the strategies other miners are using, while we limit miners to public information. They can make inferences about other miners but only from a limited viewpoint. In terms of return calculations, we allow the transaction fee rates or the fee total inside blocks to change without specifying fee rate distributions. We also deduce optimal fee total distributions for the attack to be profitable and examine historical statistics to check the frequency of such conditions appearing. Finally, Carlsten et al. allow the undercutting miner to undercut the current chain head and the previous block, while towards making the game setting more relevant, we assume that the attacker can undercut blocks not currently on-chain.222In Bitcoin, a block is considered on-chain after 6 confirmations. Therefore, we observe much different results on the feasibility and profitability of undercutting and the equilibrium strategies for rational miners. Kiayias et al. (kiayias2016blockchain) study stochastic mining games in the Bitcoin system with fixed block reward. They define two games where miners have complete information and they can be strategic in new block publication or chain head selection. They find that the best response for miners is to stay honest if each miner has small computation power. When one miner has large computation power, it can deviate from the default. Our analysis models the undercutting game involving rational and honest miners dynamically in the transaction fee-based setting. We allow rational miners to shift among chains but state transitions depend on miners’ limited view on system states. Miners do not have complete information. We also find that strong miners can benefit from deviating. Badertscher et al. (badertscher2018but) analyze the Bitcoin incentive mechanism with the Rational Protocol Design framework. They find that the expected revenue in combination with a high monetary value of bitcoins can explain why Bitcoin is not being attacked in reality, which means that rational assumptions on miners and bitcoin’s high value can substitute the honest-majority assumption. With this assumption, the equilibrium strategy for all rational miners in the undercutting game is honest mining.
Intuitions from Economics - Risk Premium
In analogy to investment theory, in the mining process, miners obtain their risk-free rate of return by performing honest mining. When they intentionally undercut an existing chain, they are taking a risk of losing their share that can be acquired from subsequent main chain blocks. If the undercutter decides to take the risk, it is worthwhile if it is earning a risk premium(bodie2009investments). The income it can solidly get if the attack is successful is the first block on the fork. If it stays on the main chain and there is no fork, the probability of the next block to appear is generally 1 and the probability of the chain to extend further is 1. If it starts a fork, the probability of the first block to occur is its mining power which is assumed to be less than 50% and the probability of subsequent blocks to be mined on this fork depends on the computation power accumulated. The transactions the undercutter left outside have to be much wealthier compared with transactions to come, to compensate for such risk.
Another angle to look at the problem on a higher level is through the market for "lemons"(akerlof1978market), the brand new car that becomes defective the minute you bought it. In the Bitcoin block space market, users are bidders, and miners are sellers. Users will have ideal prices in mind based on their observation of the relationship between confirmation time and fee rates. They then attach corresponding fee rates based on their desired waiting time. If a miner successfully launches an undercutting attack, users who attach high fee rates but are ghosted are provided with "lemons" instead of "peaches" – fast confirmation. If this happens more often than rare, the average fee rates these users are willing to pay will decrease and the overall fee rates tend to go down.
3. Background and Definitions
Mempool is an unconfirmed transaction set maintained by miners locally. When a transaction is announced to the network, it enters into miners’ mempools. A miner can also set up fee rate or size thresholds to filter transactions. Miners select transactions from their mempools to form new blocks. Usually, a miner will choose the bandwidth set or near bandwidth set with respect to the local mempool and global block size limit. When a new block is published, miners verify the block and then update their local mempools to exclude transactions included in the newly published block. A miner can also intentionally select less wealthy transactions to form blocks to attract rational miners. Wealthy transactions are those with high fee rates. Here we have two measures for fee rates. One is the fee per byte (F/B). As the name suggests, it is calculated by dividing the total fee with the total size of a transaction. After SegWit is introduced to the Bitcoin system, a new fee rate measure fee per weight unit (F/WU) appears. For our analytical discussion, we may refer to both terms simply as fee rates. Undercutting is not desired because it violates the system invariant we maintain: Transactions attached with higher fee rates are selected no later than transactions with lower fee rates, given that they appear in the same mempool at the time the miner selects transactions from mempool to form new blocks. We desire this system invariant because if the invariant is not kept, users are not incentivized to attach higher transaction fees even if they would like their transactions confirmed faster. The source of incentive is thus negatively affected. Moreover, if the invariant is violated, miners are aware of possible unjustified block formation procedure. Rational miners can make decisions to follow the trend based on their observed information but honest miners are put into a disadvantageous position, which violates the desired honest behavior of Bitcoin mining specifications.
In this section, we introduce definitions intensely used or important in the context of later discussions.
Definition 3.1 ().
(Bandwidth Set.) Given block size limit and an unconfirmed transaction set composed of transactions, is one bandwidth set of w.r.t if , where is the power set of and .
If the unconfirmed transaction set is of size smaller or equal to the block size limit , then the bandwidth set is the memory pool itself. If its size is greater than , then the bandwidth set only includes partial transactions from the pool. But bandwidth set is not necessarily a unique dominant partition of the mempool. When several different sets share the same fee total, they are all bandwidth sets. If we sort transactions by their fee rates (amount of fee for each byte), these bandwidth sets usually have similar components with differences occurring on the lower end.
Definition 3.2 ().
(Near Bandwidth Set.) A near bandwidth set is a collection of unconfirmed transactions, where a proportion of of the transactions are in the bandwidth set .
When a miner forms a block, it balances the computation of the puzzle and the inclusion of new transactions into the block that it is constructing. It also needs to take into account the propagation speed of the new block which is pertinent to its size. Therefore miners often have near bandwidth set in their new blocks. The distance between a near bandwidth set and the bandwidth set can be depicted as the ratio of transactions picked from the bandwidth set to the size of it, which is close to .
Definition 3.3 ().
(Safe depth D.) A block is considered on-chain after confirmations.
For the current Bitcoin system, , which means that a block is on-chain after 5 blocks have been appended to it. We do not claim this block to be on main chain although it is when there is only one chain in the system. When there exist multiple chains, it is the first chain that succeeds to extend by 6 blocks from the forking point becomes the main chain. It can still be forked but the block that has reached safe depth is now on the main chain and all transactions inside it are finalized. Note that there could be hard forks that break this rule, but we limit the discussion to soft forks.
4. Undercutting Mining Game
In this section, we model the system dynamically and explore the profitability of undercutting strategies with various parameter sets. We first define the game and the undercutting strategy. Then we demonstrate how the system evolves with undercutting in presence. We then compute the returns for the undercutter and compare it with the profits it could obtain if there was no attack. We further deduce the optimal conditions on transaction fee distributions in subsequent blocks for the attack to be profitable.
4.1. Game Definition
We define the mining game as follows:
Players : denotes mining power of the undercutter, is honest mining power, and refers to mining power of remaining rational miners. Honest miners are treated as one because they follow the same mining rules. Flexible rational miners can shift among chains. Rational miners are mostly flexible except for the undercutter and that when we analyze best response strategies for rational miners, they can be committed to certain chains.
Actions : indicates whether to start mining; indicates which mining algorithm the player chooses to use; is the chain a player chooses to extend; indicates whether to publish a new block. The a miner chooses depends on its type.
Utility functions : the utility function is characterized by the total transaction fees a player can obtain from the game, which a rational miner intends to maximize.
We let an undercutter start attacking when it is not the owner of the current chain head. We characterize the amount of high fee rate transactions it left unclaimed from the current chain head by a parameter . Suppose the prize size and the current chain head incorporates 100 fee units (not realistic), an undercutter typically leaves out the wealthy transactions worth 20 fee units and puts remaining transactions in its new block. We allow each miner to own no more than 50% mining power. We let miners publish their discovered blocks immediately. We assume there are sufficient transactions to be assembled into blocks in the mempool. This assumption is reasonable since scalability has been a bottleneck for the Bitcoin application. We assume the mempool to be the same for miners on the same chain considering that undercutting is not practical if miners have distinct mempools. Because wealthy transactions an attacker left unclaimed may not exist in others’ mempools in the first place. We allow the undercutter to set aside an arbitrary amount of transaction fees from its bandwidth set transactions. These assumptions make the attacker stronger and we intend to uncover what the attacker can obtain with ideal environment settings. We also assume that new blocks appear every 10 minutes, which is a goal of Bitcoin, regardless of the chains they are appended to. This assumption is feasible in the sense that currently difficulty is adjusted every 2016 blocks for Bitcoin, we expect our game not to be happening in between difficulty changes.
4.2. Stubborn Undercutting
In undercutting strategy, the deviating miner forks an existing chain by selecting only a limited proportion () of transactions from its bandwidth set at time . It can select other transactions outside its bandwidth set. In the stubborn version of undercutting, the undercutter does not give up on its chain until it wins or loses the game. By winning we mean that a chain extends to safe depth from the forking point, which is the latest block all miners have consensus on, before other chains. We set for Bitcoin for now. In the following discussions, we refer to the fork chain as "fork" and the other chain as "main". The "main" might not be on the main chain eventually. The relative height of a chain is the number of blocks it has accumulated after the forking point. Overall, the process proceeds as follows. The undercutter sees a new block is appended to the main chain by some other miner. It starts to work on a block that takes out wealthy transactions appearing in the latest block. With some probability it can discover this block faster than the next block on the main chain. When the undercutter publishes its block, some rational miners will consider shifting to the fork because there are more high fee rate transactions that they can benefit from on the fork. To model this procedure, we screenshot the state of the system as a tuple which we denote as , where:
is the relative height of the main chain and is the relative height of the fork after the forking point;
is the list of transaction fee total in blocks on the main chain and is a list of fee total inside blocks on the fork;
(Limited Power on the Fork) is the limited view of mining power currently on the fork, which is the total mining power visible on the fork. Intuitively, miners can see whatever is public and thus form a point of view of the probability that the fork wins based on the information they witness;
(Power on the Fork) is the actual mining power currently working on the fork, which can increase or decrease based on new block appending event. This quantity is not visible to miners;
is the mining power shifting from the main chain to the fork, which is negative if miners are shifting to main chain;
and are hypothetical block generation rates for the main chain and fork respectively. The two rates reflect miners’ viewpoints and can be calculated form in the parent state. They are not the actual block incoming rates which can be derived form . We only include two limited view rates and disregard the actual block occurrence rates in analytical analysis to save notations.
We model the full version single-undercutter game as a state graph, as shown in Figure 2. Initially there is one chain in the system and the undercutter intends to fork the main chain as shown by the leftmost point (0,1). If the main chain extends one block, we go one step downwards to (0,2). But if instead the undercutter successfully mines a new block, then we go one step to the right to (1,1). The undercutter wins if it reaches any vertices on the rightmost line.
We represent each state with only the relative height of two chains in the graph because other elements in the state tuple will be different after one-step transitions from different directions. Following different paths to the same vertex, we can have distinct system states. So how do we know what state we are in when we are at a specific vertex? The answer is we do not know each element if we stand at the node alone and have no knowledge about the past. In the real world, we know the values of , , and . But in analytical analysis, we can only have assumptions and expectations on the fee total and . For the other five elements, we need the information about the path that is taken. With the knowledge of the previous state, we first update the value of (visible mining power). If the block is published by a miner already known to be on the chain, then it stays the same as in the previous state. If the owner is "new" to the chain, then miners update their viewpoints by adding this fresh proportion of mining power to . In analytical reasoning, we do not have this information so we will be calculating the expected . We discuss the updating procedure in two scenarios. If the fork extends by one block, then with some probability newly shifted mining power will be visible. We denote the new mining power as as before and take it for granted now and explain the derivation later. Then we have
The intuition here is that with probability , a rational miner only sees previously visible miners . With probability , the miners shifted in the last round becomes visible, which is . If instead, the main chain creates the next block, we update the limited view of miners on the main chain first: . So how do we calculate for next round calculations? We obtain this quantity with the probability of a chain winning and the actual flexible miners on the other chain. We calculate the probability of a chain winning ()s through a black box that will be described in the next section. With this probability , we obtain by multiplying the flexible mining power on the other chain with an augmented version of plus the honest miners if they are shifting. By augmented version, we add an augmenting factor (), which is determined by the proportion of transaction fees (), to the raw calculation of winning probability. We have this factor to account for the fact that the more wealthy transactions the attacker leaves out, the more attractive is the fork to rational miners. As described in Section 4.1, we denote undercutter mining power as and honest mining power as . If the fork extends one block, then we have:
where the conditions are is on main chain and the fork is now longer; is on main chain but the fork is not longer; is on the fork. Likewise, if main chain miners extend by one block, we update with respect to the winning probability of main chain.
where the conditions are is on the fork and main chain is now longer; is on the fork but the main chain is not longer; is on main chain. In both cases, will be updated as:
For the augmenting factor , it depends on the risk preferences for flexible rational miners. For more general discussions, we can borrow the concept of risk-neutral, risk aversion, and risk-seeking from prospect theory and apply corresponding augmenting factors. Here we assume the rational miners are risk-neutral towards both loss and gain. Then we have the following:
where is the smaller depth of the two chains.
4.3. Probability of A Chain Winning
In this part, we describe one key drive of the system evolution when undercutting is taking place, the probability of a chain winning, which captures the probability of rational miners on one chain shifting to another. To obtain the winning probability measure for a chain from the state , we first present necessary discussions on the distribution of the time needed for a chain to complete
confirmations and become solidly on-chain. We view the block generation event as a Poisson process and use a random variable to represent the waiting time between block occurrence events. We denote the waiting time for the main chain asand the fork as
. They both follow exponential distribution but with different rates. The rate parameters depend on the mining power distribution. Given a state, we obtain the block occurrence rate for this round as:
This is derived based on the thinning theorem of the Poisson point process. The main idea is that independent sub-processes of a Poisson process are still Poisson processes with individual rates. With this property, we can determine the time interval for the next block to appear which follows exponential distribution. More detailed proofs can be found in Appendix A.1. Here we use the limited view mining power on fork for computation because we are calculating the rates for rational miners to choose sides. We are limited to the information visible to them. By substituting with , we arrive at actual block generation rates. Next we proceed and calculate the probability of the fork winning:
We know and
. Miners are aware of only public information. We let miners use the current perceived mining power distribution and obtain the cumulative joint distribution of the two random variables below:
We then obtain the probability density function:
where and . Then the winning probability of a chain can be calculated by
As the incoming block rates are calculated using the limited-view of the mining power, here, is capturing the conservative view probability of the fork winning.
4.4. Return Analysis
In this section, we bring the transaction fee totals and contained in blocks into the discussion. As shown in Figure 2, there are 210 paths in total where the undercutter reaches the right finish line before the main chain miners reach the bottom finish line. Let represent the expected revenue for the attacker after a game and denote its expected income if there is no fork. We have:
The probability of taking a specific path can be obtained by multiplying the one-step transition probability along the path, which equals to the actual mining power on the fork. In Equation 9, the power on the fork at certain block is dependent upon the path we are taking. Therefore we add path to its subscript.
4.4.1. Numerical Simulations
We summarize simulation results, the probability of the fork winning and the undercutter’s expected returns, in Table 4 in Appendix. Overall, it is possible for a rational miner to launch an attack and obtain extra profits out of it. The winning probability and returns depend on the initial mining power , the mining power of honest miners , and the prize size . Following are important observations from the simulation results: (1)
Undercutter’s mining power
: first of all, with larger starting mining power, the chance of winning and the expected profits both increase. Secondly, in the best case for the attacker, with zero honest miners in the system and the prize size being high, the threshold for the winning probability to be higher than 50% is 40%. But the 40% attacker will not gain more than what its fair share based on the distribution of block fee total. With other distributions and timing, it is possible for the attacker to earn premiums. Therefore we conservatively consider the threshold attacking mining power to be 40%. Thirdly, for the attack to be profitable, the threshold mining power is higher, which is 42% in the best case with 0 honest miners. As honest miners increase, this threshold mining power increases until undercutting becomes not profitable. (2)
Honest mining power
: firstly, for stronger attackers, the winning probability and the profits from attacking go downwards if there are more honest miners in the system. Secondly, for weak attackers, the higher the honest mining power, the better off the undercutter can be, though still negligible. The intuition is that the rational mining power they can attract is so small that by extending the chain longer than the main chain and attracting the honest miners will produce better profits. (3)
: firstly, when the prize size increases, the probability of the undercutter winning will be higher but in the meanwhile, the attacking profits decrease. The attacker needs to make a tradeoff between the winning probability and the final returns it can claim. The embedded reason is that When the attacker leaves more transaction fee unclaimed, it can attract more rational miners to the fork, which on the one hand increases the probability of the fork becoming the main chain but on the other hand lessen the proportion of the undercutter’s mining power on the fork. Secondly, when there are more honest miners in the network, then the prize proportion will have less effect on the winning probability and eventual returns because there are less rational miners present.
4.4.2. Optimal Mempool Conditions for Undercutters
Next we explore the conditions on the mempool to make a stubborn attack profitable. For demonstration purposes, we reason with the initial attacker having hashing power 17% and 45%, one accounting for the current biggest mining pool and one standing for an advantageous attacker. We can transform in Equation 9 and rewrite the expected returns of the undercutter as:
where is the mining power concentrated on the fork when we take path to get to the th block on the fork. Finally we can attain a tuple consisting of 6 elements, representing the expected proportion of fees a miner can get from each block. We call this tuple "return sequence". For 17% scenario, the return sequence for parameter set is [0.0089, 0.0085, 0.0082, 0.0074, 0.0057, 0.0031]. Since , we arrive at the expected returns for the undercutter:
For the attack to be profitable, we need . To get an upper bound, we make coefficients in front of equal to the smallest coefficient 0.0031. Then we let
We obtained the upper bound for the coefficients of and . We will refer to the two coefficients as the main coefficient and residual coefficient. Similarly to obtain the lower bound for the main coefficient, we can substitute coefficients of with the largest coefficient 0.0085. After computations, the main coefficient range is , which is rare (did not happen) in hindsight when we analyze historical data. The residual coefficient resides in the range . For 45% scenario, the return sequence of the undercutter for parameter set is [0.6918, 0.4634, 0.3940, 0.3553, 0.3309, 0.3169]. The attacker’s expected returns is
For the attack to be profitable, we need . Similarly to get an upper bound, we let
The main coefficient is in , which has a probability of appearing around 70% of the time from 2018 to February 9, 2020. The residual coefficient is in range . We summarize the lower and upper bounds for the coefficients for different parameter sets in Figure 3. Note that the higher is, the smaller will the second and fifth proportion number be. So we compute the coefficient bounds with respect to . This will be the best case for the undercutter and the condition is least demanding among other values of .
To determine whether the coefficient for is feasible, we look into the empirical ratio between consecutive 5-block fee total with 12243 blocks. We calculate this quantity to demonstrate the typical relationship between the subsequent 5 blocks and preceding 5 blocks in terms of transaction fees contained. In history, 51% of this ratio is between (0,1] and 48% is between (1,2]. We say the empirical feasible range for the main coefficients is [0,2]. Then for a given return sequence, a quick rule of thumb is to check whether the upper bound of its main coefficient (mining power divided by smallest element in return sequence) is in this range. As shown in Figure 3, miners with more than 30% mining power can expect to launch a profitable undercutting attack but with demanding fee rate distribution. For miners with more than 39% mining power, it can expect itself to successfully launch the attack because its main coefficient upper bound with 0 honest miner in the system is within [0,2]. Here the threshold is determined in terms of possible profits and the underlying fee rate distribution is not predefined. Our previous threshold 40% is decided in consideration of undercutting winning probability. The returns are calculated with 6-block fee total distribution. A more complete table for the coefficient bounds is organized in Table 5.
5. Undercutting the Undercutter
Although it is demanding to start an undercutting attack and it is not destined to be solidly profitable in each round because miners cannot foresee the future. This does not guarantee that undercutting will not happen, especially when there is some extreme occasion or external utility insight. In this section, we mainly explore into the question that if some rational miner is undercutting, what will be the best response for other rational miners. In this section, we are no longer concerned with the attacker’s profits only. On the contrary, we try to maximize the utility of other rational miners. We first describe (1) the responses other miners have towards an undercutter. Then we look into (2) miners’ utility by taking certain actions. We pay close attention to the situation of undercutting as a response to undercutting, which means two undercutters are present in the system.
5.1. Responses to Undercutting
We consider three aggregate miners with one initial attacker who is rational, one honest miner , and one rational miner who responds to the attack. The attacker is one party. Honest miners act according to the specifications so they can be viewed as one party. To derive a beast response for all other non-undercutting rational miners, we consider them as one party and explore different choices they have. For , the response strategy space we are considering is as follows:
Stay on the main chain they are working on. This is worth considering because shifting, updating mempools, and recomputing the nonce brings about computation overhead.
Join the fork immediately. This is because the undercutter has left high fee rate transactions outside. If a miner is not originally the owner of blocks on the main chain starting from the forking point, the miner can be better off by shifting. This is petty compliant strategy in (carlsten2016instability).
Honest mine. When there is a sufficient number of honest miners in the system, it can be rational to follow the trend.
Undercut the undercutter.
In the previous analysis, we have found that miners with 45% mining power can be expected to successfully undercut the main chain. In the rest of our analysis, we set and . It is subtle to choose the mining power for because this will determine the mining power of as well. For the nontriviality of discussion and the representativeness of the results, we test for having 45% mining power and honest mining power , to accommodate strategy . We summarize the profits for each response in Table 1. According to simulation results, staying on the main and joining the fork immediately benefits the undercutters. The profits of are lower than their fair share. Staying typically rational produces the most profits. Honest mining also generates higher expected profits than fair share. The high level intrinsic reason for higher expected income is that when there are competing chains in the system, being honest or rational reserves the right to shift among chains. By keeping options open, their expected returns can come from each individual chain winning. undercutting the undercutter outputs the least desired profits. This is because the initial undercutter is already 1 block ahead at the start of the game and it does not change sides. Besides, it is able to claim most of the blocks on its fork since the does not shift either and there will only be limited dilution of its mining power on its fork by honest miners.
|Profits||Profit Proportional to ()|
5.2. Undercutting As A Response
Next, we look into the response strategy undercutting. Intuitively undercutting the attacker brings about even less returns for because the attacker is staying on the fork and the only flexible mining power is . Given an attacker with mining power, the stronger the is, the smaller will the honest miners be. Initially, honest miners are working on the main chain. starts a fork through undercutting. The attacker leaves transaction fees outside its first block. Then starts to work on another fork. Next, if the extends a new block, shifts to its fork and this fork becomes the main chain because no miner is working on the main chain anymore. If the honest miner extends the main chain by one block, then the system continues evolving and no miner changes sides. If appends a new block, the other two miners will be aware of this fork. As the process proceeds, only the honest miner will shift between chains. Once shifts, the original main chain is discarded. We simulate with and both having 45% mining power. From previous discussions, we know that they are both capable of initiating a profitable undercutting attack. The returns for and has been summarized in Table 2 and 3. In Table 2, we summarize the results for undercuts and responses with honest mining or undercutting. If the attacker initiates an undercutting attack, the dominant strategy for is to be honest. Thus the equilibrium for (, ) here is (Honest, Honest).
In Table 3, we summarize the results for undercuts and responses with being honest or undercutting. If the attacker initiates an undercutting attack, the best response for is to be typical rational. The equilibrium for (, ) in this setting is (Undercutting/Rational, Rational). Here if the undercutter can expect to earn more than its fair share, then its dominant strategy is to attack. We notice that the premium for the initial undercutter is relatively small compared with the spreads of . The intuition here is that when an undercutter starts an attack, other rational miners by shifting among chains can expect to take advantage of the undercutter and honest miners. Combining Table 2 and 3, we conclude that it is always preferred for to stay rational. When there is an honest majority, the equilibrium strategy for all rational miners is to honest mine.
6. System Evaluation on Bitcoin
In this section, we evaluate the profitability of undercutting using Bitcoin real-world data. We first prepare the set of transactions used for the evaluation and further, explain the simulation setup of the mining process and the results from the experiments.
6.1. Data Collection
We obtained the blocks (Dec 31st, 2019) to (Feb 9th, 2020) from the Bitcoin blockchain using the API provided by blockchain.com (blockchaindotcom), from which we acquired transactions. For each of these transactions, we extracted the size, fee, and timestamp. The timestamp provided by blockchain.com records the time the transaction was broadcasted to the network. This timestamp will serve as a proxy for the time that the transaction arrives at the miners’ mempool.
In this experiment, we consider three types of miners. The undercutting miner also referred to as the adversary. We experimented with two types of undercutting miners (stubborn and pruned) that only differ on their decision on when to give up on an unsuccessful attack (i.e., return to the main chain and try to fork it again). Next, we have the honest miners that follow the policies stated in the Bitcoin protocol, which is to extend the longest chain and break ties according to the block’s broadcast time. Finally, we have the rational miners that their goal is to maximize their expected profits regardless of which chain is the longest. To mimic the current state of the Bitcoin network, we follow the mining power distribution of miners published by blockchain.com (miningpowers) on Feb 27th, 2020. In total, we have miners, with mining powers ranging from to percent. To give the advantage to the adversary, we select the strongest miner with of the mining power as the undercutting miner. The remaining 16 miners are distributed between honest and rational miners as explained later.
6.2. Experiment Setup
In this part, we provide an overview of our simulation of the Bitcoin blockchain. But before diving into the details, we will go over the system assumptions. We consider the blockchain to be event-based, where the events are new block creations. What this means is that all the parameters of the system and miners (including the arrival of the transactions) are updated upon the creation of a new block which we denote as for the remaining of this section. This is a reasonable assumption for our work as we are only interested in the block creations by the miners and their transaction fees. We further assume that all the miners have the same view of the network and there is no delay in propagation of the blocks and transactions.
We begin the simulation by first setting the time of the system to the earliest timestamp () of the collected transaction. Next, we create the empty genesis block and create the chain by appending to it. Next, we insert the tuple (, ) to an empty list chainsTime. The tuples inside this list indicate when the next block for each of the chains will be generated. Algo. 1 provides an overview of the simulation after the initial setup. The simulation takes the transactions (txSet), miners (minerSet) and the tuple list (chainsTime) as input. We consider all inputs to be global for all functions in the simulation. Each iteration of the while loop indicates an event, that we further detail below.
Block creation (line 2-4 in Algo. 1)
In the first step of each iteration, the chain to be extended, extChain, is selected using the nextChainToExtend function. It sorts all the tuples in chainsTime and picks the chain with the smallest next block creation time. Next, the algorithm selects the miner of the new block using the selectNextBlockMiner function. This function randomly selects miner m, from all the miners that are working on extChain, weighted by their mining power. Finally, the selected miner m publishes the next block using the transactions in its mempool.
Chain updates (line 5 in Algo. 1)
After the creation of the new block all the chains in the system are updated via the procedure depicted in Algo. 2. In the first step, block is appended to the current extending chain extChain. Next, all other chains are checked against the extChain to see if they are in a non-winning situation (extChain has at least blocks from the forking point). If a chain is non-wining, it will be removed from the system and chainsTime will be updated. Finally, the chainsTime list is updated with the new time for the next block on extChain.
Miner updates (line 6 in Algo. 1)
Following the chain updates, miners update their working chain (i.e., the chain they are extending). Each miner based on its type (undercutter, honest, rational) will decide if it should change its working chain (shown in updateMiners function in Algo. 2).
If extChain is a competing chain of a undercutter miner, the miner will check to see if extChain is blocks ahead of its own chain ( depends on the type of adversary, stubborn or pruned) and switch to extChain if it is.
If extChain is not a forked chain of the undercutter, and miner m (miner of block ), is not the undercutting miner itself, it will start to extend a new chain that forks block by undercutting miner m. Otherwise, it continues to extend extChain.
All honest miners check to see if extChain is the longest chain in the system. If so, they all switch to chain extChain.
All rational miners that are not extending extChain, compare the length of extChain with their current chain and calculate the winning probability and prize amount of extChain according to creftype 4.3 and decide to switch to extChain or remain on their current chain.
Mempool update (line 7 in Algo. 1)
The last system update before moving to the creation of the next block () is the mempool update of miners. In this step, all the transactions in txSet that have a timestamp between the creation time of and are added to the mempool of the miners working on extChain. In such a manner, the transactions that arrive after time will not be included in block .
We repeat all the steps explained above until all the transactions have been included in the blocks (txSet
is empty). To remove the outliers rooted by the random selections (time and miner selections), we repeat the experiment 10 times (for each set of parameters explained below) and report the mean values. The parameters that we consider in our simulation are threefold.
Two types of undercutter miner, namely the stubborn and pruned. The stubborn undercutter will give up on a forked chain when the forked block is confirmed on the competing chain (i.e., six blocks have been created since the fork point). In contrast, the pruned undercutter will give up on the forked chain as soon as the competing chain is two blocks ahead of the forked chain (accepting an early defeat).
The percentage of honest miners in the system. We considered four variations with , and (no attack) of the entire mining power.
The prize portion that the undercutter leaves for other miners when undercutting. We considered ten different values varying from 0 to 1 with 0.1 steps. For example, the prize portion of 0.5 indicates that the undercutter leaves out the top valued transactions that constitute 50% of all fees in the forking block and replaces them with less valued transactions (if any).
We also considered a hypothetical, but a potentially realizable scenario where the undercutting attacker has 45% of the entire mining power. To simulate this scenario, we considered six other miners where five of them each had 10% of the mining power and the remaining one had 5%. We repeated the simulation with all the parameter combinations for this power attacker and report the results in the next section.
For an undercutter to make a fortune, it can either attract the honest miners by extending the fork chain faster than the main chain or attract the rational miners by leaving transactions with high fees outside. We refer to the two effects as honest effect and rational effect. The game between the undercutter and other miners will have different outcomes depending on the attacker’s mining power and the distribution of the mining power between the honset and flexible rational miners. We present the simulation results for the undercutter’s profits in creftypeplural 54.
Undercutting attack results in a loss in today’s Bitcoin network
The solid lines in creftype 4 present the rewards of the attacker under the stubborn case. We see that when there is no attack (all miner play Honest), the miner with 17.2% power receives about 17.5% (the line with marks) of all transaction fees as expected. However, when the attacker undercuts other miners the profitability drops significantly (to 1-4% of all the transaction fees). The reason is that upon a fork, initially there will be only 17.2% mining power on the forked chain. As a result, the probability of the forked chain extending before the main chain will be low. Thus, the weak undercutter cannot rely on the honest effect. Furthermore, as the mining power on the forked chain is much lower than the 82.8% power on the main chain, rational miners are less willing to change chains (even in the case of same chain lengths) since they act according to the probability of a chain winning. Therefore rational effect will not be operative either. The dashed lines in creftype 4 present the rewards of the attacker under the pruned case. We see that the attacker is able to increase its profit by about percentage points. Although significant, it is still 5 to 8 percentage points below the baseline. The increase is brought about by timely giving up of hopeless games. This shows that in the current distribution of mining powers in Bitcoin, any undercutting attack results in a decrease of profits.
Undercutting attack is profitable when the attacker has a large amount of mining power
The solid lines in creftype 5 present the mean profits of the attacker under the stubborn case. Similar to the previous case, when there is no attack, the miners receive about the same share as their mining power. Here 45.5% for the miner with 45% mining power (the line with
mark). Contrary to the miner with 17.2% power, here, by undercutting the attacker increases its profit by as much as 6% (when every other miner is rational). However, for the case of 50% honest users, the profit of the undercutter is slightly below the 45.5% baseline. The reason is that the undercutting is only effecting the remaining 5% of the rational miners and less attractive for the other (50%) honest miners that follow the longest chain rule. The dashed lines increftype 5 present the rewards of the attacker under the pruned case. We see that depending on the percentage of honest miners in the network the attacker’s profit increases, decreases, or stays similar. When there are no honest miners, the attacker is better off by being stubborn and keep the game alive instead of killing it prematurely. However, when the majority of miners (other than the attacker) are honest (i.e., the case of 50% honest mining power), then there are only 5% flexible rational miners the undercutter can try to attract. The attacker would gain more by giving up a game when it’s not promising (3 percentage point increase). In the scenario where there is 25% honest miners and 30% flexible rational miners, by pruning, the undercutter can either end the game early for honest miners or be stubborn to attract more of the rational miners. Since the two group of miners take up similar proportions of mining power, the expected returns for the stubborn and pruned attacker will be similar.
The percentage of Honest miners has inverse effects on the attacker with low and high mining powers
As shown in creftypeplural 54 the presence of honest miners favors weak attackers. The reason is that the winning chance of a weak attacker is negligible if the fork is only one or two blocks ahead, thus the tendency of rational miners joining is low. The chance of the weak attacker extending its fork longer than the main chain is greater than this winning probability. Honest miners typically join longer chains.
In this paper, we construct an analytical model for a mining game involving undercutting strategy in Bitcoin. The game is defined in the transaction fee-based incentivization mechanism. The potential profitability of undercutting comes from the variance of fee rates across time, which is eventually from the indefinite incoming of new transactions. Therefore our major focus is put on the unconfirmed transaction set, miners’ local mempools. We explore the profitability of undercutting through numerical simulations and experiments with real-world data. We find that the attack is more likely to take effect with higher mining power. Our detected threshold of hashing power for undercutting to be successful is 40% and 42% for it to be profitable given the current transaction fee distributions in the best case with 0 honest miners in the system. With the increase of honest mining power, both thresholds increase. With majority honest miners, undercutting is not profitable at all. For strong attackers capable of initiating a profitable attack, their profits decline with more honest miners. For weak attackers that are not expected to earn premiums from undercutting, their returns are more decent with more honest miners. Another factor that affects the performance of undercutting is the prize size the attacker offers. When the prize portion reduces, the probability of the attack succeeding goes down but undercutter’s returns increase. This effect is more significant when honest mining power is small. We also look into the best response to an undercutting attack. The dominant strategy for a rational miner is to stay rational and do not undercut again when faced with an undercutting attack. When there is an honest majority in the system, being honest is the equilibrium strategy for all rational miners.
This work has been partially supported by the National Science Foundation under grant CNS-1719196 and CNS-1846316.
Appendix A Proofs
Following problems and discussions are in the context of blockchains. Some concepts may not apply to general contexts.
a.1. Derive Block Generation Rates for Multiple Competing Chains
Problem Statement: Given the overall system block generation being a Poisson process with rate , and competing chains with () mining power on each chain, the block generation on an individual chain is a Poisson process with rate . Sketch. This is essentially the thinning of a Poisson process. We may as well refer to it as the thinning theorem. For proof setup, we assume the system block generation rate is constant and the puzzle complexity is adjusted in order to keep the average block generation rate constant. The high level idea is to label each event with the corresponding chain ID. The probability of a block being appended to one chain is dependent upon the mining power concentrated on this chain.
We assume the system block generation rate is constant and the puzzle complexity is adjusted in order to keep the average block generation rate constant. We assume mining power distribution to be stable during the time period we are interested in. When , . The block generation rate on the single chain is . When , we have two competing chains in the system with mining power and (). Since we assume mining power distribution to be stable and the consensus protocol for Bitcoin is PoW, the two counting processes of blocks appearing on each chain are independent. If we label each incoming block with "1" or "2", depending on which chain it is appended to, the probability of the next block being tagged "1" is and the probability of it being labelled "2" is . We record the two processes as and . With Theorem A.1, we say is a Poisson process with rate and is a Poisson process with rate .
Theorem A.1 ().
Suppose is a Poisson process with rate . If an event can be independently observed with probability and we record this process as , then is a Poisson process with rate .
When , there are competing chains in the system. Similar to the previous case, we can observe the event of a block being appended to chain with probability . We record this counting process as . With Theorem A.1, we say is a Poisson process with rate . We briefly give the proof for Theorem A.1.
. The initial value for process is 0.
Appendix B Simulation Results