Majority is not Enough:
Bitcoin Mining is Vulnerable
∗
Ittay Eyal and Emin G¨
un Sirer
Department of Computer Science, Cornell University
ittay.eyal@cornell.edu, egs@systems.cs.cornell.edu
Abstract. The Bitcoin cryptocurrency records its transactions in a pub-
lic log called the blockchain. Its security rests critically on the distributed
protocol that maintains the blockchain, run by participants called min-
ers. Conventional wisdom asserts that the mining protocol is incentive-
compatible and secure against colluding minority groups, that is, it in-
centivizes miners to follow the protocol as prescribed.
We show that the Bitcoin mining protocol is not incentive-compatible.
We present an attack with which colluding miners obtain a revenue larger
than their fair share. This attack can have significant consequences for
Bitcoin: Rational miners will prefer to join the selfish miners, and the
colluding group will increase in size until it becomes a majority. At this
point, the Bitcoin system ceases to be a decentralized currency.
Unless certain assumptions are made, selfish mining may be feasible for
any group size of colluding miners. We propose a practical modification to
the Bitcoin protocol that protects Bitcoin in the general case. It prohibits
selfish mining by pools that command less than 1/4 of the resources. This
threshold is lower than the wrongly assumed 1/2 bound, but better than
the current reality where a group of any size can compromise the system.
1
Introduction
Bitcoin [
23
] is a cryptocurrency that has recently emerged as a popular medium
of exchange, with a rich and extensive ecosystem. The Bitcoin network runs at
over 42×10
18
FLOPS [
9
], with a total market capitalization around 12 billion US
Dollars as of January 2014 [
10
]. Central to Bitcoin’s operation is a global, public
log, called the blockchain, that records all transactions between Bitcoin clients.
The security of the blockchain is established by a chain of cryptographic puzzles,
solved by a loosely-organized network of participants called miners. Each miner
that successfully solves a cryptopuzzle is allowed to record a set of transactions,
and to collect a reward in Bitcoins. The more mining power (resources) a miner
applies, the better are its chances to solve the puzzle first. This reward structure
provides an incentive for miners to contribute their resources to the system, and
is essential to the currency’s decentralized nature.
The Bitcoin protocol requires a majority of the miners to be honest ; that
is, follow the Bitcoin protocol as prescribed. By construction, if a set of collud-
ing miners comes to command a majority of the mining power in the network,
∗
This research was supported by the NSF Trust STC and by DARPA
the currency stops being decentralized and becomes controlled by the colluding
group. Such a group can, for example, prohibit certain transactions, or all of
them. It is, therefore, critical that the protocol be designed such that miners
have no incentive to form such large colluding groups.
Empirical evidence shows that Bitcoin miners behave strategically and form
pools. Specifically, because rewards are distributed at infrequent, random inter-
vals, miners form mining pools in order to decrease the variance of their income
rate. Within such pools, all members contribute to the solution of each cryptop-
uzzle, and share the rewards proportionally to their contributions. To the best
of our knowledge, such pools have been benign and followed the protocol so far.
Indeed, conventional wisdom has long asserted that the Bitcoin mining pro-
tocol is equitable to its participants and secure against malfeasance by a non-
majority attacker (Section
7
). Barring recently-explored Sybil attacks on trans-
action propagation [
4
], there were no known techniques by which a minority
of colluding miners could earn disproportionate benefits by deviating from the
protocol. Because the protocol was believed to reward miners strictly in propor-
tion to the ratio of the overall mining power they control, a miner in a large
pool was believed to earn the same revenue as it would in a small pool. Conse-
quently, if we ignore the fixed cost of pool operation and potential economies of
scale, there is no advantage for colluding miners to organize into ever-increasing
pools. Therefore, pool formation by honest rational miners poses no threat to
the system.
In this paper, we show that the conventional wisdom is wrong: the Bitcoin
mining protocol, as prescribed and implemented, is not incentive-compatible. We
describe a strategy that can be used by a minority pool to obtain more revenue
than the pool’s fair share, that is, more than its ratio of the total mining power.
The key idea behind this strategy, called Selfish Mining, is for a pool to
keep its discovered blocks private, thereby intentionally forking the chain. The
honest nodes continue to mine on the public chain, while the pool mines on its
own private branch. If the pool discovers more blocks, it develops a longer lead
on the public chain, and continues to keep these new blocks private. When the
public branch approaches the pool’s private branch in length, the selfish miners
reveal blocks from their private chain to the public.
This strategy leads honest miners that follow the Bitcoin protocol to waste
resources on mining cryptopuzzles that end up serving no purpose. Our analysis
demonstrates that, while both honest and selfish parties waste some resources,
the honest miners waste proportionally more, and the selfish pool’s rewards
exceed its share of the network’s mining power, conferring it a competitive ad-
vantage and incentivizing rational miners to join the selfish mining pool.
We show that, above a certain threshold size, the revenue of a selfish pool
rises superlinearly with pool size above its revenue with the honest strategy.
This fact has critical implications for the resulting system dynamics. Once a
selfish mining pool reaches the threshold, rational miners will preferentially join
selfish miners to reap the higher revenues compared to other pools. Such a selfish
mining pool can quickly grow towards a majority. If the pool tips the majority