threshold (due to the addition of malicious actors aimed at undermining the
system, rational actors wishing to usurp the currency, perhaps covertly, or due
to momentum in pool popularity), it can switch to a modified protocol that
ignores blocks generated outside the pool, to become the only creator of blocks
and reap all the mining revenue. A majority pool wishing to remain covert may
remain a benign monopolist, accepting blocks from third-parties on occasion to
provide the illusion of decentralization, while retaining the ability to reap full
revenue when needed, as well as the ability to launch double-expenditure attacks
against merchants. Either way, the decentralized nature of the currency will have
collapsed, and a single entity, the selfish pool manager, will control the system.
Since a selfish mining pool that exceeds threshold size poses a threat to the
Bitcoin system, we characterize how the threshold varies as a function of message
propagation speed in the network. We show that, for a mining pool with high
connectivity and good control on information flow, the threshold is close to zero.
This implies that, if less than 100% of the miners are honest, the system may not
be incentive compatible: The first selfish miner will earn proportionally higher
revenues than its honest counterparts, and the revenue of the selfish mining pool
will increase superlinearly with pool size.
We further show that the Bitcoin mining protocol will never be safe against
attacks by a selfish mining pool that commands more than 1/3 of the total
mining power of the network. Such a pool will always be able to collect mining
rewards that exceed its proportion of mining power, even if it loses every single
block race in the network. The resulting bound of 2/3 for the fraction of Bitcoin
mining power that needs to follow the honest protocol to ensure that the protocol
remains resistant to being gamed is substantially lower than the 50% figure
currently assumed, and difficult to achieve in practice. Finally, we suggest a
simple modification to the Bitcoin protocol that achieves a threshold of 1/4.
This change is backwards-compatible and progressive; that is, it can be adopted
by current clients with modest changes, does not require full adoption to provide
a benefit, and partial adoption will proportionally increase the threshold.
In summary, the contributions of this work are:
1. Introduction of the Selfish-Mine strategy, which demonstrates that Bitcoin
mining is not incentive compatible (Section
3
).
2. Analysis of Selfish-Mine, and when it can benefit a pool (Section
4
).
3. Analysis of majority-pool formation in face of selfish mining (Section
5
).
4. A simple backward-compatible progressive modification to the Bitcoin pro-
tocol that would raise the threshold from zero to 1/4 (Section
6
).
We are unaware of previous work that addresses the security of the
blockchain. We provide an overview of related work in Section
7
, and discuss
the implications of our results in Section
8
.
2
Preliminaries
Bitcoin is a distributed, decentralized crypto-currency [
8
,
7
,
23
,
6
]. The users of
Bitcoin are called clients, each of whom can command accounts, known as ad-
dresses. A client can send Bitcoins to another client by forming a transaction and
committing it into a global append-only log called the blockchain. The blockchain
is maintained by a network of miners, which are compensated for their effort in
Bitcoins. Bitcoin transactions are protected with cryptographic techniques that
ensure only the rightful owner of a Bitcoin address can transfer funds from it.
The miners are in charge of recording the transactions in the blockchain,
which determines the ownership of Bitcoins. A client owns x Bitcoins at time t
if, in the prefix of the blockchain up to time t, the aggregate of transactions
involving that client’s address amounts to x. Miners only accept transactions if
their inputs are unspent.
2.1
Blockchain and Mining
The blockchain records the transactions in units of blocks. Each block includes
a unique ID, and the ID of the preceding block. The first block, dubbed the
genesis block, is defined as part of the protocol. A valid block contains a solution
to a cryptopuzzle involving the hash of the previous block, the hash of the
transactions in the current block, and a Bitcoin address which is to be credited
with a reward for solving the cryptopuzzle. This process is called Bitcoin mining,
and, by slight abuse of terminology, we refer to the creation of blocks as block
mining. The specific cryptopuzzle is a double-hash whose result has to be smaller
than a set value. The problem difficulty, set by this value, is dynamically adjusted
such that blocks are generated at an average rate of one every ten minutes.
Any miner may add a valid block to the chain by simply publishing it over
an overlay network to all other miners. If two miners create two blocks with
the same preceding block, the chain is forked into two branches, forming a tree.
Other miners may subsequently add new valid blocks to either branch. When a
miner tries to add a new block after an existing block, we say it mines on the
existing block. This existing block may be the head of a branch, in which case
we say the miner mines on the head of the branch, or simply on the branch.
The formation of branches is undesirable since the miners have to maintain a
globally-agreed totally ordered set of transactions. To resolve forks, the protocol
prescribes miners to adopt and mine on the longest chain.
1
All miners add blocks
to the longest chain they know of, or the first one they heard of if there are
branches of equal length. This causes forked branches to be pruned; transactions
in pruned blocks are ignored, and may be resubmitted by clients.
We note that block dissemination over the overlay network takes seconds,
whereas the average mining interval is 10 minutes. Accidental bifurcation is
therefore rare, and occurs on average once about every 60 blocks [
12
].
When a miner creates a block, it is compensated for its efforts with Bitcoins.
This compensation includes a per-transaction fee paid by the users whose trans-
1
The criterion is actually the most difficult chain in the block tree, i.e., the one that
required (in expectancy) the most mining power to create. To simplify presentation,
and because it is usually the case, we assume the set difficulty at the different
branches is the same, and so the longest chain is also the most difficult one.