A simple analogy presented in the form of a Lego Brick War, where the kid strategically reveals his fort to stay tall and mighty. Image makes more sense as you read through!
In my previous article, “Blockchain and Its Commitment Issues”, I discussed how colluding miners can work together to occupy a larger share of the hash rate. If they follow the simple blockchain protocol, the colluding party needs to constitute a majority of the miners — i.e., at least 51%.
However, if we distribute the gains equally among the colluding miners, how do we realize the upside? Easy — occupying a majority of the hash rate (say x%) assures the colluding party of discovering roughly x out of every 100 blocks. It reduces the variance compared to a node working alone. The entire colluding party gets to earn a piece of the cake at more steady intervals. The proportions align over time as the total number of blocks increases.
But what if the colluding party wanted to increase their reward even further? Or better yet — what if they could trade some of that predictability for earning disproportionately larger shares of rewards using significantly less hash power (considering revenue earned by occupying majority hashrate and following the Bitcoin protocol as the benchmark)?
This is where we get into the specifics of “How to Get Away with Mm..Theft :)”.
Collaboration is the key to success, but strategic collaboration is even better. Let’s say my friend and I are competing in a petty Lego Brick War, where we earn cash proportional to the height of whichever fort is chosen as the winner — with one condition: whenever we compare forts (that is, when either kid makes their fort public), we must adopt the taller one as the new standard, rendering all effort on the shorter fort completely worthless (sobs).
In this case, the kid mimicking the selfish mining pool would utilize the height differential strategically, keeping his fort private and only revealing it at the right moment. Every time the honest kid’s fort gets rejected, all his effort is rendered worthless. The selfish kid makes bank not by building faster, but by timing his reveal to ensure the honest kid’s work never counts. This is one of the ways of gaming the system while still following a globally compliant version of the blockchain protocol.
Let’s go deeper into how the timing of revealing the blockchain is decided by the selfish miner. It really is a game of numbers — just as the selfish kid assesses his lead to decide when to reveal, the different states (determined by the selfish mining pool’s lead over the honest pool) are organized into a Markov chain by Eyal and Sirer. This helps derive the minimum hash rate the colluding party needs to profit from selfish mining.
In a distributed system that resolves forks by choosing the longest chain, the private colluding pool can only strategically choose when to make its version public by keeping it secret. Otherwise, the network may adopt the honest pool’s chain, wasting the entire withheld chain and diminishing their earnings.
Now let’s come to the different states that decide what action to take. I will describe the expected value of each state, which together help determine the minimum hash rate threshold required for selfish mining to be profitable.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Note: The subscript numbers (e.g., S₀, S₁, S₂…) indicate the lead the selfish pool currently has over the honest pool in terms of private blocks.
α = probability that the selfish pool discovers the next block.1 − α = probability that the honest pool discovers the next block.γ = probability that, in the event of a tie (both pools publish competing chains of equal length), honest miners mine on the selfish pool’s chain first.1 − γ = probability that honest miners continue mining on their own (public) chain.
The number of blocks earned in each phase within a pool is subject to whether or not we publish it. The private pool is typically the one that publishes its forked chain strategically, timing its reveal to maximize the blocks earned while rendering the honest pool’s work worthless. The honest pool, on the other hand, only ever earns 1 block at a time, accounting solely for the block just discovered, never its accumulated past work, since it never gets the chance to publish its full chain before the selfish pool overtakes it.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Markov Chain
S₀ (the “square one” state): This is the state where the selfish pool holds no private blocks and both pools are even. It is typically encountered at the beginning, or after the selfish pool publishes its withheld chain, forcing the honest pool to discard its own and adopt the longer one, resetting both to square one.
Selfish mines next block → blocks earned in selfish pool = 1
EV: α × 1 × P(S₁) = α × P(S₁)Honest mines next block → blocks earned in selfish pool = 0
EV: (1−α) × 0 × P(S₀) = 0Honest mines next block → blocks earned in honest pool = 1
EV: (1−α) × 1 × P(S₀) = (1−α) × P(S₀)
S₀’ (The “race condition”): This is the state where the honest pool catches up with the selfish pool, forcing a tie. The selfish pool must now play its next move carefully to ensure the honest pool’s efforts get discarded. Who wins the race comes down to the value of γ. If γ equals 1, honest miners will always build on the selfish pool’s chain during the race in the case that they discover the next block, meaning the selfish pool wins every tie.
What would be the minimum threshold for the selfish mining pool in this case?
In the contrary case, where the selfish pool discovers the next block first, it earns two blocks — the tied block it had been withholding and the newly discovered one. It must publish its chain at this moment to cash out both blocks, since waiting any longer risks losing everything if the honest pool takes the lead.
Selfish mines next block → blocks earned in selfish pool = 2 (the tied block + new one) EV: α × 2 × P(S₁) = 2α × P(S₁)Honest mines next block → lead drops to 0, both chains tied, race begins (γ case — selfish wins race, earns 1)
EV: (1−α) × γ × 1 × P(S₁) = (1−α)γ × P(S₁)Honest mines next block → lead drops to 0, selfish immediately publishes, race begins (1−γ case, honest chain wins, selfish pool earns 0)
EV: (1−α) × (1−γ) × 0 × P(S₀) = 0Honest mines next block → lead drops to 0, selfish immediately publishes, race begins (1−γ case, honest chain wins, honest pool earns 1)
EV: (1−α) × (1−γ) × 1 × P(S₀) = (1−α)(1−γ) × P(S₀)
S₁ (narrow lead): This is the state where the selfish mining pool is 1 block ahead of the honest pool, i.e., it is withholding 1 block from the honest pool. This case could either lead to P(S₂) or P(S₀’), based on whether or not the selfish mining pool discovers the next block. If the honest pool catches up in this state, the selfish pool will feel threatened and immediately publish its withheld block to force a tie, entering the race condition at S₀’. From there, the outcome depends on γ.
Selfish mines next block → blocks earned in selfish pool = 1
EV: α × 1 × P(S₂) = α × P(S₂)Honest mines next block → lead drops to 0, selfish immediately publishes, race begins (γ case — selfish wins race, earns 1)
EV: (1−α) × γ × 1 × P(S₀’)Honest mines next block → lead drops to 0, selfish immediately publishes, race begins (1−γ case, honest chain wins, selfish pool earns 0)
EV: (1−α) × (1-γ) × 0 × P(S₀’) = 0Honest mines next block → lead drops to 0, selfish immediately publishes, race begins (1−γ case, honest chain wins, honest pool earns 1)
EV: (1−α) × (1-γ) × 1× P(S₀’)
S₂ (absolute lead): This is the state where the selfish pool is 2 blocks ahead of the honest pool, i.e., it is withholding 2 blocks from the honest pool. This case could either lead to S₃ or S₀, based on whether or not the selfish mining pool discovers the next block. If the selfish pool were to discover the next block, it would move from S₂ to S₃, having earned a single block since there is no need to redeem its efforts and computation just yet!
However, if the honest pool discovers the next block, it will feel threatened and publish its chain, leading to S₀, square one.
Selfish mines next block → blocks earned = 1
EV: α × 1 × P(S₃) = α × P(S₃)Honest mines next block → selfish immediately publishes a 2-block lead, resetting the state to S₀ → blocks earned = 2
EV: (1−α) × 2 × P(S₀) = 2(1−α) × P(S₀)
Thus, it really just becomes a game of when to redeem the pool’s efforts for building the secret chain. The higher the threat from the honest pool, the greater the chances of redeeming efforts to ensure we don’t “lose it all”.
Coming back to my previous question of what the minimum threshold should be if γ were equal to 1. Well, there wouldn’t be a minimum threshold! We could have any number of miners in the selfish mining pool, and the pool would still be able to stay ahead at all times, since in the race condition, honest miners always build on the private chain’s block with a probability of 1.
In reality, γ is decided by how quickly and how many miners in the honest pool the selfish mining pool is able to reach with its version of the chain. If the honest miners see the selfish pool’s chain first and happen to discover the next block, they will add that block to the selfish pool’s chain, putting it at a lead and helping it redeem its efforts and computation.
This allows the selfish pool to manipulate the value of γ by allocating the majority of the hardware in their pool solely to broadcast their blockchain to the honest pool during a race condition, thus artificially bringing the value of γ close to 1 or at least higher than what it was before, thus reducing the minimum threshold for the number of members needed in the selfish mining pool.
To counteract this loophole, Eyal and Sirer in their paper proposed setting the value of γ to 1/2. This way, miners in the honest pool make an equal choice between whether to append their discovered block to the selfish mining pool’s chain or their own, regardless of how strong the network is, increasing the minimum threshold to a decent value of 25% (anything is better than no threshold at all!).
Eyal and Sirer calculate the minimum threshold by finding the value of α at which the expected blocks earned by the selfish mining pool divided by the total expected blocks earned across both pools exceeds α, which is the selfish pool’s hash rate and what it would have earned under honest mining. When this ratio exceeds α, selfish mining becomes more profitable than playing by the rules.
Well, if you were an honest miner watching your peers get ahead of you, would you join their scam? This is the biggest threat to decentralized systems — the exploitation of loopholes in protocols that entice all the nodes to join in, making it centralized eventually!
References
Eyal and Sirer’s paper — “Majority is not Enough: Bitcoin Mining is Vulnerable” by Ittay Eyal and Emin Gün Sirer, 2014. https://arxiv.org/abs/1311.0243
How to Get Away With Theft (Crypto Version) was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.