Best Bitcoin Mining Incentives and strategies - Media Gust
We've spent most of this chapter describing how the main challenge of being a miner is getting good hardware, finding cheap electricity, getting up and running as fast as you can and hoping for some good luck. There are also some interesting strategic considerations that every miner has to make before they pick which blocks to work on.
1. Which transactions to include. Miners get to choose which transactions they include in a block. The default strategy is to include any transaction which includes a transaction fee higher than some minimum.
2. Which block to mine on. Miners also get to decide on top of which block they want to mine. The default behavior for this decision is to extend the longest known valid chain.
3. Choosing between blocks at the same height. If two different blocks are mined and announced at around the same time, it results in a 1‐block fork, with either block admissible under the longest valid chain policy. Miners then have to decide which block to extend. The default behavior is to build on top of the block that they heard about first.
4. When to announce new blocks. When they find a block, miners have to decide when to announce this to the Bitcoin network. The default behavior is to announce it immediately, but they can choose to wait some time before announcing it.
Thus miners are faced with many decisions. For each decision there is a default strategy employed by the Bitcoin reference client, which is run by the vast majority of miners at the time of this writing. It may be possible though that a non‐default strategy is more profitable. Finding such scenarios and strategies is an active area of research. Let’s look at several such potentially profitable deviations from default behavior. In the following discussion, we’ll assume there’s a non‐default miner who controls some fraction of mining power which we’ll denote by α.
The simplest attack is a forking attack and the obvious way to profit to perform a double spend. The miner sends some money to a victim, Bob, in payment for some good or service. Bob waits and sees that the transaction paying him has indeed been included in the block chain. Perhaps he follows the common heuristic and even waits for six confirmations to be sure. Convinced that he has been paid, Bob ships the good or performs the service. The miner now goes ahead and begins working on an earlier block — before the block that contains the transaction to Bob. In this forked chain, the miner inserts an alternate transaction — or a double spend — which sends the coins paid to Bob on the main chain back to one of the miner’s own addresses.
A malicious miner sends a transaction to Bob and receives some good or service in exchange for it. The miner then forks the block chain to create a longer branch containing a conflicting transaction. The payment to Bob will be invalid in this new consensus chain.
For the attack to succeed, the forked chain must overtake the current longest chain. Once this occurs, the transaction paying Bob no longer exists on the consensus block chain. This will surely happen eventually if the attacking miner has a majority of the hash power — that is, if α > 0.5. That is, even though there is a lot of random variation in when blocks are found, the chain that is growing faster on average will eventually become longer. Moreover, since the miner’s coins have already been spent (on the new consensus chain), the transaction paying Bob can no longer make its way onto the block chain.
Launching a forking attack is certainly possible if α > 0.5. In practice, it might be possible to perform this attack with a bit less than that because of other factors like network overhead. Default miners working on the main chain will generate some stale blocks for the usual reason: there is a latency for miners to hear about each others’ blocks. But a centralized attacker can communicate much more quickly and produce fewer stale blocks, which might amount to savings of 1% or more.
Still, at close to 50% the attack may take a long time to succeed due to random chance. The attack gets much easier and more efficient the further you go over 50%. People often talk about a 51% attacker as if 51% is a magical threshold that suddenly enables a forking attack. In reality, it’s more of a gradient.
Practical countermeasures.
It's not clear whether a forking attack would actually succeed in practice. The attack is detectable, and it’s possible that the community would decide to block the attack by refusing to accept the alternate chain even though it is longer.
Attacks and the exchange rate. More importantly, it’s likely that such an attack would completely crash the Bitcoin exchange rate. If a miner carried out such an attack, confidence in the system would decline and the exchange rate would fall as people seek to move their wealth out of the system. Thus, while an attacker with 51% of the hashing power might profit in the short term from double‐spending, they might seriously undermine their long‐term earning potential to just mine honestly and cash in their mining rewards. For these reasons, perhaps a more plausible motivation for a forking attack is to specifically destroy the currency by a dramatic loss of confidence. This has been referred to as a G oldfinger attack after the Bond villain that tried to irradiate all the gold in Fort Knox to make it valueless. A Goldfinger attacker’s goal might be to destroy the currency, possibly to profit either by having shorted Bitcoin or by having significant holdings in some competing currency.
Forking attack via bribery. Buying enough hardware to control the majority of the hash power appears to be an expensive and difficult task. But it’s possible that there is an easier way to launch a forking attack. Whereas it would be really expensive to directly buy enough mining capacity to have more than everybody else in the world, it might be possible to bribe the people who do control all that capacity to work on your behalf.
There are a few ways that you could bribe miners. One way is to do this “out of band” — perhaps locate some large miners and hand them an envelope of cash for working on your fork. A more clever technique is to create a new mining pool and run it at a loss, offering greater incentives than other pools. Even though the incentives might not be sustainable, an attacker could keep them going for long enough to successfully launch a forking attack and perhaps profit. A third technique is to leave big “tips” in blocks on the forking chain— big enough to cause miners to leave the longest chain and work on the forking chain in hopes that it will become the longest chain and they can collect the tips. Whatever the mechanics of the bribing are, the idea is the same: instead of actually acquiring all the mining capacity directly, the attacker just pays those who already have it to help their fork overcome the longest chain.
Perhaps miners won’t want to help because to do so would hurt the currency in which they have invested so much money and mining equipment. On the other hand, while miners as a group might want to keep the currency solvent, they don’t act collectively. Individual miners might defect and accept a bribe if they thought they could make more money in the short term. This would be a classic tragedy of the commons from an economic perspective. None of this has actually happened and it's an open question if a bribery attack like this could actually be viable.
Say that you just found a block. The default behavior is to immediately announce it to the network, but if you’re carrying out a temporary block‐withholding attack, you don’t announce it right away. Instead you try to get ahead by doing some more mining on top of this block in hopes of finding two blocks in a row before the rest of network finds even one, keeping your blocks secret the whole time.
If you’re ahead of the public block chain by two secret blocks, all of the mining effort of the rest of the network will be wasted. Other miners will mine on top of what they think is the longest chain, but as soon as they find a valid block, you can announce the two blocks that you were withholding. That would instantly be the new longest valid chain and the block that the rest of the network worked so hard to find would immediately be orphaned and cut off from the longest chain. This has been called selfish mining.
By causing the rest of the network to waste hash power trying to find a block you can immediately cause to be stale, you hope to increase your effective share of mining rewards.
This shows one of several possible ways in which the attack could play out. (1) Block chain before attack. (2) Attacker mines a block, withholds it, starts mining on top of it. (3) Attacker gets lucky, finds a second block before the rest of the network, continues to withhold blocks. (4) Non‐attacker finds a block and broadcasts it. In response, the attacker broadcasts both his blocks, orphaning the red block and wasting the mining power that went into finding it.
The catch is that you need to get lucky to find two blocks in a row. Chances are that someone else in the network announces a valid block when you’re only one block ahead. If this happens, you'll want to immediately announce your secret block yourself. This creates a 1‐block fork and every miner will need to make a decision about which of those blocks to mine on. Your hope is that a large fraction of other miners will hear about your block first and decide to work on it. The viability of this attack depends heavily on your ability to win these races, so network position is critical. You could try to peer with every node so that your block will reach most nodes first.
As it turns out, if you assume that you only have a 50 percent chance of winning these races, selfish mining is an improvement over the default strategy if α > .25. Even if you lose every race, selfish mining is still more profitable if α > .333.
The existence of this attack is quite surprising and it's contrary to the original widely‐held belief that without a majority of the network — that is with α ≤ .5, there was no better mining strategy then the default. So it's not safe to assume that a miner who doesn't control 50 percent of the network doesn't have anything to gain by switching to an alternate strategy. At this point temporary block withholding is just a theoretical attack and hasn’t been observed in practice. Selfish mining would pretty easy to detect because it would increase the rate of near‐simultaneous block announcements.
Blacklisting and punitive forking.
Say a miner wants to blacklist transactions from address X . In other words, they want to freeze the money held by that address, making it unspendable. Perhaps you intend to profit off of this by some sort of ransom or extortion scheme demanding that the person you're blacklisting pay you in order to be taken off of your blacklist. Blacklisting also might be something that you are compelled to do for legal reasons. Maybe certain addresses are designated as evil by the government. Law enforcement may demand that all miners operating in their jurisdiction try to blacklist those addresses.
Conventional wisdom is that there’s no effective way to blacklist addresses in Bitcoin. Even if some miners refuse to include some transactions in blocks, other miners will. If you’re a miner trying to blacklist, however, you could try something stronger, namely, punitive forking. You could announce that you'll refuse to work on a chain containing a transaction originating from this address. If you have a majority of the hash power, this should be enough to guarantee the blacklisted transactions will never get published. Indeed, other miners would probably stop trying, as doing so would simply cause their blocks to be elided in forks. Feather‐forking. Punitive forking doesn’t appear to work without a majority of the network hash power.
By announcing that you'll refuse to mine on any chain that has certain transactions, if such a chain does come into existence and is accepted by the rest of the network as the longest chain, you will have cut yourself off from the consensus chain forever (effectively introducing a hard fork) and all of the mining that you're doing will go to waste. Worse still, the blacklisted transactions will still make it into the longest chain. In other words, a threat to blacklist certain transactions via punitive forking in the above manner is not credible as far as the other miners are concerned. But there's a much more clever way to do it.
Instead of announcing that you're going to fork forever as soon as you see a transaction originating from address X , you announce that you’ll attempt to fork if you see a block that has a transaction from address X , but you will give up after a while. For example, you might announced that after k blocks confirm the transaction from address X, you'll go back to the longest chain. If you give up after one confirmation, your chance of orphaning the block with the transaction from X is α 2 . The reason for this is that you’ll have to find two consecutive blocks to get rid of the block with the transaction from address X before the rest of the network finds a block and α 2 is the chance that you will get lucky twice.
A chance of α 2 might not seem very good. If you control 20% of the hash power, there’s only a 4% chance of actually getting rid of that transaction that you don't want to see in the block chain. But it’s better than it might seem as you might motivate other miners to join you. As long as you've been very public about your plans, other miners know that if they include a transaction from address X , they have an α 2 chance that the block that they find will end up being eliminated because of your feather‐forking attack.
If they don't have any strong motivation to include that transaction from address X and it doesn’t have a high transaction fee, the α 2 chance of losing their mining reward might be a much bigger incentive than collecting the transaction fee. It emerges then that other miners may rationally decide to join you in enforcing the blacklist, and you can therefore enforce a blacklist even if α < .5. The success of this attack is going to depend entirely on how convincing you are to the other miners that you're definitely going to fork.
Transitioning to mining rewards dominated by transaction fees. As of 2015, transaction fees don't matter that much since block rewards provide the vast majority — over 99% — of all the revenue that miners are making. But every four years the block reward is scheduled to be halved, and eventually the block reward will be low enough that transaction fees will be the main source of revenue for miners. It's an open question exactly how miners will operate when transaction fees become their main source of income. Are miners going to be more aggressive in enforcing minimum transaction fees. Are they going to cooperate to enforce that?
Open problems.
In summary, miners are free to implement any strategy that they want although in practice we've seen very little behavior of anything other than the default strategy. There's no complete model for miner behavior that says the default strategy is optimal. In this chapter we’ve seen specific examples of deviations that may be profitable for miners with sufficient hash power. Mining strategy may be an area in which the practice is ahead of the theory. Empirically, we've seen that in a world where most miners do choose the default strategy, Bitcoin seems to work well. But we're not sure if it works in theory yet.
We also can’t be sure that it will always continue to work well in practice. The facts on the ground are going to change for Bitcoin. Miners are becoming more centralized and more professional, and the network capacity is increasing. Besides, in the long run Bitcoin must contend with the transition from fixed mining rewards to transaction fees. We don’t really know how this will play out and using game‐theoretic models to try to predict it is a very interesting current area of research.
No comments: