Bitcoin Game Theory: Selfish Mining (Block-Withholding)
How Bitcoin miners with >1/3 hash power could exert power over the blockchain
Selfish mining is a bitcoin mining strategy where groups of miners collude to increase their revenue and exert power over the Bitcoin blockchain. With selfish mining, the mining cartel withholds newly created blocks from the main chain, revealing them at a later point in time in order to gain an economic advantage.
For explanation, we’ll use three miners; Alice, Bob, and Mallory. Alice and Bob are honest miners, and Mallory is a malicious miner. Let’s assume Alice has 30% of the network hash power, Bob has 30% of the network hash power, and malicious Mallory has 40% of the network hash power. Mallory would theoretically not have enough hash power to control the network, however Cornell researches Eyal and Sirer released a 2013 paper1 demonstrating how a minority miner could earn more bitcoin by withholding blocks and releasing them at opportune times to invalidate honest blocks.
To do this, Mallory mines on top of the longest blockchain (black) as usual. However when she finds a block (red dash), instead of publicly adding it to the blockchain, she keeps it private and does not publish it, essentially creating a secret soft fork. Mallory can keep adding private blocks as long as nobody has added more blocks onto the main blockchain than her. Let’s say she has built three unpublished blocks (red dash).
Meanwhile, Alice and Bob are continuing to extend the main blockchain (black), unaware that Mallory is already three blocks ahead (red dash). The moment Alice and Bob add two blocks to the main blockchain, Mallory can publish her private three blocks thereby creating the longest chain (red). Now all miners would continue mining Mallory’s chain since it is the longest blockchain. Alice and Bob lose their two blocks, forfeiting any block rewards and transaction fees they may have earned. They also incur energy costs for mining those two valid blocks that are not rewarded.
In the event that Alice and Bob are able to outcompete Mallory, building the public (black) blockchain as fast or faster than the private (red) blockchain, then Mallory is the one that would waste energy, lose her blocks, and forfeit any rewards. Given that Mallory is a minority miner, it seems that this would not be a profitable strategy since she would lose more races than she wins. However, if we calculate the ratio of the selfish miner’s blocks and her revenue out of all blocks as a function of her size, we find that a selfish miner that has >1/3 of the hash power would increase their revenue by performing selfish mining.
In the Cornell paper, Eyal and Sirer highlight this as a significant risk: over time, selfish mining could lead to mining cartels growing in hash rate, as miners team up with the selfish entities to maximize their revenue. Once a single pool has acquired the majority of the power, it may attempt a 51% attack.
“At least 2/3 of the network needs to be honest to thwart selfish mining; a simple majority is not enough.” - Eyal, I., & Sirer, E. G.
Given that there already exist mining pools with >1/3 hash power, why hasn’t this happened yet? Part of it is larger game theory - if miners reduce the security of the network, then the bitcoin they receive is worth less (or worthless), so they are incentivized to act honestly in order to preserve the value of their bitcoin. However there is still the possibility of a bad actor that does not care about the value of bitcoin and wants to destroy the network’s integrity.
There are several proposed solutions to prevent or penalize selfish mining, such as randomly assigning miners to various branches when a fork occurs, or providing a limit to how many blocks could be published at once. A 2019 paper by Lee & Kim2 provides a strategy called detective mining to counter selfish mining by investigating necessarily public mining pool information. Since most mining (at least 78.7%) is conducted in pools rather than individually, there is more public information shared which can lead to the detection of selfish mining. An honest miner can then publicly build on the secret blocks, which then prevents selfish miners from publishing those blocks again.
Several groups are working on solving the selfish mining and other game-theoretic attacks on the Bitcoin network. One example is MIT’s Digital Currency Initiative launch of Pool Detective3, a project to monitor the behavior of mining pools. With each countermeasure developed to potential network attacks, the security of the Bitcoin network strengthens and becomes more resilient.
Resources
Eyal, I., & Sirer, E. G. (2014, March). “Majority is not enough: Bitcoin mining is vulnerable.” In International conference on financial cryptography and data security (pp. 436-454). Springer, Berlin, Heidelberg. https://www.cs.cornell.edu/~ie53/publications/btcProcFC.pdf
Cryptonomics (2019, September). “Bitcoin: Selfish Mining.” http://cryptoeconomics.study/docs/en/sync/3.5-lecture
Fang, Max & Hayes, Philip (2016, November). “Game Theory & Network Attacks: How to Destroy Bitcoin.” Blockchain at Berkeley.
Lee, Suhyeon & Kim, Seungjoo (2019, May). “Detective Mining: Selfish Mining Becomes Unrealistic under Mining Pool Environment.” CIST(Center for Information Security Technologies), Korea University, Korea; ADD(Agency for Defense Development), Korea.
https://www.cs.cornell.edu/~ie53/publications/btcProcFC.pdf
https://eprint.iacr.org/2019/486.pdf
https://pooldetective.org