(This post is part of the Understanding GHOSTDAG series)

This post is mainly dedicated to a subtle phenomenon called selfish mining, a very interesting attack on a blockChain. Selfish mining is not the focus of this book, and its theory becomes exponentially more complicated for blockDAGs than it is for blockChain. However, it is a fascinating phenomenon that no book about PoW will be complete without. Moreover, there are many bad interpretations of its consequences and a severe deficit of resources explaining it in a manner accessible for the layman. Hence, I decided that a segment about selfish mining specifically for HCR is in order.

The Selfish Mining Strategy

Ittay Eyal and Emin Gün Sirer first observed selfish mining in their 2013 paper Majority is not Enough: Bitcoin Mining is Vulnerable. They noticed that an adversarial miner can increase their expected profit by withholding blocks.

A double-spend attack is also a block-withholding attack, but a much more aggressive one: a double-spend adversary withholds all blocks they create until the attack is concluded. In contrast, a selfish mining attack only requires withholding only a few recently created blocks at any given time.

So what does a selfish mining attack look like?

Say I am a miner, and I happened to mine a block, before I broadcast it to the world, the situation looks like this:

Say I keep this block secret and keep mining on it, but before I manage to create a block, the honest network found one, leading us to this situation:

At this point, my private chain is tied with the honest chain, so there is a chance that I will find the next block first, leading to this:

At this point I can publish my hidden blocks, orphaning the honest block:

The point is this: if I had published my first block the second I found it, the honest network would have switched to mining above it. As a consequence of my withholding, any work that was put into the orphaned block after I mined my first block was wasted. My deviation from the protocol rules caused the amount of wasted work to increase.

Of course, it could have been the case that the honest network would have found a second block before me, orphaning my withheld block, so there is some risk involved. However, a careful mathematical analysis by Eyal and Sirer shows that if this strategy is implemented correctly then, for sufficiently large miners, the gains outweigh the losses in the long run.

Do note that I have not specified the strategy in full, but only demonstrated one central way it can go. A full specification requires handling a list of four or five similar cases, and is available in the paper.

Consequences

Let us deliberate on the following graph (Fig. 2 in Eyal-Sirer):

This graph is a bit intimidating so let’s pick it apart slowly. The $x$-axis represents the attacker fraction $\alpha$, and the $y$-axis represents the fraction of blocks the attacker manages to create.

An additional parameter γ\gamma describes how well connected the attacker is: if the attacker and the honest network broadcast a block simultaneously, $\gamma$ is the probability that the network chooses the attacker block.

We see that even for $\gamma=0$ the consequences are far reaching: a 42%-attacker can create more than half of the blocks! For $\gamma = 1$, this drop to 37%! Eyal and Sirer’s attack is not optimal, and further research (see next section) shows that these numbers can be made smaller, with a 34% with $\gamma=1$ attacker able to mine a majority of blocks.

This result has been misinterpreted by many to mean that a 34% attacker can double-spend on Bitcoin, but that is not quite the case. How can an attacker create more than half of the blocks, but cannot revert the chain? Because the attack forces them to interleave their blocks with honest blocks. The attacker cannot cause increased orphan rates on the honest chain if she spends all her resources creating a secret competing chain. A successful 51% attack looks something like this:

while a successful selfish mining attack could look like this:

Note that in the second image, the attacker created 9 out of the 17 chain blocks, giving him a majority of chain blocks. However, the honest network created 13 total blocks, more than the attacker’s 9 blocks. The attacker could post their blocks in a way that sidelines some of the honest work, which is not possible if they had arranged their blocks in a chain.

The next natural question is “so what? Let them all selfish mine, and the proportions will go back to what they should be”. But no dice, a situation where all miners are selfish still gives disproportional benefits to large miners. Worse yet, it increases the advantage of better-connected miners. And the worst of all: it causes orphan rates to skyrocket, deteriorating the security of the entire network.

Further Works

Since Eyal and Sirer’s initial observation, selfish mining has become an independent topic of research for consensus researchers. The attack has been extended in many ways and combined with other attacks and more complicated settings, we list just a few of them.

A formal framework for studying selfish mining was given by Juan A. Garay, Aggelos Kiayias, and Nikos Leonardos in their 2014 paper The Bitcoin Backbone Protocol: Analysis and Applications. In that paper, they defined the chain quality property as the fraction of blocks an $\alpha$-miner should expect to mine and noted that Eyal and Sirer‘s attack proves that Bitcoin’s chain quality is not ideal.

In 2017, Ayelet Sapirshtein, Yonatan Sompolinsky, and Aviv Zohar published the paper Optimal Selfish Mining Strategies in Bitcoin, where they noted that Eyal and Sirer’s attack is not optimal and provided an optimal strategy. Their improvement is particularly interesting as it relies on optimization techniques: the authors noted that for any set of parameters $\alpha,\gamma$ the optimal strategy is slightly different, and provided an efficient algorithm that computes the optimal policy from these parameters. They noted that the original selfish mining strategy coincides with theirs for $\gamma=1$ and small values of $\alpha$.

In the 2018 paper On Profitability of Selfish Mining, Cyril Grunspan and Ricardo Pérez-Marco provide a subtler analysis of selfish mining. They note that the assumption that $\gamma$ is constant is unrealistic (as $\gamma$ depends on how long it took to create each block), and show that when incorporating the time variance of $\gamma$ into the computation, the honest mining strategy becomes optimal. They conclude that selfish mining attacks are actually attacks on the difficulty adjustment algorithm. In particular, they conclude that a successful selfish mining attack on Bitcoin must persist over several difficulty windows, making it impractical.

However, in the 2020 paper Selfish Mining Re-Examined, Kevin Negy, Peter Rizun, and Emin Gün Sirer pointed out a mistake in the computation by Grunspan and Pérez-Marco. Fixing it, they found that selfish mining can be profitable in the constant difficulty setting. They carefully analyze selfish mining in scenarios of varying difficulty and find it is even more confusing. A surprising property is that the attack is affected by how the difficulty adjustment works, and different approaches to adjusting difficulty furnish different efficacies for selfish mining attacks.

A year before that, Guy Goren and Alexander Spiegelman published the paper Mind the Mining, where they revisit mining in face of variable difficulty. The attacks in this paper “complement” selfish mining, as they are based on the miner deliberately shutting off some of their hardware. This kind of attack has very different flavor than selfish mining, which assumes attackers have a fixed hash rate. In other words, the analysis of selfish mining implicitly ignores the expenses of the miner, and treat income as pure profit. Taking expenses into account, Goren and Spiegelman find that Bitcoin’s long difficulty epochs enable “win-win” situations: a miner can increase the profits of all miners by reducing their mining efforts (where the reducing miner is “rewarded” in lower energy bills, while the rest are rewarded in higher mining income due to increased difficulty). The loser of this “win-win” is obviously the network itself, whose hash rate, and whereby security, is reduced.

(My deepest gratitude to Ittay Elay for reviewing this post and making invaluable comments and suggestions)