Selfish Mining in Ethereum

arXiv:1901.04620v4 [cs.CR] 11 Jul 2021 eosdfne ehnsssgetd(.. 7,[].In [8]). [7], nu- (e.g., and suggested [4]–[6]) mechanisms (e.g., defenses proposed merous strategies mining various oiyo h opttoa oe ntesse,te can they system, the in ma- so-called power a a computational launch occupy the miners blockchain of any colluding jority to If threat PoW. [3]. serious adopting mining a Bitcoin platform poses of context mining the selfish in The Sirer and Eyal by paper banarvnelre hnterfi hr.Sc behavior Such may share. they fair their profit, called than own is larger their revenue maximize devia a miners to obtain colluding protocol of the set a from computation if its Interestingly, to [1]. power proportional rewards block process receive will puzzles—a PoW literature. the solving in in mining called possible often as pow much the computation their as all contribute is e to block collect incentive new participants economic can its courages This (if participants). winner reward other block by each a accepted earn return, and a fees transaction As bloc the limit). to (up possible size contain as that transactions blocks outstanding new many PoW as generate this to of allowed winners are the puzzles competition math functions, solving hash successfully one-way By involving [2]. Bitcoi Ethereum as and such [1] platforms blockchain in algorithm consensus Motivation A. vulnerabl Bitcoin. more than is mining Ethereum selfish that to suggesting Sirer), and Eyal rfial nEhru.W n htti hehl slower is is (which threshold mining this Bitcoin that in find that We than Ethereum. mini selfish in makes that profitable determi power to computational compute of us Bitcoin threshold allows and the This a model rewards. Markov mining by deriv average our we long-term of inspired Second, distribution Sirer. the strategy and stationary model Eyal the mining First, by to proposed selfish mining strategy threat. process mining a selfish Markov potential analyzing of 2-dimensional its by behavior a understanding gap introduce pape research and strategies we this this mining Ethereum In fill its perspective. in to of mining aim exist selfish security we there the the from Nevertheless, about especially academia. studies attention and few much very industry received has both Ethereum from platfor contracts, decentralized smart biggest runs today’s and capitalization efihmnn nBtonhsbe elsuidwith studied well been has Bitcoin in mining Selfish faltemnr olwtemnn rtcl ahminer each protocol, mining the follow miners the all If adopted widely most the is (PoW) Proof-of-Work The Abstract efihmining selfish A h eodlretcytcrec ymarket by cryptocurrency largest second the —As colo niern,Uiest fBiihClmi (Oka Columbia British of University Engineering, of School 51% .I I. NTRODUCTION takt oto h niesystem. entire the control to attack n a ensuidi seminal a in studied been has and 25% efihMnn nEthereum in Mining Selfish sdsoee by discovered as { inunu chen.feng jianyu.niu, inuNuadCe Feng Chen and Niu Jianyu that m ng ne n- er te al r, n k e e , .OjcieadContributions Ethereum. and to Objective applied B. This directly be [9]. resear cannot existing Bitcoin Bitcoin most in on result, a results used As rewards analysis. it the block that complicates addition (standard) in in the rewards Bitcoin nephew to and from uncle so-called received differs the not provides Ethereum has Ethereum attention. in much mining selfish contrast, sharp hsppraesmaie sfollows: as summarized o are contributions paper main this The tracking. deterministic 1-dimensional and the model with uncle impossible of is effect which the rewards, characterize nephew to out us probabilis turns enables the tracking, It with their tic way. combined model, whereas deterministic 2-dimensional way a our that in probabilistic rewards a tracks in analysis analysis 2-dimensional rewards our is Second, block theirs model 1-dimensional. tracks from is Markov different model our is their First, whereas analysis aspects. our two [3], in Sirer and Eyal by insights. a engineering results perform several mathematical the obtain finally our We to verify rewards. to due nephew simulations Ethereum extensive and to this uncle threat of serious that presence selfi more words, find a other In We poses Bitcoin. mining in Ethereum. makes that than which lower in is power threshold profitable computational mining deter- of selfish to threshold us compute the allows and This mine rewards. model the mining derive Markov average then our long-term We of a [3]. distribution of by a behavior stationary inspired introduce the strategy first model mining we to selfish its goal, process understanding this Markov achieve 2-dimensional and To Ethereum threat. in potential mining selfish alyzing • proposed that to similar is strategy mining our Although an- by gap research this fill to aim we paper, this In • } eetne osuymr dacdsls mining can selfish analysis advanced our more that study strategies. believe to selfish We with extended rewards be detail. nephew in capture and can uncle mining of that impact analysis the mathematical a develop We 9) efidta h hehl slwrta htin that Bitcoin. vulnerable than than more mining lower is selfish is Ethereum to threshold that the suggesting that Bitcoin, find We on [9]). focus particular a with proposals ver- Ethereum different of under sions profitable threshold mining the selfish evaluate making we of results, theoretical our Using I10(hc saotdb h eesdByzantium released the by adopted is (which EIP100 @ubc.ca aa aps,Klwa Canada Kelowna, Campus), nagan and nd ch sh f - Block 4 The rest of the paper is organized as follows. Section II Prevhash provides some necessary background for our work. Sec- ... Block 1 Block 2 Block 3 tion III introduces a selfish mining strategy for Ethereum Transactions Prevhash Prevhash Prevhash inspired by Eyal and Sirer. Section IV gives the mathemat- ...... Block 4 ical analysis and results. Section V presents our simulation Transactions Transactions Transactions results. Section VI discusses how to improve the security Prevhash of Ethereum. Related work are discussed in Section VII. Common Blockchain ... Finally, Section VIII concludes the paper. Transactions

II. APRIMER ON ETHEREUM Figure 2. An illustration of a forked blockchain. Ethereum is a distributed blockchain-based platform that runs smart contracts. Roughly speaking, a smart contract is a set of functions defined in a Turing-complete environment. B. PoW and Mining The users of Ethereum are called clients. A client can issue transactions to create new contracts, to send Ether In order for a miner to produce a new valid block in PoW, (internal cryptocurrency of Ethereum) to contracts or to other it needs to find a value of the nonce such that the hash value clients, or to invoke some functions of a contract. The valid of the new block is below a certain threshold depending on transactions are collected into blocks; blocks are chained the difficulty level—a system parameter that can be adjusted. together through each one containing a cryptographic hash This puzzle-solving process is often referred to as mining. value of the previous block. Intuitively, the mining difficulty determines the chance of There is no centralized party in Ethereum to authenticate finding a new block on each try. By adjusting the mining the blocks and to execute the smart contracts. Instead, a difficulty, the blockchain system can maintain stable chain subset of clients (called miners in the literature) verify growth. the transactions, generate new blocks, and use the PoW Once a new block is produced, it will be broadcast to the algorithm to reach consensus, receiving Ethers for their entire network. In the ideal case, a block will arrive at all effort in maintaining the network. clients before the next block is produced. If this happens A. Blockchain to every block, then each client in the system will have the same chain of blocks. In reality, the above ideal case Each block in the Ethereum blockchain contains three doesn’t always happen. For example, if a miner produces a components: a block header, a set of transactions, and new block before he or she receives the previous block, a some reference links to certain previous blocks called uncle fork will occur where two “child” blocks share a common blocks (whose role will be explained in Sec. III-B) [9]. The “parent” block. See Fig. 2 for an illustration. In general, block header includes a Keccak 256-bit hash value of the each client in the system observes a tree of blocks due previous block, a timestamp, and a nonce (whose role will to the forking. As a result, each client has to choose a be explained shortly). See Fig. 1 for an illustration in which main chain from the tree according to certain rules (e.g., the blocks are linked together by the hash references, forming longest chain rule in Bitcoin and the heaviest subtree rule in a chain structure. the GHOST protocol)2. The common prefix of all the main Such a chain structure has several desirable features. chains is called the system main chain—a key concept that First, it is tamper-free. Any changes of a block will lead will be used in our analysis. to subsequent changes of all later blocks in the chain. Second, it prevents double-spending. All the clients will eventually have the same copy of the blockchain1 so that C. Ethereum Milestones any transactions involving double-spending will be detected and discarded. Ethereum has four milestones: Frontier, Homestead, Block 1 Block 2 Block 3 Metropolis, and Serenity. We are now in the third milestone Prevhash Prevhash Prevhash Timestamp Timestamp Timestamp where the mining difficulty level depends not only on the Nonce Nonce Nonce growth of the system main chain but also on the appearance Uncle blocks' Uncle blocks' Uncle blocks' header header header of uncle blocks, as suggested in EIP100 which is adopted by the released Byzantium [9]. By contrast, the mining Transactions Transactions Transactions difficulty level of Bitcoin only depends on the growth of the system main chain. Such a difference motivates our work. Figure 1. An illustration of the blockchain structure in Ethereum.

1More precisely, all the clients will have a “common prefix” of the 2Although Ethereum claimed to apply the heaviest subtree rule [11], it blockchain [10]. seems to apply the longest chain rule instead [6]. Table I III. SELFISH MINING ON ETHEREUM MINING REWARDS IN ETHEREUM AND BITCOIN A. Mining Model In this paper, we consider a system of n miners. The Ethereum Bitcoin Purpose Compensate for miners’ ith miner has mi fraction of total hash power. Clearly, we Static Reward X X have n m = 1. We assume miners are either honest mining cost i=1 i Reduce centralization Uncle Reward X × (those who follow the protocol) or selfish (those who deviate trend of mining P Encourage miners to from the protocol in order to maximize their own profit). Nephew Reward X × Let S denote the set of selfish miners and H denote the reference uncle blocks Transaction Fee X X Transaction execution; set of honest miners. Let α denote the fraction of total hash (Gas Cost) Resist network attack power controlled by selfish miners and β denote the fraction of total hash power controlled by honest miners. We have B1 α = mi and β = mi. Clearly, α + β = 1. i∈S i∈H 2 Without loss of generality, we assume a single selfish mining A P P B2 C1 D1 E1 F1 G1 H1 pool with α fraction of hash power. 1 2 3 4 5 6 7 8 The PoW mining process can be viewed as a series of B3 C2 D2 Bernoulli trials, each of which independently finds a valid 2 3 4 nonce to generate a new block with the same probability, Regular Block & Nephew Block Regular Block depending on the difficulty level explained in Sec. II-B. Stale Block & Uncle Block Stale Block Recall that a Bernoulli process can be approximated by a Poisson process if the duration of a trial is very short and Figure 3. Different block types in Ethereum. Here, regular blocks the success probability is very low [12]. Both conditions include {A, B2, C1,D1,E1,F 1,G1,H1} and stale blocks include are held in the context of Bitcoin and Ethereum. Therefore, {B1, B3, C2,D2}. Similarly, uncle blocks are {B1, B3,D2} and nephew blocks are {C1,F 1}. Uncle block B3 (uncle block D2, resp.) we can model the mining process of the ith miner as a is referenced with distance one (two, resp.). Poisson process with rate fmi. Here, f denotes the block mining rate of the entire system (e.g., 10 minutes per block In Ethereum, if the distance is 1, the uncle reward is 7 of the in Bitcoin and 10 − 20 seconds per block in Ethereum). 8 (static) block reward; if the distance is 2, the uncle reward That is, the th miner generates new blocks at rate . i fmi is 6 of the block reward and so on. Once the distance is Hence, the selfish pool generates blocks at rate fα, and the 8 greater than 6, the uncle reward will be zero. By contrast, honest miners generate blocks at rate . This model has fβ the nephew reward is always 1 of the block reward. In been widely used in the literature. See, e.g., [1], [13], [14]. 32 addition to blocks rewards, miners can also receive gas costs B. Mining Rewards as a reward for verifying and executing all the transactions [2]. However, the gas cost is dwarf with other rewards, and There are three types of block rewards in Ethereum, so we ignore it in our analysis. namely, static block reward, uncle block reward, and nephew We use Ks, Ku, and Kn to denote static, uncle, and block reward [2], [15], as outlined in Table I. The static nephew rewards, respectively. Without loss of generality, we reward is used in both Ethereum and Bitcoin. To explain assume that Ks = 1 so that Ku (Kn, resp.) represents the static reward, we introduce the concepts of regular and stale ratio of uncle reward (nephew reward, resp.) to the static blocks. A block is called regular if it is included in the reward. As we explained before, in the current version of system main chain, and is called stale block otherwise. Each Ethereum, Kn < Ku < 1, and Ku is a function of the regular block in Ethereum can bring its miner a reward of distance. As we will see later, our analysis allows Ku and exactly 3.0 Ethers as an economic incentive. Kn to be any functions of the distance. The uncle and nephew rewards are unique in Ethereum. An uncle block is a stale block that is a “direct child” C. Mining Strategy of the system main chain. In other words, the parent of We now describe the mining strategies for honest and an uncle block is always a regular block. An uncle block selfish miners. The honest miners follow the protocol given receives a certain reward if it is referenced by some future in Sec. II-B. Each honest miner observes a tree of blocks. regular block, called a nephew block, through the use of It chooses a main chain from the tree and mines new reference links. See Fig. 3 for an illustration of uncle and blocks on its main chain. Once a new block is produced, nephew blocks. The values of uncle rewards depend on the miner broadcasts the block to everyone in the system. the “distance” between the uncle and nephew blocks. This Also, it includes as many reference links as possible to distance is well defined because all the blocks form a tree. (unreferenced) uncle blocks in the tree. For instance, in Fig. 3, the distance between uncle block B3 By contrast, the selfish pool can withhold its newly mined (uncle block D2, resp.) and its nephew block is 1 (2, resp.). blocks and publish them strategically to maximize its own B1 C D1 E1 F G Algorithm 1 An selfish Mining Strategy in Ethereum on The selfish pool mines a new block 1: reference all (unreferenced) uncle blocks based on its private branch A B2 D2 E2 2: Ls ← Ls +1 Selfish miners' secret block Honest miners' block 3: if (Ls,Lh)=(2, 1) then Selfish miners' published block 4: publish its private branch 5: (Ls,Lh) ← (0, 0) (since all the miners achieve a Figure 4. An example to illustrate private branch length and public branch length. consensus) 6: else 7: keep mining on its private branch revenue. The basic idea behind selfish mining is to increase the selfish pool’s share of static rewards and, at the same on Some honest miners mine a new block time, to gain as many uncle and nephew rewards as possible. 8: The miner references all (unreferenced) uncle blocks Specifically, the selfish pool keeps its newly discovered based on its public branches blocks private, creating a fork on purpose. The pool then 9: Lh ← Lh +1 continues to mine on this private branch, while honest miners 10: if Ls

A2 A2 B2

Selfish miners' secret block Honest miners' block Selfish miner's published block a) Step 1: selfish pool withholds 3 blocks b) Step 2: selfish pool publishes 1 block b) Step 3: selfish pool overrides 2 blocks Figure 5. A simple example of the mining strategy.

Others Ethermine x sz s2 18.72% 26.34% .. 1,z ≥ 1, x ≥ y +2,  sz =y+2 sz−1=y+1 s1=y−z+3 f(x,y,z)= X X X MiningPoolHub  8.78%  z 0, otherwise.  | {z } (2)  Nanopool The functionf(x,y,z) is a multiple summations. See Ap- 10.33% SparkPool pendix A for some concrete examples. 22.46% F2Pool We have the following remarks for the stationary distri- 13.37% bution in Equation (2). Remark 2. When 1 , we have . Figure 6. The top 5 mining pools’ hash power in Ethereum (2018.09). 0 <α< 2 0 < π0,0 < 1 Specifically, the distribution π0,0 only depends on the parameter α and is monotonically decreasing. The tendency following global balance equations according to the above of π0,0 suggests that with more hash power, the selfish pool transition rates. can obtain more lead blocks and so stay in state (0, 0) less frequently. ∞ απ0,0 = π1,1 + β j=0 π2+j,j , Remark 3. The distributions πi,0 with i ≥ 1 are decreasing −6 π1,1 = βπ1,0, geometrically and are less than 10 when i ≥ 15 when  P∞ π , = βπ , + βγπ j,j , α = 0.4. It suggests that we can truncate the states in the  3 1 3 0 j=1 3+  πi,0 = απi−1,0, for i ≥ 1, numerical calculation.  P ∞  π = βπ + απ − + βγπ , for i ≥ 4,  i,1 i,0 i 1,1 j=1 i+j,j D. Reward Analysis πi,i−2 = β (1 − γ) πi,i−1, for i ≥ 4, P In this subsection, we conduct the reward analysis for  π = απ − + β (1 − γ) π − , for j ≥ 2,i ≥ 5.  i,j i 1,j i,j 1  (1) each state transition. Our analysis differs from the previous  Solving the global balance equations, we obtain the fol- analysis (e.g., [3], [5]) in that we track various block rewards lowing results for the stationary distribution: in a probabilistic way. Recall that each state transition induces a new block (mined by an honest miner or the pool). In general, it is impossible to decide the number of rewards 1 − 2α π = , associated with this new block when it is just created because 0,0 2α3 − 4α2 +1 i the “destiny” of this new block depends on the evolution πi,0 = α π0,0 for i ≥ 1, of the system. For this reason, we will instead compute 2 π1,1 = α − α π0,0, the expected rewards for the new block. In contrast, the i j j previous analysis tracks published blocks associated with a πi,j = α (1 − α) (1 − γ) f(i, j, j)π0,0+ state transition (whose destiny is already determined) rather i−j j−1 1 than the new block and so it can compute the exact rewards. α γ (1 − γ) i−j−1 − 1 π0,0− (1 − α) ! This gives rise to the following two questions. j 1) What is wrong with tracking published blocks? j−1 i−k j−k γ (1 − γ) α (1 − α) f(i, j, j − k)π0,0 2) How shall we compute the expected rewards for a new k=1 block at the time of its creation? X To answer the first question, one shall notice that tracking for i ≥ j +2 and j ≥ 1, where the function f(x,y,z) is published blocks don’t provide enough information to com- defined as pute the uncle and nephew rewards. Recall from Sec. III-B 1,1 Honest miners mine a block on the b selfish pool's block with rate bg b(1-g)a bg

a a a a a a 0,0 1,0 2,0 3,0 4,0 ... j-1,0 j,0 ... b b b b b a a a a b(1-g) 3,1 4,1 5,1 ... j,1 j+1,1 ...

bg b(1-g) b(1-g) b(1-g) a a a a b(1-g) ...... 4,2 5,2 6,2 j+1,2 j+2,2 bg b(1-g) b(1-g) b(1-g) a a a a b(1-g) 5,3 6,3 ...7,3 ... j+2,3 j+3,3 ...

bg b(1-g)... b(1-g)...... b(1-g)......

a a a a b(1-g) i+1,i-1 i+2,i-1 i+3,i-1 ... i+j-2,i-1 i+j-1,i-1 ...

bg b(1-g) b(1-g) b(1-g) a a a b1-g) a i+2,i i+3,i i+4,i ... i+j-1,i i+j,i ... bg b(1-g)...b(1-g) ...... b(1-g) ......

Figure 7. The Markov process of the selﬁsh mining in Ethereum.

that a published regular block can receive nephew rewards Ku(2) + Kn(2)β(1 + αβ(1 − γ)) rewards will belong to by referencing outstanding uncle blocks. The amount of honest miners (and the remaining will belong to the pool). nephew rewards depends on the number of outstanding uncle blocks. As such, we need to keep track of all the E. Revenue Analysis outstanding uncle blocks in the system together with their depth information (which is needed to determine the number In this subsection, we apply the previous reward analysis of uncle rewards). This greatly complicates the state space. to compute various rewards received by the selfish pool and To answer the second question, one shall notice that it honest miners. This calculation is straightforward. suffices to compute the expected rewards for a new block 1) Revenue Computing: First, we compute the static s by using the following information: the probability that it block rewards for the selfish pool (denoted as rb ) and honest h becomes a regular block, the probability that it becomes an miners (denoted as rb ). We have the following results: uncle block, the distance to its potential nephew block (if it s 2 2 2 indeed becomes an uncle block). Perhaps a bit surprisingly, rb = α(1 − π0,0) + (α + α β + αβ γ)π0,0 all the information can be determined when this new block 2 = α − αβ (1 − γ)π0,0, (3) is generated for our selfish mining strategy. α(1 − α)2(4α + γ(1 − 2α)) − α3 The complete analysis is provided in Appendix B for = 2α3 − 4α2 +1 a better presentation flow. Here, we just provide a simple example to illustrate our analysis. Assume that the selfish and pool has already mined two blocks and kept them private at h 2 time t. Then, some honest miner generates a new block. rb = β(π0,0 + π1,1)+ β (1 − γ)π1,0 According to Algorithm 1, the pool publishes its private (1 − 2α)(1 − α)(α(1 − α)(2 − γ)+1) (4) = . branch immediately. As such, this new block will become 2α3 − 4α2 +1 an uncle block with probability 1. Furthermore, we can s h show that this block will have a distance of 2 with its Note that rb and rb represent the long-term average static potential nephew block. Thus, this new block will receive rewards per time unit. Since all the miners generate new an uncle reward of Ku(2). Similarly, its potential nephew blocks at rate 1, the maximum long-term average reward is s h block will receive a nephew reward of Kn(2). Moreover, this 1 per time unit. Hence, we have rb + rb ≤ 1. reward will belong to some honest miner with probability Remark 4. If we only consider static rewards, the above β(1 + αβ(1 − γ)) and belong to the pool with probability results are the same as those in [3], though our approach 1 − β(1 + αβ(1 − γ)). (See Case 7 in Appendix B for is different from that in [3]. details.) Therefore, the expected rewards associated with this new block are Ku(2) + Kn(2) in total among which Next, we can compute the uncle block rewards for the s selfish pool (denoted as ru): 2) Absolute Revenue: We now define the absolute rev- s 2 enue Us for the selfish pool. As we will soon see, although ru = αβ (1 − γ)Ku(1)π0,0 the absolute revenue is equivalent to the relative revenue (1 − 2α)(1 − α)2α(1 − γ) (5) (i.e., the share ) in Bitcoin, it is different from the relative = K (1). Rs 2α3 − 4α2 +1 u revenue in Ethereum due to the presence of uncle and s nephew rewards. Remark 5. Note that ru is zero in Bitcoin. In other words, selfish pools’ blocks without rewards can be viewed as the Recall that Bitcoin adjusts the mining difficulty level so “cost” of launching the selfish mining attack. Thus the that the regular blocks are generated at a stable rate, say additional reward in Ethereum will reduce the cost of selfish 1 block per time unit. Thus, the long-term average total mining and make it easier. Moreover, as shown in our reward revenue is fixed to be 1 block reward per time unit with or analysis, the uncle blocks of the pool are always referenced without selfish mining. This makes the absolution revenue with distance 1—the minimum referencing distance possible equivalent to the relative revenue. The situation is different in in the system. Intuitively, this is because the pool has a Ethereum. Even if the regular blocks are generated at a stable global view of the system. rate, the average total revenue still depends on the generation rate of uncle blocks, which is affected by selfish mining Similarly, we can compute the uncle block rewards for as we will see shortly. Indeed, Ethereum didn’t take into h the honest miners (denoted as ru): account the generation rate of uncle blocks when adjusting

∞ the difficulty level until its third milestone. This motivates h 2 us to consider two scenarios in our analysis: 1) the regular r = (αβ + β γ)Ku(1)π , + βKu(i)πi, + u 1 0 0 block generation rate is 1 block per time unit, and 2) the i=2 ∞X∞ regular and uncle block generation rate is 1 block per time + βγKu(i)πi+j,j . (6) unit. i=2 j=1 In our previous analysis, the regular block generation rate X X is rs + rh, which is smaller than 1 as explained before. Remark 6. In the current version of Ethereum, the function b b Thus, we can re-scale the time to make the regular block K (·) is given below: u generation rate to be 1 block per time unit. In this scenario, (8 − l)/8, 1 ≤ l ≤ 6 the long-term absolute revenue for the selfish pool is K (l)= (7) u 0, otherwise. s s s rb + ru + rn Us = , (11) rs + rh Our analysis applies to an arbitrary function of Ku(·). b b Then, we can compute the nephew block rewards for the and the long-term absolute revenue for honest miners is s h h h selfish pool (denoted as rn) and honest miners (denoted as rb + ru + rn h U = . (12) r ): h s h n rb + rb ∞ ∞ s i−1 2 Similarly, we can re-scale the time to make the regular rn = αβKs(1)π1,0+ β γ(α−αβ (1−γ))Ks(i)πi+j,j and uncle block generation rate to be 1 block per time unit i=2 j=1 X X (8) and define long-term absolute revenues for the selfish pool and honest miners accordingly. h 2 2 3) Threshold Analysis: First of all, if the selfish pool rn = αβ (1 − γ)Ks(1)π0,0 + β γKs(1)π1,0+ ∞ ∞ follows the mining protocol, its long-term average absolute i revenue will be , since the network delay is negligible (and + β γ(1 + αβ(1 − γ))Ks(i)πi+j,j . (9) α i=2 j=1 so no stale blocks will occur). On the other hand, if the pool X X applies the selfish mining strategy proposed in this paper, Remark 7. In the current version of Ethereum, the function its long-term absolute revenue is given by Us, which can be is always equal to 1 . Our analysis applies to an Kn(·) 32 larger than α. arbitrary function of Kn(·). ∗ ∗ Let α be the smallest value such that Us ≥ α. That is, α

Finally, we can obtain the total mining revenue rtotal as is the threshold of computational power that makes selfish mining profitable in Ethereum. We can determine α∗ for s h s h s h rtotal = rb + rb + ru + ru + rn + rn. (10) both scenarios through numerical calculations. The details will be presented in the next section. Hence, s s s rb + ru + rn V. EVALUATION Rs = rtotal In this section, we build an Ethereum selfish mining gives the share of the mining revenue by the selfish pool. simulator to validate our theoretical analysis. In particular, we simulate a system with n = 1000 miners, each with the same block generation rate. In our simulations, the selfish 1 pool controls at most 450 miners (i.e., α ≤ 0.45) and 0.9 runs our Algorithm 1, while the honest miners follow the 0.8 designed protocol in Sec. III-C. Our simulation results are Honest Mining 0.7 Selfish Miners based on an average of 10 runs, where each run generates fi 0.6 Sel sh Miners (sim) 100, 000 blocks. Honest Miners 0.5 Honest Miners (sim)

A. Validation of the Theory Results 0.4 In this subsection, we validate the long-term average ab- 0.3 solute revenues for the selfish pool and honest miners. Fig. 8 Average Absolute Revenue 0.2 plots the results obtained from analysis and simulations. 0.1 From the results, we can see when γ = 0.5, Ku = 4/8Ks 0 and α changes from 0 to 0.45, the simulation results match 0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 our theoretical results3. In addition, when α is above 0.163, Selfish Miners’ Computaion Power α the selfish pool can always gain higher revenue from selfish mining than following the protocol. More importantly, when Figure 8. Revenue rate for the selfish pool and honest miners when γ = 0.5, Ku = 4/8Ks and α changes from 0 to 0.45. α is below the threshold 0.163, the selfish pool loses just a small amount of revenue due to the additional uncle block 1.4 rewards, which is quite different from the results in Bitcoin 1.3 [3]. 1.2 1.1 B. Impact of the Uncle Reward 1 Ku = 2/8, Selfish Miners 0.9 Ku = 4/8, Selfish Miners In this subsection, we explore the impact of the uncle 0.8 Ku = 7/8, Selfish Miners · fi block rewards on the selfish pool’s and honest miners’ 0.7 Ku( ), Sel sh Miners Ku = 2/8, Honest Miners 0.6 revenues. To this end, we first use the uncle reward function Ku = 4/8, Honest Miners 0.5 Ku = 7/8, Honest Miners Ku(·) in Ethereum (see Sec. IV-E for details) and then set · 0.4 Ku( ), Honest Miners

Average Absolute Revenue Ku = 2/8, Total the uncle reward as a fixed value regardless of the distance, 0.3 Ku = 4/8, Total ranging from 2/8Ks to 7/8Ks. Here, the fixed uncle re- 0.2 Ku = 7/8, Total K (·) Total ward value can directly show its impacts and simplify our 0.1 u 0 understanding. 0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 Fig. 9 shows that the higher the uncle reward, the more Selfish Miners’ Hash Power α absolute revenue for both the selfish pool and honest miners, which is quite intuitive. It also reveals that the total revenue Figure 9. Revenue rate for the selfish pool, honest miners under increases with the selfish pool’s computation power α and different uncle block reward Ku. soars to 135% of the revenue without selfish mining, when K = 7/8K and α = 0.45. This is because, without the u s when using the function K (·). This finding motivates our consideration of uncle blocks into difficulty adjustment, the u discussion in Sec. VI. selfish mining can produce additional uncle and nephew rewards, resulting in the fluctuation of total revenue. Addi- C. Comparison with Bitcoin tionally, the uncle reward function Ku(·) used in Ethereum In this subsection, we compare the hash power thresh- has the same effect as simply setting Ku =7/8Ks for selfish olds of making selfish mining profitable in Ethereum and pool’s revenue (as explained in Sec. IV-E). In contrast, Ku(·) Bitcoin under different values of γ. In Ethereum, we use functions complicatedly for the honest miners’ revenue. function Ku(·) to compute the uncle rewards. Particularly, When α is small, its impact is similar to the case of we compute the thresholds for the two scenarios described Ku = 7/8Ks, and when α is close to 0.45, its impact is in Sec. IV-E2: 1) the regular block generation rate is 1 block similar to the case of Ku = 4/8Ks. This is because, with per time unit, and 2) the regular and uncle block generation the increase of α, the average referencing distances of honest rate is 1 block per time unit. miners’ uncle blocks will increase, which further leads From Fig. 10, we can see that the higher γ is, the lower to the decrease of honest miners’ average uncle rewards hash power needed for making selfish mining profitable. Specifically, when γ =1, the selfish mining in Bitcoin and 3To simplify the numerical calculations of our results, we only consider the states (i,j) with i and j less than 200. This approximation turns out Ethereum can always be profitable regardless of their hash to be accurate when α ≤ 0.45. power. Besides that, the results show that the hash power Table II THEDISTRIBUTIONOFHONESTMINERS’ UNCLE BLOCK WITH 0.35 DIFFERENTREFERENCINGBLOCKDISTANCES

α 0.3 Referencing distance α = 0.3 α = 0.45 0.25 1 0.527 0.284 Ittay Model in Bitcoin 2 0.295 0.249 0.2 Scenario 1 in Ethereum 3 0.111 0.171 4 0.043 0.125 Scenario 2 in Ethereum 0.15 5 0.017 0.096 6 0.007 0.075 0.1 Expectation 1.75 2.72 sh miners’ Threshold ﬁ

Sel 0.05

0 miners’ blocks is increasing. Thus, we should decrease the 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 reward for uncle blocks with distance one and increase Network Capacity γ the reward for the uncle blocks with longer distances. In Figure 10. The profitable threshold of hash power in Bitcoin and particular, we can simply set the uncle reward function Ethereum. Ku(·)) as a fixed value, say Ku =4/8Ks, if uncle blocks’ referencing block distance is between 1 and 6. We recompute the threshold of making selfish mining profitable using this thresholds of Ethereum in scenario 1 are always lower than new function and find that when γ = 0.5, the threshold in Bitcoin. By contrast, the hash power thresholds in scenario increases from 0.054 to 0.163 in scenario 1, and from 0.270 2 are higher than Bitcoin when γ ≥ 0.39. This is because to 0.356 in scenario 2. In other words, this simple change the larger γ is, the more blocks mined by honest miners makes it harder for the selfish pool to be profitable. are uncle blocks. However, in scenario 2 the additional referenced uncle blocks will reduce the generation rate of VII. RELATED WORK regular blocks, resulting in the decrease of selfish pools’ block rewards. Thus the selfish pool needs to have higher The research of selfish mining is mostly focused on hash power in order to make selfish mining profitable. This Bitcoin with roughly two directions: 1) optimizing the selfish suggests that Ethereum should consider the uncle blocks into mining strategies in order to increase the revenue and lower the difficulty adjustment under the mining strategy given in the threshold of launching selfish mining attacks; 2) propos- Algorithm 1. ing defense mechanisms. In [3], Eyal and Sirer developed a Markov process to model the Selfish-Mine Strategy and VI. DISCUSSION to evaluate the selfish pool’s relative revenue. Moreover, In Ethereum, uncle and nephew rewards are initially they proposed a uniform tie-breaking defense against selfish designed to solve the mining centralization bias—miners mining, which is adopted in Ethereum. Inspired by this form or join in some big mining pools (Sec. III-D). This seminal paper, Sapirshtein et al. [4] and Nayak et al. [5] is because, due to propagation delay, mining pools with demonstrated that by adopting the optimized strategies, the huge hash power are less likely to generated stale blocks threshold of the hashing power to make selfish mining and can be more profitable for mining. Thus, rewarding the profitable can be reduced to 23.2% even when honest miners stale block can reduce the mining pools’ advantage [17] adopt the uniform tie-breaking defense. Furthermore, the and make them less attractive for small miners. However, as authors in [18] took the propagation delay into the analysis analyzed previously, the uncle reward (computed by using of selfish mining. the function Ku(·)) can greatly reduce the cost of launching As for defense mechanisms, Heilman proposed a defense selfish mining. To mitigate this issue, here we propose a mechanism called Freshness Preferred [8], in which by simple uncle reward function motivated by our analysis in using the latest unforgeable timestamp issued by a trusted Sec. IV-E1. It shows that the uncle blocks mined by the party, the threshold can be increased to 32%. Bahack in selfish pool can always be referenced with block distance [19] introduced a fork-punishment rule to make selfish one, i.e., the maximum uncle reward 7/8Ks using the mining unprofitable. Especially, each miner in the system function Ku(·). In contrast, the honest miners’ uncle blocks can include fork evidence in their block. Once confirmed, cannot obtain such high rewards. To illustrate the explicit the miner can get half of the total rewards of the winning situation, we provide the distribution of the honest miners’ branch. Solat and Potop-Butucaru [20] propose a solution uncle block with different referencing block distances in called ZeroBlock, which can make selfish miners’ block Table II given γ = 0.5. The results show that with the expire and be rejected by all the honest miners without increase of α, the average referencing distance of honest using forgeable timestamps. In [7], the authors proposed a backward-compatible defense mechanism called weighted REFERENCES FRP which considers the weights of the forked chains [1] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash sys- instead of their lengths. This is similar in spirit to the tem,” Working Paper, 2008. GHOST protocol [11]. [2] V. Buterin et al., “A next-generation smart There exist very few studies about the selfish mining contract and decentralized application plat- attack in Ethereum. The work by Gervais et al. [6] is among form,” white paper, 2014. [Online]. Available: the first to develop a quantitative framework to analyze https://github.com/ethereum/wiki/wiki/White-Paper selfish mining as well as double-spending in various PoW [3] I. Eyal and E. G. Sirer, “Majority is not enough: Bitcoin blockchains. Particularly, they developed optimal selfish- mining is vulnerable,” Commun. ACM, vol. 61, no. 7, pp. 95–102, Jun. 2018. mining strategies for various PoW blockchains. However, their work didn’t consider the general functions of uncle [4] A. Sapirshtein, Y. Sompolinsky, and A. Zohar, “Optimal selfish mining strategies in Bitcoin,” in International Conference and nephew rewards. Instead, they focused on a special case on Financial Cryptography and Data Security. Berlin, 7 when the uncle reward is always 8 of the block reward. Heidelberg: Springer, 2016, pp. 515–532. The author in [21] proposed to exploit the flaw of difficulty [5] K. Nayak, S. Kumar, A. Miller, and E. Shi, “Stubborn mining: adjustment to mine additional uncle blocks, which is shown Generalizing selfish mining and combining with an eclipse less profitable than our selfish mining strategy. In [22] Ritz attack,” in 2016 IEEE European Symposium on Security and and Zugenmaier built a Monte Carlo simulation platform Privacy (EuroS P). Saarbrucken, Germany: IEEE, March 2016, pp. 305–320. to quantify the security of the Ethereum after EIP100. However, their paper contains no mathematical analysis and [6] A. Gervais, G. O. Karame, K. Wüst, V. Glykantzis, H. Ritz- dorf, and S. Capkun, “On the security and performance of cannot directly capture the effects of uncle block rewards proof of work blockchains,” in Proceedings of the 2016 and nephew rewards. ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’16. Vienna, Austria: ACM, 2016, pp. 3– 16. VIII. CONCLUSION AND FUTURE WORK [7] R. Zhang and B. Preneel, “Publish or perish: A backward- compatible defense against selfish mining in Bitcoin,” in In this paper, we have proposed a Markov model to Cryptographers’ Track at the RSA Conference. Cham: analyze a selfish mining strategy in Ethereum. Our model Springer, 2017, pp. 277–292. enables us to evaluate the impact of the uncle and nephew [8] E. Heilman, “One weird trick to stop selfish miners: Fresh rewards, which is generally missing in the previous anal- bitcoins, a solution for the honest miner,” in International ysis for selfish mining in Bitcoin. In particular, we have Conference on Financial Cryptography and Data Security. shown how these rewards influence the security of Ethereum Berlin, Heidelberg: Springer, 2014, pp. 161–162. mining. Additionally, we have computed the hashing power [9] G. Wood, “Ethereum: A secure decentralised generalised threshold of making selfish mining profitable under different transaction ledger Byzantium version,” Ethereum project yellow paper, pp. 1–32, 2018. [Online]. Available: scenarios, which is essential for us to evaluate the security https://github.com/ethereum/yellowpaper of Ethereum mining and to design new reward functions. [10] J. A. Garay, A. Kiayias, and N. Leonardos, “The Bitcoin As one of our major findings, we notice that it is important backbone protocol: Analysis and applications,” in Advances to consider uncle blocks when adjusting the mining difficulty in Cryptology - EUROCRYPT 2015. Berlin, Heidelberg: level. Otherwise, Ethereum would be much more vulnerable Springer, 2015, pp. 281–310. to selfish mining than Bitcoin. This finding supports the [11] Y. Sompolinsky and A. Zohar, “Secure high-rate transaction emendation adopted by the third milestone of Ethereum. processing in Bitcoin,” in International Conference on Finan- cial Cryptography and Data Security. Berlin, Heidelberg: However, once the mining mechanism is changed, the selfish Springer, 2015, pp. 507–527. pool is likely to change its new mining strategies in order to [12] R. G. Gallager, Stochastic processes: theory for applications. maximize its own profit. We leave the design of new mining Cambridge University Press, 2013. strategies as our future work. We believe that our analysis [13] N. Papadis, S. Borst, A. Walid, M. Grissa, and L. Tassiulas, developed in this paper (especially the probabilistic tracking) “Stochastic models and wide-area network measurements for would be useful in studying other mining strategies. blockchain design and analysis,” in Proc. of INFOCOM. Honolulu, HI,: IEEE, April 2018, pp. 2546–2554. [14] V. Bagaria, S. Kannan, D. Tse, G. Fanti, and P. Viswanath, ACKNOWLEDGEMENT “Deconstructing the blockchain to approach physical limits,” arXiv preprint arXiv:1810.08092, 2018. We sincerely thank the anonymous reviewers for their [15] Ethereum, “Mining rewards,” 2018. [Online]. Available: valuable comments and feedback as well as Arthur Gervais https://github.com/ethereum/wiki/wiki/Mining for useful discussions on his landmark paper [6]. This work [16] Ethereumscan, “Ethereum top 25 min- was supported by NSERC Discovery Grants RGPIN-2016- ers by blocks,” 2018. [Online]. Available: 05310. https://etherscan.io/stat/miner?range=7$&$blocktype=blocks [17] Ethereum, “Design rationale: Uncle incentivizati- the other hand, if some honest miners mine a new block, non,” github, Aug, 2018. [Online]. Available: we consider two cases. https://github.com/ethereum/wiki/wiki/Design-Rationale 1) i − j = 2. In this case, we have Lh = j +1 and [18] J. Göbel, H. Keeler, A. Krzesinski, and P. Taylor, “Bitcoin blockchain dynamics: The selfish-mine strategy in the pres- Ls = Lh +1. Hence, the pool will publish its private ence of propagation delay,” Performance Evaluation, vol. 104, branch and the new block becomes a stale block. pp. 23 – 41, 2016. 2) i − j ≥ 3. In this case, the system state becomes [19] L. Bahack, “Theoretical Bitcoin attacks with less than either (i, j +1) or (i−j, 1). The private branch has an half of the computational power (draft),” arXiv preprint advantage of at least 3 blocks (since i−j ≥ 3). Hence, arXiv:1312.7013, 2013. it will be published with probability 1. In other words, [20] S. Solat and M. Potop-Butucaru, “Zeroblock: Preventing the new block will be a stale block with probability 1. selfish mining in Bitcoin,” Sorbonne Universites, UPMC University of Paris 6, Amherst, MA, USA, Tech. Rep., 2016. We are now ready to analyze every state transition. We [21] S. Lerner, “Uncle mining, an Ethereum consensus protocol flaw,” Bitslog blog, Apr, 2016. call a new block associated with a transition a target block. β [22] F. Ritz and A. Zugenmaier, “The impact of uncle rewards Case 1: (0, 0) → (0, 0) on selfish mining in Ethereum,” in 2018 IEEE European In this case, the target block generated by some honest Symposium on Security and Privacy Workshops (EuroS PW). miners will be adopted by all the miners. Thus, it will be a London, UK: IEEE, April 2018, pp. 50–57. regular block and receive a static reward Ks. α APPENDIX Case 2: (0, 0) → (1, 0) In this case, the selfish pool produces the target block, A. The Multiple Summations Function keeps it private, and continues mining on it. First, we analyze The function f(x,y,z) used in Sec. IV-C involves multi- the static reward by determining whether the target block ple summations when z > 1. We provide several examples will be a regular block or not. To this end, we consider the to explain this function. following two subcases, which are illustrated in Fig. 11. Example 1 (z =1, x ≥ y +2). A1 A1 B1 A1 A1 x f(x, y, 1) = 1 s1=y+2 X = x − y − 1. A2 Example 2 (z =2, x ≥ y +2). Case 1: Subcase 1 Case 1: Subcase 2 Selfish miners' secret block Honest miners' block x s2 f(x, y, 2) = 1 Selfish miners' published block s2=y+2 s1=y+1 Xx X Figure 11. The two subcases of Case 1: 1) the selfish pool mines a subsequent block; 2) some honest miners mine a new block. = (s2 − y) s2=y+2 X 1) Subcase 1: The subsequent block is mined by the pool, =2+ ··· + (x − y) which happens with probability α. As a result, the (x − y − 1)(x − y + 2) pool owns a lead of two blocks. By Lemma 1, the = . 2 target block will be a regular block and receive a static B. Reward Analysis reward of Ks. 2) Subcase 2: The subsequent block is mined by some Lemma 1. Consider a new block associated with a state honest miner, which happens with probability β. Then, transition from state (i, j) with i−j ≥ 2. It will be a regular the pool will publish this target block. To determine block with probability 1 if and only if it is mined by the whether it will be a regular block, we need to consider selfish pool. the following three subsubcases. See Fig. 12 for an Proof: Suppose that the current system state is (i, j) illustration. with i − j ≥ 2. If the selfish pool mines a new block, then Subsubcase 1: The pool mines a new block on its the state becomes (i +1, j). Now, the private branch has an private branch and publishes it immediately. (This advantage of at least 3 blocks (since i+1−j ≥ 3) over public happens with probability α.) Now, the target block branches. As the system evolves, the private branch will be becomes a regular block. published with probability 1 and become part of the system Subsubcase 2: Some honest miners mine a new block main chain, according to Algorithm 1. In other words, the on the target block. (This happens with probability new block will be a regular block with probability 1. On βγ.) Now, the target block becomes a regular block. A1 B1 A1 A1 A1 B1 A1 A1

A2 A2 B2A2 B2 A2 A2 B2A2 B2

Case 1: Subsubcase 1 Case 1:Subsubcase 2 Case 1: Subsubcase 3 Case 4: Subcase 1 Case 4:Subcase 2 Case 4: Subcase 3

Selfish miners' secret block Honest miners' block Selfish miners' secret block Honest miners' block

Selfish miners' published block Uncle blocks' reference Selfish miners' published block Uncle blocks' reference

Figure 12. The three subsubcases of Case 1: 1) the selfish pool mines a Figure 13. The three subcases of Case 4: 1) the selfish pool mines a new new block and publishes it; 2) the honest miners find a new block on the block on its branch and references the target block; 2) some honest miners target block; 3) some honest miners mine a new block and reference the find a new block not on the target block and reference the target block; 3) target block. some honest miners mine a new block on the target block.

Subsubcase 3: Some honest miners mine a new block block with probability β(1 − γ), and be an uncle block with and reference the target block. (This happens with probability α + βγ. probability β(1 − γ).) Now, the target block becomes Next, we analyze the uncle and nephew rewards associ- an uncle block. ated with the target block. Based on our previous case-by- To sum up, the target block in Case 2 will eventually be case discussion, the target block will become an uncle block a regular block with probability α + αβ + β2γ and be an only in subcases 1 and 2, where the distance is 1. Thus, the uncle block with probability β2(1−γ). (Note that these two target block will bring honest miners an uncle reward of probabilities sum up to 1.) Ku(1). As for the nephew reward, in Subcase 1, the pool Next, we analyze the uncle and nephew rewards associ- receives it, and in Subcase 2, some honest miners receive ated with the target block. Based on our previous case-by- it. To sum up, honest miners will receive an uncle block case discussion, only in subsubcase 3, the target block will reward of Ku(1) with probability α + βγ, receive a nephew be an uncle block. Also, the distance between the target reward of Kn with probability βγ, and the pool will receive block and its nephew block is 1. As such, the target block a nephew reward of Kn with probability α. 1 will bring the pool an uncle reward of Ku(1) and some Case 5: (1, 1) → (0, 0) honest miners will receive a nephew reward of Kn. (This In this case, the target block will always be a regular happens with probability β2(1 − γ).) block no matter who mines it. Hence, the pool receives a α Case 3: (1, 0) → (2, 0) static reward with probability α, and some honest miners In this case, the pool produces the target block, keeps it receive a static reward with probability β. α private, and continues mining on it. By Lemma 1, the target Case 6: (i, j) → (i +1, j) with i ≥ 2 and j ≥ 0 block will be a regular block and receive a static reward of In this case, the pool mines the target block, keeps it Ks. private, and continues mining. By Lemma 1, the target block β Case 4: (1, 0) → (1, 1) will eventually become a regular block, receiving a static In this case, some honest miners mine the target block, reward of Ks. βγ then the pool publishes its private block. First, we analyze Case 7: (i, j) → (i − j, 1) with i − j ≥ 3 and j ≥ 1 the static reward by determining whether the target block In this case, some honest miners mine the target block on is a regular block. To this end, we consider the following a public branch that is a preﬁx of the private branch. Then, subcases. See Fig. 13 for an illustration. the pool publishes its ﬁrst unpublished block. By Lemma 1, 1) Subcase 1: The pool mines a new block on its private the target block will eventually become an uncle block. branch, references the target block, and publishes its Next, we analyze the uncle and nephew rewards associ- private branch. (This happens with probability α.) ated with the target block. We begin with the special case Now, the target block becomes an uncle block. of (4, 1) → (3, 1) before discussing the general case. We 2) Subcase 2: Some honest miners mine a new block consider the following three subcases. not on the target block and reference the target block. 1) Subcase 1: The pool mines a subsequent block and (This happens with probability βγ.) Now, the target references the target block. See Fig. 14 for an illustra- block becomes an uncle block. tion. (This happens with probability α.) By Lemma 1, 3) Subcase 3: Some honest miners mine a new block the target block will become an uncle block, receiving on the target block. (This happens with probability an uncle reward of Ku(3). The pool will receive a β(1 − γ).) Now, the target block becomes a regular nephew reward. block. 2) Subcase 2: Some honest miners mine a subsequent To sum up, the target block will eventually be a regular block on the target block. (This happens with proba- E1 A1 B1 C1 D1 A1 B1 C1 D1 E1 A1 B1 C1 D1 A1 B1 C1 D1

E2 F2

A2 B2 A2 B2 A2 B2 C2 A2 B2 C2

Selfish miners' secret block Honest miners' block Selfish miners' secret block Honest miners' block

Uncle blocks' reference Selfish miners' published block Uncle blocks' reference Selfish miners' published block

Figure 17. The subsubcase 2 of Case 7, in which the selﬁsh pool mines Figure 14. The subcase 1 of Case 7, in which the pool mines a subsequent a new block in state (0, 0), but ﬁnally loses to the nephew reward. block, references the target block and eventually wins the associated nephew reward. 3) Subcase 3: Some honest miners mine a subsequent bility β(1−γ).) Then, the pool will publish its private block, not on the target block. (This happens with branch. See Fig. 15 for an illustration. To determine probability βγ.) In terms of the analysis of uncle and the uncle and nephew rewards, we need to consider nephew rewards, Subcase 3 is the same as Subcase 2. the following subsubcases. To sum up, for the special case of (4, 1) → (3, 1), the target block will always receive an uncle reward of Ku(3).

A1 B1 C1 D1 A1 B1 C1 D1 As for the nephew reward, one can draw a tree diagram summarizing all the subcases discussed above and conclude that it will be received by honest miners with probability 2 A2 B2 A2 B2 C2 β (1 + αβ(1 − γ)) and by the pool with probability 1 − 2 Selfish miners' secret block Honest miners' block β (1 + αβ(1 − γ)). 2 Selfish miners' published block Uncle blocks' reference Here, we note that the probability β (1 + αβ(1 − γ)) (that the nephew reward will be received by honest miners) Figure 15. The subcase 2 of Case 7, in which some honest miners mine can be explained as follows. First, the honest miners have a subsequent block on the target block. to “push” the system state from (3, 1) to (0, 0) while the pool mines nothing. (Otherwise, the pool will receive the Subsubcase 1: Some honest miners mine a new block nephew reward by Lemma 1.) This happens with probability and reference the target block. See Fig. 16. This β. Second, starting from (0, 0), the honest miners can win subsubcase happens with probability β(1 − γ)β. The the nephew reward with probability β(1 + αβ(1 − γ)). This honest miner receives a nephew reward, and the target interpretation allows us to analyze the general case. block receives an uncle reward of K (3) since the u First, the honest miners have to “push” the system state distance is 3. from (i − j, 1) to (0, 0) while the pool mines nothing. This happens with probability βi−j−2. Second, starting A1B1 C1 D1 A1B1 C1 D1 from (0, 0), the honest miners can win the nephew reward with probability β(1 + αβ(1 − γ)). Therefore, the nephew

E2 reward will be received by honest miners with probability i−j− A2 B2 C2 A2 B2 C2 β 1(1 + αβ(1 − γ)) and by the pool with probability i−j−1 Selfish miners' secret block Honest miners' block 1 − β (1 + αβ(1 − γ)). βγ Selfish miners' published block Uncle blocks' reference Case 8: (i, j) → (0, 0) with i − j =2 and j ≥ 1 In this case, some honest miners mine the target block. Figure 16. The subsubcase 1 of Case 7, in which some honest miners Then, the pool publishes its private branch. Now, the target mine a block in state and win the associated nephew reward. (0, 0) block becomes an uncle block. Similar to Case 7, the target Subsubcase 2: The pool mines a new block and keeps block will receive an uncle reward of Ru(2), and the nephew it private. This subsubcase happens with probability reward will be received by honest miners with probability β(1 − γ)α. Now, if the new block later becomes a β(1+αβ(1−γ)) and by the pool with probability 1−β(1+ regular block (with probability α + αβ + β2γ due to αβ(1 − γ)). β the discussion for Case 2), the pool will receive a Case 9: (2, 0) → (0, 0) with i ≥ 2 nephew reward and the target block will receive an In this case, some honest miners mine the target block. uncle reward of Ku(3). Otherwise, if the new block Then, the pool publishes its private branch. The remaining later becomes a stale block (with probability β2(1−γ) discussion is the same as Case 8. β due to the discussion for Case 2), some honest miners Case 10: (i, 0) → (i, 1) with i ≥ 3 will receive a nephew reward and the target block will In this case, some honest miners mine the target block. again receive an uncle reward of Ku(3). Then, the pool publishes its ﬁrst unpublished block. By Lemma 1, the target block will eventually become an uncle block. Similar to the discussion for Case 7, we conclude that the target block will receive an uncle reward of Ku(i), and the nephew reward will be received by honest miners with probability of βi−1(1 + αβ(1 − γ)) and by the pool with probability 1 − βi−1(1 + αβ(1 − γ)). β(1−γ) Case 11: (i, j) → (i, j + 1) with i − j ≥ 3 and j ≥ 1 In this case, some honest miners mine the target block. Then, the pool publishes its ﬁrst unpublished block. By Lemma 1, the target block will eventually become a stale block. Since its parent block is not in the system main chain, the target block will not be an uncle block. β(1−γ) Case 12: (i, j) → (0, 0) with i − j =2 and j ≥ 1 In this case, some honest miners mine the target block. Then, the pool publishes its private branch. Similar to Case 11, the target block will neither be a regular block nor an uncle block.