By: Brian Huisman (@CryptoWyvern)
Selfish Mining (SM) is a proposed scheme described in a 2013 paper by Ittay Eyal and Emin Gün Sirer, whereby a dishonest miner with sufficient hashpower on the Bitcoin network can exploit the protocol to mine more blocks than an honest miner with identical hashpower.
SM has become a hot topic again recently, since Dr. Craig S. Wright (CSW) came out in a hard line article asserting that it doesn't exist, and the mere idea of it is a 'cancer.' The main thrust of CSW's argument seems to be that the SM algorithm "excludes orphans and ignores the time distribution of blocks." The simulator in this article attempts to account for this by concentrating on the period of time between when the SM begins to operate, and the time when the mining difficulty changes due to SM's affect on the network. The simulator does not account for the mathematics and/or algorithm CSW claims better describes the SM situation (or non-situation, as it may be). I look forward to reviewing such an algorithm in light of the output of this simulator.
A key concept in this simulator is that 'hashpower' is additive. A network with X hashpower all working honestly will mine Y blocks in Z time. If X is divided into pools, or even down to individual nodes/machines, the entire network will still mine Y blocks in Z time; its potency is not diminished by division into groups. If some percentage of X is diverted to mining on a hidden chain, as long as the mining difficulty remains equal for both chains, the entire network will still mine Y blocks in Z time, but due to the nature of hidden chains, a proportion of Y will be discarded as orphans. Saying it in a different way, the same number of Y blocks are being mined in Z time, but fewer are ending up in the public, concensus-validated blockchain. Ergo, the rate of block generation by the network has decreased, or the Effective Network Hashpower has been reduced.
I define Effective Network Hashpower (ENH) as hashpower working with the potential to find a block that gets added to the public blockchain. Honest Miner (HM) hashpower working on top of a block while the SM is more than a hidden block ahead is effectively 100% wasted via diversion. Chain reorganizations mean the ENH associated with orphaned blocks is zero. When hashpower is split between two blocks, only the hashpower pointed towards the chain tip where the accepted block gets mined and added is counted towards ENH. In this fashion, the ENH of a completely honest chain is never quite 100% because bifurcations do occur rarely.
Using the default values for alpha (α = 0.35) and gamma (γ = 0.5) it can be seen from the simulator that a SM strategy is not initially profitable. When a pool begins to SM, the entire network suffers a reduction in efficiency, thereby reducing the block output rate. This reduction in block output rate affects both the SM and the honest miners (HM), despite the SM earning more blocks by percentage. By numerical quantity, the SM earns fewer blocks in the same period of time than the number of blocks that it would have earned had it used all of its hashpower honestly.
In my personal opinion, this is why many people consider the profitability of the SM strategy non-intuitive. It would seem the wasted hashpower must mean that the SM strategy is a net loss for all involved, however, this is not so.
The unprofitable state described above exists only until the mining difficulty is adjusted downwards to match the loss in efficiency due to SM. After the difficulty has been adjusted, the rate of orphan generation and the "time distribution of blocks" are no longer applicable since the rate at which valid blocks are added to the blockchain returns to one every ten minutes on average, despite the reduced ENH. Mining gets easier for everyone on the network, HM and SM alike, and this exactly counters the expense of the hashpower wasted on orphaned blocks and futile chains.
Therefore SM is a realistic strategy once the difficulty hurdle is passed.
Under the original Bitcoin Difficulty Adjustment Algorithm (DAA) the SM would need to operate at a loss for up to 2016 blocks (~2 weeks) due to increased block generation time. During this period, the HMs would have every incentive to find and block/censor/inhibit the SM by any means possible, as their profitibility would be similarly damaged. Once the difficulty is lowered, the SM strategy assumes the profitability exactly as described by Eyal and Sirer. It's very important to realize that the new dynamic DAA used on the Bitcoin Cash (BCH) network changes this scenario by making a SM strategy profitable almost immediately as the difficulty adjusts downwards quickly to match the efficiency loss of the network.
One of the arguments against the legitimacy of SM is that HMs are incentivized to avoid SM blocks when the blockchain has bifurcated, giving them a choice. However, one of the main conclusions of the original paper is that even using a gamma (γ) value of zero, meaning 100% of HMs succeed in avoiding working on the SM block, the SM strategy is still profitable with alpha (α) at ⅓ and above. This is a mindblowing result. It shows that a SM with sufficient hashpower doesn't even need to race the propagation of HM blocks in order for the strategy to succeed. A "small world" network where every node is connected to every other node, and blocks propagate at the absolute fastest possible speed, is no barrier to the SM strategy. A sufficiently large pool can employ it now without any further connectivity changes.
Only by making gamma (γ) negative does SMs profitability disappear. Yet when the meaning of the value is well-understood, it is obvious that it cannot possibly be negative in this context. A negative gamma (γ) would mean that more than 100% of HMs are avoiding the SM block. It would indicate that even the SM is avoiding mining on its own block, sabotaging its own efforts. A properly configured SM pool would find it trivial never to allow such a thing.
We can go further to examine the mathematical absurdity of these claims by setting gamma (γ) in the simulator to -1. At a gamma (γ) of -1, not only are all the HMs avoiding the SM block, but more than all the SM hashpower has been 'tricked' into mining on top of the HM block as well. In other words, more hashpower than actually exists on the network is mining the HM block! In this case, a SM with ≥42% of total hashpower still succeeds in garnering more blocks than their hashpower would normally allow.
When all miners are acting honestly, orphans occur only when two blocks are generated almost simultaneously. This happens about once every 60 blocks. However, when one α = 0.35 mining pool adopts the SM strategy with γ = 0.5, the rate of orphan generation skyrockets to about once every three blocks. By this means, while it may be very difficult to know which pool is doing the SM, knowing that SM is going on on the network is trivial.
SM can be made perpetually unprofitable for α < 0.5 by basing the DAA not just on valid blocks added to the chain, but on all valid blocks found, including those that get orphaned. This would keep the difficulty from dropping due to a drop in ENH. By including orphaned blocks in calculating the DAA, it would become possible to attack the network by slowing down the rate of block generation, but it would never become simultaneously profitable to do so.
There are, however, numerous issues with this strategy that preclude it being used without major changes to the protocol, the least of which being that orphans are not propagated to other nodes in the network. As well, by incorporating orphan blocks in a calculation of the DAA, the timing of arrival of propagated orphans may cause a fraction of nodes to calculate a different DAA than the rest of the network.
Discussing potential vulnerabilities in the Bitcoin protocol is eminently valuable. Satoshi Nakamoto, for all of his prescience, could not possibly have foreseen all the ways in which his invention might be exploited. Attributing a sort of divine incorruptibility to the Bitcoin blockchain, and an infallability to Satoshi Nakamoto, is a dangerous mindset that sets the community up for a rude awakening.
That being said, what are my personal thoughts on the threat of SM to Bitcoin? While I know with absolute certainty that the SM math checks out, I'm confident the probability of it ever being used on the network, while non-zero, is very small.
Any mining pool considering the switch to SM must contend with several risk factors that exist above and beyond the Bitcoin protocol itself. For instance, it would be quite difficult for a potential SM pool to estimate the gamma (γ) value it would be able to manage before actually beginning to SM. This single factor is the difference between needing just a few percent of the hashpower to be profitable and needing 30% or more to do the same. An assumption of γ = 0 would be any SM's safest bet, which excludes all but the very largest pools from attempting it profitably.
Likewise, because the use of SM vastly increases orphan generation, any outsider could see plainly that SM is taking place on the network and that reward distribution is no longer a fair game. As Eyal and Sirer explain, a successful SM scheme incentivizes all other miners to join the SM pool. The threat of this happening would almost certainly cause a decrease in trust of the network, which would inevitably lead to a loss of value. Over the long term, a SM scheme is likely to damage the value of any network on which it is used beyond repair. Any mining pool considering the SM scheme would recognize this.
Generally, this would make the use of SM more desirable for pools with the intent to damage or destroy the network, rather than profit. The larger and more valuable the network becomes, it appears less likely SM would be employed as a profit strategy. However, the risk of SM remains and we shouldn't willfully blind ourselves to it.