Bitcoin has emerged as the most successful cryptographic currency in history. Within two years of its quiet launch in 2009, Bitcoin grew to comprise billions of dollars of economic value despite only cursory analysis of the system’s design.
- Incentive compatibility and game theory : In game-theoretic terms, if universal compliance were shown to be a Nash equilibrium, this would imply incentive compatibility for Bitcoin as no miner would have any incentive to unilaterally change strategy. This would imply a notion of weak stability if other equilibria exist and strong stability if universal compliance were the sole equilibrium. If on the other hand non-compliant strategies dominate compliance, we must ask whether the resulting strategy equilibrium leads to stability for the consensus protocol.
- Simple majority compliance may not ensure fairness : An interesting non-compliant mining strategy is temporary block withholding. If the miner finds itself two blocks ahead of the longest publicly-known chain, it can then effectively mine unopposed until the remainder of the network has caught up to within one block at which point the withheld blocks can be published. If temporary withholding were performed, this would undermine fairness.
- Majority compliance is an equilibrium with perfect information : Kroll et al. analysed a simplified model in which miners have perfect information about all discovered blocks (precluding any withholding). In this model, universal compliance is a Nash Equilibrium (although not unique), implying that Bitcoin is (weakly) stable.
- Majority compliance implies convergence, consensus, and liveness : It can be shown that with a majority of miners behaving compliantly, a single longest (correct) chain will rapidly emerge.
- With a majority miner, stability is not guaranteed : The majority miner could undermine both convergence and eventual consensus by introducing arbitrarily long forks in the block chain, potentially to reverse and double-spend transactions for profit. All of these strategies would result in nominal profits, but since these behaviours are detectable, they may not be in a rational miner’s long-term interest.
- If miners can collude, stability is not known : Even in the absence of a majority miner, smaller miners could potentially collude to form a cartel controlling a majority of mining power and emulating any strategy available to a single majority miner.
- Stability is not known as mining rewards decline : The planned transition of miner revenue from block rewards to transaction fees will negate this assumption and require more complex models which take into account the distribution of available transaction fees
- Liquidity limits. Currently, exchanges which trade Bitcoin for external currencies typically have low liquidity. Thus, an attacker may obtain a large number of bitcoins but be unable to convert them all into external value, or can only do so at a greatly reduced exchange rate.
- Exchange rates in the face of attack. Some noncompliant strategies, particularly those that would affect stability in a visible way, might undermine public confidence and hence weaken demand for bitcoins in the short run
If a majority miner’s goal is explicitly to destroy Bitcoin’s stability and hence its utility as a currency, they can easily do so.
For example, a state wishing to damage Bitcoin to avoid competition with its own currency, or an individual heavily invested in a competing currency, may be motivated to attempt such an attack. Arguably, these attacks have already been observed through altcoin infanticide, in which deep-forking attacks against new competing currencies with low mining capacity have been successfully mounted by Bitcoin miners.
A miner attempts to censor a blacklist of transactions by publicly promising that if a blacklisted transaction is included in the block chain, the attacker will retaliate by ignoring the block containing the targeted transaction and attempting to fork the block chain. The attacker’s fork will continue until it either outraces the main branch and wins, or falls behind by k blocks at which point the attacker will concede publication of the targeted transaction. An attacker with α < 50% of the mining power will, on expectation, lose money, but will succeed in blocking a blacklisted transaction with positive probability.
Stability of mining pools
Mining pools rely on participants to submit valid blocks when they are found and are vulnerable to participants submitting partial shares in exchange for compensation but withholding valid blocks to lower the pool’s profitability.
Stability of the peer to peer layer
However, Babaioff demonstrated that information propagation at the peer-to-peer layer is not always incentive compatible. It remains unknown whether participants internalize sufficient value from the peer-to-peer network as a public good to justify the opportunity costs of propagating information Babaioff et al. identified, or whether the information propagation equilibrium observed in the wild.
Concluding, mining pools have an incentive to engage in attacks, that larger pools are better to attack than smaller pools and that larger pools have a greater incentive than smaller pools to attack at all.