Towards Overcoming the Undercutting Problem

Abstract

Mining processes of Bitcoin and similar cryptocurrencies are currently incentivized with voluntary transaction fees and fixed block rewards which will halve gradually to zero. In the setting where optional and arbitrary transaction fee becomes the prominent/remaining incentive, Carlsten et al. [CCS 2016] find that an undercutting attack can become the equilibrium strategy for miners. In undercutting, the attacker deliberately forks an existing chain by leaving wealthy transactions unclaimed to attract petty complaint miners to its fork. We observe that two simplifying assumptions in [CCS 2016] of fees arriving at fixed rates and miners collecting all accumulated fees regardless of block size limit are often infeasible in practice and find that they are inaccurately inflating the profitability of undercutting. Studying Bitcoin and Monero blockchain data, we find that the fees deliberately left out by an undercutter may not be attractive to other miners (hence to the attacker itself): the deliberately left out transactions may not fit into a new block without “squeezing out” some other to-be transactions, and thus claimable fees in the next round cannot be raised arbitrarily.

This work views undercutting and shifting among chains rationally as mining strategies of rational miners. We model profitability of undercutting strategy with block size limit present, which bounds the claimable fees in a round and gives rise to a pending (cushion) transaction set. In the proposed model, we first identify the conditions necessary to make undercutting profitable. We then present an easy-to-deploy defense against undercutting by selectively assembling transactions into the new block to invalidate the identified conditions. Indeed, under a typical setting with undercutters present, applying this avoidance technique is a Nash Equilibrium. Finally, we complement the above analytical results with an experimental analysis using both artificial data of normally distributed fee rates and actual transactions in Bitcoin and Monero.

M. Minaei—Part of this work was done while the author was at Purdue University.

Giving Up After Two Blocks Behind

Fig. 3.

State transition for \(D=2\). Notations are the same as Fig. 1. Now we have infinite state transitions. \(\delta '\) and \(\delta ''\) are the amount of rational mining power shifting from one chain to another.

We present major steps for analyzing the \(D=2\) case and the complete analysis can be found in the full report. Rational miners now make decisions at states \(S^*=\{(1,1),\) \((1,2),(2,1),(2,2),...\}\). The winning probabilities now comprise infinite series. Without loss of generality, we let \(F_{1}^0=1\), \(F_2^0=F_3^0=\gamma \), \(F_1^1=a,F_2^1=b\) and \(F_3^1=1+2\gamma - a - b \) (where \(a\in [0,1],\gamma \ge 0\)). \(F_2^0,F_3^0\) can be of different values in reality but here we use the same value to highlight the wealthiness of \(F_1^0\). Suppose eventually we derive an attacking condition T for setting \(D=2\) as well, then the undercutter would want to set a and b to satisfy \(\frac{1+\gamma -a}{a} > T\) and \(\frac{1+2\gamma -a-b}{b} > T\) to avoid being undercut.

We take the same route as in the \(D=1\) case. We know that if there is no attack, the undercutter expects to receive \(E[R_{\overline{u}}]=2\beta _u\gamma \). If it starts the attack, its expected return from the right branches (shown in Fig. 3) when the undercutter succeeds and no rational miners assist is

$$\begin{aligned} E[R_u]&=\beta _u(2\gamma +1)\sum _{i=0}^{\infty } \beta _u^{i+2}(1-\beta _u)^i = \frac{\beta _u^3(2\gamma +1)}{1-\beta _u(1-\beta _u)} \end{aligned}$$

The limited bandwidth set condition, \(\gamma <\frac{\beta _u^2}{2(1-\beta _u)}\), is more demanding than the one for \(D=1\). For \(\beta _u=0.5\), the upper bound is now 0.25 instead of 1. For \(\beta _u=0.2\), the bound is 0.025 instead of 0.25. Overall, for weak attackers, the condition is way more demanding than before.

Next, we consider \(\gamma \ge \frac{\beta _u^2}{2(1-\beta _u)}\) (with sufficient bandwidth set) and the undercutter needs rational miners to join \(C_1\). Same as before, rational miners allocate their mining power among the two chains to maximize their expected returns:

$$\begin{aligned} \mathop {\mathrm {arg\,max}}\limits _{x\in [0,1]} E[R_r]&= \mathop {\mathrm {arg\,max}}\limits _{x\in [0,1]}\bigg ( \mathbbm {1}_{owner} \cdot p_0+ \frac{(1-x)\beta _r}{\beta _h+(1-x)\beta _r} p_0 \cdot 2\gamma \nonumber \\&+ \frac{x\beta _r}{x\beta _r+\beta _u} p_1\cdot b +\frac{x\beta _r}{x\beta _r+\beta _u+\beta _h} p_1 \cdot (1+2\gamma -a-b) \bigg ) \end{aligned}$$

(4)

where \(p_0\le (1-\beta _u-x\beta _r)^2\) is the probability of \(C_0\) leading by 2 blocks first and \(p_1\ge (\beta _u+x\beta _r)(\beta _u+x\beta _r+\beta _h)\) is the probability of \(C_1\) leading by 2 blocks first. Here we only consider the leftmost and rightmost branch in Fig. 3 because they are the two most significant paths. We can observe that the objective function is convex. By Jensen’s inequality, the expected returns reach maximum at either of the two ends. Again we let \(E[R_{r|x=0}]<E[R_{r|x=1}]\) and obtain

$$\begin{aligned} 2(1-\beta _u)\gamma< b + (\beta _u+\beta _r) (1+2\gamma - a - b) {\mathop {\Rightarrow }\limits ^{\beta _h > \beta _u}} \gamma < \frac{ (\beta _u + \beta _r) (1 - a ) + \beta _h b }{2(\beta _h - \beta _u)} \end{aligned}$$

When \(\beta _h\le \beta _u\), flexible rational miners move to the fork if \(b> 0\). With rational miners joining, the expected return for undercutter on the rightmost branch is now \(E[R_{u}] = \big ( a + \frac{\beta _u}{\beta _u+\beta _r} b + \beta _u (1+2\gamma - a - b )\big ) \cdot \beta _u(\beta _u+\beta _r)\). We let \(E[R_{u}] > E[R_{\overline{u}}]\) and obtain the condition on \(\gamma \) for profitable undercutting:

$$\begin{aligned} \gamma < \min \{\frac{ (\beta _u + \beta _r) a + \beta _u b + \beta _u(\beta _u + \beta _r) (1-a-b) }{2 ( 1 - \beta _u (\beta _u + \beta _r) ) }, \qquad \qquad \qquad \qquad \nonumber \\ \mathbbm {1}^*_{\beta _h > \beta _u} \frac{ (\beta _u + \beta _r) (1 - a ) + \beta _h b }{2(\beta _h - \beta _u)} \} \end{aligned}$$

(5)

where \(\mathbbm {1}^*_{\beta _h > \beta _u} = \infty \) if \(\beta _h \le \beta _u\) and 1 otherwise. Same as before, we denote the right-hand side condition as T and solve for a and b numerically by considering the strongest potential undercutter the attacker is facing.

$$\begin{aligned} a\le \frac{1+\bar{\gamma }}{1+T}, a_2 \le \frac{1+\bar{\gamma }'}{1+ T'}, b \le \frac{1+2\tilde{\gamma }-a}{1+T}, b_2 \le \frac{1+2\tilde{\gamma }'-a}{1+T'} \end{aligned}$$

(6)

where T and \(T'\) are the attack conditions for the undercutter under discussion and its strongest opponent. Here, \(\tilde{\gamma }, \tilde{\gamma }'\) are the fee totals in the respective third bandwidth set measured relative to the respective next bandwidth set.

We present the algorithm for \(D=2\) below.