Block Double-Submission Attack: Block Withholding Can Be Self-Destructive

BY KEYHUNTER 05.03.2025
Block Double-Submission Attack: Block Withholding Can Be Self-Destructive

Proof-of-Work (PoW) is a Sybil control mechanism adopted in blockchain-based cryptocurrencies. It prevents the attempt of malicious actors to manipulate distributed ledgers. Bitcoin has successfully suppressed double-spending by accepting the longest PoW chain. Nevertheless, PoW encountered several major security issues surrounding mining competition. One of them is a Block Withholding (BWH) attack that can exploit a widespread and cooperative environment called a mining pool. This attack takes advantage of untrustworthy relationships between mining pools and participating agents. Moreover, detecting or responding to attacks is challenging due to the nature of mining pools. In this paper, however, we suggest that BWH attacks also have a comparable trust problem. Because a BWH attacker cannot have complete control over BWH agents, they can betray the belonging mining pool and seek further benefits by trading with victims. We prove that this betrayal is not only valid in all attack parameters but also provides double benefits; finally, it is the best strategy for BWH agents. Furthermore, our study implies that BWH attacks may encounter self-destruction of their own revenue, contrary to their intention.

CCS CONCEPTS

• Security and privacy
• Distributed systems security
• Theory of computation
• Algorithmic game theory and mechanism design

KEYWORDS

blockchain, block double-submission attack, block withholding attack, game theoretic analysis, proof-of-work

1 INTRODUCTION

The effort to create true electronic cash, which began with David Chaum [4], has borne fruit with the emergence of blockchain. The blockchain technology enabled decentralized cryptocurrency systems, attracting several attempts to exploit the systems for illicit gain due to its nature — the anonymity and very low participation barrier of cryptocurrency. One of the most fatal threats against a cryptocurrency system is double-spending, which spends the same digital asset more than once. To put it differently, one transaction effectively cancels out an earlier transaction, allowing the attacker to use their money twice. In such a case, the value of the cryptocurrency may plummet as consumers lose trust in the system’s transactions.

The consensus of multiple entities controls a single blockchain system. As such, Sybil attacks can play a critical role in carrying out a double-spending attack. A Sybil attack occurs when an attacker gains control of many identities in a network to exert undue influence [5]. There are now a variety of control techniques to mitigate Sybil attacks. The Proof-of-Work (PoW) algorithm used in Bitcoin is the key protection against such attacks. PoW, or Proof-of-Effort, was initially developed to combat spam e-mails [6]. Because e-mail senders must spend sufficient time for hashing computation, PoW forces spammers to consume energy.

On the Bitcoin blockchain, block generators, i.e., miners, are required to propose a block with a cryptographic solution on the blockchain, which requires miners to burn a significant amount of energy. A miner receives a specific quantity of Bitcoin as compensation. By design, the difficulty of PoW gradually increases as time goes on and more miners participate. As a result, generating even a single block is nearly impossible for an individual miner. This barrier to entry enables Bitcoin to maintain trust in the face of a double-spending attack.

While PoW was effective at preventing a Sybil attack, several research studies have revealed that potential attacks could harm the incentive compatibility of a PoW-based blockchain system (§2). Particularly, the selfish mining attack allowed the attacker to gain greater rewards than their mining power by purposely dissimulating a PoW block. Furthermore, there are various attack techniques between mining pools or miners that consider real-world mining conditions, in which a few leaders established dominant possession as mining difficulty increased [7, 9, 13, 19, 20, 22, 23].

An attacker can expect additional rewards even in a cooperative environment, mainly mining pools. For example, Block Withholding (BWH) attacks are effective strategies. An attacker infiltrates to another mining pool for a better profit. Using the victim’s trust, BWH attackers only submit partial solutions (pPoW), not full solutions (fPoW), that directly reward victims — establishing mutual trust within a mining pool is a critical issue. There are a few methods methods to avoid such attacks [1, 8, 14, 17, 22, 26, 27]; however, they cannot be fundamental remedies due to the restricted visibility of individual miners. Due to the same reason, the trust issue exists within the attacking pool.

In this study, we propose a novel attack technique called Block Double Submission (BDS) (§3). Under BWH attacks, a PoW block discovered by an infiltrating agent is withheld. We found that the victim pool needs the block. If the infiltrated agent, who is not supposed to withhold blocks, sells the block to the victim pool, both parties will benefit from this trade: the infiltrated agent and the victim pool. As illustrated in Figure 3, a BDS attack can happen when two mining pools are engaged in a BWH attack. While the infiltrated miner delivers fPoWs only to the BWH-attacking pool, the miner sells fPoWs simultaneously to two mining pools — hence the name.

The pivotal factor for the attack is the lack of trust between the BWH-attacking pool and its infiltrating miners, which it exploits. More generally, this attack relies on lack of trust between a mining pool and its miners like the BWH attack does. Compared to the benefits from a BWH attack, which are limited to 10%, the rewards from a BDS attack can reach nearly 100%. This double reward strongly motivates the BDS attackers. The victim pool can recover its losses from the BWH attack through this new trade by publishing fPoWs, and the traitor agent can make a substantial profit.

As previously stated, this new strategy damages Block Withholding (BWH)-attacking pools. Numerous research has explored a BWH-based counterattack to the BWH attack [1, 14, 18, 22]. Detecting and assessing the infiltration power of a BWH attack is a critical prerequisite for conducting the counterattack. However, detecting a BWH attack from a private pool is nearly impossible [14]. Big private mining pools exist in the real world, for example, BitFury. We cannot join this pool freely and cannot get proof of attacks even if an attack is underway. On the other hand, betrayal from inside is possible even in a closed group. In other words, traitors in a BWH-attacking pool can ruin the pool’s strategy for their additional benefit.

To demonstrate that such a betrayal deal is viable, we establish three BDS attack conditions and prove that trades satisfying the criteria always exist (§4). Then, using game-theoretic approaches, we show that mining agents’ dominant strategy is to betray the BWH attacking pool and participate in a BDS attack (§5). Consequently, we demonstrate that a BWH attacker suffers a loss due to the principal-agent problem between a BWH attacking pool and mining agents. The quantitative study (§6) and simulations (§7) indicate the BDS attack’s impact and corroborate our theoretical analysis. BDS is a subtle attack scheme that damages another attacker while compensating for the victim’s loss. Finally, we examine BDS’s multilateral aspects and applications in discussion (§8).

This paper presents the BDS attack, raising the question of whether a mining pool can trust its miners unconditionally. Our contributions are as follows:

  • We propose a novel attack technique, the BDS attack, in which a mining agent betrays the BWH attacking pool in pursuit of more rewards.
  • We demonstrated that a BDS attack could reward the betrayed agent with twice as much benefit as merely participating in a BWH attack.
  • We discovered that a BWH attack could result in significant losses to a BWH attacking pool due to BDS attacks.

2 RELATED WORK

This section reviews two related attacks, selfish mining and BWH attacks, on PoW mining.

2.1 Selfish Mining

Selfish mining is the process of retaining blocks to force other miners to squander computational power. In brief, the attacker discovers ( N(N > 2) ) blocks first and then publishes them when other miners discover ( K(K > N) ) blocks. Due to the long chain rule, the blocks broadcasted by other miners do not belong to the main chain. Therefore, the attacker can publish blocks above their proportional mining power. As a block rewards the miner who published it, the attacker can make a disproportionate profit.

Eyal and Sirer initially proposed the concept of selfish mining [9]. This study shows that selfish mining can generate disproportionate revenue for attackers. Sapirshtein et al. [23] found the optimal conditions for selfish mining. It demonstrated that selfish miners could generate more revenue by employing dynamic methods. An eclipse attack isolates a particular peer-to-peer network node. Nayak et al. [20] suggested a mining strategy incorporating an eclipse attack and selfish mining to increase revenue. Ethereum used a modified version of the Greedy Heaviest Object Subtree (GHOST) protocol and rewards of uncle blocks for its safe, high-throughput environment [27]. Liu and Feng demonstrated that Ethereum is similarly susceptible to selfish mining.

There are studies on the countermeasures against selfish mining [25], [21]. They are primarily associated with negating or delayed-publication blocks. Lee and Kim [15] suggested a selfish mining detection and mitigation technique in a mining pool environment. Like the BWH attack detailed in the following section, selfish mining involves the withholding of blocks. Also, as the BWH attack does not require much CPU power, it may be more viable in a real-world mining setting.

2.2 Block Withholding Attack

A BWH attack is a strategy that miners delay the submission of blocks in PoW mining environments, generalizing selfish mining. Specifically, a BWH-attacking pool delays the submission of blocks in the target mining pool. Our research focuses solely on the latter concept, namely mining pool behavior.

The concept of a mining pool is to enable collaboration, as it is exceedingly unusual for individuals to discover blocks. Mining pools facilitate PoW tasks for miners. Miners discovering nonces for a hash value in the mining pool are compensated for them, even if the nonces do not satisfy the networks’ difficulty requirements. This is known as a pPoW, and a valid nonce in the network is referred as fPoW. Mining pools get rewards from the PoW blockchain network via fPoW and distribute them to their miners.

Rosenfeld [22] conceived the initial idea for a BWH attack. The study presented an attack concept sabotaging the mining pool by submitting only pPoWs, unrelated to miners receiving rewards from the Bitcoin network. Eyal [7] proposed an attack strategy advantageous to the attacker but detrimental to the target. This attack strategy comprises mining pools infiltrating other mining pools and some miners submitting only pPoWs to indirectly diminish the effectiveness of other mining pools. When two mining pools engage in attacks, each suffers a loss. Kwon et al. [13] addressed this dilemma by employing the Fork After Withholding (FAW) technique. Their work introduced advantageous attack technique since it only submits blocks under forking situations rather than always withholding them. In addition, Liu et al. [16] and Chang et al. [3] examined an attack technique leveraging an uncle block rewarded in Ethereum.

Countermeasures against the BWH attack can be classified primarily into those that modify mining mechanisms and others. In order to prevent miners from distinguishing between fPoW and pPoW, Bag et al. [1] and Eyal [8] recommended cryptographically splitting the mining mechanism into two stages. Lee and Kim [14] developed a strategy for detecting and responding to the BWH attack by installing sensor miners in different mining pools. Sarker et al. [24] presented a mining pool-wide anti-withholding reward system to minimize BWH attacks’ efficacy by increasing honest miners’ rewards.

Our research uses a significantly different strategy than the previous studies. The study provides both an offensive and a defensive technique aimed towards attackers. In addition, our solution is realistic because it does not require alterations to the fundamental PoW mining procedures. The following section details a system model and problem statements.

3 SYSTEM MODEL AND PROBLEM STATEMENT

This section illustrates the system model under consideration by explaining Bitcoin PoW miners and mining pools. Then we define the problem statement that raises a trust concern about the BWH attack.

3.1 System Model

The analysis presented in this paper assumes that at least two mining pools exit on the Bitcoin network. Miners and mining pools can easily enter and exit a mining pool. Algorithm 1 depicts the algorithm for mining in a mining pool. A mining pool assigns a miner a task, including an information set block to mine. The miner attempts to solve the cryptographic puzzle using hash functions and nonce values. The miner can submit two types of PoW, including pPoW and fPoW. Miners receive rewards proportional to their PoW contribution from the mining pool.

Algorithm 2 outlines the mining pool rewards mechanism. A mining operation offers miners fPoW and pPoW, and then it publishes fPoW as a legitimate block to the Bitcoin network. The block contains the coinbase transaction of the mining pool, which mints new Bitcoins for the mining pool. The payout for miners is proportional to the number of pPoW. In other words, submitting fPoW does not result in a greater reward than submitting pPoW.

In the BWH attack, a mining pool infiltrates another pool of miners. The former is known as a BWH-attacking pool, whereas the latter is known as a victim mining pool or victim pool. In a BWH-attacking pool, miners performing BWH mining are called BWH miners. Infiltrated miners do not contribute fPoW to the victim pool. Consequently, both the victim pool’s earnings and the infiltrating miners’ incentive from the victim pool decrease. As the total mining power diminishes; however, the BWH-attacking pool’s revenue increases more than the loss in infiltrating miners.

3.2 Problem Statement

The BWH attack exploits the lack of trust between a mining pool and its users. The attack can succeed if the infiltrating miners send only pPoW to the BWH-attacking pool in cooperation. We suspect, however, that the level of trust between the BWH-attacking pool and BWH miners is sufficient to lead such cooperation. The BWH-attacking pool cannot fully regulate the operations of infiltrated miners, given the current structure of mining pools. For instance, by submitting fPoW to the victim pool and disobeying the Figure 1: Structure of the naïve BWH attack: The miners infiltrate Pool B (the victim pool), following the order of Pool A (the BWH attacker). The BWH-attacking pool cannot observe nor can expect trustworthy BWH behaviors from the infiltrated miners.

Figure 2: Structure of the fixed BWH attack: The miners infiltrate Pool B (the victim pool) through Pool A (the BWH attacker), where the BWH-attacking pool can control the BWH behaviors of the infiltrated miners and fPoWs are not submitted to Pool B. The infiltrated miners may betray the attacking pool, and Pool B requires the withheld fPoWs.

Figure 3: BDS Attack: The miners infiltrate Pool B (victim), following the order from Pool A (the BWH attacker). The infiltrated miners submit PoWs to Pool A and Pool B simultaneously, and Pool B can publish fPoWs, which might also be withheld, making an extra profit. The infiltrated miners can share the extra profit by selling fPoWs to the victim pool. direction from the attacking pool, the infiltrated miners can still receive rewards from the BWH-attacking pool. With this behavior, the infiltrating miners likely generate more revenue than the intended BWH attack. Consequently, the BWH mining attack against the pool will be in vain.

Nevertheless, there is still a significant problem. Even though the BWH-attacking pool directly penetrates the victim pool, internal miners can still trade fPoWs with the victim pool. A mining task contains coinbase information, which indicates which mining pool is currently under attack. Based on this information, miners can submit fPoW independently of the BWH-attacking pool they belong to. Existing mining pools’ incentive schemes typically do not differentiate between fPoW and pPoW. In this case, however, additional awards for fPoWs may be necessary because they provide an incentive to deviate from their ordinary behavior. It would also allow BWH miners who merely benefited from utilizing the reduced mining power via sabotage to make significantly more rewards than BWH attack-only cases.

Figure 3 illustrates this strategy. We refer to the strategy as a Block Double-Submission (BDS) Attack in which PoW is submitted to both a BWH-attacking pool and a victim pool. BDS miners receive concurrent payments from both mining pools through such a method. Specifically, the BDS miners submit only pPoW to the BWH-attacking pool, provided they have successfully identified the victim pool. If the victim pool publishes a fPoW previously submitted to the BWH-attacking pool, the BWH-attacking pool could identify the traitor. The victim pool receives pPoW and fPoW from BDS miners but does not require fPoW to mint coins. In this instance, pPoWs measure the mining power of traitors. In the following section, we examine the rationality of the BDS attack.

4 BLOCK DOUBLE-SUBMISSION ATTACK

This section will explain the rationale behind the BDS attack. First, we identify the conditions that must be met for the attack to be reasonable, and then prove that they are feasible. Second, we present algorithms for the BDS attack.

4.1 Rationality of the Block Double-Submission

For this attack to be reasonable, it must be mutually advantageous and have a minimal boundary. The block double-submission attack must provide BDS miners greater benefits (C1). Similarly, it ought to be profitable for the victim pool (C2). In addition, we require that the victim pool cannot provide higher rewards than a BWH miner receives for mining with integrity (C3). Accordingly, we summarize three requirements as follows:

  • (C1) The trade generates greater profits for the victim pool than the honest mining under a BWH attack.
  • (C2) The trade provides the BWH miner greater revenue than cooperation for a BWH attack.
  • (C3) The trade is established with rewards less than the ones given to the BWH miner by honest mining.

Let a price function for purchasing a valid block from a BWH miner with mining power ( p ) where ( p \leq \tau \alpha ) be ( T(p) ), and the revenue generated by a victim pool is:

[ \frac{\beta + p}{1 – \tau \alpha + p} – T(p) ]

The BWH-attacking pool is still infiltrating

[ \frac{\beta}{\beta + \tau \alpha}. ]

(4)

Then, the revenue of a BWH miner with the trade is calculated as follows:

[ \text{revenue from the trade} = \frac{p}{\alpha} \left( 1 – \frac{\tau \alpha}{\beta} – T(p) \right) + \left( \frac{\beta + p}{1 – \tau \alpha + p} – T(p) \right) \frac{\tau \alpha}{\beta + \tau \alpha}. ]

(5)

Using the above, we obtain the boundaries of ( T(p) ) that satisfies C1, C2, and C3, respectively.

Lemma 1. There exists a boundary of ( T(p) ) for C1.

Proof. For C1, ( T(p) ) must satisfy ( R_{t,v} > R_{b,v} ), where ( R_{t,v} ) is the revenue with the trade and ( R_{b,v} ) is the revenue without the trade. ( R_{t,v} ) is given in (4). ( R_{b,v} ) is provided as (2) in Section 3. Therefore, the following should hold:

[ \frac{\beta}{1 – \tau \alpha} \cdot \frac{\beta}{\beta + \tau \alpha} < \left( \frac{\beta + p}{1 – \tau \alpha + p} – T(p) \right) \frac{\beta}{\beta + \tau \alpha}. ]

(6)

[ T(p) < \frac{p}{(1 – \tau \alpha \beta) (1 – \tau \alpha)}. ]

(7)

Lemma 2. There exists a boundary of ( T(p) ) for C2.

Proof. For C2, ( T(p) ) must satisfy ( R_{t,m} > R_{b,m} ), where ( R_{t,m} ) is the revenue with the trade and ( R_{b,m} ) is the revenue without the trade.

( R_{t,m} ) was shown previously in (5). ( R_{b,m} ) is given as follows:

[ R_{b,m} = \frac{p}{\alpha} \left( \frac{(1 – \tau \alpha)}{1 – \tau \alpha + p} + \frac{\beta}{\beta + \tau \alpha} \right). ]

(8)

Therefore, the following must hold:

[ T(p) > \frac{p}{\alpha} \left( \frac{1}{1 – \tau \alpha} + \frac{\beta}{\beta + \tau \alpha} \right). ]

(9)

[ T(p) > \frac{p(1 – \tau \alpha) + \tau \alpha}{\beta + \tau \alpha} \cdot (p \beta – p(1 – \tau \alpha)). ]

(10)

Then we prove that $C_3$ is satisfied comprehensively when $\mathcal{T}(p)$ is already within the boundary for $C_1$.

Lemma 3. If $\mathcal{T}(p)$ satisfies $C_1$, $\mathcal{T}(p)$ also satisfies $C_3$.

Proof. From Lemma 1, the boundary of $\mathcal{T}(p)$ is given as follows:

$$ \mathcal{T}(p) < \frac{p \cdot (1 – \tau \alpha – \beta)}{(1 – \tau \alpha + p)(1 – \tau \alpha)} $$

$$ = p \cdot \frac{1 – \tau \alpha – \beta}{1 – \tau \alpha + p – \tau \alpha + \tau^2 \alpha^2 – p \tau \alpha}. $$

(11)

By using the chain of inequality, which is:

$$ p \leq \tau \alpha < \beta < 0.5, $$

(12)

then we attain the following:

$$ \beta > -p + \tau \alpha + p \tau \alpha – \tau^2 \alpha^2. $$

(13)

Therefore, the following relation holds:

$$ p \cdot \frac{1 – \tau \alpha – \beta}{1 – \tau \alpha + p – \tau \alpha + \tau^2 \alpha^2 – p \tau \alpha} < p. $$

(14)

As $\mathcal{T}(p) < p \leq \tau \alpha < \beta$, the maximum of $\mathcal{T}(p)$ is not greater than $\tau \alpha$.

$\square$

From the previous results, we can prove that all the conditions are satisfied under our system model.

Theorem 1. There exists $\mathcal{T}(p)$ satisfying all the conditions $C_1$–$3$ at the same time.

Proof. With Lemma 3, we only need to prove that there exists $\mathcal{T}(p)$ that satisfies $C_1$ and $C_2$ at the same time. According to Lemma 1 and Lemma 2, $\mathcal{T}(p)$ must satisfy the below inequality:

$$ \frac{p \cdot (1 – \tau \alpha – \beta)}{(1 – \tau \alpha + p)(1 – \tau \alpha)} > \mathcal{T}(p) > \frac{1}{\beta + \tau \alpha – p \tau} \left(1 – \tau \alpha \right) \frac{p}{(1 – \tau \alpha) \alpha} $$

$$ \left[p \left(1 – \tau \alpha \right) + \frac{\tau \alpha}{\beta + \tau \alpha – p \tau} \cdot (p \beta – p(1 – \tau \alpha))\right] $$

(15)

By simplifying the above equation, we obtain the following relation:

$$ 1 – \tau \alpha – \beta > \frac{p \cdot \beta + \tau \alpha}{\beta + \tau \alpha – p \tau} \left(1 – \tau \alpha \right) + \frac{\tau \alpha}{\beta + \tau \alpha – p \tau} \cdot (p \beta – p(1 – \tau \alpha)) $$

(16)

$$ \left[p \cdot \frac{\beta + \tau \alpha}{\beta + \tau \alpha – p \tau} \left(1 – \tau \alpha \right) + \frac{\tau \alpha}{\beta + \tau \alpha – p \tau} \cdot (p \beta – p(1 – \tau \alpha))\right] $$

(17)

Using $\tau < 0.5$ (See Appendix A for a proof), we can prove the following:

$$ 1 – \tau \alpha – \beta > \tau \alpha \geq p > p + \frac{p – 1 < 0}{\tau (p – 1)} \frac{p}{\beta + \tau \alpha – p \tau} $$

(18)

Using (12), we finish the proof.

$$ 1 > \alpha + \beta > 2 \tau \alpha + \beta $$

(19)

$\square$

Eventually, we proved the existence of a rational deal that satisfies all the given conditions. The BDS attack block is advantageous for both parties. The victim mining pool can acquire fPoW without paying the total rewards associated with its publishing. As a result, the BDS attack can reasonably be contracted and executed between BWH miners and a victim pool.

4.2 Algorithms for Block Double-Submission Attack

We briefly explained the mechanism of the block-double submission attack in a problem statement. Now, we will discuss specific algorithms. Although the block-double submission has been proven reasonable, the current mining pool model needs to be modified for the BDS trade. The BDS attacker, for example, submits fPoW to the BWH victim pool. According to Algorithm 1, fPoW does not affect a miner’s rewards. Moreover, even though a mining pool counts an fPoW as the rewards by a certain number of pPoWs, the proper calculation of the rewards boundary demands the BWH miner’s mining power. The BWH victim pool will, therefore, only accept the block-double submission if fPoW exists and the reward is proportional to the number of pPoWs.

Algorithm 3 describes the BDS miner. The BDS deal is established only when $fPoW$ already exists. When the miner discovers $fPoW$, he sends both $pPoW$ and $fPoW$ to both the BWH-attacking pool and the victim pool. If not, only $pPoW$ is submitted to the BWH-attacking pool.

Algorithm 4 explains how the BWH victim pool computes the rewards for a BDS miner. First, the victim pool disregards the miner’s rewards if $fPoW$ is omitted. Otherwise, the mining pool calculates the mining payout using the number of $pPoW$. The number of $pPoW$ directly indicates the miner’s computational power in a probabilistic manner.

5 GAME-THEORETICAL ANALYSIS

This section examines the double-submission block attack from a game-theoretic perspective. First, we investigate the strategies employed by miners in the BWH-attacking pool. The second step is investigating the pricing of fPoW submitted to the victim pool. Using the preceding findings, we demonstrate that a BWH attack may be detrimental to the BWH attackers. In short, the dominant strategies of BWH miners are to execute BDS attacks for profit, resulting in the loss of the BWH-attacking pool.

5.1 A Cooperation Game between BWH Miners

The previous section showed that the BDS trade between a miner and a victim pool can be established reasonably. Given that multiple ALGORITHM 3: BDS between the BWH-attacking pool A and the BWH victim pool B

Function Mining

| task ← newTask(w); | | (pPoW, fPoW) ← work(task); | | if fPoW ≠ null then | | send(A, (pPoW)); | | send(B, (pPoW, fPoW)); | | else | | send(A, (pPoW)); | | end | | revenue ← revenue + recv(A) + recv(B); | | end |

ALGORITHM 4: Rewards from the BDS attack

Function Reward

| forall Miner w ∈ Miners do | | (pPoW, fPoW) ← recv(w); | | if fPoW = null then | | quit(); | | end | | revenue ← revenue + publish(pPoW); | | reward(a) ← tradeCount(pPoW); | | end |

Table 1: Payoff table of two miners in a BWH-attacking pool

CB
Cooperate (C)R, R’D, H’
Betray (B)H, D’L, L’

BWH miners may exist in a BWH-attacking pool, it is important to analyze the dominant strategy as the collective actions of multiple miners to better understand the miners’ behaviors.

We begin by analyzing a simple model with two miners. Assuming the simplest set of BWH miners, denoted by ( M = { m_1, m_2 } ), each miner is assigned the action set ( A = { C, B } ) where ( C ) represents ‘Cooperate’ and ( B ) represents ‘Betray’ (i.e., the BDS). Table 1 is the payoff matrix for the two BWH miners game. Specifically, we represent the mining power of ( m_1 ) as ( p ) and ( m_2 ) as ( q ), where ( p + q \leq \tau \alpha ).

Lemma 4. In Table 1, the boundary of ( T(\cdot) ) by Theorem 1 satisfies the following chains of inequalities:

[ H > R > D \text{ and } L > R > D ]

[ H’ > R’ > D’ \text{ and } L’ > R’ > D’ ]

Proof. First, for ( H > R, T(\cdot) ) by Lemma 1 and 2 satisfies it.

Second, for ( R > D, R ) and ( D ) are as the following:

[ R = \frac{p}{\alpha} \cdot \frac{(1 – \tau)\alpha + \frac{\beta}{1 – \tau\alpha} \cdot \frac{\tau\alpha}{\beta + \tau\alpha}}{1 – \tau\alpha + q} ]

[ D = \frac{p}{\alpha} \cdot \frac{(1 – \tau)\alpha + \frac{\beta + q}{1 – \tau\alpha + q} \cdot \frac{1 – \tau\alpha}{\beta + \tau\alpha}}{1 – \tau\alpha + q} + T(q) ]

[ R – D = \frac{p}{\alpha} \cdot \frac{\left( \frac{1}{1 – \tau\alpha} – \frac{1}{1 – \tau\alpha + q} \right) \cdot (1 – \tau)\alpha + \left( \frac{\beta}{1 – \tau\alpha} – \frac{\beta + q}{1 – \tau\alpha + q} \right) \cdot \frac{\tau\alpha}{\beta + \tau\alpha} + T(q) \cdot \frac{p\tau}{\beta + \tau\alpha}}{1 – \tau\alpha + q} ]

[ \frac{p}{\alpha} \cdot \frac{q}{(1 – \tau\alpha)(1 – \tau\alpha + q)} \cdot \frac{\beta}{\beta + \tau\alpha} + T(q) \cdot \frac{p\tau}{\beta + \tau\alpha} ]

( R > D ) is always satisfied with ( T(\cdot) > 0 ). Therefore, by Lemma 1 and Lemma 2, the boundary of ( T(\cdot) ) satisfies ( H > R > D ). ( H’ > R’ > D’ ) is satisfied likewise.

Third, we show ( L > R ). In the strategy ((B, B)), BWH miners ( m_1 ) and ( m_2 ) betray their mining pool. For the sake of analysis, we consider it as that a miner with a collective BWH mining power of ( p’ = p + q ) betrays the BWH-attacking pool. By Lemma 1 and 2, the relationship ( L > R ) holds. We already showed ( R > D ); thus, ( L > R > D ) is satisfied.

Lemma 5. In the game in Table 1, ((B, B)) is the only pure Nash equilibrium.

Proof. By Lemma 4, ((C, C)) is dominated by ((C, B)) and ((B, C)). ((B, B)) dominates ((B, C)) and ((C, B)). Therefore, only ((B, B)) is the Nash equilibrium.

For advanced analysis, we assume a general set of BWH miners given as ( M = { m_1, m_2, …, m_N } ) where ( N > 1 ).

More generally, we can prove the strategy set that all BWH miners choose the betrayal action is only Nash equilibrium.

Theorem 2. In the BWH miners game with ( N ) miners ( (N > 1) ), the only Nash equilibrium is for all miners to choose ‘betray.’

Proof. We can split the set of the BWH miners into two sets based on their actions. Assume there is at least one BWH miner who chooses the action ( C ). Then, we denote the set of BWH miners with the action ( C ) as ( M_1 = { m_1, m_2, …, m_k } ), and the set of BWH miners with the action ( B ) as ( M_2 = { m_{k+1}, …, m_N } ). Then, for a miner ( m_1 ), we can change the game to a set of BWH miners ( M’ = { m_1, m_{k+1}, …, m_N } ). It is the case when ( m_1 )’s computing power is ( p ) and the other miners’ computing power is ( q ) in Theorem 5. Therefore, for the miner ( m_1 ), changing the action to betrayal ((B)) is motivated. Consequently, all the pure strategy sets, including any cooperation ((C)), are not Nash equilibria. 5.2 Pricing on Blocks

We have already proved that reasonable BWH miners would conduct BDS attacks. Both parties will make a profit or incur no loss due to a result of this trade. Nonetheless, the price of the trade between BDS miners and the victim pool is a range rather than a fixed value. Now we determine an equilibrium price between the BDS miners and the victim pool using a game-theoretic model.

Revisiting the assumption for our system model in Section 3, the victim pool cannot identify or respond to a BWH attack effectively. Therefore, the BDS trade should be proposed by BWH miners within the BWH-attacking pool. If the price of BDS blocks falls within the range specified in Section 4, it will always generate more revenue than a BWH attack, which can be regarded as the ultimatum game [11].

Figure 4 illustrates the suggested block pricing game. Let $a$ be the lowest boundary, $b$ be the highest boundary in Theorem 1, and the proposed price by a BDS miner be $p$. If the victim pool accepts the offer, the BDS miner receives $p$, and the victim pool receives $b – p$. Otherwise, they earn nothing. This ultimatum game can be described as follows:

$$f : [a, b] \rightarrow {\text{Accept}, \text{Reject}} \quad (25)$$

This game has innumerable Nash equilibria; thus, we refined them using the concept of subgame perfect equilibrium, a refinement framework for dynamic games.

Theorem 3. In the BDS ultimatum game, $(b, \text{Accept})$ is the only subgame perfect equilibrium.

Proof. Since the range of proposed prices is continuous, it is evident that there is an infinite number of Nash equilibria. The BDS miner proposes $p$, and the victim pool accepts the proposal only if $p$ is included; otherwise, the victim pool rejects the proposal. Nobody can alter their strategies in this situation. Among these Nash equilibria, the strategy where the BDS miner proposes $b$ maximizes his earnings. Therefore, $(b, \text{Accept})$ is the only subgame perfect equilibrium. □

5.3 A Principal-Agent Problem in the BWH Attack

We analyzed how BWH miners behave in the block-double submission attack situation. Our research indicates that the BWH miners will betray for more profits. If this is the case, the outcome of a BWH attack may differ totally from what the attacker anticipated.

We now construct a new game between a BWH-attacking pool and BWH miners, as illustrated in Figure 5, which is referred to as a BWH-attacking pool and mining agents game. The mining pool may select one of two strategies: the BWH attack (A) or Honest mining (H), with the two sets of BWH miners from the previous game.

The BWH attack was designed assuming miners would collaborate with the BWH-attacking pool. The strategy set $(A, C, C)$ with increased profit represents the ideal case (from BWH attacking pool’s perspective). The strategy set $(A, B, B)$ is when miners choose the BDS attack. As shown in Section 5.1, the subgame of BWH miners has the only Nash equilibrium to carry out BDS attacks. Therefore, the strategy set $(A, C, C)$ cannot be a Nash equilibrium.

Theorem 4. The strategy set $(H, B, B)$ is the only subgame Nash equilibrium in the BWH-attacking pool and mining agents game.

It implies that mining pools would not want to conduct a BWH attack. The mining pool employs a BWH attack to increase its earnings; however, joining the BWH attack may not be the best decision for BWH miners. It does not work as intended by the BWH-attacking pool. Game theory refers to this type of dilemma as the principal-agent problem. Contrary to the intention of the BWH-attacking pool, a BWH attack will be a strategic failure because reasonable miners seek greater rewards.

6 QUANTITATIVE ANALYSIS

This section offers a quantitative study of the BDS attack based on different mining power distributions and participation ratios for BDS attacks.

$$RER = \frac{R_a – R_h}{R_h} \quad (26)$$

We provide theoretical results demonstrating the effectiveness of BDS attacks in BWH environments. To analyze miners’ revenue, we employ the relative extra reward (RER), defined as the ratio. Figure 6: Quantitative analysis results from the BDS with three participation ratios (20%, 50%, 100%): From left to right, each column shows the RERs of the BWH-attacking pool, RERs of the BDS miner, and RERs of the victim mining pool, respectively. It shows that the BDS attack is very profitable. In addition, as the miners betraying the BWH-attacking pool increases, the loss of the BWH attacking pool increases up to nearly 20%.

Table 2: Approximate Bitcoin power distribution for a month by BTC.com

RankMining PoolComputational Power
1Foundry USA18 %
2AntPool15 %
3F2Pool14 %
4Poolin12 %
5Binance Pool11 %

of extra revenue to revenue from honest mining. We may derive the following expression, given $R_a$ as the miner’s revenue with an attack and $R_h$ as the miner’s revenue with honest mining.

Figure 6 displays, from left to right, the RERs of the BWH-attacking pool, BDS miners, and victim pool. 20% of BWH miners participate in the BDS attack in the first row (a) — (c), 50% in the second row (d) — (f), and 100% in the third row (g) — (i). First, we can see intuitively that BDS attackers can generate enormous profits. The number of BWH miners who betray the BWH-attacking pool and join the BDS decreases the benefit to be shared; nonetheless, the greatest figure in graph (b) was rounded to the first decimal place, reaching 99.9% RER. Considering that BWH attacks provide gains of up to 10% or less, their earnings are astoundingly huge.

Examining the profitability of the BWH-attacking pool reveals that the greater the participation rate in BDS attacks, the lower the effect of BWH, and the lower the RER falls to a negative value. At a BDS participation rate of 100%, the BWH-attacking pool will experience a loss of up to 20% and substantial collateral damage. According to our study, involvement in a BDS attack is likely to be a sensible decision from a game-theoretic standpoint, resulting in the BWH attack eventually causing damage to themselves.

Lastly, the RERs of the victim pool have constant fixed values. There are two main factors: First, we have the condition that double-submission of a block does not result in the victim mining pool being lost. Second, according to the analysis in the preceding section, BDS attacks always benefit BDS miners the most from the equilibrium of the ultimatum game; therefore, the victim mining pool neither loses nor gains revenues as a result of existing BWH attacks. Simulations verify the validity of the preceding theoretical analysis in the following section.

7 SIMULATION

This section confirms our analysis of the BDS attack by comparing theoretical expectations with simulated results.

We built a Python Monte Carlo simulator to simulate the double-submission attacks from one pool to another. We employed the actual mining pool environment for simulations. Table 2 approximates the computing power distribution among the top five mining pools, with which we simulated two BDS attacks. The first case is when Foundry USA (18%) attacks AntPool (15%), and the second case is when Poolin (12%) attacks Foundry USA (18%).

Two simulation results are shown in Figure 7. The blue lines represent theoretical expectations. The RERs fall as the participation ratio increases. The $x$ symbols represent the results from $10^7$ repetitions of the simulation. To validate the effect of the BDS attack, we recreated each scenario with five different BDS participation ratios (20%, 40%, 60%, 80%, and 100%). The numbers in Table 3 provide more precise values up to two decimal places than those shown in Figure 7. The simulation results validated the theoretical predictions as depicted in the table and the figures.

Table 3: The RERs of a BDS miner when the participation ratio is 100%. Each A (B) number indicates the RERs from the theoretical analysis and simulation, respectively.

Case20%40%60%80%100%
# 186.3685.8085.2384.6784.11
# 282.9882.5682.1481.7381.32

8 DISCUSSION

This section discusses four aspects of BDS attacks: Adaptability to the FAW attack, viability of the optimal block price, mitigation of BDS attacks, and deception under BDS attacks.

8.1 Block Double-Submission under Fork After Withholding Attacks

As introduced in Section 2, various BWH attack strategies have been studied. Even though this study focuses mainly on the BWH attack, the FAW attack presented by Kwon et al. [13] is also remarkable. In the FAW attack, an adversary mining pool infiltrates a victim pool but does not always withhold blocks. If miners who do not belong to the attacking mining pool and the victim mining pool publish a block, the attacking mining pool publishes a delayed fPoW, invoking a fork. If the attacker or the victim wins the fork, the attacker receives additional income. In this way, the FAW attack generates greater revenue than the BWH attack.

The FAW attacks resolved the Prisoners’ Dilemma posed by the BWH attacks and provided superior performance. The FAW attacks…

Useful information for enthusiasts:

Contact me via Telegram: @ExploitDarlenePRO