Novel Bribery Mining Attacks in the Bitcoin System and the “Bribery Miner’s Dilemma”

Mining attacks allow adversaries to obtain a disproportionate share of the mining reward by deviating from the honest mining strategy in the Bitcoin system. Among them, the most well-known are selfish mining (SM), block withholding (BWHT), fork after withholding (FAW) and bribery mining. In this paper, we propose two novel mining attacks: bribery semi-selfish mining (BSSM) and bribery stubborn mining (BSM). Both of them can increase the relative extra reward of the adversary and will make the target bribery miners suffer from the “bribery miner dilemma”. All targets earn less under the Nash equilibrium. For each target, their local optimal strategy is to accept the bribes. However, they will suffer losses, comparing with denying the bribes. Furthermore, for all targets, their global optimal strategy is to deny the bribes. Quantitative analysis and simulation have been verified our theoretical analysis. We propose practical measures to mitigate more advanced mining attack strategies based on bribery mining, and provide new ideas for addressing bribery mining attacks in the future. However, how to completely and effectively prevent these attacks is still needed on further research.

KEYWORDS

Bitcoin, blockchain, mining attacks, selfish mining, block withholding, fork after withholding, bribery mining.

1 INTRODUCTION

Bitcoin [1] is a decentralized cryptocurrency based on blockchain technology, which is proposed by Satoshi Nakamoto in November 2008. Unlike most currencies, Bitcoin does not rely on specific currency institutions for issuance. It is generated through a large amount of calculations according to specific algorithms. The Bitcoin system uses a distributed database composed of numerous nodes in the entire peer-to-peer network to confirm and record all transactions, and adopts cryptographic design to ensure the security of the whole process of currency circulation. The decentralization of peer-to-peer network and consensus algorithms can ensure that currency value cannot be artificially manipulated through the mass creation of Bitcoin. Cryptographic-based designs allow Bitcoin only to be In the Bitcoin system, participants (miners) can get rewards by adding transaction records to the ledger (blockchain), which requires miners to solve cryptographic puzzles as a proof of work (PoW) [36]. The first miner to solve the puzzle and generate a valid block can obtain block rewards (6.25 Bitcoins in 2023). The process of miners solving cryptographic puzzles and generating blocks is called “mining process”. When two or more blocks are generated and published simultaneously in the system (due to network communication delay), forking occurs. To maintain consistency, one of the branches will be selected by the system and eventually become the main chain. Once miners on other branches receive the longest chain, they will shift their attention and mining power to the main chain. In the Bitcoin system, the difficulty of solving cryptographic puzzle is adjusted per two weeks to maintain the average generation time of blocks as a constant (10 minutes). However, due to the current mining power’s hash rate exceeding $3.3 \times 10^{20}$ Hash/s [35], it probably takes a single miner several months or even years to solve a password puzzle [2]. Therefore, to attain stable income, miners tend to unit to form a miner pool. Most mining pools have a pool manager responsible for assigning work and rewards. When a mining pool finds a block, the miners in the mining pool will share rewards in terms of their contributions (the number of shares submitted).

Since cryptocurrencies have monetary value, they naturally become a valuable target for attack. Although the design of Bitcoin ensures security, previous studies have shown that adversaries can increase their rewards when deviating from honest mining strategies, such as selfish mining [8], block with holding (BWH) [20], fork after withholding (FAW) [24], and bribery attacks [26]. In selfish mining attacks, adversaries intentionally hide discovered blocks to form a private chain and continue to mine on the private chain. When a block is generated on the public chain, adversaries selectively publish blocks on the private chain, and get disproportionate rewards by wasting the mining power of honest miners. Semi-selfish mining (SSM) [18] is a mining strategy constructed on the basis of SM which divides mining power into two parts. The consumptions of two parts of mining power are similar to selfish and honest pools, respectively. Most of mining power is applied to mining on the private chain while the other small portion is utilized to mine on public chain. The design of SSM can significantly reduce the system forking rate while only slightly reducing the profit of selfish miners. Briefly, SSM can balance benefit and forking rate. In the BWH attack, the adversaries divides their mining power into innocent pool and infiltration pool. When infiltration pool finds a valid block (full proof of work, FPoW), he withholds it and continues to submit other shares (partial proof of work, PPoW) to obtain the share reward. [20] has shown that BWH attacks are more profitable than honest mining (HM) when adversaries segment their mining power appropriately. However, when two pools use BWH attacks against each other (both pools have lower reward than HM), they will encounter the “miner’s dilemma”. The design principle of FAW attack is similar to BWH attack. More specifically, the only difference is that in BWH attack, the adversary will discard the discovered FPoW, while in FAW, the attacker will reserve this FPoW. When other miners (not in the victim pool) find a valid block, the adversary will release and submit the previously reserved FPoW, causing a fork (similar to SM) to win in the forking competition and obtain share reward. Compared with BWH, FAW can get more reward while avoiding the miner’s dilemma. In bribery mining attack, once forking occurs, the adversary will try to win in the forking competition by bribing part of honest miners (called target bribery pool) to extend its branch and paying the bribe to the target bribery pool to obtain higher profits.

In this paper, we propose two novel strategies of mining attack to increase the reward of the adversary. Moreover, We model multi-target bribery pools and prove target pools would suffer “the bribery miner’s dilemma” in BSSM and BSM. Finally, we put forward practical measures to mitigate the high-level attacks based on bribery mining. However, how to prevent such attacks completely remains an unresolved issue.

We summarize our contributions as follows:

Adversaries can get higher reward through bribery attacks in semi-selfish mining attack and stubborn mining attack. We discussed the situation where adversaries launch bribery attacks. In a forking competition…

situation, adversaries can bribe other honest miners to extend the attacker’s branch, increasing the probability of successful forking competition and hence obtaining higher profits.

We further proposed bribery semi-selfish mining (BSSM) and bribery stubborn mining (BSM). BSSM combines bribery mining and SSM. Simulation experiment results indicate that BSSM can result in 6% relative extra reward for adversaries in comparison with SSM with the same chain growth rate.
The target bribery pools will suffer the “bribery miner’s dilemma” in BSSM and BSM under the multi-target bribery pool model. On the one hand, from the perspective of each target bribery pool, his optimal strategy is to accept bribes and extend attacker’s branch. However, he will suffer losses if all target bribery pools reject bribes. On the other hand, from the standpoint of target bribery pools, their optimal strategy is to reject bribes.
We proposed practical countermeasures to mitigate higher-level bribery attacks, and provided new ideas for mitigating bribery mining in the future.

2 PRELIMINARIES

2.1 Bitcoin Background

Mining Process. The issuance process of Bitcoin is implemented by the Bitcoin system generating a certain number of Bitcoins as rewards for miners, in which miners play the role of currency issuers. The process of generating new blocks is also known as mining. All Bitcoin transactions need to be packaged into blocks and recorded in the ledger. The miner who first finds the nonce that meets the difficulty requirements can get the coinbase reward. The mining process motivates miners to maintain the security of blockchain. The total number of bitcoins was initially set to 21 million. Each miner who publishes a block can get 50 Bitcoins as a coinbase reward initially, which halves per 4 years. It is expected that the coinbase reward will no longer be able to be further subdivided until 2104, which results in completing the issuance of all Bitcoins.

Forks. When multiple miners broadcast the blocks discovered by them simultaneously, blockchain forking occurs, since other miners will consider the first received valid block as the header [33]. One branch will compete successfully thus becoming the main chain eventually. Miners who publish blocks on the main chain will obtain corresponding coinbase rewards, while others will not get any rewards. Note that forks may also occur intentionally, such as SM attack [8] or FAW attack [24].

Mining Pool. With the increasing investment of mining power in Bitcoin, the probability of a miner discovering a valis block becomes extremely small. Nowadays, miners tend to participate in an organization called mining pool. In general, a mining pool consists of a pool manager and multiple peer miners. All participants collaborate to solve the same cryptographic puzzle. Once the mining pool generates a valid block successfully, participants will share rewards according to the distribution protocol, such as Pay Per Share (PPS), Pay Per Last N Shares (PPLNS), Pay Proportionally (PROP) [3] and so on. In theory, the rewards of miners are proportional to their mining power directly. Therefore, miners who participate to the mining pool can reduce the difference in profits significantly. Currently, most of the blocks in Bitcoin are generated by mining pools, such as AntPool [4], Poolin [5], and F2Pool [6].

2.2 Related Work

Selfish Mining. Attackers can generate a fork through selfish mining (SM) intentionally to obtain additional rewards [7,8]. Specifically, in SM attack, adversaries hide discovered blocks intentionally, forming a private chain and continuing to extend it. Once a new valid block is generated in public chain, attackers selectively publish blocks on the private chain, and obtain disproportionate rewards by wasting the mining power of honest miners. It is expected that the motivation to mine will rely more on transaction fees rather than block rewards due to the continuous decline in coinbase rewards. Once the transaction volume of Bitcoin decreases, these transaction fees will not be enough to compensate miners for their investment in computing resources. Consequently, some miners may stop mining…

temporarily, which will threaten the security of Bitcoin system. [9] introduces the incentive mechanism of Bitcoin when the total computing power of the system decrease. [16] expands the underlying model of ( SM ) attack, further optimizes the upper bound of optimal strategy rewards, and lowers the minimum threshold for obtaining extra returns from ( SM ). [17] supplements the action space of ( SM ), models as Markov Decision Process (MDP), and pioneers a new technology to solve the nonlinear objective function of MDP, resulting in a more powerful ( SM ) strategy. Under the same assumption, relevant studies conduct a series of discussions on the mining strategies of rational mining pools [10,11,12,13]. [14] provides some simulation results when involving multiple independent selfish mining pools or stubborn mining pools. [15] theoretically studies the equilibrium of multiple independent selfish mining pools. [37] focuses on the classic selfish mining attacks in the blockchain, explores the strategies to deal with the attacks from the perspective of game theory, and further depicts the equilibria state of the system under the competition of various strategies. However, due to the high forking rate caused by ( SM ), these attacks are not practical. Once honest miners discover abnormal forking rate, they may exit the blockchain system. ( SM ) attack is no longer meaningful with the departure of honest miners. [18] proposes semi-selfish mining (SSM) attack, which can achieve a balance between revenue and forking rate. [19] proves that honest miners do not choose to advocate for SSM attack without being detected.

BWH Attacks. Attackers can adopt ( BWH ) attack to destroy rewards for the victim pool [20,21]. Attackers divide their mining power into innocent mining pool and infiltration mining pool. When infiltration pool finds a valid block (full proof of work, FPoW), he withholds it and continues to submit other shares (partial proof of work, PPoW) to obtain the share reward. The victim mining pool will never get rewards from the attacker’s infiltration mining. Hence, the victim pool will suffer losses. Other miners, including innocent mining pool of adversary, will gain more rewards for the loss of the victim pool. [22] indicates that when attackers partition their mining power correctly, ( BWH ) attack is more profitable than ( HM ). However, when multiple independent pools adopt ( BWH ) attack against each other (all pools have lower returns than ( HM )), they will encounter the “miner’s dilemma” [23].

FAW Attacks. ( FAW ) attack combines ( SM ) and ( BWH ) attacks [24]. In brief, ( BWH ) attackers will discard the discovered FPoW, while in ( FAW ), the attackers will reserve the FPoW. When other miners (not in the victim pool) find a valid blocks, the adversary will release and submit the previously reserved FPoW, causing a fork (similar to ( SM )) to win in the forking competition and obtain share reward. In other cases, ( FAW ) attack strategy is consistent with ( BWH ). ( FAW ) can get more rewards and avoid miner’s dilemma compared with ( BWH ). Attackers may succeed in forking competition, thereby obtaining the share reward. When attacker’s branch is never selected as the main chain, ( FAW ) will degenerate into ( BWH ). Attackers with lower mining power will always fall into the miner’s dilemma and lose profits when two attackers use ( FAW ) attacks against each other, which is independent of their network environment. Conversely, attackers with higher mining power may avoid the miner’s dilemma and gain higher profits, which is related to their network environment. [25] combines mining power adjustment strategies with ( FAW ) attack (( PAW )), allowing attackers to adjust mining power dynamically between innocent mining and infiltration mining. Therefore, attackers can always increase their profits by allocating more mining power to more attractive mining strategies.

Bribery Attacks. Bribery attacks can increase the probability of the attacker’s branch being selected as the main chain in forking competition [26]. Bribery attacks can only help the attacker win in the forking competition rather than bringing any profit to the attacker. Attackers can adopt original bribery attack to win in forking competition, without obtaining any extra reward, instead. Therefore, original bribery attacks are always considered to combine with other attacks, such as double spending attack [27]. Bribery attack can be launched in a less visible way [28]. [25] combines bribery attack with ( SM ). It indicates that compared with ( SM ), bribery selfish mining (BSM) could bring 10% extra rewards to attackers. However, BSM may cause the “venal miner’s dilemma”. [29] proposes an optimal ( BSM ) to avoid the “venal miner’s dilemma”, where miners are considered perfectly rational. Attackers have lower mining power thresholds when making extra profits compared with SM. [30] proposes a mixed scenario where attackers alternate their strategy between BWH, FAW, and PAW. The mixed strategy is proved to be much higher in revenue than HM.

3 THREAT MODEL AND ASSUMPTION

3.1 Threat Model

An adversary can be an individual miner, or a mining pool formed by a collection of miners. Honest miners are profit-driven and could adopt the optimal mining strategy to increase their own profits without launching any mining attacks. Besides, adversaries can create different identities through sybil attacks and participate in multiple open mining pools with different accounts and IDs. Meanwhile, the adversary’s mining power is limited to avoid 51% attack. He can allocate their mining power to innocent mining pool (similar to HM strategy), selfish mining pool (similar to SM strategy), or other mining attack strategies. More specifically, in BSSM model, the adversary allocates their mining power to innocent mining pool and selfish mining pool. In BSM model, adversaries only adopt SM. Finally, the adversary can create sybil nodes in the network to prioritize the propagation of their generated blocks, which increases the probability of selecting the attacker’s branch as the main chain when forking occurs.

3.2 Assumption

To simplify our analysis, we make some reasonable assumptions. Our assumptions are similar to those of other selfish mining attacks, such as selfish mining [8], stubborn mining [16], semi-selfish mining [18] and bribery attacks [26, 34].

We normalized the total mining power of the system to 1. The (normalized) mining power of adversary is a value greater than 0 but less than 0.5, which is designed to avoid 51% attacks.
Miners are profit-driven. Honest miners can adopt the optimal mining strategy they consider to increase their profits, but will not launch mining attacks. This is reasonable because miners are honest but selfish. When the blockchain forks and the lengths of each branch are equal, miners could choose any branch.
There are no unintentional forks in the Bitcoin system. This assumption is rational because the probability of unintentional forks occurring in the Bitcoin system can be negligible, approximately 0.41% [31]. Therefore, combined with Assumption 1, the expected reward for a miner is equal to the probability of finding a valid block in each round. Due to the exponential distribution of the time for miners to find a valid block [32], average value is inversely proportional to their mining power, the probability of miners finding a valid block is equal to their normalized mining power.
We will normalize the coinbase reward for finding a valid block to 1 instead of 6.25 Bitcoins. In our analysis, miner’s rewards are expected as well as normalized.

4 OBSERVATION AND MOTIVATION

4.1 Semi-selfish Mining

In semi-selfish mining, the adversary allocates mining power to the honest pools (similar to the honest mining strategy: mining as individual honest miners) and the selfish pools (similar to the selfish mining strategy: mining as selfish miners). In each round, the probability of honest pools generating a valid block is (\rho \alpha), and the probability of selfish pools generating a valid block is ((1 – \rho)\alpha). Therefore, the probability of other pools generating a valid block is (1 – \alpha). The state transition process of semi-selfish mining is shown in Figure 1. The meanings of states 0, 0′, 1, 2, 3, 4, … are exactly the same as the states in selfish mining. On the basis, the states 1′, 2′, 3′, 4′, … indicate that the last block in the public chain is generated by the adversary through honest pools, where the specific number represents the length of the private chain that the adversary reserves or hides.

Actually, there is a certain problem in analyzing the rewards of adversary while modeling semi-selfish mining, which ignores the specific situations in which adversary may receive rewards. For example, when an attacker finds a valid block through honest pools, he will publish the block on the public chain and two blocks that are reserved (hidden) by selfish pools at once. The adversary will receive two block rewards regardless of which chain wins eventually (with probability $\alpha \rho$). In $\textit{BSSM}$ reward analysis, we will revise this issue, as detailed in Section 6.2.

4.2 Stubborn Mining

Stubborn mining extends the underlying model of selfish mining attacks. Its mining strategy is more “stubborn”, which does not easily give up when leading, falling behind, and advancing together. In each round, the probability of selfish pools generating a valid block is $\alpha$, and the probability of other pools generating a valid block is $(1 – \alpha)$. In addition, when the blockchain forks and the lengths of two branches are equal (one is a private chain of selfish pools, and the other is a public chain of other honest mining pools), the probability of other pools discovering a valid block and publishing it on the private chain of adversary is $\gamma(1 – \alpha)$. Correspondingly, the probability of other pools publishing the block to public chain is $(1 – \gamma)(1 – \alpha)$.

Stubborn mining introduces three strategies by varying the degree of stubbornness of adversaries, which is designated as lead stubborn mining, equal-fork stubborn mining, and trail stubborn mining. The state transition process of three strategies of stubborn mining is shown in Figure 2. To simplify our analysis, we only discuss lead stubborn mining strategy. The meanings of states $0, 0′, 1, 1′, 2, 2′, 3, 3′, …$ are exactly the same as the states in selfish mining. The states $1′, 2′, 3′, …$ indicate that the blockchain forks and the lengths of two branches are equal (one is an adversary’s private chain, and the other is a public chain of other honest mining pools), where the specific number indicates the length of hidden private chain of adversaries.

4.3 Bribery Attack

When the blockchain forks and the lengths of two branches are equal, the adversaries may bribe some honest miners in other pools, which brings about the selfish branch of adversary a higher probability of successful competition thus becoming the main chain eventually. The process of bribery attack as shown in Figure 3. The part of bribed honest miners is called the target bribery pools. The reason why the target bribery pools are willing to accept bribes from the adversary is that the attackers will give a portion of the bribery money to the target bribery pools, which ensures that the total reward for the target bribery pools accepting bribes and expanding adversary’s branches is no less than refusing bribes. Furthermore, the reward of adversary increases as the probability of the adversary’s branch eventually becoming the main chain increases. When the adversaries choose to provide appropriate bribe money, they can obtain higher rewards than honest mining.

More specific, (1) when adversaries or target bribery pools find a valid block, they will publish it on private chain of adversary. Adversary’s private chain wins and becomes the main chain with probability ((\alpha + \beta \gamma)). (2) When other pools find a valid block, if they publish it on the public chain of other pools, other pools’ public chain wins and becomes the main chain with probability ((1 – \gamma)(1 – \alpha – \beta \gamma)). (3) If they publish it on the private chain of adversary, adversary’s private chain wins and becomes the main chain with probability (\gamma(1 – \alpha – \beta \gamma)).

5 BRIBERY SEMI-SELFISH MINING (BSSM)

5.1 Overview

We introduce bribery semi-selfish mining (BSSM) attack that combines bribery attack with semi-selfish mining. In the observation of bribery attack in Section 4.3, we point out that when the blockchain forks and the lengths of private branch of adversaries and public branch of other pools are equal, the adversaries may bribe some honest miners in other pools, increasing the probability of the private branch of adversary becoming the main chain. Therefore, BSSM combines bribery attack with semi-selfish mining, which could increase the reward of adversary by adding bribery transactions on adversary’s private branch.

Similar to SSM, adversary allocates mining power to the honest pools and selfish pools. We adopt (a) to represent all adversary pools, (a_i) to represent adversary’s honest pools, and (a_s) to indicate adversary’s selfish pools. Accordingly, we use (b) to represent target bribery pools, and (o) to indicate other pools. When (a_s) finds a valid block, he will reserve it. When another miner ((o, b, \text{or } a_i)) finds a valid block and publish it on public chain, adversaries will release a reserved block on the private chain at once, which brings about forking. (b) will choose to mine on public branch (denying bribes) or mine on private branch of adversary (accepting bribes). Once (b) chooses to expand private branch, he will claim to adversary that he accepts bribes. Otherwise, (b) cannot claim to accept bribes from adversary. After the end of each round, adversary pays bribes to (b) who accepts bribes.

5.2 Modeling BSSM

State Transitions and probability. We model the state transition process of BSSM as shown in Figure 4. The meanings of states (k(k \geq 0)) are exactly the same as the states in selfish mining. The states (k'(k \geq 1)) indicate that the latest block on public chain is generated by (a_i), and the private chain is reserved by (a_s) before the block, where the number (k) represents the difference between the length of the private chain and the public chain. More specifically, the length of the private chain reserved by (a_s) is ((k + 1)). Note that the difference between states…

It is precisely for this reason that the difficulty of analyzing rewards for ( a, b, ) and ( o ) has greatly increased. We observe from Figure 4 that states ( k(k \geq 2) ) and states ( k'(k \geq 2) ) will eventually transition to state 2 with probability ( \frac{1-\alpha}{1-\alpha+\rho a} ) or state ( 2′ ) with probability ( \frac{\rho a}{1-\alpha+\rho a} ). Therefore, based on states 2 and 2′, we analyze the winning probability of private chain of ( a ) and public chain of ( o ) respectively in states ( k(k \geq 2) ) or ( k'(k \geq 2) ). Before analysis, we need to add two entities ( P_b^s ) (represents the winning probability of public branch of ( o ) in states ( k(k \geq 2) ) or ( k'(k \geq 2) ) ) and ( P_o^s ) (represents the winning probability of private branch of ( a ) in states ( k(k \geq 2) ) or ( k'(k \geq 2) ) ).

According to Figure 4 of the state transition process of ( BSSM ), we obtain the following equations:

[ \begin{align*} p_0 &= (1-\alpha + \rho a)p_0 + (1-\alpha)(p_2 + p_2′) + p_0′ + p_0” + p_0”’ p_1 &= (1-\rho)ap_0\np_1′ &= \rho \alpha (p_2 + p_2′)\np_0” &= (1-\alpha – \beta b)(p_1 + p_1′)\np_0”’ &= \beta b (p_1 + p_1′)\np_0”” &= \rho \alpha (p_1 + p_1′) p_k &= (1-\rho)\alpha p_{k-1} + (1-\alpha)(p_{k+1} + p_{(k+1)’})\text{when} \ k \geq 2\np_k’ &= (1-\rho)ap_{(k+1)} + \rho \alpha (p_{k+1} + p_{(k+1)’})\text{when} \ k \geq 2\sum_{k=0}^{\infty}p_k + \sum_{k=0}^{\infty}p_k’ + p_0” + p_0”’+p_0”” = 1 \end{align*} ]

We observe event (o’_o) in Figure 5: (1) when (o) finds a valid block, he will publish it on public branch with probability ((1 – \gamma)(1 – \alpha – \beta^b)) (public branch wins) or publish it on private branch with probability (\gamma(1 – \alpha – \beta^b)) (private branch wins); (2) when (b) finds a valid block, he will publish it on public branch with probability (\beta^b) (public branch wins); (3) when (a_i) finds a valid block, he will publish it on private branch with probability ((1 – \rho)\alpha) (private branch wins); (4) when (a_i) finds a valid block, he will publish it on public branch with probability (\rho \alpha) (public branch wins). Similarly, we observe event (o’_o): (1) when (o) or (b) finds a valid block, they will publish it on public branch with probability ((1 – \gamma)(1 – \alpha – \beta^b) + (1 – \gamma)\beta^b) (public branch wins), or publish it on private branch with probability (\gamma(1 – \alpha – \beta^b) + \gamma \beta^b) (private branch wins); (2) when (a_i) finds a valid block, he will publish it on private branch with probability ((1 – \rho)\alpha) (private branch wins); (3) when (a_i) finds a valid block, he will publish it on public branch with probability (\rho \alpha) (public branch wins). Finally, we observe event (o’_o): (1) when (o) or (b) finds a valid block, they will publish it on public branch with probability ((1 – \gamma)(1 – \alpha – \beta^b) + (1 – \gamma)\beta^b) (public branch wins), or publish it on private branch with probability (\gamma(1 – \alpha – \beta^b) + \gamma \beta^b) (private branch wins); (2) when (a_i) finds a valid block, he will publish it on public branch with probability ((1 – \rho)\alpha) (private branch wins); (3) when (a_i) finds a valid block, he will publish it on public branch with probability (\rho \alpha) (public branch wins).

Table 1: The state transitions of bribery initiation stage in BSSM

State (k \geq 2) and (k’ \geq 2)	State (s)	State (\delta)	(P_{o’_o})
(k \geq 2) and (k’ \geq 2)	(0’_a)	(0’_o)	(0’_b)
(k \geq 2) and (k’ \geq 2)	(0’_a)	(0’_o)	(0’_b)
(k \geq 2) and (k’ \geq 2)	(0’_a)	(0’_o)	(0’_b)

[ P_{o’_o} = \frac{\rho \alpha}{\rho \alpha} = \frac{1 – \alpha – \beta^b + \beta^b + \rho \alpha}{1 – \alpha – \beta^b + \beta^b + \rho \alpha} ]

[ P_{o’_o} = \frac{\rho \alpha}{\beta^b} = \frac{1 – \alpha + \rho \alpha}{1 – \alpha – \beta^b + \beta^b + \rho \alpha} ]

Based on Figure 4, we can get the state transitions of bribery initiation stage in Table 1. Furthermore, we obtain the winning probability $P_{b}^p$ of private branch and $P_{b}^p$ of public branch in states $k(k \geq 2)$ and $k'(k \geq 2)$ as follows:

$$P_{b}^p = P_0 \cdot ((1 – \gamma)(1 – \alpha – \beta^b) + \beta^p + \rho \alpha) + P_{o} \cdot ((1 – \gamma)(1 – \alpha – \beta^b) + (1 – \gamma)\beta^b + \rho \alpha)$$

$$P_{b}^f = \frac{1 – \alpha}{1 – \alpha + \rho \alpha} + P_0 \cdot (\gamma(1 – \alpha – \beta^b) + (1 – \rho)\alpha) + P_{o} \cdot (\gamma(1 – \alpha – \beta^b) + \gamma \beta^b + (1 – \rho)\alpha)$$

$$+ P_{o} \cdot (\gamma(1 – \alpha – \beta^b) + \gamma \beta^b + (1 – \rho)\alpha)$$

(2)

(3)

Observing Figure 5, we continue to analyze the rewards of each event. For event $0$: (1) when it transitions to event 0-1, $a$ gets 1 reward (probability $\rho \alpha$); (2) when it transitions to event 0-2, the rewards of $a$, $o$ and $b$ are determined later (probability $(1 – \rho)\alpha$); (3) when it transitions to event 0-3, $o$ gets 1 reward (probability $(1 – \alpha – \beta^b)$); (4) when it transitions to event 0-4, $b$ gets 1 reward (probability $\beta^b$). For event $0_0^e$: (1) when it transitions to event $0_0^e$-1, $o$ and $b$ get 1 reward (probability $(1 – \gamma)(1 – \alpha – \beta^b)$); (2) when it transitions to event $0_0^e$-2, $b$ gets 2 rewards (probability $\beta^b$); (3) when it transitions to event $0_0^e$-3, $a$ gets 2 rewards (probability $(1 – \rho)\alpha$); (4) when it transitions to event $0_0^e$-4, $a$ and $b$ get 1 reward (probability $\rho \alpha$); (5) when it transitions to event $0_0^e$-5, $a$ and $o$ get 1 reward (probability $\gamma(1 – \alpha – \beta^b)$). For event $0_0’$: (1) when it transitions to event $0_0’$-1, $a$ gets 2 rewards (probability $\rho \alpha + (1 – \rho)\alpha$); (2) when it transitions to event $0_0’$-2, $a$ and $b$ get 1 reward (probability $\beta^b$); (3) when it transitions to event $0_0’$-3, $a$ and $o$ get 1 reward (probability $(1 – \alpha – \beta^b)$). For event $1’$: (1) when it transitions to event 1′-1, $a$ gets 1 reward (probability $(1 – \alpha – \beta^b)$); (2) when it transitions to event 1′-4, the rewards of $a$, $o$ and $b$ are determined later (probability $(1 – \rho)\alpha$). For event $2’$: (1) when it transitions to event 2′-1, $a$ gets 3 rewards (probability $(1 – \alpha – \beta^b)$); (2) when it transitions to event 2′-2, $a$ gets 3 reward (probability $\beta^b$); (3) when it transitions to event 2′-3, $a$ gets 1 reward (probability $\rho \alpha$); (4) when it transitions to Event 2′-4, the rewards of $a$, $o$ and $b$ are determined later (probability $(1 – \rho)\alpha$). For event $3’$: (1) when it transitions to event 3′-1, $a$ gets $(1 + P_b^p)$ rewards, $o$ gets $P_b^p$ reward (probability $(1 – \alpha – \beta^b)$); (2) when it transitions to event 3′-2, $a$ gets $(1 + P_b^p)$ rewards, $b$ gets $P_b^p$ reward (probability $\beta^b$); (3) when it transitions to event 3′-3, $a$ gets 1 reward (probability $\rho \alpha$); (4) when it transitions to event 2′-4, the rewards of $a$, $o$ and $b$ are determined later (probability $(1 – \rho)\alpha$). The reward analysis of events $k(k > 3)$ is similar to event 3′. For event 1: regardless of whether event 1 transitions to event 1-1 (probability $(1 – \alpha – \beta^b)$), event 1-2 (probability $\beta^b$), event 1-3 (probability $\rho \alpha$), or event 1-4 (probability $(1 – \rho)\alpha$), the rewards of $a$, $o$ and $b$ are determined later. For event 2: (1) when it transitions to event 2-1, $a$ gets 2 rewards (probability $(1 – \alpha – \beta^b)$); (2) when it transitions to event 2-2, $a$ gets 2 rewards (probability $\beta^b$); (3) when it transitions to event 2-3 (probability $\rho \alpha$) or event 2-4 (probability $(1 – \rho)\alpha$), the rewards of $a$, $o$ and $b$ are determined later. For event 3: (1) when it transitions to event 3-1, $a$ gets $P_b^p$ reward, $o$ gets $P_b^p$ reward (probability $(1 – \alpha – \beta^b)$); (2) when it transitions to event 3-2, $a$ gets $P_b^p$ reward, $b$ gets $P_b^p$ reward (probability $\beta^b$); (3) when it transitions to event 3-3 (probability $\rho \alpha$) or event 3-4 (probability $(1 – \rho)\alpha$), the rewards of $a$, $o$ and $b$ are determined later. The reward analysis of events $k(k > 3)$ is similar to event 3.

Useful information for enthusiasts:

[1]YouTube Channel CryptoDeepTech
[2]Telegram Channel CryptoDeepTech
[3]GitHub Repositories CryptoDeepTools
[4]Telegram: ExploitDarlenePRO
[5]YouTube Channel ExploitDarlenePRO
[6]GitHub Repositories Keyhunters
[7]Telegram: Bitcoin ChatGPT
[8]YouTube Channel BitcoinChatGPT
[9] Bitcoin Core Wallet Vulnerability
[10] BTC PAYS DOCKEYHUNT
[11] DOCKEYHUNT
[12]Telegram: DocKeyHunt
[13]ExploitDarlenePRO.com
[14]DUST ATTACK
[15]Vulnerable Bitcoin Wallets
[16] ATTACKSAFE SOFTWARE
[17] LATTICE ATTACK
[18] RangeNonce
[19] BitcoinWhosWho
[20] Bitcoin Wallet by Coinbin
[21] POLYNONCE ATTACK
[22] Cold Wallet Vulnerability
[23] Trezor Hardware Wallet Vulnerability
[24] Exodus Wallet Vulnerability
[25] BITCOIN DOCKEYHUNT

Contact me via Telegram: @ExploitDarlenePRO