Bitcoin Magazine

Show Menu

Selfish Mining: A 25% Attack Against the Bitcoin Network

One of Bitcoin’s core security guarantees is that, for an attacker to be able to successfully interfere with the Bitcoin network and block and reverse transactions, they need to have more computing power than the rest of the Bitcoin network combined. The reason for this is that the Bitcoin network builds up its transaction history in the form of a “blockchain”, with a random node adding a new block on top of the previous block every ten minutes. To reverse a transaction, an attacker would need to make a transaction and then “fork” the blockchain one block behind the block the transaction was included in – from which point the attacker would be in a computation race against all of the other miners combined as he attempts to catch up. A new paper by Cornell University researchers Ittay Eyal and Emin Gun Sirer, however, significantly reduces Bitcoin’s security guarantee by introducing another type of attack – an economic attack. The economic attack does not allow hostile miners to mount successful attacks against Bitcoin unilaterally, but it does change the incentives such that normally honest, profit-maximizing nodes would want to join the attacker’s coalition, potentially allowing for 51% attacks as a second stage.

The high-level overview of the attack is this: rather than acting as a normal miner and publishing blocks to the network immediately upon finding them, the attacker selectively publishes blocks, sometimes sacrificing his own revenue but also often publishing many blocks all at once and thus forcing the rest of the network to discard blocks and lose revenue. This does reduce the attacker’s revenue in the short term, but it reduces everyone else’s revenue even more, so neutral nodes now have the incentive to join the attacker’s coalition to increase their own revenue. Eventually, the attacker’s coalition would expand to above 50% in size, potentially giving the attacker a high degree of control over the network.

The attacker’s precise strategy is as follows. The attacker keeps track of its own “private chain”, which is separate from the “public chain” that the rest of the network works on. At first, the private chain and the public chain start out the same. The attacker always mines on the private chain and keeps any blocks that he finds private. The strategy dictates exactly when the attacker should publish blocks. Suppose the attacker’s portion of the network hashpower is X, and when there are two competing public chains the portion of the network that picks up on the attacker’s chain is Z.

  • State 0: If the attacker’s private chain is the same as the public chain, mine on the private chain. With probability X, the attacker discovers a block and advances to state 1 (private chain 1 block ahead). With probability 1-X, the public network discovers a block, and the attacker resets his private chain to the public chain.
  • State 1: If the attacker’s private chain is 1 longer than the public chain, mine on the private chain. With probability X, the attacker advances to state 2 (private chain 2 blocks ahread). With probability 1-X, the public network discovers a block, setting the system to state 0′.
  • State 0′: The attacker publishes his block. There are now two competing chains, both one block long. With probability X, the attacker will discover another block, causing the network to switch over to the private chain. The attacker gains a revenue of 2, and the system resets to state 0. With probability (1-X)Z, the network finds a block on top of the attacker’s block. The attacker and the network gain a revenue of 1, and the system resets to state 0. With probability (1-X)(1-Z), the network finds a block on top of its own block, the network gains a revenue of 2 and the system resets to state 0.
  • State 2: With probability X, the attacker advances to state 3 and earns a revenue of 1 (technically, the attacker will earn the revenue later, but it’s easier to account for it here). With probability 1-X, the network finds a block, so the attacker publishes his 2-block private chain, which is still one block longer than the public chain, so the network will switch to the attacker’s chain. The attacker earns a revenue of 2.
  • State n (n > 2): with probability X, the attacker advances to state n+1 and earns a revenue of 1. With probability 1-X, the attacker falls back to state n-1.

To see why this strategy works, suppose that Z is close to one. In this case, there is never any chance that the attacker has to discard a block; the only time that might happen is from state 0′, and if Z ~= 1 almost all of the network, attacker and other nodes included, is mining on the attacker’s block so the attacker’s block will not be discarded. Thus, the attacker is mining at full efficiency. However, the public network might see blocks discarded at state 0′ and state 2, so the public network is mining at partial efficiency. Thus, neutral (profit-maximizing) nodes have the incentive to join the attacker’s coalition to increase their revenue. As Z decreases, the attacker’s advantage goes down; at Z = 0.5, Eyal and Sirer showed that the attacker becomes more efficient than the public network at X > 1/4, and if X > 1/3 the attacker is more efficient than the public network at any Z.

So how do we calculate Z? Currently, the Bitcoin network is set to follow a simple rule: every node only mines and propagates the first block that it sees. Against attackers with only mining power, this is a successful defense; because the attacker’s strategy is reactive, publishing blocks only after the public network does, Z is close to zero. However, well-funded attackers (or attackers controlling botnets) can mount a “Sybil attack”, creating millions of nodes and inserting them into the network in as many places as possible. During an attack, the Sybil nodes would propagate only the attacker’s blocks. In this case, the Eyal and Sirer conjecture, Z can potentially get very close to one. In reality, that is not quite true; at the minimum, every mining pool will be the first to hear about its own blocks, so Z <= 0.8 is essentially guaranteed, but it is a matter of debate just how much a Sybil attack can do. To make Bitcoin secure against Sybil attacks, Eyal and Sirer argue, honest miners should switch to the strategy of propagating all blocks and if they receive multiple competing chains of the same length mining on a random one. If all miners implement this, we would have Z = 0.5, creating a reasonably threshold of X >= 1/4 for this attack to work.

Is this a fatal threat to Bitcoin? Not really. The idea behind the attack is not new; very similar attacks were theorized about on the Bitcoin forums as early as 2010, and lead Bitcoin developer Gavin Andresen himself participated in the discussion. However, at the time no action was taken – largely because everyone at the time considered the attack to be not worth worrying about compared to the other threats that Bitcoin has to face. In practice, most Bitcoin miners act altruistically to support the network, both out of ideological considerations and because they do not want to destabilize the source of their own revenue. Such higher-level economic concerns are beyond the scope of Eyal and Sirer’s paper, but they seriously reduce the chance that this economic attack will work in practice.

Furthermore, unlike a standard 51% attack, which only becomes obvious after the fact, this economic attack would need to be announced in advance to let neutral miners know that they have the opportunity to join the attacking coalition for their own benefit. Thus, mining pools cannot practically pull this off; as soon as one announces its intention to cheat the network, its users will leave out of ideological considerations, and even if they do not other mining pools will likely offer heavy discounts on fees to that mining pool’s users to convince even profit-maximizing participants to switch away. But nevertheless, Eyal and Sirer’s result, as well as the work of others in the years before, are an important and under-appreciated part of the game-theoretic research around Bitcoin, showing us that Bitcoin’s network security is slightly less infallible than we at first might think it is.

Get Top Stories Weekly

We respect your email privacy

  • Nathan Scott

    Very interesting. A third factor to consider is the variability in mining rewards. In the future as the automatic reward drops, transaction fees will be the primary revenue source. Since bitcoin usage is wildly variable over any time period, any blocks that have higher than average rewards will greatly increase the incentives to attempt to privately mine, even after the public network is already ahead.

  • Zyo

    Good luck getting 25% of the network processing power of Bitcoin. It’s a very “academic” scenario, next to impossible in real life.

    • x3notif

      BTC Guild has over 25% of the network processing. Others are not too far away.

      • Zyo

        Yeah but BTC Guild admin would destroy its entire business for doing that… after a few block, the real blockchain would take over and reverse everything (profit or double spent).

        The article need also to ” creating millions of nodes and inserting them into the network in as many places as possible”. That’s not something easy… the interconnection between the user is very strong and I don’t think this is possible.

        • Nathan Scott

          I don’t think you really understand what is going on. It’s not necessarily any more or less possible than anyone else who discovers a block. The millions of nodes part just makes the chances of preempting the public block higher.

          This is the argument in short form: Pool “Selfish Mine” mines in the dark and gets ahead by one block. Now they don’t want to help anyone else in getting caught up, so they continue to mine in the dark. If they continue to get ahead, even better. More often than not the public network will produce a new block and catch up. What Selfish Mine must do is then publish theirs as quickly as possible in an attempt to have the network legitimize it over the public block. It is reasonable to assume something like a 50% chance of telling other nodes first, and since they themselves are accepting their own block, the majority of the time the network will pick up the private block. If they develop a set of supernodes that push their block over the public one they can have a chance approaching 100%. To combat this any pool operators must serve their block discoveries to as many large nodes as possible at one time.

          • Zyo

            Heu, 25% will never have more block that the 75%… only for a short period of time… Read the forbes article that destroyed this study… I’m not alone that doesn’t buy it.

          • Nathan Scott

            It didn’t “destroy” anything. Andresen only said it wasn’t peer reviewed. Also, this attack doesn’t stop bitcoin from working. It just makes mining more annoying.

    • Bitcoin IT

      I think so too it’s “academic” scenario; we will see if it is attempted this type of attack with some altcurrency

    • agilob

      > Good luck getting 25% of the network processing power of Bitcoin. It’s a very “academic” scenario, next to impossible in real life.

      BTC is sooo incredibly unpredictable…

    • Tymat

      China could most definitely do this with very little effort. Most of the ASIC manufacturers are already there so all they do is seize the factories and ramp up manufacturing to the point that they can get enough hashing power while still making it economically viable. It definitely puts the whole economic sovereignty argument that has made Bitcoin popular at great risk.

    • Dario Alvarez

      As of June 2014, GHash nears 51% of the network’s mining power

  • igl00

    hmm very interesting, chances are small but imagine china doign that

    • kroll

      You mean U.S.

  • Spotted Marley

    if it can be done then it most certainly will be tried by some very serious people. i hope a safeguard will be thought up and implemented in a future build.

  • makerofthings7

    Won’t Microsoft’s paper on Bitcoin and Red Baloons ensure full propagation of the Tx?

  • James

    Although many miners would never join a selfish pool, once a selfish pool attack got started, some miners would get sucked into it because they would think it was the end of Bitcoin, and they would want to wring as much profit as possible out of the system before it died.

  • Lear

    This shellfish-mining attack is not applicable to pools, since the attack requires
    the secrecy of the new mined blocks, which cannot be guaranteed while they are
    shared with all pool’s miners.

    The only thing a (centralized) pool could do is to withhold a new block someone in
    the pool have found, while the other pool members keep trying to mine on top of
    the older block (the last to be published), until a competitive block of
    non-pool miner have been released. Then the one or more blocks the pool has
    found will be released too – and hopefully win the race over the non-pool
    competitor. By doing so the pool’s relative share out of all mining rewarding
    is unchanged (or even decreased, since sometimes the competitors will win the
    race), so the attack is unreasonable.

    So…as long as there is no solo miner (or small coalition of corrupted miners) with
    more than 25% of the total hash-rate, Bitcoin is equally safe.


  • Dusty

    Thanks for this excellent article Vitalik, it puts the (real) problem on the right perspective.

  • Ade

    It needs evaluation and safeguards building in if it’s a real threat, Central Bankers and Govt’s might try it.

  • Markus Virba

    The hash would drop by 25% if they wanted to take the calculation off line. A red flag for exchanges to shut down automatically.

  • Peter

    The only coin with 51% attack protection built in already is Feathercoin due to its ACP (Advance Checkpoint) feature. Makes it safer now (they had an attack early on) than other coins but also technically decentralizes it a bit with that single register – but that could work in its benefit in the future if we see regulations appear requiring some type of centralization by governments for some transaction checking – e.g. anti-laundering/terrorism uses.

    • Solo Atkinson

      In other words, a new kind of normal bank and this is their database.