## Abstract

Mining processes of Bitcoin and similar cryptocurrencies are currently incentivized with voluntary transaction fees and fixed block rewards which will halve gradually to zero. In the setting where optional and arbitrary transaction fee becomes the prominent/remaining incentive, Carlsten et al. [CCS 2016] find that an undercutting attack can become the equilibrium strategy for miners. In undercutting, the attacker deliberately forks an existing chain by leaving wealthy transactions unclaimed to attract petty complaint miners to its fork. We observe that two simplifying assumptions in [CCS 2016] of fees arriving at fixed rates and miners collecting *all* accumulated fees regardless of block size limit are often infeasible in practice and find that they are inaccurately inflating the profitability of undercutting. Studying Bitcoin and Monero blockchain data, we find that the fees deliberately left out by an undercutter may not be attractive to other miners (hence to the attacker itself): the deliberately left out transactions may not fit into a new block without “squeezing out” some other to-be transactions, and thus claimable fees in the next round cannot be raised arbitrarily.

This work views undercutting and shifting among chains rationally as mining strategies of rational miners. We model profitability of undercutting strategy with block size limit present, which bounds the claimable fees in a round and gives rise to a pending (cushion) transaction set. In the proposed model, we first identify the conditions necessary to make undercutting profitable. We then present an easy-to-deploy defense against undercutting by selectively assembling transactions into the new block to invalidate the identified conditions. Indeed, under a typical setting with undercutters present, applying this avoidance technique is a Nash Equilibrium. Finally, we complement the above analytical results with an experimental analysis using both artificial data of normally distributed fee rates and actual transactions in Bitcoin and Monero.

M. Minaei—Part of this work was done while the author was at Purdue University.

## Access this chapter

Tax calculation will be finalised at checkout

Purchases are for personal use only

### Similar content being viewed by others

## Notes

- 1.
The next halving event to 3.125 BTC is scheduled for May 2024 [10].

- 2.
When there is a tie, they choose the chain with the oldest timestamp. If timestamps should be the same, they select a chain at random.

## References

Monero pools since 2016 (2020). http://moneropools.com/

Akerlof, G.A.: The market for “lemons”: quality uncertainty and the market mechanism. In: Uncertainty in Economics, pp. 235–251. Elsevier (1978)

Bitcoin.org: Memory pool. https://developer.bitcoin.org/devguide/p2p_network.html#memory-pool

Carlsten, M., Kalodner, H., Weinberg, S.M., Narayanan, A.: On the instability of bitcoin without the block reward. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 154–167. ACM (2016)

Courtois, N.T., Bahack, L.: On subversive miner strategies and block withholding attack in bitcoin digital currency. arXiv preprint arXiv:1402.1718 (2014)

Eyal, I.: The Miner’s dilemma. In: 2015 IEEE Symposium on Security and Privacy, pp. 89–103. IEEE (2015)

Abdolmaleki, B., Baghery, K., Lipmaa, H., Siim, J., Zajac, M.: UC-secure CRS generation for SNARKs. In: Buchmann, J., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2019. LNCS, vol. 11627, pp. 99–117. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-23696-0_6

Gong, T.: Bitcoin core source code updated to account for undercutting avoidance. https://github.com/haas256/bitcoin

Gong, T., Minaei, M., Sun, W., Kate, A.: Towards overcoming the undercutting problem. arXiv preprint arXiv:2007.11480 (2020)

Half, B.B.: Bitcoin halving 2024 (2020). https://www.bitcoinblockhalf.com/. Accessed 22 July 2020

Heilman, E.: One weird trick to stop selfish miners: fresh bitcoins, a solution for the honest miner (Poster Abstract). In: Böhme, R., Brenner, M., Moore, T., Smith, M. (eds.) FC 2014. LNCS, vol. 8438, pp. 161–162. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44774-1_12

Koutsoupias, E., Papadimitriou, C.: Worst-case equilibria. In: Meinel, C., Tison, S. (eds.) STACS 1999. LNCS, vol. 1563, pp. 404–413. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-49116-3_38

Kwon, Y., Kim, D., Son, Y., Vasserman, E., Kim, Y.: Be selfish and avoid dilemmas: fork after withholding (FAW) attacks on bitcoin. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 195–209. ACM (2017)

Kwon, Y., Kim, H., Yi, Y., Kim, Y.: An eye for an eye: economics of retaliation in mining pools. In: Proceedings of the 1st ACM Conference on Advances in Financial Technologies, pp. 169–182 (2019)

Lavi, R., Sattath, O., Zohar, A.: Redesigning bitcoin’s fee market. In: The World Wide Web Conference, pp. 2950–2956. ACM (2019)

Luu, L., Saha, R., Parameshwaran, I., Saxena, P., Hobor, A.: On power splitting games in distributed computation: the case of bitcoin pooled mining. In: 2015 IEEE 28th Computer Security Foundations Symposium, pp. 397–411. IEEE (2015)

Luu, L., Teutsch, J., Kulkarni, R., Saxena, P.: Demystifying incentives in the consensus computer. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 706–719 (2015)

Minaei, M., Gong, T.: Source code of the blockchain simulation and undercutting experiments. https://github.com/haas256/UP

Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)

Nayak, K., Kumar, S., Miller, A., Shi, E.: Stubborn mining: generalizing selfish mining and combining with an eclipse attack. In: 2016 IEEE European Symposium on Security and Privacy (EuroS &P), pp. 305–320. IEEE (2016)

Pass, R., Shi, E.: FruitChains: a fair blockchain. In: Proceedings of the ACM Symposium on Principles of Distributed Computing, pp. 315–324. ACM (2017)

Rosenfeld, M.: Analysis of bitcoin pooled mining reward systems. arXiv preprint arXiv:1112.4980 (2011)

Rosenfeld, M.: Analysis of hashrate-based double spending. arXiv preprint arXiv:1402.2009 (2014)

Blockchain Luxembourg S.A.: Bitcoin blockchain API (2020). https://www.blockchain.com/api. Accessed 26 Sept 2022

Blockchain Luxembourg S.A.: Bitcoin miners mining power (2020). https://www.blockchain.com/en/pools. Accessed 27 Feb 2020

Sapirshtein, A., Sompolinsky, Y., Zohar, A.: Optimal selfish mining strategies in bitcoin. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 515–532. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_30

Won, D.: 2020’s best monero pools (2020). https://www.exodus.io/blog/best-monero-pools/

Zhang, R., Preneel, B.: Publish or perish: a backward-compatible defense against selfish mining in bitcoin. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 277–292. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_16

## Acknowledgement

We would like to thank our shepherd Marko Vukolic and anonymous reviewers for their valuable comments. We thank Dankrad Feist for his feedback in the early stage of this project. This work has been partially supported by the National Science Foundation under grant CNS-1846316.

## Author information

### Authors and Affiliations

### Corresponding author

## Editor information

### Editors and Affiliations

## Giving Up After Two Blocks Behind

### Giving Up After Two Blocks Behind

We present major steps for analyzing the \(D=2\) case and the complete analysis can be found in the full report. Rational miners now make decisions at states \(S^*=\{(1,1),\) \((1,2),(2,1),(2,2),...\}\). The winning probabilities now comprise infinite series. Without loss of generality, we let \(F_{1}^0=1\), \(F_2^0=F_3^0=\gamma \), \(F_1^1=a,F_2^1=b\) and \(F_3^1=1+2\gamma - a - b \) (where \(a\in [0,1],\gamma \ge 0\)). \(F_2^0,F_3^0\) can be of different values in reality but here we use the same value to highlight the wealthiness of \(F_1^0\). Suppose eventually we derive an attacking condition *T* for setting \(D=2\) as well, then the undercutter would want to set *a* and *b* to satisfy \(\frac{1+\gamma -a}{a} > T\) and \(\frac{1+2\gamma -a-b}{b} > T\) to avoid being undercut.

We take the same route as in the \(D=1\) case. We know that if there is no attack, the undercutter expects to receive \(E[R_{\overline{u}}]=2\beta _u\gamma \). If it starts the attack, its expected return from the right branches (shown in Fig. 3) when the undercutter succeeds and no rational miners assist is

The limited bandwidth set condition, \(\gamma <\frac{\beta _u^2}{2(1-\beta _u)}\), is more demanding than the one for \(D=1\). For \(\beta _u=0.5\), the upper bound is now 0.25 instead of 1. For \(\beta _u=0.2\), the bound is 0.025 instead of 0.25. Overall, for weak attackers, the condition is way more demanding than before.

Next, we consider \(\gamma \ge \frac{\beta _u^2}{2(1-\beta _u)}\) (with sufficient bandwidth set) and the undercutter needs rational miners to join \(C_1\). Same as before, rational miners allocate their mining power among the two chains to maximize their expected returns:

where \(p_0\le (1-\beta _u-x\beta _r)^2\) is the probability of \(C_0\) leading by 2 blocks first and \(p_1\ge (\beta _u+x\beta _r)(\beta _u+x\beta _r+\beta _h)\) is the probability of \(C_1\) leading by 2 blocks first. Here we only consider the leftmost and rightmost branch in Fig. 3 because they are the two most significant paths. We can observe that the objective function is convex. By Jensen’s inequality, the expected returns reach maximum at either of the two ends. Again we let \(E[R_{r|x=0}]<E[R_{r|x=1}]\) and obtain

When \(\beta _h\le \beta _u\), flexible rational miners move to the fork if \(b> 0\). With rational miners joining, the expected return for undercutter on the rightmost branch is now \(E[R_{u}] = \big ( a + \frac{\beta _u}{\beta _u+\beta _r} b + \beta _u (1+2\gamma - a - b )\big ) \cdot \beta _u(\beta _u+\beta _r)\). We let \(E[R_{u}] > E[R_{\overline{u}}]\) and obtain the condition on \(\gamma \) for profitable undercutting:

where \(\mathbbm {1}^*_{\beta _h > \beta _u} = \infty \) if \(\beta _h \le \beta _u\) and 1 otherwise. Same as before, we denote the right-hand side condition as *T* and solve for *a* and *b* numerically by considering the strongest potential undercutter the attacker is facing.

where *T* and \(T'\) are the attack conditions for the undercutter under discussion and its strongest opponent. Here, \(\tilde{\gamma }, \tilde{\gamma }'\) are the fee totals in the respective third bandwidth set measured relative to the respective next bandwidth set.

We present the algorithm for \(D=2\) below.

## Rights and permissions

## Copyright information

© 2022 International Financial Cryptography Association

## About this paper

### Cite this paper

Gong, T., Minaei, M., Sun, W., Kate, A. (2022). Towards Overcoming the Undercutting Problem. In: Eyal, I., Garay, J. (eds) Financial Cryptography and Data Security. FC 2022. Lecture Notes in Computer Science, vol 13411. Springer, Cham. https://doi.org/10.1007/978-3-031-18283-9_22

### Download citation

DOI: https://doi.org/10.1007/978-3-031-18283-9_22

Published:

Publisher Name: Springer, Cham

Print ISBN: 978-3-031-18282-2

Online ISBN: 978-3-031-18283-9

eBook Packages: Computer ScienceComputer Science (R0)