Question about selfish mining

[stdo]

The attacker’s precise strategy for selfish mining is stated by Vitalik Buterin at bitcoinmagzine.com, which is excerpted below:
Suppose the attacker’s portion of the network hashpower is X, and when there are two competing public chains the portion of the network that picks up on the attacker’s chain is Z.
State 0: If the attacker’s private chain is the same as the public chain, mine on the private chain. With probability X, the attacker discovers a block and advances to state 1 (private chain 1 block ahead). With probability 1-X, the public network discovers a block, and the attacker resets his private chain to the public chain.
State 1: If the attacker’s private chain is 1 longer than the public chain, mine on the private chain. With probability X, the attacker advances to state 2 (private chain 2 blocks ahread). With probability 1-X, the public network discovers a block, setting the system to state 0′.

At state 0, with probability X, the attacker will be 1 block ahead and keep it unexposed. So the public network will work on the block continuously. When it comes to State 2, I doubt that the probability is still X, because the public network has been working all along, while the attacker starts after 1 block ahead and he/she may needs some time to collect transactions.

[1714104662]

1714104662

[1714104662]

1714104662

[aleksej996]

I find this post very confusing. First, as I can see, you declared an unused variable Z, which is pretty weird.

Also as I understand, selfish mining is when a miner finds a block he keeps it secret for some time, just to have a head start at finding the other block. It would be quite risky if he was just waiting for another block, he would have to have more than half of the hashpower to be sure that the block he found doesn't go to waste.

It is more profitable to publish a block, then to try to race the entire network, But it is pretty safe to keep it for few seconds. In the long run, I am not sure that this strategy is profitable, but it is maybe possible that sometimes it is.

I can tell you that if an attacker waited to find the second block before he publishes his fist one, he will have to throw away at least 100% - X of his blocks he finds, just to get two block rewards, because for each one he will have at most X chance of finding another block before the network. So if he throws away more then 2 blocks for every time he finds a second block on his secret one, he will be at a loss. That would mean that this has to happen at least one in three blocks, that he finds a second one. That would suggest he has at least  1/3 of the network hashrate. That is assuming he finds a block in a fist second, as with time his chances decrease. If he finds it in a 10th minute, he might as well publish it. Maybe... It is a risky business...

[DannyHamilton]

When it comes to State 2, I doubt that the probability is still X, because the public network has been working all along, while the attacker starts after 1 block ahead and he/she may needs some time to collect transactions.

Transactions are continuously collected. There is no delay for collecting transactions.  The "selfish miner" can immediately begin the next block as soon as they complete one.

[Swagtoshi]

Unless the attacker has over 50% of the hash power, there is no reason for him to not broadcast the block since his block chain is just going to be overtaken by the rest of miners.

[ranochigo]

Unless the attacker has over 50% of the hash power, there is no reason for him to not broadcast the block since his block chain is just going to be overtaken by the rest of miners.

Not needed. All you need is a node with an extremely good connection to many network peers.

When you find a block, you hold it and keep it to yourself. Next, when someone mines a block, your very well connected node will be one of the first to hear about it and you can broadcast your own block instead. If your block somehow gets propagated faster than the other pools (ie. Being directly connected to large mining pools), they will build on top of yours. If another block is found on top of yours, you don't lose anything.

[Swagtoshi]

Unless the attacker has over 50% of the hash power, there is no reason for him to not broadcast the block since his block chain is just going to be overtaken by the rest of miners.

Not needed. All you need is a node with an extremely good connection to many network peers.

When you find a block, you hold it and keep it to yourself. Next, when someone mines a block, your very well connected node will be one of the first to hear about it and you can broadcast your own block instead. If your block somehow gets propagated faster than the other pools (ie. Being directly connected to large mining pools), they will build on top of yours. If another block is found on top of yours, you don't lose anything.

That's a very interesting concept. But that strategy is very risky though. If the someone else broadcast his block and you aren't one of the first to hear about it, you could very well lose your block. I don't think that the big mining pools wouldn't be well connected. Also, you are wasting your hash power by not broadcasting and immediately mining the next block.

[stdo]

I find this post very confusing. First, as I can see, you declared an unused variable Z, which is pretty weird.

Also as I understand, selfish mining is when a miner finds a block he keeps it secret for some time, just to have a head start at finding the other block. It would be quite risky if he was just waiting for another block, he would have to have more than half of the hashpower to be sure that the block he found doesn't go to waste.

It is more profitable to publish a block, then to try to race the entire network, But it is pretty safe to keep it for few seconds. In the long run, I am not sure that this strategy is profitable, but it is maybe possible that sometimes it is.

I can tell you that if an attacker waited to find the second block before he publishes his fist one, he will have to throw away at least 100% - X of his blocks he finds, just to get two block rewards, because for each one he will have at most X chance of finding another block before the network. So if he throws away more then 2 blocks for every time he finds a second block on his secret one, he will be at a loss. That would mean that this has to happen at least one in three blocks, that he finds a second one. That would suggest he has at least  1/3 of the network hashrate. That is assuming he finds a block in a fist second, as with time his chances decrease. If he finds it in a 10th minute, he might as well publish it. Maybe... It is a risky business...

Sorry about the weird Z. In the long run the honest nodes that want to maximize their profit may join the local chain, potentially allowing for 51% attacks as a second stage.

[stdo]

Unless the attacker has over 50% of the hash power, there is no reason for him to not broadcast the block since his block chain is just going to be overtaken by the rest of miners.

He may not have over 50% of the hash power, but he has a chance to gathering that much.

[stdo]

When it comes to State 2, I doubt that the probability is still X, because the public network has been working all along, while the attacker starts after 1 block ahead and he/she may needs some time to collect transactions.

Transactions are continuously collected. There is no delay for collecting transactions.  The "selfish miner" can immediately begin the next block as soon as they complete one.

Even without the collecting time, I still doubt about the probability X. When the "selfish miner" begin the next block, they are not at the same base point as the public network.

[DannyHamilton]

Even without the collecting time, I still doubt about the probability X. When the "selfish miner" begin the next block, they are not at the same base point as the public network.

There is no base point.  Every hash is unique with the same probability of success.

[cz3kit]

The attacker’s precise strategy for selfish mining is stated by Vitalik Buterin at bitcoinmagzine.com, which is excerpted below:
Suppose the attacker’s portion of the network hashpower is X, and when there are two competing public chains the portion of the network that picks up on the attacker’s chain is Z.

So X is the hashpower of the attacker and Z is the probability that honest miners decide to join the adversaries chain.

State 0: If the attacker’s private chain is the same as the public chain, mine on the private chain. With probability X, the attacker discovers a block and advances to state 1 (private chain 1 block ahead). With probability 1-X, the public network discovers a block, and the attacker resets his private chain to the public chain.

This does not make sense to me. Why would the adversary have a private chain? There is no advantage for him.
In State 0 should be only one chain where everyone mines on top of it. The rest of your statement is correct. The adversaries probability to find a new block is X (State 1). He won't publish it but keep it to himself. He will also start to mine on top on his new 'private' chain. The rest of the network is still trying to find a new block and therefore wasting hashingpower. In case the honest miners find a new block (probability 1-X), we remain in State 0 and the game starts from the beginning.

State 1: If the attacker’s private chain is 1 longer than the public chain, mine on the private chain. With probability X, the attacker advances to state 2 (private chain 2 blocks ahread). With probability 1-X, the public network discovers a block, setting the system to state 0′.

The attacker's chain is 1 longer.

At state 0, with probability X, the attacker will be 1 block ahead and keep it unexposed. So the public network will work on the block continuously. When it comes to State 2, I doubt that the probability is still X, because the public network has been working all along, while the attacker starts after 1 block ahead and he/she may needs some time to collect transactions.

In State 0 the attacker and the honest miners are working on the same chain. The attacker is not 1 block ahead. That is the definition of State 0.

When you are in State 2, the attacker has already 2 blocks and holds them back. The probability that the adversary finds a new block is still X and the honest miners probability to find a new block is 1-X.
In case the adversary finds a new block, he will be 3 blocks in front and hold them back (State 3).
If the honest miners find a block they will be 1 block behind. What the adversary does is to release his 2 blocks. Since his chain is longer, we is going to win and receives the reward.

[senseless]

Makes sense, but it's risky as others say. It could be 50 minutes or 50 seconds before another pool finds a block. You could increase your chances of success by running multiple full nodes and having each full node be aware of the block being held back. The full nodes could then all broadcast your block whenever another block is discovered. With some modifications to the client on the full nodes and running a large number of full nodes all over the world, I could see this giving a miner a large advantage on the next block in the chain after they've found a block. You could further your chances of success by communicating only your nodes to other nodes when they ask for ip addresses of nodes to connect to. If all other nodes are only communicating with your nodes you can effectively denial of service and be the only miner on the network (assuming you're able to stop data you don't want from being broadcast over the network). Another possibility to increase chances of success are to use your full nodes to delay a block being broadcast to the network allowing you to start mining on the new block before other nodes are aware of it. Giving you an advantage over some other miners even if you didn't mine the last block.

Yet another reason to support master nodes that are paid for their service. There are already less than 10,000 full nodes. A nefarious actor with the backing could easily setup more than 10,000 nodes causing transaction and new block DoS.

[-ck]

Unless the attacker has over 50% of the hash power, there is no reason for him to not broadcast the block since his block chain is just going to be overtaken by the rest of miners.

Not needed. All you need is a node with an extremely good connection to many network peers.

When you find a block, you hold it and keep it to yourself. Next, when someone mines a block, your very well connected node will be one of the first to hear about it and you can broadcast your own block instead. If your block somehow gets propagated faster than the other pools (ie. Being directly connected to large mining pools), they will build on top of yours. If another block is found on top of yours, you don't lose anything.

That's totally and utterly impossible. All the pools and big miners are heavily interconnected via extremely high bandwidth low latency connections. Any delays in propagating your own block today is guaranteed suicide. This is a very finely tuned network that has evolved over many years, not some script kiddy quality p2p network, and such an assumption is guaranteed dry anal sex for those delaying their own propagation.

[emmanux]

This is a very finely tuned network that has evolved over many years, not some script kiddy quality p2p network, and such an assumption is guaranteed dry anal sex for those delaying their own propagation.

LOL

Good to know.

[stdo]

Even without the collecting time, I still doubt about the probability X. When the "selfish miner" begin the next block, they are not at the same base point as the public network.

There is no base point.  Every hash is unique with the same probability of success.

Let's say the nonce is from 0~100, and each node has to find one nonce to satisfy the requirement. The attacker has to start at 0, maybe it's just the one he needs, maybe not. The probability is 1%. While for the public network, they may start at 50(cause they try the nonce all along), and the probability is 2% now. It seems clearly that they have different base point.

[DannyHamilton]

Let's say the nonce is from 0~100, and each node has to find one nonce to satisfy the requirement. The attacker has to start at 0, maybe it's just the one he needs, maybe not. The probability is 1%. While for the public network, they may start at 50(cause they try the nonce all along), and the probability is 2% now. It seems clearly that they have different base point.

That's not how mining works.

Each miner is working on a different nonce, because each miner is working on a different block.

There is no guarantee that any of the nonce values will work. The miner that is "at 50" could continue all the way to 100 and still not find a working nonce. The miner that is starting at 0 may find their nonce before they get to 100.

Prior to calculating the hash, each hash has the same chance of success.  It doesn't matter it this is the 1,000,000,000,000,000th hash that you've computed or the first hash that you've computed. The chances that the hash will be successful are the same.

[coinmachina]

@stdo

Listen to what DannyHamilton said, he's right.

Unless the attacker has over 50% of the hash power, there is no reason for him to not broadcast the block since his block chain is just going to be overtaken by the rest of miners.

Not needed. All you need is a node with an extremely good connection to many network peers.

When you find a block, you hold it and keep it to yourself. Next, when someone mines a block, your very well connected node will be one of the first to hear about it and you can broadcast your own block instead. If your block somehow gets propagated faster than the other pools (ie. Being directly connected to large mining pools), they will build on top of yours. If another block is found on top of yours, you don't lose anything.

That's totally and utterly impossible. All the pools and big miners are heavily interconnected via extremely high bandwidth low latency connections. Any delays in propagating your own block today is guaranteed suicide. This is a very finely tuned network that has evolved over many years, not some script kiddy quality p2p network, and such an assumption is guaranteed dry anal sex for those delaying their own propagation.

Why is it impossible? All big pools are well connected but one of them might be just slightly better connected then the others.
Moreover selfish mining even increases your relative share of blocks if you have a poor connectivity to the network but a minig power of about 33%.

[-ck]

Why is it impossible? All big pools are well connected but one of them might be just slightly better connected then the others.
Moreover selfish mining even increases your relative share of blocks if you have a poor connectivity to the network but a minig power of about 33%.

No such thing. Once the data has left the miner it propagates across the internet at the same rate these days. That's like saying you will shoot a missile after someone else shoots one when you see it and it will arrive first, even though they both travel at the same rate. By the time you've seen it it has already travelled some distance, possibly even all the distance to its targets. It takes a maximum of 200ms to get to anywhere on the internet these days except during network outages and connectivity failures. There is latency involved between one bitcoin node receiving a block and propagating it to another bitcoin node, but no miner is only connected to just one node.

[stdo]

Let's say the nonce is from 0~100, and each node has to find one nonce to satisfy the requirement. The attacker has to start at 0, maybe it's just the one he needs, maybe not. The probability is 1%. While for the public network, they may start at 50(cause they try the nonce all along), and the probability is 2% now. It seems clearly that they have different base point.

That's not how mining works.

Each miner is working on a different nonce, because each miner is working on a different block.

There is no guarantee that any of the nonce values will work. The miner that is "at 50" could continue all the way to 100 and still not find a working nonce. The miner that is starting at 0 may find their nonce before they get to 100.

Prior to calculating the hash, each hash has the same chance of success.  It doesn't matter it this is the 1,000,000,000,000,000th hash that you've computed or the first hash that you've computed. The chances that the hash will be successful are the same.

Get it. Thanks a lot. Each hash will generate a random 256-bit number, so the probability that the number is smaller than the target is a constant.

[Quickseller]

I find this post very confusing. First, as I can see, you declared an unused variable Z, which is pretty weird.

Also as I understand, selfish mining is when a miner finds a block he keeps it secret for some time, just to have a head start at finding the other block. It would be quite risky if he was just waiting for another block, he would have to have more than half of the hashpower to be sure that the block he found doesn't go to waste.

It is more profitable to publish a block, then to try to race the entire network, But it is pretty safe to keep it for few seconds. In the long run, I am not sure that this strategy is profitable, but it is maybe possible that sometimes it is.

I can tell you that if an attacker waited to find the second block before he publishes his fist one, he will have to throw away at least 100% - X of his blocks he finds, just to get two block rewards, because for each one he will have at most X chance of finding another block before the network. So if he throws away more then 2 blocks for every time he finds a second block on his secret one, he will be at a loss. That would mean that this has to happen at least one in three blocks, that he finds a second one. That would suggest he has at least  1/3 of the network hashrate. That is assuming he finds a block in a fist second, as with time his chances decrease. If he finds it in a 10th minute, he might as well publish it. Maybe... It is a risky business...

Sorry about the weird Z. In the long run the honest nodes that want to maximize their profit may join the local chain, potentially allowing for 51% attacks as a second stage.

It would not make sense for non-attacking miners to join the private chain because chances are that any block found on this chain will get orphaned (if it is not already behind the public chain).

Also, if the attacker shares his withheld blocks with any non-attacker miners, then he is risking (and will most likely happen) the non-attacking miners broadcast the block to the rest of the network.

A selfish mining attack will always be unprofitable over the long run if he is a solo-miner or a collective pool (it would be unprofitable in terms of how much BTC block rewards the pool earns). There is a risk to a pool admin (especially a PPS pool admin/owner) that a troll miner with a large mining capacity mines on a pool, and withholds found blocks, depriving the pool of the revenue -- the troll miner would not gain anything from this, although he would cause harm to the pool.