I am preparing the relaunch of http://ethereumlottery.io - a lottery which determines the winner based on the hash of a specific Bitcoin block (accessed via BTCRelay). This has the advantage that it's a very transparent source of randomness and anyone can easily confirm the results using a block explorer.

A Bitcoin block is currently worth around $30k in mining rewards, so a miner usually doesn't want to mess with it for fear of losing out on that money. But if we wager the outcome of a lottery on that block then one has to consider the incentives for a malicious miner to try to mess with the process. Specifically, a miner could buy a number of tickets for the lottery and then, if they happen to be the one who mines the specific block, check if they have the winning ticket. If not, they now have the option of simply discarding that block (at the cost of $30k) and then another block will be found and they get a second chance at maybe having the winning ticket.

Using the calculation below I'd like to figure out how low the jackpot needs to be so that it's not profitable to try to influence the result in this way. I'm using SymPy to solve the equations. First, start out with some symbols:

from sympy import * # J - jackpot (in USD) # T - total cost of all tickets (in USD) # f - fraction of all tickets bought by the attacker # h - fraction of hashing power of the attacker # B - block reward (in USD) J, T, f, h, B = symbols('J T f h B')

Define the cost of all tickets combined in terms of the jackpot - we'll pick 110 % for now:

T = 1.1 * J

The attacker is buying fraction f of all tickets and has some upfront cost for that:

cost_of_tickets = f * T

The attacker might simply win with one of the tickets:

ev_honest_win = f * J

In the case where the attacker does not win directly with one of the tickets (1 - f) and if the deciding block happens to be under their control (chance is fraction of hashing power h), they can throw that block away (forfeiting B), but gaining another shot at the jackpot (f * J).

ev_withhold_block = (1 - f) * h * (-B + f * J)

In total:

ev = ev_honest_win + ev_withhold_block - cost_of_tickets

If we let SymPy put together that equation it's some unwieldy thing that depends on all those symbols. So I'm going to substitute in some assumptions to look at a concrete scenario and then let SymPy simplify the result:

# Scenario to consider: # Jackpot is 300000 USD # Block reward is 12.5 * 2500 USD # Attacker controls 20 % of the hashing power scenario = ev.subs({J: 300000, B: 12.5 * 2500, h: 0.2}) pprint(simplify(scenario))

This gives us a curve now that describes the payoff for the attacker for different values of f (the fraction of tickets bought):

-60000 * f^2 + 36250 * f - 6250

And it looks like this: http://imgur.com/a/Av8YU

The maximum is somewhere around f = 0.3, so the optimal amount of tickets to buy is around 30 % of them. But even in this case the attacker is still losing money (payoff is negative).

So my conclusion would be that jackpots up to 300000 USD are currently safe against malicious miners who control up to 20 % of Bitcoin's hashing power, as messing with the process would risk losing more mining rewards than the increased chance at winning the lottery is worth.

I'd appreciate any input! Is this a reasonable approach to model this? Any errors in my thinking or things that I missed? Would be happy about feedback!

View the RAW markdown.