1. Introduction

On March 24, the Bitcoin Cash mining concern, Coingeek, pledged not to build on top of blocks that contained "obvious double-spends" of unconfirmed transactions. The intent of the pledge was to improve the security of unconfirmed transactions--a noble and important goal for Bitcoin Cash. However, whether such a pledge helps achieve that goal is unclear. In this article we show how any mining opponent with more hash power than Coingeek can "game" this pledge. By applying the simple strategy described below, an opponent can increase her profit at the expense of Coingeek and its owner, Mr. Ayre.

To begin, we define the following three mining strategies:

A. Coingeek's stategy:

Examine newly-mined blocks for mempool conflicts. If a conflict exists, and if the conflicting transaction had been hidden, do not mine directly on this block (but if another block is added above that block, give up). If no conflict exists, use the default strategy.

B. Opponent's stategy:

Use the default strategy AND trigger Coingeek's strategy by announcing a transaction publicly while including a hidden double-spend in the mined block.

C. Default strategy:

Mine on the longest chain. If two chains of equal length exist, mine on the one first seen.

2. Analysis

Let A , B and C , respectively, represent the fraction of hash power adopting Coingeek's, the Opponent's, and the Default strategy. Since there are no other miners, A + B + C = 1.

For B > 0, both Coingeek and the Opponent will suffer increases in their orphan rates (we'll derive this in detail below). For example, Coingeek will have a block orphaned when it succeeds in mining a single block but fails to mine the second block required to trigger the reorg. The Opponent will have a block orphaned when Coingeek succeeds in triggering the reorg.

The orphan rate can be defined as

r = number of blocks orphaned / number of blocks found,

from which it follows that the rate at which blocks are committed to the blockchain is

1 - r = number of blocks committed to the blockchain / number of blocks found.

The expected number of blocks committed to the blockchain by each group over time T is

N a = A T (1 - r a),

N b = B T (1 - r b),

N c = C T.

The total blocks added to the blockchain over this period is

N = N a + N b + N c = A T (1 - r a) + B T (1 - r b) + C T

The fraction of blocks won by the Opponent miner is clearly

N b / N = B (1 - r b) / ( A (1 - r a) + B (1 - r b) + C ). (Eq. 1)

This is an important result. Since the network difficulty target adjusts so that the total number of blocks added to the blockchain per unit time remains approximately constant, if the opponent can increase her share of blocks then she will see a corresponding increase in revenue per unit time. That is, if application of her strategy results in

N b / N > B / ( A + B + C ),

she will come out ahead.

It is straightforward from Eq. (1) to show that the above inequality is equivalent to

r a / r b > (1 - B ) / A . (Eq. 2)

Next we calculate r a and r b and then prove, using the above equation, that any miner with more hash power than Coingeek can profitably game Coingeek's pledge.

3. What are the orphan rates for Coingeek and the opponent miner?

In order for Coingeek to succeed in triggering a reorg around the Opponent's block, it must solve two blocks before the other miners solve one. If Coingeek solves only one, they will lose that block. If they solve none, then neither Coingeek nor the Opponent will lose a block. When the Opponent finds a block (probability B ), there are thus three possible ways for the situation to resolve:

Opponent loses a block (probability A ^2)

Coingeek loses a block (probability A (1 - A ))

Neither lose a block (probability 1 - A )

The probabilities above assume that block propagation time is negligible and that both Coingeek and the Opponent have equal connectivity to the other miners on the network.

Coingeek finds blocks at a rate of A and loses them at a rate of B A (1 - A ), for an orphan rate of

r a = B ( 1 - A )

The opponent finds blocks at a rate of B and loses them at a rate of B A ^2, for an orphan rate of

r b = A ^2.

Substituting these equations into Eq. (2) (the equation that describes when the Opponent comes out ahead) gives

B (1 - A ) / A ^2 > (1 - B ) / A ,

which simplifies to

B > A.

In other words, any miner controlling more hash power than Coingeek can profitably game Coingeek's orphaning pledge.

4. Why is Coingeek's strategy weak?

Coingeek's strategy is weak because it requires solving two blocks before the rest of the network solves one block. This means it hurts itself more than it hurts the cheaters. It has been argued that miners may still adopt such strategies in order to disincentive bad behaviour on the network -- to "take one for the team" so-to-speak.

But the counterintuitive result derived in this article--due to the fact that difficulty readjusts lower--is that an Opponent with more hash power than Coingeek will come out ahead by intentionally triggering Coingeek's pledge. Instead of discouraging blocks with hidden transactions, Coingeek's pledge arguably encourages them!

5. How much hash power does Coingeek have?

Over the last 7 days, Coingeek was estimated to control 3.3% of the network hash power. This means that at least 6 other mining groups could independently game Coingeek's pledge to increase their revenue (SBI Crypto, BTC.top, AntPool, Bitcoin.com, BTC.com and ViaBTC).

6. Some numbers

Let's take ViaBTC as the Opponent. We then have B = 0.177, A = 0.033. Plugging in these numbers to calculate the change in revenue we find that ViaBTC would earn 0.48% more blocks per unit time by adopting the Opponent strategy, while Coingeek would earn 16.6% fewer blocks.

(It is interesting to note that ViaBTC could adopt this strategy and no miner (acting alone) could profitably game the pledge (at least according to this simplified model). However, deeper analysis may reveal that the network itself may become at risk of fracturing if too much hash power behaves this way).

7. Conclusion

I applaud Coingeek for this act of altruism. They pledged to take a hit to their profits in order to thwart double-spend fraud. However, what this article has shown is that their pledge is likely to backfire. Rather than discouraging miners from including hidden double-spend transactions in their blocks, Coingeek's pledge actually encourages them to do so. Indeed, any miner who controls more hash power than Coingeek can increase her revenue by intentionally gaming Coingeek's pledge.

Further reading

Here is a related article by Jason Cox that looks at the flaws in Coingeek's pledge from a more general point of view: https://www.yours.org/content/why-orphaning-blocks-with-double-spend-transactions-is-dangerous-f09f16779603

Here is a second article by im_uname that also illustrates problems with this approach https://www.yours.org/content/why-orphaning-doublespends-in-mempool-doesn-t-work-c5e07d0775d6

Here is a video by the author describing a scientific way of detecting and reacting to unconfirmed-transaction fraud: https://www.youtube.com/watch?v=yXFuNkaYcPQ