Incentives in the Ether: Practical Cryptocurrency Economics & Security

Cryptocurrencies are becoming increasingly important for the modern economy. Prior literature focuses on aligning actor incentives to ensure the secure and efficient operation of cryptocurrencies against adversarial threats that are unobserved in the wild. In this work, we address the gap between the theory and practice of cryptocurrencies by advancing realistic approaches to analyze the economics and security of key cryptocurrency components: consensus mechanisms, transaction fee mechanisms (TFMs), and the application layer. We present novel models of these components that we evaluate both theoretically and using cryptocurrency clients. We augment our evaluation with the first evidence of an in-the-wild attack on a major cryptocurrency, highlighting our approach's practicality. Results contained in our work were adopted by cryptocurrency platforms that hold user assets worth over 300 billion.


INTRODUCTION
Cryptocurrencies are central to the burgeoning Web3 economy: Ethereum alone processes transactions worth billions of USD every day and is also home to a vibrant decentralized finance (DeFi) ecosystem that stores value measured in hundreds of billions of USD [22].Cryptocurrencies are operated by a decentralized network of "miners", who may manipulate the system for profit.The interplay between mining incentives and system security has been widely explored; e.g., prior art shows that popular cryptocurrency consensus mechanisms are vulnerable to block withholding attacks that increase an attacker's share of block rewards [4,12].
However, previous work did not find conclusive evidence of such attacks occurring in the wild against major cryptocurrencies [12,9,1].Given the frequency of security incidents in the cryptocurrency application layer [22], and as block rewards converge to 0 in Bitcoin and other tokens, these findings imply that there is a gap between the theoretical and practical security of consensus mechanisms.Recent work highlights similar gaps for other mechanisms, such as TFMs [8].Thus, it is natural to ask: can we create and analyze realistic cryptocurrency models that capture real-world settings?
This Work.We propose realistic approaches to analyze the economic incentives of cryptocurrency actors and their impact on the security of several cryptocurrency mechanisms.We model the economics of consensus mechanisms [19], and present two novel attacks that allow miners to increase their profits from both block rewards and other revenue sources, such as transaction fees and cryptocurrency applications [18,17].Beyond consensus mechanisms, we show that one can relax some modeling assumptions made by works that model TFMs as auctions [8], and extend their models to a non-myopic setting [7].Moreover, we analyze the vulnerability of existing TFMs to attacks that allow adversarial transactions to pay lower-than-expected fees [20].Finally, we examine the cryptocurrency application layer [18,3,11,21,16], and show that applications may incentivize actions that harm the system's security.The practicality of our attacks is shown by evaluating them using cryptocurrency clients, and by our discovery that a miner was employing similar techniques to attack Ethereum for two years [17], making this the first discovery of an in-the-wild attack against the consensus layer of a major cryptocurrency.We hope that our work paves the way for more realistic cryptocurrency threat models, thus improving the practical security of cryptocurrencies.

PROBLEM
Cryptocurrencies usually prescribe an "honest" mining protocol that upholds the system's security, yet miners may be incentivized to deviate from the protocol and attack the system if it is profitable for them, putting user funds at risk.Some deviations explored in the literature were not observed in the wild, raising doubts about the threat they pose.This leads to our main research question: RQ 1. Are the deviations explored by the literature applicable to real-world settings, and if not, which realistic deviations do exist?
However, an analysis of actor incentives and their impact on security is hampered by the complexity and variety of cryptocurrency mechanisms.Thus, we refine RQ 1 by taking into account the layered structure of cryptocurrencies (see Fig. 1):

Application Layer
Task: user-created programs that operate "on top" of a cryptocurrency.Incentives: set by applications (e.g., pay interest for user liquidity).

Consensus Layer
Task: coordinates the miners operating the cryptocurrency.
Figure 1: An overview of several core cryptocurrency "layers", and the threats on each that we explore in this work.
RQ 2. For each layer and combination of layers, how can actors deviate to increase their profits in real-world scenarios?
We follow with an overview of each layer: Consensus layer.Consensus mechanisms allow a network of miners to agree on the identity and order of transactions that were processed by the system.Miners collect user transactions in batches called blocks, and receive a block reward for each batch.proof-ofwork (PoW)-based mechanisms (like Bitcoin's) require that blocks contain a solution to a difficult puzzle and a pointer to a previous block, thus resulting in a blockchain.Bitcoin's whitepaper claims that if no adversarial miner controls more than 51% of the network's mining power, then it is incentive compatible to mine honestly, namely: to extend the chain where the puzzles' total difficulty is the largest, and publish mined blocks to others immediately.
Transaction layer.The amount of transactions that can be included in a block is limited.When the capacity is reached, an auction on blockspace ensues: users can incentivize their transactions' inclusion by paying fees that are collected by the first miner to include these transactions in a block.TFMs determine how much fees are charged from users and paid to miners.Ideally, TFMs should be user incentive compatible (UIC) (users should attach fees that are equal to their value for having their transactions allocated to a block), miner incentive compatible (MIC) (miners should adhere to the honest transaction allocation strategy), and collusion proof (CP) (users and miners should not profit from collusion).
Application layer.Cryptocurrencies like Ethereum support decentralized applications.Applications may incentivize user participation; e.g., lending protocols can pay interest on supplied funds.

STATE OF THE ART
Consensus Mechanisms.The "Selfish Mining" attack [4] and its extensions [12,9] show that Bitcoin-esque mechanisms are vulnerable to block withholding, where adversarial miners increase their profits by publishing blocks later than the honest protocol requires.Some attribute the lack of observed selfish mining attacks to the waiting period until they become profitable [12] and to the damages that can be incurred if attacks are discovered [1], while others show deviating is unprofitable when multiple miners are selfish [9].Notably, if mining costs are mostly variable (e.g., electricity costs that can be saved by not mining), it is profitable to mine intermittently (i.e., repeatedly switch between mining and not mining), even when other miners do the same [5].
TFMs.The UIC, MIC and CP properties were proposed by [14] as the desired properties that TFMs should satisfy.The impossibility results of [2] show that TFMs which are both UIC and CP produce at most 0 revenue from fees.Two works show Ethereum's TFM was insecure: the "DETER" attacks of [10] create invalid transactions that occupy memory space but pay low fees, and the "Broken Metre" attack of [13] creates low-fee transactions that are costly for miners to execute.Both were observed in the wild and mitigated.

PROPOSED APPROACH
Timestamp Manipulations.Intuitively, selfish mining attacks increase an adversary's share of the rewards as hiding blocks and publishing them later can discard blocks created by others.We note that the same can be achieved without withholding: honest miners should extend the chain with the largest total difficulty, with difficulty determined by the time between blocks.Thus, miners can manipulate their clocks to create high-difficulty blocks that discard others' blocks (see Fig. 2).In [17], we devise and analyze timestamp manipulation attacks that are more profitable than mining honestly.
Application Layer Rewards.Our examination shows that intermittent mining is supported by mining software and thus realistic [19].However, the results of [5] on intermittent mining hold if mining costs are significant relative to block rewards, while in some cryptocurrencies rewards converge to 0. To account for low rewards, in [18] we show profits can be extracted from the application layer: attackers can mine intermittently to manipulate the block-rate and create arbitrage between two types of lending applications (see Fig. 3), as some give interest on deposits according to block timestamps, while others accrue per new block under the assumption that the block-creation rate is constant in expectation.
Mining Value.Prior work analyzes the expected revenue of miners, but ignores its volatility: While electricity is paid for in some fiat currency (e.g., USD), mining profits are denoted in a cryptocurrency (e.g., BTC), which may have a volatile exchange rate.As [5] examine cases where costs are significant, even minor fluctuations in the exchange rate lead to losses.In [19], we account for the impact of the volatility of mining rewards on the value of mining, while noting that real miners prevent losses by turning off their mining machines when the exchange rate makes mining unprofitable, implying that the value of mining hardware can be modeled as a bundle of European financial options.
Relaxed TFMs.TFM designs analyzed by previous works [14,2] utilize sophisticated techniques to partially satisfy the TFM desiderata, resulting in added complexity and lower revenue.This desiderata is strict and thus naturally leads to impossibility results, while classical auction theory works have shown that relaxed equivalents of some properties circumvent similar impossibilities.Thus, in [8] we show that even simple TFM designs can achieve good performance, when considering reasonably relaxed properties.In [6] we show that prior work conflated two CP notions called side-contract-proof (SCP) and off-chain-agreement (OCA), while SCP is stricter than OCA.This leads us to conduct an analysis of OCA TFMs, as SCP was previously found to drastically restrict revenue.
Non-myopic TFMs.The literature analyzes TFMs in a myopic setting, where users only care about having their transactions processed in the upcoming block, and miners only care about their profits from the next block.However, users are known to pay low fees if they are patient: popular cryptocurrency wallets have "fee calculators" that suggest fees as a function of a transaction's urgency.Moreover, various cryptocurrency services support "expiring" transactions that become invalid after a user-specified time.Myopic transaction allocation ignores such long-term considerations, potentially leading to lower revenue.In [7], we analyze non-myopic allocation strategies when transactions are characterized by both their fees and expiration dates.Due to the economic setting, we also account for the possibility of miners having some preference to receive profits earlier rather than later, i.e., that miners discount future transactions according to some discount rate.
TFM DoS Attacks.Previous attacks on Ethereum's TFM were mitigated [13,10].We note that miners often "speculatively" process transactions without being compensated for their work.Moreover, speculation is necessary, otherwise one would have to invest even more resources to evaluate each transaction's profitability.We identify several important factors that serve to further hinder an actor's ability to correctly speculate on transaction profitability: the separation of actor roles in Ethereum's proposer-builder separation (PBS) ecosystem, the prevalence of censorship in Ethereum [15], and Ethereum's requirement that transactions by each user be executed in a user-specified order.In [20], we show that these factors can be used to trick victims into spending their computational resources on adversarial transactions that appear lucrative but are costly to execute and pay low fees (if any).Successful manipulations in this vein are essentially denial-of-service (DoS) attacks, as they can prevent miners from processing honest transactions.

METHODOLOGY
We evaluate our approaches using established benchmarks, where applicable.Importantly, we augment these benchmarks and highlight the practicality of our threat models by implementing some of our attacks in geth, Ethereum's most popular execution client.
Timestamp Manipulations & Application Layer Rewards.In [18,17], we model mining as a Markov process (MP), which is analyzed to compare the profits made by our attacks relative to mining honestly.While prior art assumes mining difficulty converges to some value, our attacks manipulate difficulty.Thus, for "Timestamp Manipulations", we show in [17] that our attack is profitable for all historic Ethereum difficulty values, and for "Application Layer Rewards", in [18] we analytically solve simple cases, while for complex ones we include mining difficulty in our MP and solve it using machine learning techniques, primarily reinforcement learning.
Mining Value.We apply financial option theory to measure the value of mining in [19].The literature prescribes a method to "imitate" the value of the asset that is measured by trading in related assets (i.e., the mined cryptocurrency), thus allowing one to evaluate the proposed approach on historical data.
Relaxed TFMs.In [8,6], we evaluate the revenue of specific TFMs, and the optimal revenue obtainable by TFM classes that satisfy interesting combinations of desired properties.Non-myopic TFMs.In [7], we adopt the competitive ratio benchmark used by previous works to measure an allocation strategy's worst-case performance, relative to an optimal one.We note that the used model and analysis techniques bear similarities to those used in the packet-scheduling literature, yet that we significantly diverge due to our discounting of future revenue.TFM DoS Attacks.In [20], we create a testing framework that executes our attacks on a local private Ethereum testnet.As our goal is to prevent victims from being able to allocate transactions to blocks, we run the testnet on strong hardware and measure the amount of honest transactions that victims allocate to blocks.

RESULTS
Timestamp Manipulations.In [17], which was published before Ethereum's transition to a proof-of-stake (PoS) mechanism, we present several significant discoveries: (1) We prove our novel timestamp attacks risklessly increase attacker profits.(2) We implement an attack variant for Ethereum's geth client to demonstrate the applicability of our results.(3) We give the first evidence of miners attacking a major consensus mechanism, showing that Ethereum was attacked for nearly two years by F2Pool (the second largest mining pool in Ethereum at the time).Application Layer Rewards.In [18], published before Ethereum's transition to PoS, we show that a 25% miner can apply the intermittent mining technique to "stretch" the time between blocks by up to 33% in Bitcoin, and 54% in Ethereum.Moreover, we show that when this technique is used to manipulate lending applications' interest rates, a 25% miner can increase its profits by up to 35%.Mining Value.In [19], we apply our method to show that the Bitmain Antminer S9, a popular type of mining machine, was typically overpriced between 2016 and 2020.Furthermore, we show a surprising result: the volatility of mining profits increases the value of mining.Thus, lower volatility may affect cryptocurrency security.
In particular, the value of a mining machine given Bitcoin's peak annual volatility is larger by 20% when compared to an equivalent machine's value given Bitcoin's annual volatility on June 2021.Relaxed TFMs.In [6], we show that previous work conflated two CP notions called SCP and OCA-proofness, while SCP is stricter than OCA-proofness.Unfortunately, we find that in certain cases, TFMs that are UIC, MIC and OCA-proof necessarily result in 0 revenue, thereby resolving the open question of [14], that underlies a major line of works on TFMs.In [8], we show that by restricting user fees to discrete values (while previous works implicitly assumed fees are continuous), one can design a TFM that is both UIC and SCP yet obtains non-zero revenue.Alas, we bound the revenue of discrete-fee TFMs and show that it is low.We furthermore prove that Bitcoin's TFM is revenue optimal among a natural class of OCA-proof TFMs in the "traditional" continuous setting.
Non-myopic TFMs.In [7], we prove an upper bound for the competitive ratio of an optimal strategy, tight bounds for the competitive ratio of the myopic strategy.We furthermore present an alternative "biased" strategy that outperforms the myopic one, and prove its optimality for large regimes of the parameter space.TFM DoS Attacks.In [20], we present several attacks.In particular, we show that by sending 140 transactions that have an expected cost of $376, an adversary can prevent a victim running capable hardware from being able to include honest transactions in blocks.Additional Results.We briefly mention several works that analyze the blockchain application layer, which were omitted due to lack of space.In [21], we find that actors perform suboptimally when interacting with DeFi applications, we show optimal strategies for several cases, and present circumstantial evidence that actors have been taking advantage of such suboptimality for their own profit.Cryptocurrency applications commonly mint governance tokens that allow their holders to vote on proposals that modify the underlying applications.In [11], we analyze "airdrop" schemes which are commonly used to distribute governance tokens, and find that so-called airdrop farmers who pose as real users to receive such tokens usually obtain a large share of the proceeds and sell their rewards quickly after receiving them.In [3], we go over notable incidents stemming from flawed governance mechanisms, and analyze related empirical data showing that transaction fees affect voter turnout.In [16], we analyze the effect of costs on sequential voting procedures and show that vote timing is an important strategic choice: strategic voters should account for costs and for the arrival of other voters to the ballot when deciding if and when to vote.

CONCLUSIONS AND FUTURE WORK
In this paper, we present our work toward more realistic cryptocurrency models.Our approach resulted in several novel techniques which were unexplored by the literature and which allowed us to extend the realm of possible miner deviations that cryptocurrency mechanism designers should consider.In particular, we uncover proof that miners were using similar techniques in the wild to attack Ethereum, the first evidence of this type.
Future & Ongoing Work.The authors find TFMs to be a promising area of research.With respect to TFM attacks in the vein of [20], we suggest mitigations for them in the paper, but these result in severely degraded cryptocurrency performance.Thus, we are currently in the process of understanding how attacks can be mitigated while preserving performance as much as possible.Furthermore, we highlight the importance of additional work on the impact of time on blockchain mechanisms and actor incentives, a topic that is a major running theme in our work [18,19,17,8,7,16].Although blockchains are commonly thought of as "timestamp servers", there is much to be done to improve our understanding of how time influences various blockchain dynamics.In particular, time is pertinent to blockchain governance [16], and we expect research on the temporal aspects of social choice theory to produce important results that extend beyond the blockchain setting.

Figure 3 :
Figure 3: Adversarial intermittent mining can stretch the block-rate and increase application layer rewards.
Figure By falsely setting   <<   , an adversarial block's difficulty   increases relative to an honest one's   .