1. Introduction

On March 24, the Bitcoin Cash mining concern, Coingeek, pledged not to build on top of blocks that contained "obvious double-spends" of unconfirmed transactions. The intent of the pledge was to improve the security of unconfirmed transactions--a noble and important goal for Bitcoin Cash. However, whether such a pledge helps achieve that goal is unclear. In this article we show how any mining opponent with more hash power than Coingeek can "game" this pledge. By applying the simple strategy described below, an opponent can increase her profit at the expense of Coingeek and its owner, Mr. Ayre.
To begin, we define the following three mining strategies:

A. Coingeek's stategy:

Examine newly-mined blocks for mempool conflicts. If a conflict exists, and if the conflicting transaction had been hidden, do not mine directly on this block (but if another block is added above that block, give up). If no conflict exists, use the default strategy.

B. Opponent's stategy:

Use the default strategy AND trigger Coingeek's strategy by announcing a transaction publicly while including a hidden double-spend in the mined block.

C. Default strategy:

Mine on the longest chain. If two chains of equal length exist, mine on the one first seen.

2. Analysis

Let A, B and C, respectively, represent the fraction of hash power adopting Coingeek's, the Opponent's, and the Default strategy. Since there are no other miners, A + B + C = 1.
For B > 0, both Coingeek and the Opponent will suffer increases in their orphan rates (we'll derive this in detail below). For example, Coingeek will have a block orphaned when it succeeds in mining a single block but fails to mine the second block required to trigger the reorg. The Opponent will have a block orphaned when Coingeek succeeds in triggering the reorg.
The orphan rate can be defined as
r = number of blocks orphaned / number of blocks found,
from which it follows that the rate at which blocks are committed to the blockchain is
1 - r = number of blocks committed to the blockchain / number of blocks found.
The expected number of blocks committed to the blockchain by each group over time T is
Na = A T (1 - ra),
Nb = B T (1 - rb),
Nc = C T.
The total blocks added to the blockchain over this period is
N = Na + Nb + Nc = A T (1 - ra) + B T (1 - rb) + C T
The fraction of blocks won by the Opponent miner is clearly
Nb / N = B (1 - rb) / (A (1 - ra) + B (1 - rb) + C). (Eq. 1)
This is an important result. Since the network difficulty target adjusts so that the total number of blocks added to the blockchain per unit time remains approximately constant, if the opponent can increase her share of blocks then she will see a corresponding increase in revenue per unit time. That is, if application of her strategy results in
Nb / N > B / (A + B + C),
she will come out ahead.
It is straightforward from Eq. (1) to show that the above inequality is equivalent to
ra / rb > (1 - B) / A. (Eq. 2)
Next we calculate ra and rb and then prove, using the above equation, that any miner with more hash power than Coingeek can profitably game Coingeek's pledge.

3. What are the orphan rates for Coingeek and the opponent miner?

In order for Coingeek to succeed in triggering a reorg around the Opponent's block, it must solve two blocks before the other miners solve one. If Coingeek solves only one, they will lose that block. If they solve none, then neither Coingeek nor the Opponent will lose a block. When the Opponent finds a block (probability B), there are thus three possible ways for the situation to resolve:
  • Opponent loses a block (probability A^2)
  • Coingeek loses a block (probability A (1 - A))
  • Neither lose a block (probability 1 - A)
The probabilities above assume that block propagation time is negligible and that both Coingeek and the Opponent have equal connectivity to the other miners on the network.
Coingeek finds blocks at a rate of A and loses them at a rate of B A (1 - A), for an orphan rate of
ra = B (1 - A)
The opponent finds blocks at a rate of B and loses them at a rate of B A^2, for an orphan rate of
rb = A^2.
Substituting these equations into Eq. (2) (the equation that describes when the Opponent comes out ahead) gives
B (1 - A) / A^2 > (1 - B) / A,
which simplifies to
B > A.
In other words, any miner controlling more hash power than Coingeek can profitably game Coingeek's orphaning pledge.

4. Why is Coingeek's strategy weak?

Coingeek's strategy is weak because it requires solving two blocks before the rest of the network solves one block. This means it hurts itself more than it hurts the cheaters. It has been argued that miners may still adopt such strategies in order to disincentive bad behaviour on the network -- to "take one for the team" so-to-speak.
But the counterintuitive result derived in this article--due to the fact that difficulty readjusts lower--is that an Opponent with more hash power than Coingeek will come out ahead by intentionally triggering Coingeek's pledge. Instead of discouraging blocks with hidden transactions, Coingeek's pledge arguably encourages them!

5. How much hash power does Coingeek have?

Over the last 7 days, Coingeek was estimated to control 3.3% of the network hash power. This means that at least 6 other mining groups could independently game Coingeek's pledge to increase their revenue (SBI Crypto, BTC.top, AntPool, Bitcoin.com, BTC.com and ViaBTC).

6. Some numbers

Let's take ViaBTC as the Opponent. We then have B = 0.177, A = 0.033. Plugging in these numbers to calculate the change in revenue we find that ViaBTC would earn 0.48% more blocks per unit time by adopting the Opponent strategy, while Coingeek would earn 16.6% fewer blocks.
(It is interesting to note that ViaBTC could adopt this strategy and no miner (acting alone) could profitably game the pledge (at least according to this simplified model). However, deeper analysis may reveal that the network itself may become at risk of fracturing if too much hash power behaves this way).

7. Conclusion

I applaud Coingeek for this act of altruism. They pledged to take a hit to their profits in order to thwart double-spend fraud. However, what this article has shown is that their pledge is likely to backfire. Rather than discouraging miners from including hidden double-spend transactions in their blocks, Coingeek's pledge actually encourages them to do so. Indeed, any miner who controls more hash power than Coingeek can increase her revenue by intentionally gaming Coingeek's pledge.

Further reading

Here is a related article by Jason Cox that looks at the flaws in Coingeek's pledge from a more general point of view: https://www.yours.org/content/why-orphaning-blocks-with-double-spend-transactions-is-dangerous-f09f16779603
Here is a second article by im_uname that also illustrates problems with this approach https://www.yours.org/content/why-orphaning-doublespends-in-mempool-doesn-t-work-c5e07d0775d6
Here is a video by the author describing a scientific way of detecting and reacting to unconfirmed-transaction fraud: https://www.youtube.com/watch?v=yXFuNkaYcPQ
There is a Mathematica simulation behind the pay wall.


11 of 11 reviewers say it's worth paying for

0 of 11 reviewers say it's not worth paying for
  earned 20.0¢
" It has been argued that miners may still adopt such strategies in order to disincentive bad behaviour on the network -- to "take one for the team" so-to-speak."
Other miners have the choice of exploiting coingeek and then coingeek will stop eventually OR collude with them and therefore strengthening the currency and network they have invested a lot in! This is known as tit for tat and has shown to be the winning strategy in simulations (first link I found to this without reading it again..: https://www.forbes.com/sites/rogerkay/2011/12/19/generous-tit-for-tat-a-winning-strategy/#58eb733866eb)
   2yr ago
25.0¢ 5.0¢
  spent 5.0¢
Pre-emptive stand can only be declared but not actually enforced until at least of 51%+ of the hashing power also pledges to it.
   2yr ago
  earned 0.0¢
Great work, thanks for this! This is a very healthy discussion.
Intuitively I see that your point makes sense, mathematically I have to say that I do not quite understand this step:
"The fraction of blocks won by the Opponent miner is clearly
Nb / N = B (1 - rb) / (A (1 - ra) + B (1 - rb) + C)."
How can you add the hashingpower fraction 'C' to the fraction of blocks B will find?

Also: Don't you basically say that if more than 50% of the miners follow this strategy then noone could game it? So if > 50% of the miners would behave nice this works.
   2yr ago
  spent 5.0¢
In case of a minority (like Coingeek) actually adopting this, the attacker doesn't even need to have hashpower. Just send simultaneous doublespends all day to different nodes - extremely cheap to do so - and once in a while coingeek will reject a block containing one. Watch fireworks.
   2yr ago
  earned 0.0¢
Great post!
Peter, I just want to point out that you are being extremely nice to coingeek for writing this article. There is no need to give economic advice to them. Whatever they do with their 3.3% hashpower will have no real effect on Bitcoin Cash.
The important point to realise is that coingeek wants to have the ability to censor transactions following a heuristic that isn't part of the consensus rules. However noble or not their reasons, they still are a minority rejecting the ways of the majority. And as such they will lose their money. Simple as that.
They are fully in their rights to spend their money any way they want, including throwing it away just because their flagship spokesman feels the need to do something "positive".
If (when?) they push this issue (they seem unable to take good advice) I suggest to just sit back and watch how this plays out.
I just suggest making sure all other miners realise that it is a really bad idea to reject a block that follows consensus 100%, based on some censorship campaign. The mother of all slippery slopes right there.
   2yr ago
5.0¢ 5.0¢
  earned 5.0¢
Being a bit of a philosophy/logic geek, one important aspect of this issue jumped out at me while I was reading along.
Has anyone checked with Calvin Ayre to see if he was specifically referring to orphaning blocks as a means to prevent double-spends? That may be leaping to conclusions as his official statement could be interpreted to mean he will orphan blocks from attackers *and* omit transactions *from* blocks if there is evidence the transaction is part of a double-spend attempt:
“CoinGeek mining systems will reject blocks that are clearly generated by attacks. If a transaction is hidden from the network to create a double spend by other miners to steal funds, we will reject this.
We support honest mining and competition. 
Transactions from honest miners propagate. When a transaction is hidden, this is easily detected with clear evidence that is digitally signed. CoinGeek is taking a pre-emptive stand to let the Bitcoin Cash community know that we will not tolerate dishonest practices and we will work to combat criminal actions.
Profit is best derived from long-term investment and we won’t stand for criminals attempting to game the system for short-term gain.
We believe that all current miners would support us in an honest majority.”
Perhaps he was saying he would do both of those things. Perhaps he wasn't. But, it verges on a straw man attack to assume he only meant the former. If he did only mean the former, then this is useful analysis but, without getting elaboration or clarification from Calvin Ayre about what exactly he meant, it comes across as one-sided. I'd like to see both sides fleshed out.
   2yr ago
5.0¢ 10.0¢
  earned 30.0¢
Hello good people, sorry to interrupt the 🤓 techy-convo you're having here with my simple words but would you be interested in looking at some of my artwork and maybe leave a tip or two 😛 I would really appreciate 💙 Here some samples of my artwork:
Thanks for you time 😃
   2yr ago
5.0¢ 25.0¢ 10.0¢
  earned $3.90
What you have here Peter is a theory. You've made assumptions and from those, you've drawn what are most likely valid deductions. Whether the conclusions are actually valid and useful in the real world is something no academic should take for granted.
What you haven't done is proven that this is how the system will actually behave. To do that will require someone with real skin in the real game - not some test net experiment - to attempt to implement your money making strategy and thereby either cause Coingeek to change their strategy or lose income for a sustained period of time.
As Craig loves to remind us, Bitcoin is an economic system. In this case that may mean that your theory fails to capture the reputations and long term profit incentives of honest miners.
Miners are NOT simply nodes on an arbitrary network. They spend money to connect to each other in proportion to the blocks generated by each connection. If one of those connections suddenly starts behaving badly - in a manner that suggests they are being dishonest - they are likely to pay for that behavior by finding their connections downgraded.
I'm betting on any profit to be made by attempting to game Coingeek's public policy in support of honest transaction processing will be short lived and the attackers will be left suffering both economic and reputation loses.
And while we're at it - in this climate of valuing and tolerating almost everything in the name of greater diversity - is it really SO hard for you, Emin, and Vitalik to try a bit harder to find value in what Craig brings to the table. How many others have been at this for as long or have committed so much of their lives to helping bring global peer to peer cash to the world?

   2yr ago
25.0¢ 25.0¢ 25.0¢ 10.0¢ 5.0¢ $2.50 25.0¢ 10.0¢ 25.0¢ 25.0¢
  earned 0.0¢
@tonesnotes Repeating the "Economic Incentive" handwave doesn't add any value to the system.
   2yr ago
  spent 5.0¢
I would agree here with Peter that having a different policy over first seen is a bad idea.
   2yr ago
  spent 5.0¢
Thank you, Peter! You explain this stuff (and your work on subchains etc.) very well. And your quizzes on twitter got me so curious I read the Whitepaper again (this time I actually took a closer look at chapter 11).
   2yr ago