6  Security Economics and Attacks

We show that the Bitcoin protocol is not incentive-compatible.

Eyal and Sirer, Majority Is Not Enough: Bitcoin Mining Is Vulnerable (2014)

6.1 Learning objectives

By the end of this chapter the reader should be able to:

  • Distinguish what cryptography guarantees in Bitcoin from what economic incentives guarantee, and locate the boundary precisely.
  • Compute a rental-based cost-of-attack for a 51 percent attack and explain why the attacker recovers most of that cost.
  • State the Eyal-Sirer selfish-mining result and reproduce their closed-form relative-revenue curve, including the sub-50-percent profitability threshold.
  • Explain incentive compatibility as an equilibrium property of a mechanism, and audit the assumptions a compatibility claim rests on.
  • Assess when a low cost-of-attack makes a small permissionless chain the wrong custodian for a health-data ledger.

6.2 Orientation

We begin with a data-integrity problem to which the book will return throughout. Several hospitals participating in a multi-institution clinical trial share a single append-only record of who was enrolled, how each participant was randomised, and which outcome and adverse events occurred, with no single institution trusted to hold the master copy and a regulator who audits the record only after the fact. We shall call this the trial ledger. Suppose now that a sponsor, a participating site, or an outside party wished to alter the shared record: to suppress an adverse event, say, or to move an enrolment date so that a protocol deviation disappears from view. Two questions decide whether such a ledger deserves anyone’s trust. What would that alteration cost the party who attempted it, and who would bear the loss were it to succeed?

These are not, in the first instance, cryptographic questions. A digital signature can make each entry attributable and each subsequent edit detectable, and we quantified that guarantee in Chapter 3. What cryptography cannot tell us is whether a coalition with enough of the system’s resources will find it profitable to rewrite recent history, nor what an honest custodian stands to lose if it does. Those are questions about payoffs, and they are answered, if they are answered at all, by incentives, audit, and consequences. The habit the statistician already possesses, of asking who benefits from a given data pattern and whether they could plausibly have produced it, is precisely the habit this chapter formalises for a shared ledger.

The mechanics for such a ledger were built in the previous two chapters, which constructed proof-of-work and studied mining as a renewal process (a sequence of block discoveries separated by independent, identically distributed waiting times). This chapter asks the question those mechanics defer: why does anyone follow the rules? A miner, or a custodian of the trial ledger, is free software running on hardware its owner controls. Nothing in the protocol compels a participant to extend the chain everyone else extends, to publish a block promptly, or to refrain from rewriting recent history. The protocol is a proposal, and the network’s integrity is the claim that following the proposal is the profit-maximising strategy.

That reframing is the chapter’s thesis. Bitcoin’s security, and by extension the trial ledger’s, is economic, not merely cryptographic. Cryptography does one job, and does it to a standard we quantified in Chapter 3: it makes signatures unforgeable and the ledger tamper-evident, so no participant can spend another’s coins or silently rewrite a committed block. Cryptography says nothing about whether a majority coalition of miners will choose to reorganise the chain, or whether a large miner will withhold blocks so as to orphan its rivals’ work, that is, to cause validly mined blocks to be discarded because a competing chain has outpaced them. Those are not cryptographic questions. The reader trained on clinical data will recognise the shape of the argument at once, for research integrity too is maintained not by cryptography but by the prospect that a fabricated pattern will be detected, questioned, and punished. We shall see the analogy sharpen, and also where it breaks, as the chapter proceeds.

A reader with masters-level game theory and probability already owns the tools. The cost-of-attack is a comparison of two revenue streams. Selfish mining is a Markov chain (a random process whose next state depends only on the current one) on the lead a miner holds over the public chain, and its profitability is a rational function of two parameters. Incentive compatibility is the statement that honest mining is a Nash equilibrium (a strategy profile from which no participant gains by deviating alone), or close enough to one that deviation does not pay. The work of the chapter is to write these down and check them, because the field states them as slogans (‘51 percent is the security threshold’) that the arithmetic does not support. We proceed as follows. We first price a majority attack and examine what its cost recovers. We then derive the selfish-mining threshold and read it as a security parameter. We close by returning to the trial ledger and asking, candidly, whether the permissionless machine, meaning the open system that any party may join without approval, is the right custodian for it at all.

The chapter turns on a compact vocabulary, which we fix here before proceeding, so that the reader need not carry these terms as unknowns through the argument that follows.

NoteThe vocabulary of this chapter
  • The 51 percent (majority) attack. An attack in which a single party commands more than half of the network’s mining power and uses it to rewrite recent history, to reorder or exclude entries, and to spend the same coins twice.
  • Cost of attack. The expenditure a party must incur to mount such an attack. Here it is priced as the cost of renting a majority of the mining power for the duration of the attack window.
  • Selfish mining. A strategy in which a miner keeps the blocks it finds secret and releases them at moments of its own choosing, so as to waste the effort of honest miners and capture more than its fair share of the reward.
  • Hash-power fraction (alpha). The share of the network’s total mining power that a given miner controls, written \(\alpha\).
  • Communication (propagation) advantage (gamma). The fraction of honest miners that side with a selfish miner’s block, rather than the competing honest block, when the two are released at once. Written \(\gamma\), it measures how effectively the selfish miner wins the race to propagate its block first.
  • Relative revenue. The share of the total block reward a miner earns in the long run. Honest mining earns a relative revenue equal to \(\alpha\); an attack pays only when it earns more.
  • Incentive compatibility. The property that following the protocol honestly is the strategy that maximises a participant’s own payoff, so that no participant gains by deviating from it.
  • Eclipse attack. An attack that surrounds a node’s network connections with the attacker’s own peers, so that the victim is fed a false view of the ledger or has its own entries suppressed.

Before pricing any single attack, we lay out the four we shall meet and the layer that stops each, so the cryptography-versus-economics boundary is visible from the outset (Table 6.1). Only the first is a cryptographic matter; the rest are questions of payoffs and network structure.

Table 6.1: The chapter’s four attacks and the layer that stops each
Attack Prevented by Cost driver Trial-ledger reading
Signature forgery Cryptography Breaking ECDSA, computationally infeasible An outsider cannot author an entry in a site’s name
51 percent reorg Economics Rental of a hash-power majority for the window A funded party rewrites recent enrolments and outcomes
Selfish mining Economics Hash share above \((1-\gamma)/(3-2\gamma)\) A large site farms orphans, biasing whose entries survive
Eclipse and censorship Network design Surrounding a node’s peer connections A site is fed a false ledger view or has its entries suppressed

6.3 The statistician’s contribution

Three judgements structure the chapter, and none is automated by any tool.

1. Separate the cryptographic guarantee from the economic guarantee, and never let one borrow the other’s certainty. A signature scheme’s security is a statement about computational hardness that holds against any adversary below a work bound. An incentive-compatibility claim is a statement about a rational adversary’s payoffs that holds only under a stated behavioural and distributional model. The first is close to a protocol fact; the second is an economic claim in the sense of Chapter 1, conditional on assumptions. Treating ‘the chain is secure’ as one undifferentiated guarantee is the field’s most common category error, and the statistician’s first contribution is to refuse it. The whole chapter can be read off a single partition: what the mathematics guarantees, what the economics guarantees only under a model, and what neither underwrites at all (Table 6.2). The rightmost column is where every failure in this chapter lives.

Table 6.2: What the two guarantees cover, and what falls between them
Cryptography guarantees Incentives guarantee (under a model) Neither guarantees
Entries are attributable to a signer Rewriting recent history costs more than it returns, on a large chain That a small chain’s security budget exceeds an edit’s off-chain value
Any edit to a committed block is detectable Honest extension is an equilibrium below the threshold That a miner values disruption less than reward
No one spends coins they cannot sign for Withholding does not pay below \((1-\gamma)/(3-2\gamma)\) That the propagation parameter \(\gamma\) is known and fixed
The issuance schedule cannot be rewritten Pooling cuts variance without changing mean reward That pooling will not concentrate share past the threshold

2. Audit the assumptions behind an incentive-compatibility claim before believing the conclusion. Every equilibrium result in this chapter rests on premises: that miners are myopically revenue-maximising, that hash power is divisible and rentable, that block propagation is described by a single communication-advantage parameter, that no miner values disruption for its own sake. The selfish-mining result is a theorem about a model, and the model can fail. Naming the premises and asking whether they hold for a specific chain is analytic work, not a literature citation.

3. Recognise when a threshold model’s assumptions fail so its threshold stops meaning what it says. ‘51 percent’ is exact under a model in which the only attack is a longest-chain race by a myopic majority. Selfish mining moves the relevant threshold below 50 percent; a chain whose miners can be bribed moves it again; economic irrationality (an attacker who will pay to destroy) removes it. The statistician’s job is to know which threshold governs which threat, and to say plainly when the headline number is the wrong one.

6.4 The 51 percent attack and its cost

6.4.1 What a majority actually buys

Recall the double-spend analysis of Chapter 4, where a double-spend is the act of spending the same coins twice by rewriting the ledger after a payment has been accepted. An attacker with hash-power fraction \(q\) who trails the honest chain by \(z\) confirmations is running a biased random walk, and the probability of ever catching up is \((q/p)^{z}\) when \(q < p = 1 - q\), which decays geometrically in \(z\). When \(q \ge 1/2\) that ratio reaches one: catch-up becomes certain, the geometric safety in \(z\) collapses, and no number of confirmations protects a transaction. A majority of hash power therefore buys the ability to rewrite recent history at will, to exclude or reorder transactions, and to double-spend against any confirmation depth.

It is worth stating precisely what a majority does not buy, because the folklore overreaches. It does not let the attacker forge signatures, spend coins it does not hold keys for, or alter the issuance schedule; those are enforced by every node’s validation rules, which a majority of hash power does not override. The 51 percent attack is a liveness-and-ordering attack on recent history, that is, an attack on whether and in what order entries appear rather than on their authenticity, not a theft of arbitrary funds. That distinction is exactly the cryptography-versus-incentives boundary this chapter is about.

6.4.2 A rental cost-of-attack

The security question is not whether a majority attack is possible, for above 50 percent it plainly is, but what it costs. But how much does a majority cost to assemble? The relevant model is rental: an attacker need not buy hardware, only command a majority of hash power for the duration of the attack window. We reuse the proof-of-work cost helper from the mining chapter, which prices the attack as the rental of just over half the network’s hash rate for the window.

pow_attack_cost <- function(network_hashrate_ths,
                            hours,
                            rent_per_ths_hour) {
  0.51 * network_hashrate_ths * hours *
    rent_per_ths_hour
}

# Illustrative figures, not a live measurement.
c(cost_6h  = pow_attack_cost(4e8, 6,  0.02),
  cost_24h = pow_attack_cost(4e8, 24, 0.02))
#>  cost_6h cost_24h 
#> 24480000 97920000

The arithmetic is deliberately transparent: cost scales linearly in the hash rate commanded, in the attack window, and in the unit rental price. The figures are illustrative rather than a live measurement of any chain. The lesson is structural. Doubling the confirmation depth a merchant waits for roughly doubles the window an attacker must sustain, and so roughly doubles the cost; this is the economic reading of the confirmation-depth policy derived in Chapter 4.

6.4.3 Cost recovery and the proof-of-stake contrast

A subtlety the headline cost hides is what happens to the attacker’s capital afterward. Under proof-of-work the attacker rents or owns general-purpose hashing hardware. When the attack ends, the hardware retains almost all its value: it can be resold, or redirected to honest mining, or rented back out. The economic loss is the rental premium and the opportunity cost of the window, not the capital itself. Proof-of-work attack cost is, in this sense, a recurring flow that the attacker largely recovers.

Proof-of-stake inverts this, and we develop the contrast fully in Chapter 10. There the analogue of ‘commanding a majority’ is holding a large fraction of the staked capital, and an attack that violates the protocol triggers slashing: the offending stake is destroyed by the protocol itself. The attacker’s own capital sits in the blast radius. The cost is not a recoverable rental flow but a stock of capital placed at risk of outright loss. Whether that makes proof-of-stake more or less secure is a genuine and contested question; the point here is only that the two cost structures differ in kind, flow-recoverable versus stock-at-risk, and conflating them is a common error.

A commentator writes that an entity controlling 55 percent of Bitcoin’s hash power ‘could drain every wallet on the network’. Using the cryptography-versus-incentives distinction, state precisely what is wrong with this claim and what a 55 percent coalition can in fact do.

Draining arbitrary wallets requires spending coins whose private keys the attacker does not hold, which is a forgery of ECDSA signatures, ECDSA being the elliptic-curve digital-signature scheme Bitcoin uses. That is prevented cryptographically and is not affected by hash-power share; every node rejects a transaction whose signatures do not verify, regardless of who mined the block containing it. A 55 percent coalition can rewrite recent history: exclude or reorder transactions, censor addresses, and double-spend its own coins against any confirmation depth by out-racing the honest chain. It cannot move funds it cannot sign for. The claim commits the category error of borrowing cryptographic certainty (unforgeability) to describe an economic-ordering attack.

6.5 Selfish mining

6.5.1 The result and why it is striking

The 51 percent analysis suggests a comforting threshold: stay below half the hash power and the chain is safe. Eyal and Sirer, whose selfish-mining result first showed that a miner can profit by withholding the blocks it finds, overturned that comfort (Eyal & Sirer, 2014). They exhibit a strategy, selfish mining, under which a miner with strictly less than half the hash power earns revenue exceeding its fair share, and, once its share passes a threshold that can be well below 50 percent, earns more by deviating than by mining honestly. The striking consequence is that the honest-majority assumption is not enough. A rational miner with, say, a third of the hash power may be incentivised to attack, so the coalition that threatens the chain can be far smaller than a majority.

The mechanism is withholding, and it will repay a moment’s translation into terms the applied reader knows well. A selfish miner who finds a block does not publish it. It mines privately on its secret extension, building a lead. When the honest network finds and publishes a competing block, the selfish miner releases its withheld block to create a fork, and, crucially, races to have its version adopted. Honest miners who had begun extending the public block find their work orphaned. The selfish miner has converted its private lead into wasted honest effort, raising its share of the blocks that ultimately survive above its share of the hash power.

We can picture the manoeuvre as a Markov chain on the lead the selfish miner holds, with its withheld branch riding above the public chain (Figure 6.1). The state is that lead: zero when nothing is withheld, one when a single block is held back, two or more when the private branch has pulled ahead.

library(ggplot2)

PAL <- c('#2a78d6', '#1baf7a', '#eda100', '#008300',
         '#4a3aa7', '#e34948', '#e87ba4', '#eb6834')

book_theme <- ggplot2::theme_minimal(base_size = 11) +
  ggplot2::theme(
    panel.grid.minor = ggplot2::element_blank(),
    panel.grid.major = ggplot2::element_line(
      linewidth = 0.25, colour = 'grey88'),
    axis.title = ggplot2::element_text(size = 10),
    legend.position = 'bottom')

indigo <- '#33356b'
attack_col <- '#e34948'

nodes <- data.frame(
  x = c(1, 3, 5), y = 0, lab = c('0', '1', '2+'))
pub <- data.frame(
  xmin = c(0.6, 1.6, 2.6), xmax = c(1.4, 2.4, 3.4),
  ymin = 1.2, ymax = 1.55)
wh <- data.frame(
  xmin = c(2.6, 3.6), xmax = c(3.4, 4.4),
  ymin = 1.95, ymax = 2.3)

ggplot() +
  geom_rect(data = pub, aes(xmin = xmin, xmax = xmax,
            ymin = ymin, ymax = ymax),
            fill = 'white', colour = indigo,
            linewidth = 0.6) +
  geom_rect(data = wh, aes(xmin = xmin, xmax = xmax,
            ymin = ymin, ymax = ymax),
            fill = 'white', colour = attack_col,
            linewidth = 0.6) +
  annotate('segment', x = 3, xend = 3,
           y = 1.55, yend = 1.95,
           colour = attack_col, linewidth = 0.5) +
  annotate('text', x = 0.6, y = 1.72,
           label = 'public chain', colour = indigo,
           size = 3.1, hjust = 0) +
  annotate('text', x = 4.4, y = 2.45,
           label = 'withheld private branch',
           colour = attack_col, size = 3.1, hjust = 1) +
  geom_point(data = nodes, aes(x, y), shape = 21,
             size = 16, fill = 'white', colour = indigo,
             stroke = 0.7) +
  geom_text(data = nodes, aes(x, y, label = lab),
            colour = indigo, size = 4) +
  annotate('curve', x = 1.35, xend = 2.65,
           y = 0.28, yend = 0.28, curvature = -0.4,
           colour = attack_col, linewidth = 0.5,
           arrow = arrow(length = unit(0.02, 'npc'),
                         type = 'closed')) +
  annotate('curve', x = 3.35, xend = 4.65,
           y = 0.28, yend = 0.28, curvature = -0.4,
           colour = attack_col, linewidth = 0.5,
           arrow = arrow(length = unit(0.02, 'npc'),
                         type = 'closed')) +
  annotate('text', x = 3, y = 0.72, colour = attack_col,
           size = 3.1,
           label = 'selfish finds a block: extend the secret lead') +
  annotate('curve', x = 2.65, xend = 1.35,
           y = -0.28, yend = -0.28, curvature = -0.4,
           colour = indigo, linewidth = 0.5,
           arrow = arrow(length = unit(0.02, 'npc'),
                         type = 'closed')) +
  annotate('curve', x = 4.65, xend = 3.35,
           y = -0.28, yend = -0.28, curvature = -0.4,
           colour = indigo, linewidth = 0.5,
           arrow = arrow(length = unit(0.02, 'npc'),
                         type = 'closed')) +
  annotate('text', x = 3, y = -0.72, colour = indigo,
           size = 3.1,
           label = 'honest finds a block: publish and race to be adopted') +
  annotate('text', x = 1, y = -1.05, colour = 'grey45',
           size = 2.9,
           label = 'lead 0: honest block adopted') +
  coord_cartesian(xlim = c(0.2, 5.8),
                  ylim = c(-1.2, 2.6)) +
  theme_void()
Figure 6.1: The selfish miner modelled as a Markov chain on the lead it holds over the public chain. Finding a block extends a withheld private branch, drawn in red above the public chain, while an honest block prompts the miner to publish and race to have its branch adopted. The state records how many blocks the private branch leads by.

The essential move here is not a forgery but a strategic misreport. The selfish miner never breaks the letter of the protocol: every block it releases is valid, every signature verifies. It cheats by controlling the timing of disclosure, withholding information at moments chosen to disadvantage its rivals. The reader who has thought about publication bias and selective outcome reporting will find this familiar. An investigator who runs an analysis, dislikes the result, and delays or suppresses its disclosure has broken no rule of arithmetic; the reported estimates are each internally valid, yet the aggregate record is distorted by what was withheld and when. Selfish mining is that manoeuvre made mechanical, with a propagation race in place of a file drawer. We should note carefully where the analogy ends, for it ends at an important place. Mining rewards are zero-sum: a block the selfish miner steals is a block some honest miner does not earn, and the total is fixed by the issuance schedule. Scientific evidence is not zero-sum in this way. A suppressed trial does not transfer its truth to a competitor; it removes information from the common pool, and the loss is borne diffusely by future patients rather than captured by any rival. The incentive to withhold is real in both settings, but the accounting of who gains and who loses differs, and we shall not press the analogy past that boundary.

6.5.2 The closed form

Eyal & Sirer (2014) model the strategy as a Markov chain on the selfish miner’s lead over the public chain and derive the miner’s long-run relative revenue in closed form. Two parameters govern it. Let \(\alpha\) be the selfish miner’s fraction of total hash power, and let \(\gamma\) be the fraction of the honest hash power that, in a fork, ends up mining on the selfish miner’s block rather than the honest one. The parameter \(\gamma\) is a communication advantage: it measures how effectively the selfish miner wins the propagation race when it releases a withheld block to answer an honest one. The relative revenue is

\[ R(\alpha, \gamma) = \frac{\alpha(1-\alpha)^2\bigl(4\alpha + \gamma(1-2\alpha)\bigr) - \alpha^3} {1 - \alpha\bigl(1 + (2-\alpha)\alpha\bigr)}. \]

Honest mining earns relative revenue equal to \(\alpha\): a miner with fraction \(\alpha\) of the hash power wins fraction \(\alpha\) of the blocks in the long run. Selfish mining pays whenever \(R(\alpha, \gamma) > \alpha\). The algebra of that inequality yields a clean profitability threshold:

\[ \alpha > \frac{1 - \gamma}{3 - 2\gamma}. \]

At \(\gamma = 0\), the selfish miner has no propagation advantage and the threshold is \(1/3\): withholding pays only above a third of the hash power. At \(\gamma = 1\), the selfish miner always wins the race and the threshold falls to \(0\): any positive share benefits from deviating. Realistic \(\gamma\) sits between, so the operative threshold sits between \(0\) and \(1/3\), in every case below the naive \(1/2\).

6.5.3 Reproducing the curve

We implement the closed form directly and plot the relative-revenue family against the honest baseline \(y = \alpha\).

selfish_revenue <- function(alpha, gamma) {
  num <- alpha * (1 - alpha)^2 *
    (4 * alpha + gamma * (1 - 2 * alpha)) -
    alpha^3
  den <- 1 - alpha * (1 + (2 - alpha) * alpha)
  num / den
}

selfish_threshold <- function(gamma) {
  (1 - gamma) / (3 - 2 * gamma)
}

# Thresholds at the three communication regimes.
c(gamma_0   = selfish_threshold(0),
  gamma_0.5 = selfish_threshold(0.5),
  gamma_1   = selfish_threshold(1))
#>   gamma_0 gamma_0.5   gamma_1 
#> 0.3333333 0.2500000 0.0000000

The printed thresholds are \(1/3\), \(1/4\), and \(0\), matching the formula. Now the curves.

library(dplyr)
library(tidyr)
library(ggplot2)

gammas <- c(0, 0.5, 1)
alpha_grid <- seq(0.001, 0.499, length.out = 400)

curves <- expand_grid(gamma = gammas,
                      alpha = alpha_grid) |>
  mutate(revenue = selfish_revenue(alpha, gamma),
         gamma = factor(gamma))

thresholds <- tibble(
  gamma = factor(gammas),
  alpha_star = selfish_threshold(gammas))

ggplot(curves,
       aes(alpha, revenue, colour = gamma)) +
  geom_line(linewidth = 0.8) +
  geom_abline(slope = 1, intercept = 0,
              linetype = 2) +
  geom_vline(data = thresholds,
             aes(xintercept = alpha_star,
                 colour = gamma),
             linetype = 3) +
  coord_cartesian(xlim = c(0, 0.5),
                  ylim = c(0, 0.75)) +
  labs(x = expression('hash-power fraction ' *
                        alpha),
       y = 'relative revenue',
       colour = expression(gamma),
       title = paste('Selfish mining beats honest',
                     'below 50% hash power'))
Figure 6.2: Selfish-mining relative revenue against honest mining. Each curve is R(alpha, gamma) for one communication advantage; the dashed line is the honest baseline y = alpha. Where a curve rises above the dashed line, withholding pays. Vertical marks show the profitability thresholds (1-gamma)/(3-2gamma).

The dashed diagonal is honest revenue. For each \(\gamma\) the solid curve lies below the diagonal until \(\alpha\) crosses the dotted vertical (the threshold), after which selfish mining earns strictly more than the miner’s fair share. The \(\gamma = 1\) curve is above the diagonal for every positive \(\alpha\), so with a decisive propagation advantage there is no safe minority share at all. The takeaway is the one Eyal & Sirer (2014) emphasised: the security threshold is not 50 percent, and under favourable propagation it can be pushed arbitrarily close to zero.

The revenue curves fix a value of \(\gamma\) and vary \(\alpha\); it is worth also seeing the threshold itself as a function of \(\gamma\), since that is the security parameter a chain operator can influence (Figure 6.3). The safe share is largest, one third, only when the attacker has no propagation edge, and it slides to zero as that edge becomes decisive.

gamma_grid <- seq(0, 1, length.out = 200)
thr_df <- tibble::tibble(
  gamma = gamma_grid,
  alpha_star = selfish_threshold(gamma_grid))

ggplot(thr_df, aes(gamma, alpha_star)) +
  geom_ribbon(aes(ymin = alpha_star, ymax = 0.5),
              fill = PAL[1], alpha = 0.12) +
  geom_line(colour = PAL[1], linewidth = 0.9) +
  annotate('text', x = 0.48, y = 0.42,
           label = 'selfish mining pays',
           colour = PAL[1], size = 3.4) +
  annotate('text', x = 0.66, y = 0.08,
           label = 'honest mining safe',
           colour = 'grey40', size = 3.4) +
  annotate('point', x = 0, y = 1 / 3,
           colour = PAL[1], size = 1.6) +
  annotate('text', x = 0.04, y = 1 / 3 + 0.035,
           hjust = 0, label = 'gamma = 0: one third',
           colour = 'grey30', size = 3.1) +
  annotate('point', x = 1, y = 0,
           colour = PAL[1], size = 1.6) +
  annotate('text', x = 0.96, y = 0.035, hjust = 1,
           label = 'gamma = 1: zero',
           colour = 'grey30', size = 3.1) +
  coord_cartesian(ylim = c(0, 0.5)) +
  labs(x = expression('communication advantage ' *
                        gamma),
       y = expression('threshold share ' *
                        alpha^'*')) +
  book_theme
Figure 6.3: The selfish-mining profitability threshold falls as the communication advantage grows. The curve is the safe-share boundary (1-gamma)/(3-2gamma); a miner whose share lands in the shaded region above the curve earns more by withholding, while a miner below it does better mining honestly. The safe share is one third when the attacker has no propagation edge and vanishes as gamma approaches one.

6.5.4 What the model assumes

The result is a theorem about a model, and the statistician’s contribution is to inventory the premises. The Markov-chain derivation assumes a single selfish coalition (not several competing ones), a fixed and known \(\gamma\), myopic revenue-maximisation over block rewards with no regard for exchange-rate consequences, and no difficulty-adjustment feedback within the analysis window. Sapirshtein and colleagues tightened the picture by solving for the optimal withholding policy as a Markov decision process (a Markov chain in which a decision-maker chooses actions so as to maximise long-run reward), showing that Eyal and Sirer’s strategy is not always optimal and that the true profitability threshold can be lower still (Sapirshtein et al., 2016). That is a strengthening of the result, not a refutation: optimising the attacker only lowers the threshold further. The honest reading is that \(1/3\) at \(\gamma = 0\) is an upper bound on the safe share under this family of attacks, and the safe share is smaller once the attacker plays optimally or enjoys any propagation edge.

ImportantThe sceptic’s reflex

‘Proof-of-work is 51-percent-attack-proof below a majority’ is a narrative wearing the cadence of a protocol fact. Demote it. It is an economic claim, conditional on a model in which the only deviation is an honest-strategy longest-chain race. Selfish mining is a deviation outside that model, and under it the operative threshold is \((1-\gamma)/(3-2 \gamma)\), which is at most \(1/3\) and can approach \(0\). The correct statement is conditional: honest mining is incentive-compatible only for shares below a threshold that depends on propagation, and that threshold is below one half. Anyone quoting ‘51 percent’ as the security margin is quoting the wrong number.

6.6 Incentive compatibility as mechanism design

6.6.1 Why honest miners extend the longest chain

Nothing in the protocol forces a miner to build on the chain everyone else builds on. A miner could extend a stale block, or start a private fork, at no cryptographic cost. Yet honest miners overwhelmingly extend the longest (more precisely, the highest-total-work) chain. The reason is expected reward, and it is worth making the argument explicitly because it is the template for every incentive claim in the field.

A block earns its reward only if it ends up on the chain the network eventually accepts, which is the one with the most accumulated work. A miner who extends a minority branch is betting that its branch will win the work race against the rest of the network. Unless that miner commands a majority of hash power, the bet is a biased random walk running against it, and the branch is orphaned with probability approaching one. The expected reward from extending the majority chain therefore dominates the expected reward from any minority branch, for any sub-majority miner. Orphan risk is the enforcement mechanism: the protocol does not forbid deviation, it makes deviation lose money in expectation. This is precisely the logic that selfish mining exploits and inverts, by manufacturing orphans for honest miners rather than suffering them.

6.6.2 Mining pools and centralisation pressure

The variance of solo mining is punishing. A small miner finds blocks as a Poisson process (events arriving independently at a constant average rate) with a minute rate, so its reward is a high-variance lottery with long dry spells. Pooling hash power, meaning that many miners combine their effort in a mining pool and share the rewards in proportion to the work each contributes, converts the lottery into a near-deterministic income stream, reducing variance without changing expected reward. That is a rational risk-management response, and it is why pools dominate. It also concentrates the decision of what to mine into a few pool operators, which is a centralisation pressure the base protocol does nothing to resist. A statistician recognises this as a variance-reduction incentive with a governance externality: individually rational pooling aggregates into a small number of entities whose combined share can approach the selfish- mining and majority thresholds discussed above. The security model assumes diffuse hash power; the economics of variance pushes toward its concentration.

6.6.3 The security-performance frontier

Protocol parameters that improve performance often degrade security, and the trade-off is quantifiable. Gervais and colleagues built a framework that, for given block interval, block size, and network propagation, computes the cost of attacks such as double-spending and selfish mining, mapping out a security-performance frontier, the boundary describing how much security must be surrendered to gain throughput and conversely (Gervais et al., 2016). Shorter block intervals and larger blocks raise throughput but also raise the stale-block rate, meaning the frequency with which validly mined blocks are discarded as the network converges on one chain, which improves an attacker’s relative position: more natural forks mean a withholding attacker’s manufactured forks are cheaper to win. The frontier makes explicit that ‘faster’ and ‘more secure’ are competing objectives on a measurable curve, not free improvements. Bonneau and colleagues, in their systematisation-of- knowledge survey, place these results in a common framework, cataloguing Bitcoin’s stability and incentive assumptions and the attacks that probe them (Bonneau et al., 2015), and it is the right map for orienting among the individual results.

6.6.4 The game-theoretic frame

Assembling the pieces, the security argument for proof-of-work is a claim in mechanism design. The protocol designer chooses rules (the reward schedule, the longest-chain rule, the difficulty adjustment) so that the behaviour the system needs, honest extension of the canonical chain, is an equilibrium of the game the miners play. The system is secure to the extent that honest mining is a Nash equilibrium, or close enough to one that no profitable unilateral deviation exists. Selfish mining is precisely the demonstration that honest mining is not an equilibrium for a sufficiently large or well-connected miner, which is why the result matters beyond its arithmetic: it is a proof that the mechanism is not incentive-compatible over the whole parameter range its designers implicitly assumed. Reading Bitcoin as a mechanism, and asking whether honest behaviour is an equilibrium under stated assumptions, is the frame that turns a pile of attacks into a single question.

A mining pool controls a well-connected relay network, so that in a fork roughly 60 percent of honest hash power adopts its block. It holds 28 percent of total hash power. Is honest mining incentive-compatible for this pool, and what is the operative threshold?

The communication advantage is \(\gamma = 0.6\), so the selfish-mining threshold is \((1 - 0.6)/(3 - 2 \cdot 0.6) = 0.4 / 1.8 \approx 0.222\). The pool’s share of \(0.28\) exceeds this threshold, so honest mining is not incentive-compatible: the pool earns more by withholding than by mining honestly. Note that a naive ‘51 percent’ analysis would have declared the pool harmless. The propagation edge, not just the raw share, is what moves the threshold, which is why \(\gamma\) must be part of any serious assessment.

6.7 A public-health reading: threat-modelling the trial ledger

We now return to the trial ledger with which the chapter opened, and to the two questions we posed of it: what an alteration would cost, and who would bear the loss. A recurring proposal is to put such a ledger, or a vaccine cold-chain provenance system of the same character, on a permissionless blockchain, so that its integrity does not depend on trusting a single custodian. The security analysis of this chapter is exactly the threat model that proposal needs, and we shall find that it usually undermines the proposal rather than supporting it.

The integrity of a permissionless chain is only as strong as the cost of attacking it. That cost, as the rental calculation showed, is a function of the chain’s total hash rate. A large chain like Bitcoin has an attack cost in the millions of dollars per day, but a small or new chain, exactly the kind a niche health registry might spin up or select for low fees, can have a 51 percent rental cost of a few thousand dollars, which is trivial relative to the stakes of a trial record. Worse, the value an attacker extracts from corrupting the ledger is not the on-chain token value to which the security budget is scaled; it is the off-chain value of altering a record, which can be far larger. A chain secured by a small mining reward is defending high-stakes data with a low-value security budget, an economic mismatch the cost-of-attack framing makes explicit.

To illustrate, consider a consortium of six hospitals that proposes to host the trial ledger on a small proof-of-work chain, chosen for its low transaction fees, whose total hash rate is a thousandth of a large network’s. Suppose a site under enrolment pressure wishes to erase a single serious adverse event, and that doing so would protect a product whose off-chain value, in avoided liability and preserved approval prospects, runs to several million dollars. We price the two sides of the ledger explicitly.

# SYNTHETIC illustration, not a live measurement.
small_chain_hashrate_ths <- 4e5   # 1/1000 of large
attack_window_hours      <- 6     # confirmations
rent_per_ths_hour        <- 0.02

attack_cost <- pow_attack_cost(
  small_chain_hashrate_ths,
  attack_window_hours,
  rent_per_ths_hour)

offchain_value_of_edit <- 3e6     # avoided liability

c(attack_cost_usd  = attack_cost,
  offchain_value   = offchain_value_of_edit,
  ratio_value_cost = offchain_value_of_edit /
    attack_cost)
#>  attack_cost_usd   offchain_value ratio_value_cost 
#>        24480.000      3000000.000          122.549

Laid out as a tidy ledger, the two sides of the threat model sit side by side and the mismatch is plain (Table 6.3).

knitr::kable(
  tibble::tibble(
    Quantity = c(
      'Small-chain hash rate (TH/s)',
      'Attack window (hours)',
      'Rental price (USD per TH/s-hour)',
      'Rental cost of the reorg (USD)',
      'Off-chain value of the edit (USD)',
      'Value-to-cost ratio'),
    Value = c(
      format(small_chain_hashrate_ths, big.mark = ',',
             scientific = FALSE),
      format(attack_window_hours),
      format(rent_per_ths_hour),
      format(round(attack_cost), big.mark = ',',
             scientific = FALSE),
      format(offchain_value_of_edit, big.mark = ',',
             scientific = FALSE),
      paste0(round(offchain_value_of_edit /
                     attack_cost), ' to 1'))),
  caption = paste('The hospital-consortium threat',
                  'model, SYNTHETIC, priced on both',
                  'sides of the ledger.'),
  align = c('l', 'r'))
Table 6.3: The hospital-consortium threat model, SYNTHETIC, priced on both sides of the ledger.
Quantity Value
Small-chain hash rate (TH/s) 400,000
Attack window (hours) 6
Rental price (USD per TH/s-hour) 0.02
Rental cost of the reorg (USD) 24,480
Off-chain value of the edit (USD) 3,000,000
Value-to-cost ratio 123 to 1

The rental cost of rewriting six hours of the small chain’s history is a few tens of thousands of dollars, while the off-chain value of the edit is some two orders of magnitude larger. The ratio is the whole argument: when the reward for corrupting the ledger dwarfs the cost of doing so, the economic security the chain was supposed to provide has evaporated, and the append-only record protects nothing that a determined and moderately funded party cannot undo. The signatures still verify; the integrity does not.

For high-stakes, low-on-chain-value health data, a permissioned design with legal accountability often dominates. If the participating institutions are known, credentialed, and legally liable (the hospitals, the trial sponsor, the regulator), the threat is not an anonymous majority coalition but a nameable party who can be audited, sued, and prosecuted. A permissioned ledger, or a well- governed replicated database with cryptographic audit logging, delivers tamper-evidence, the property actually wanted, without staking integrity on a hash-rate market the health system does not control. This is the negative result Chapter 1 promised the book would state candidly: for high-stakes health data, legal accountability in a permissioned design frequently dominates economic security in a small permissionless one, and the cost-of-attack calculation is how a statistician demonstrates the point rather than merely asserting it. We do not claim the permissioned design is free of its own difficulties, for concentrating custody re-introduces the trusted party the blockchain was meant to eliminate; we claim only that the economic accounting must be done before, not after, the architecture is chosen.

6.8 Worked example

We tie the chapter together by placing the two attack economies side by side and reading the selfish-mining threshold as a security parameter. The first computation contrasts a rental proof-of-work attack with the stock-at-risk proof-of-stake structure developed in Chapter 10, so the flow-versus-stock distinction is concrete.

library(tibble)

pos_attack_cost <- function(total_staked_usd,
                            slash_fraction = 1) {
  0.34 * total_staked_usd * slash_fraction
}

# Illustrative, not a live measurement.
tibble(
  mechanism = c('PoW rental (6h)',
                'PoW rental (24h)',
                'PoS stake-at-risk'),
  cost_usd = c(
    pow_attack_cost(4e8, 6,  0.02),
    pow_attack_cost(4e8, 24, 0.02),
    pos_attack_cost(1e11, 1)),
  recovered = c('most (hardware retains value)',
                'most (hardware retains value)',
                'little (slashed)'))
#> # A tibble: 3 × 3
#>   mechanism            cost_usd recovered                    
#>   <chr>                   <dbl> <chr>                        
#> 1 PoW rental (6h)      24480000 most (hardware retains value)
#> 2 PoW rental (24h)     97920000 most (hardware retains value)
#> 3 PoS stake-at-risk 34000000000 little (slashed)

The proof-of-work rows are a recoverable rental flow; the proof-of-stake row is capital largely destroyed on use. The numbers are illustrative, but the two columns encode the structural lesson of the chapter: a headline cost means little without knowing how much of it the attacker gets back.

The second computation reads the selfish-mining threshold as the security parameter it is, tabling the minimum safe hash-power share against the communication advantage.

gamma_seq <- c(0, 0.25, 0.5, 0.75, 1)

tibble(
  gamma = gamma_seq,
  safe_share_upper = selfish_threshold(gamma_seq),
  revenue_at_share =
    selfish_revenue(selfish_threshold(gamma_seq) +
                      1e-6, gamma_seq))
#> # A tibble: 5 × 3
#>   gamma safe_share_upper revenue_at_share
#>   <dbl>            <dbl>            <dbl>
#> 1  0               0.333       0.333     
#> 2  0.25            0.3         0.300     
#> 3  0.5             0.25        0.250     
#> 4  0.75            0.167       0.167     
#> 5  1               0           0.00000100

At each \(\gamma\), safe_share_upper is the largest share for which honest mining remains incentive-compatible, and it falls monotonically from \(1/3\) to \(0\) as the attacker’s propagation advantage grows. The revenue evaluated just above each threshold sits essentially at the honest baseline, confirming the threshold is where the two strategies cross. The single number a security assessment should quote is not 50 percent but this \(\gamma\)-dependent share, and producing it is the chapter’s deliverable.

6.9 Collaborating with an LLM

Language models are fluent on this material and also reliably wrong in specific ways. Three prompt patterns, each with what to watch for and how to verify.

Prompt. ‘Derive the selfish-mining profitability threshold and explain each step.’

Watch for. Models frequently quote the threshold as a flat \(1/3\) or \(25\) percent, dropping the dependence on the communication advantage \(\gamma\) entirely, and some conflate the Eyal-Sirer strategy with the later optimal policy of Sapirshtein et al. (2016) without noting the difference.

Verification. Check the stated threshold reduces to \((1-\gamma)/(3-2\gamma)\) and reproduces \(1/3\) at \(\gamma = 0\) and \(0\) at \(\gamma = 1\). Evaluate the closed form at a share just above the claimed threshold and confirm it exceeds \(\alpha\), as the worked example does.

Prompt. ‘Estimate the cost of a 51 percent attack on a given chain.’

Watch for. A confident single dollar figure that silently fixes a rental price, an attack window, and a hash rate without stating them, and that omits the cost-recovery point entirely, so the number reads as a pure loss when most of it is recovered.

Verification. Require the three inputs (hash rate, window, unit rental price) as explicit arguments, recompute with the transparent helper, and insist the answer separates the gross cost from the net unrecovered cost.

Prompt. ‘Is putting our patient registry on a blockchain more secure than a database?’

Watch for. An answer that treats ‘blockchain’ as uniformly high-integrity and skips the cost-of- attack scaling, missing that a small chain’s security budget may be trivial relative to the value of corrupting a health record.

Verification. Ask the model to state the chain’s approximate 51 percent rental cost and compare it to the off-chain value of altering a record. If it cannot, treat its security claim as a narrative and apply the permissioned-alternative analysis above.

6.10 Exercises

  1. Boundary of the majority attack. Starting from the catch-up probability \((q/p)^{z}\) for \(q < p\), show that as \(q \to 1/2\) the probability tends to \(1\) for every fixed \(z\), and interpret why no finite confirmation depth protects a transaction against a majority.

  2. Cost scaling. Using pow_attack_cost, derive how the attack cost scales if a merchant doubles its required confirmation depth (and hence the attack window). Confirm the linear scaling numerically and explain the connection to the confirmation-depth policy of Chapter 4.

  3. Reproduce the threshold algebraically. Starting from \(R(\alpha, \gamma) > \alpha\) with the closed form given, derive the profitability threshold \((1-\gamma)/(3-2\gamma)\). Verify your derivation against selfish_threshold at \(\gamma \in \{0, 0.5, 1\}\).

  4. Selfish mining by simulation. Implement the selfish-mining Markov chain on the miner’s lead over the public chain, simulate it for a few thousand blocks at \(\alpha = 0.35\) and several \(\gamma\), and estimate the miner’s realised relative revenue. Compare the estimates to selfish_revenue and report the agreement to simulation noise.

  5. Pooling and variance. Model solo mining reward over a fixed horizon as a compound Poisson process and quantify the reduction in the coefficient of variation of reward when a miner joins a pool holding \(k\) times its hash power. Discuss how this variance incentive drives the centralisation pressure of the chapter.

  6. Health-ledger threat model. For a hypothetical patient-consent registry, estimate the 51 percent rental cost of hosting it on a small chain with a stated hash rate, estimate the off-chain value of corrupting a consent record, and write a short recommendation comparing the permissionless option to a permissioned ledger with legal accountability. Be explicit about which assumptions your recommendation is most sensitive to.

6.11 Further reading

Eyal & Sirer (2014) is the primary source for selfish mining and should be read first; the Markov-chain derivation of the relative-revenue formula reproduced here is worth working through in full, because the modelling choices are where the result’s assumptions live. Sapirshtein et al. (2016) recasts the problem as a Markov decision process and solves for the optimal withholding policy, showing the Eyal-Sirer strategy is not always optimal and lowering the profitability threshold further; read it for how much the honest-majority assumption actually buys. Gervais et al. (2016) is the quantitative security-performance framework, and the source to consult before claiming any parameter change is a free improvement. Bonneau et al. (2015) is the systematisation-of-knowledge survey that organises Bitcoin’s stability and incentive results into a common framework, and is the best single map of the territory. The reference textbook throughout, Narayanan et al. (2016), treats mining incentives and the 51 percent attack with the rigor this chapter aims to extend, and its treatment of pool economics and centralisation pressure complements the game- theoretic framing developed here.

6.12 In conclusion

In conclusion, three points are to be emphasized. First, the security of a shared ledger, whether Bitcoin’s or the trial ledger’s, is an economic guarantee resting on a stated behavioural and distributional model, and it must never be allowed to borrow the near-certainty of the cryptographic guarantee that sits beside it; the two answer different questions, and conflating them is the field’s most common error. Second, the headline ‘51 percent’ is the wrong security parameter for proof-of-work: selfish mining moves the operative threshold to \((1-\gamma)/(3-2\gamma)\), at most a third and possibly near zero, and a serious assessment must quote this propagation-dependent share rather than the folklore number. Third, for high-stakes health data whose off-chain value exceeds the on-chain security budget, legal accountability in a permissioned design frequently dominates economic security in a small permissionless one; the cost-of-attack calculation developed here is the instrument by which the statistician decides the question honestly, and it should be carried out before an architecture is chosen, not after.