This paper addresses a critical flaw in Bitcoin's incentive compatibility, first highlighted by Eyal and Sirer (2014). While their SM1 strategy demonstrated profitable selfish mining, this work proves it is not optimal. We present a generalized model and an algorithm to find ε-optimal selfish mining policies, establishing tighter bounds on profitability and revealing a lower computational power threshold for successful attacks than previously known.
Understanding selfish mining requires grounding in Bitcoin's consensus mechanism and prior attack models.
Bitcoin relies on a Proof-of-Work (PoW) consensus where miners compete to solve cryptographic puzzles. The first to solve a puzzle broadcasts a new block, claiming a block reward and transaction fees. The protocol mandates immediate block publication. The longest chain rule resolves forks.
Eyal and Sirer's SM1 strategy involves a miner withholding a newly mined block, creating a private chain. The attacker reveals blocks strategically to orphan honest blocks, claiming a disproportionate share of rewards. Their analysis suggested a profitability threshold of ~25% of the network's hash rate for a well-connected attacker.
We extend the selfish mining model into a Markov Decision Process (MDP) framework, allowing for a more comprehensive search of the strategy space.
The system state is defined by the lead of the attacker's private chain over the public chain. Actions include: Adopt (abandon private chain), Override (publish to overtake public chain), Wait (continue mining privately), and Match (publish just enough to tie). The model incorporates the attacker's relative computational power $\alpha$ and the network propagation factor $\gamma$.
We formulate the problem as a discounted infinite-horizon MDP. Using value iteration or policy iteration algorithms, we compute an ε-optimal policy $\pi^*$ that maximizes the attacker's relative revenue $R(\alpha, \gamma, \pi)$. The algorithm's output dictates the optimal action (Wait, Adopt, Override, Match) for every possible state (lead $l$).
~23%
Hash share needed for profit (Our Model)
~25%
Hash share needed for profit (SM1)
>0%
Vanishes under realistic delay models
Our optimal strategies consistently yield a lower profitability threshold than SM1. For a typical propagation factor ($\gamma=0.5$), the threshold drops from approximately 25% to about 23%. This 2% difference is significant, bringing more potential attackers into the profitable zone.
The derived policies strictly dominate SM1. The key improvement is more sophisticated "attack withdrawal"—knowing precisely when to abandon a private chain (Adopt) to cut losses, rather than persisting dogmatically as SM1 often does. This adaptive behavior increases expected revenue across all $\alpha$ and $\gamma$ values.
Under a model incorporating network propagation delays, the profit threshold effectively vanishes. Even miners with negligible hash power ($\alpha \rightarrow 0$) have a probabilistic incentive to occasionally withhold blocks, as delays create natural forks they can exploit. This reveals a more fundamental incentive misalignment in Nakamoto consensus.
The core of the analysis is the state transition model and revenue function. The relative revenue $R$ of an attacker with hash power $\alpha$ following policy $\pi$ is:
$R(\alpha, \gamma, \pi) = \frac{\text{Expected blocks earned by attacker}}{\text{Expected total blocks created}}$
The state is the lead $l$. Transition probabilities depend on $\alpha$ and honest miners finding blocks. For example, from state $l=1$:
Key Chart 1: Relative Revenue vs. Hash Power (α)
A line chart comparing the relative revenue $R$ of the optimal policy (from our algorithm) against the SM1 policy and honest mining. The optimal policy curve lies strictly above the SM1 curve for all $\alpha > 0$. The curves intersect the honest mining line (where $R = \alpha$) at different points, visually demonstrating the lower threshold of the optimal policy.
Key Chart 2: State Transition Diagram
A directed graph showing states (l=0,1,2,...) and the optimal actions (labeled on edges: Wait, Override, Adopt, Match) as determined by the algorithm for a specific ($\alpha$, $\gamma$). This diagram concretely shows the non-trivial decision logic, such as adopting from a lead of 1 under certain conditions—a counter-intuitive move not in SM1.
Scenario: A mining pool "AlphaPool" controls $\alpha = 0.24$ of the network hash rate. The network propagation factor is $\gamma=0.6$ (meaning AlphaPool learns of 60% of honest blocks immediately).
SM1 Strategy: AlphaPool would follow a rigid rule: mine privately with a lead, publish to override when ahead by 2. Analysis shows this yields $R_{SM1} \approx 0.239$, which is less than its hash share (0.24), making it unprofitable vs. honest mining.
Optimal Policy (from our algorithm): The computed policy $\pi^*$ might dictate: From a lead of 1, if an honest block is found, immediately Match (publish) to create a tie and compete in the next round, rather than waiting. This subtle change alters the transition probabilities. The resulting revenue is $R_{opt} \approx 0.242$, which is greater than 0.24. The attack becomes profitable.
Insight: This case demonstrates how optimal, state-dependent decision-making can turn a theoretically unprofitable hash share into a profitable one, purely through strategic block publication.
Protocol Design & Countermeasures: This work provides a tool to stress-test proposed Bitcoin improvements (e.g., GHOST, Inclusive Blockchain protocols) against optimal selfish mining, not just SM1. The analysis of Eyal and Sirer's suggested countermeasure shows it is less effective than hoped, guiding future research towards more robust fixes.
Beyond Bitcoin: The MDP framework is applicable to other Proof-of-Work blockchains (e.g., Litecoin, Bitcoin Cash) and can be adapted to study strategic behavior in Proof-of-Stake (PoS) systems, where analogous "block withholding" or "equivocation" attacks may exist.
Combined Attacks: Future work must model the interplay between selfish mining and double-spending attacks. A selfish miner with a private chain has a natural platform for attempting double-spends, potentially increasing the attacker's utility and lowering the barrier for both attacks.
Decentralization & Pool Dynamics: The lower threshold increases centralization pressure. Large pools are incentivized to employ these optimal strategies, and smaller miners are incentivized to join them for stable returns, creating a feedback loop that undermines decentralization—a core security premise of Bitcoin.
Sapirshtein et al. have delivered a masterclass in protocol stress-testing, moving beyond the specific exploit (SM1) to model the entire space
The paper's logic is impeccable and devastating. 1) Model Generalization: They correctly identify SM1 as a single point in a vast strategy space. By framing the problem as a Markov Decision Process (MDP)—a technique with pedigree in AI and control theory, akin to the frameworks used in groundbreaking works like the CycleGAN paper for exploring image translation spaces—they unlock the ability to search this space systematically. 2) Algorithmic Solution: The value iteration algorithm isn't just a tool; it's a proof mechanism. It doesn't assume a strategy; it derives the optimal one from first principles. 3) Threshold Compression: The output is clear: optimal strategies dominate SM1, lowering the bar for profitability. 4) The Delay Killshot: The final move, incorporating network delays, is the coup de grâce. It shows that in a non-instantaneous world (i.e., reality), the economic incentive to occasionally deviate from the protocol is universal, not exceptional.
Strengths: The methodological rigor is top-tier. The MDP model is the right tool for the job, providing a formal, computable foundation that previous heuristic analyses lacked. The consideration of network delays bridges a critical gap between theory and practice, aligning with observations from network measurement studies like those from institutions like the IC3 (Initiative for Cryptocurrencies & Contracts). The paper's utility as a "security analyzer" for protocol modifications is a major practical contribution.
Flaws & Blind Spots: The analysis, while deep, is still a two-player game (attacker vs. honest "rest"). It doesn't fully grapple with the dynamic, multi-pool equilibrium that characterizes Bitcoin today. What happens when multiple large pools all run optimal (or learning) selfish strategies against each other? The model also simplifies the cost of attack withdrawal (orphaning your own blocks), which may have non-linear psychological or reputational costs for pools. Furthermore, as noted by later research (e.g., Gervais et al., 2016), the analysis assumes a static α; in reality, hash power may flee a chain perceived as attacked, dynamically altering the attacker's share.
For Protocol Developers: Stop patching for SM1. You must design for the optimal strategy. This paper provides the benchmark. Any proposed fix (e.g., new fork choice rules like GHOST) must be evaluated against this MDP framework. The goal should be to make the honest strategy a Nash equilibrium for any α > 0, a far higher bar than currently held.
For Miners & Pool Operators: The calculus has changed. The 25% "safety" guideline is obsolete. Pools with as little as 20% hash power, especially those with good connectivity (high γ), must now consider the economic temptation of strategic withholding. The ethical and game-theoretic implications of not running the optimal policy become a boardroom discussion.
For Investors & Regulators: Understand that Bitcoin's security budget (miner rewards) is under a more sophisticated form of economic attack than previously acknowledged. The risk of mining centralization is not linear; it's subject to strategic tipping points revealed by this research. Monitoring pool behavior and network propagation times becomes a critical security metric.
In conclusion, this paper isn't just an academic improvement on prior work; it's a paradigm shift. It moves the discussion from "Can a big pool cheat?" to "How does everyone's optimal strategy, in an imperfect network, constantly strain the protocol's incentives?" The answer, unfortunately, is "significantly." The burden of proof now lies with defenders to demonstrate that Nakamoto consensus, in its current form, can be made truly incentive-compatible.