Research on the Incentive Attack of the Blockchain of Work Volume Proof (PoW)

Translator's Foreword: The unlicensed workload proof (PoW) blockchain represented by Bitcoin not only faces the threat of 51% attack, but also the possibility of bribery attacks, especially the transaction sorting and exclusion attacks have caused A lot of attention, in this regard, the researchers systematically analyzed and classified bribery attacks and similar technologies (collectively called incentive attacks), and proposed three improved versions of the incentive attack method, which proves the problem domain. It has not been fully explored. Compared to previous bribery attacks, these new ways of attacking through smart contracts not only do not require trust, but also greatly reduce the cost of attack. This suggests that only honest and Byzantine actors are assumed to accurately reflect the security attributes of unlicensed PoW cryptocurrencies.

The original authors are from SBA Research, Imperial College London, University College London, IC3 and IOHK. The full list of researchers is as follows: 9


(Image courtesy of

The following is a translation of the paper:


In 2016, the feasibility of a cryptocurrency bribery attack was first proposed. Since then, the academic community has proposed various new techniques and methods. A recent 51% attack on small cryptocurrencies in the real world highlights the threat of current bribery attacks, especially for unlicensed cryptocurrencies.

This paper systematically analyzes and classifies bribery attacks and similar technologies (collectively referred to as incentive attacks). In addition, we have proved that the problem area has not been fully explored by proposing several new and improved incentive attacks.

We consider incentive attacks (without forks and near forks) as a powerful but neglected category. In particular, transaction sorting and exclusion attacks have caused academics to have serious security concerns about state-of-the-art cryptocurrencies such as smart contract platforms.

In addition, we propose the first untrusted out-of-band bribery attack, which promotes double-flowered collusion between different blockchains, even in the event of failure, to compensate the collaborators. .

Therefore, the cost of such an attack is 85% to 95% cheaper than similar bribery techniques such as whale attacks. In addition, we implemented the basic building blocks of all out-of-band attacks as Ethereum smart contracts to demonstrate their viability.

First, the introduction

"As long as the total CPU power jointly controlled by the honest nodes exceeds any of the collaborative group attacker nodes, the system is safe." – Nakamoto Satoshi [25].

Although research on the field of cryptocurrencies is increasing, it is still unclear whether Bitcoin (and Nakamoto Satoshi consensus) has incentive compatibility under actual conditions, and whether the expected attributes of the system come from the appropriate practical model of miners [ 10]. Bribery attacks, especially target incentive compatibility, assume that at least some miners act rationally, that is, they accept bribes to maximize profits. If the attacker and all bribery miners can get considerable computing power, the attack can be successful even in a short period of time. Therefore, the economic viability of obtaining most computing power is effectively emphasized through events such as Crypto51, especially for small PoW currencies.

Another serious cause of concern is the transaction sorting and exclusion attacks (eg [19]), which can be performed as a (near-forked or no-forked) stimulus attack. Therefore, the opponent's goal is to bribe the miners so that they can build new (effective) blocks in a way that is good for the opponent. A special form of this type of attack, known as front-running, is often emphasized and analyzed in recent research, focusing on its application to the Ethereum platform [12, 14].

The possibility of rational miners (without trust) to auction their block offers (ie, votes) to the highest bidders raises the fundamental security of most unlicensed blockchains and claims.

To date, most of the incentive attacks have focused on optimizing the utility of participants. In this article, we also consider how bribery can undermine the design of the mechanism and lead to the deviation of rational participants from the rules. To this end, we first systematically reveal the subject of research on bribery, front running, Goldfinger, and other related attacks. These techniques can be summarized as general term incentive attacks because they all intend to tamper with the incentives of rational actors in the system.

This article systematically proposes incentive attacks, three of which are newly proposed, two of which are unbranched and near-forked stimulus attacks that were previously not fully represented.

The third, the first, is a double-flowered collusion attack that encourages no trust in an out-of-band scenario.

In addition, we have introduced three key enhancements for motivating attacks: (i) short-lived mining relays, as a mechanism to perform trust-free, time-limited, cross-chain incentive attacks, and (ii) even if the attack fails, It also ensures that miners who are bribed can receive payments, which actually reduces the cost of such attacks, and (iii) crowdfunding attacks that further reduce the individual cost of implementing incentive attacks.

1.1 Overview of the paper

The paper begins with an overview of the commonalities of the general system model assumptions that are often analyzed and newly proposed for stimulus attacks (Section 2).

Section 3 systematically analyzes and compares literature on bribery attacks and related attacks.

In Section 4, we first outline the new pay-to-win attacks, including the main technical requirements that must be met.

Sections 5, 6 and 7 detail how to use these techniques to attack the current cryptocurrency.

In the eighth section, the paper will be discussed in general, and the final section 9 is the concluding remark.

Note: The original paper also provides extensive details on implementation (short mining relay) and assessment of individual attacks in the appendix, and readers are interested to view the original text.

Second, the general system model

For all analytics and proposed stimuli attacks, we use the following general system model. If the analyzed attack deviates from this model, it will be highlighted when describing the attack. We also introduced additional assumptions and necessary conditions related to the attack.

These incentive attacks are conducted for unlicensed proof of work (POW) cryptocurrencies. In other words, we assume that the protocol follows the design principles of Bitcoin [25] and is often referred to as the Nakamoto consensus or the Bitcoin base protocol [17, 26, 31].

Among the cryptocurrencies that were attacked, we distinguished miners who participated in the consensus agreement and tried to solve the POW problem and clients who did not participate in such activities. As with previous studies on bribery attacks [9, 21, 23, 32], we assume that a group of miners are fixed and that their respective computing power in the network remains the same. To abstract from the currency details, we use the term value as the common face value for a certain number of cryptocurrencies or any other out-of-band funds (such as fiat money).

Miners and clients may have a cryptographic currency unit and can transfer this value by creating and broadcasting a valid transaction in the network.

Moreover, as in previous work, such as [21, 23, 33], we make a simplifying assumption that the exchange rate of the currency remains constant during the attack.

The participating miners are divided into three groups, and their roles remain unchanged during the attack. Classification follows the BAR (Byzantine, altruistic, rational) [5, 20] model.

  1. Byzantine miners or attackers (Blofeld) : Attacker B wants to perform an incentive attack on the target cryptocurrency , and B controls the bribe fund (FB > 0), which can be in-band or out-of-band depending on the attack scenario. It has some or no power in the target cryptocurrency (α ≥ 0). The attacker may arbitrarily deviate from the rules of the agreement.
  2. Altruism or Honest Miner (Alice) : Honest Miner A always follows the rules of the agreement, so they will not accept bribes, and mining in different chain states, they will not deviate from the rules (even if this will bring more Big profit). Miner A controls some or no control power (β ≥ 0) in the target cryptocurrency.
  3. Rational or bribery miners (Rachel) : The power of Miner R in the target cryptocurrency is ω ≥ 0, which maximizes short-term profits. We believe that if the miners follow a strategy that deviates from the rules of the agreement, they are “bribeable” as long as they expect higher profits than honest miners. Among the attacked cryptocurrencies, the bridging miners have a power of ω > 0.

In the analysis, we assume that miners who can bribe will not engage in other rational strategies (such as selfish mining).

In addition, we assume that the victim of a bribery attack (Vincent) is a client who has no power. While other bribery attacks model the victim as an honest miner, we also distinguish the victims of reason for a more detailed description and subsequent analysis. If Vincent has a certain amount of computational power and models it, it can be considered part of beta or ω. And α + β + ω = 1 .

Whenever we call an attack no trust, it means that there is no need to trust a third party between the briber and the bribe to ensure that the correct payment is performed for the desired behavior.

Therefore, our goal is to design an incentive attack that allows attackers and conspirators to have no incentive to betray each other in an economically reasonable situation.

2, 1 communication and timing (Communication and Timing)

Participants pass a peer-to-peer gossip network, and we assume that the network implements reliable broadcast capabilities. We further assume that all miners in the target cryptocurrency are fully aware of the attack after the attack has begun. Similar to [17], we model the opponent Blofeld as “rushing”, which means that it can see the information of all other participants, such as executing an attack, before deciding on the decision.

If multiple cryptocurrencies are involved in the scenario under consideration, ie an additional cryptocurrency fund is used to plan and fund the attack on the target cryptocurrency, then we assume that their respective average block interval and mining difficulty are It remains unchanged during the attack.

In addition, there was no simultaneous attack on cryptocurrency financing.

Third, the incentive attack systematization

Incentive attacks are a common form of bribery attacks [9], including confrontational strategies designed to manipulate the motivations of rational participants.

Here, we first introduce a general classification from two different dimensions, namely the expected impact of the attack on the transaction and its ordering and the required interference, and the depth of the block chain reorganization caused by the fork to make the attack successful.

Combined with other important features and methods, the article systematically analyzes and classifies the research subjects of incentive manipulation attacks.

3, 1 expected impact on the transaction

The core goal of an unlicensed PoW cryptocurrency is to (finally) implement a consistent and fully ordered transaction log and define the global state of the shared ledger.

We distinguish the following three main types of incentive attacks, designed to manipulate transactions and their order:

  1. Transaction revision : change a previously issued, possibly confirmed transaction;
  2. Trading order : change the proposed or agreed transaction order;
  3. Transaction exclusion : Exclude specific transactions from the ordered log of the transaction within a limited time or indefinitely;

Some incentive attacks may allow multiple types of trading operations to occur simultaneously (see Table 1). The ability to invalidate a transaction can be considered as a result of successful execution of one or more of the above transaction manipulation attacks and does not require a separate category.

3, 2 necessary interference to the consensus

While the former transaction manipulation attack described the expected impact, here we need to consider the required interference to reach a consensus.

Specifically, we introduced three different fork requirements.

  1. A deep fork is required, where a depth l is required to exceed the fork of the safety parameter k (ie, l > k). The victim defines k[16,30] and indicates the number of confirmed blocks required to accept the transaction;
  2. Need near fork (Near-fork) , where the required fork depth does not depend on the victim-defined k (ie l ≤ k);
  3. No need for bifurcation , no blockchain reorganization at all (ie k=0);

Attacks that do not require a fork are distinguished from the other two types of attacks by manipulating the miner's block proposal rather than a (preliminary) consensus decision (ie, the mined block). The deep and near-forked attack attempts to undo the book status update that has been confirmed by the continuous workload proof.

Some attacks, such as front-running pre-transactions or transaction revisions (victims accept k=0) attacks, can be performed as a split-free attack.

Others, such as double-flowering in the case of a victim's careful choice of k[30], may need to materially influence the consensus and violate security assumptions, but the probability is negligible [16].

Classification and comparison of 3 and 3 attacks

Based on the expected shocks and the required disturbances, we classify and we consider the work related to incentive manipulation attacks. As part of the discussion, we also introduced other features. Table 1 shows the previously proposed classifications, as well as our latest "pay-to-win" attacks.

Each of these rows represents a different attack, and each column outlines their respective attributes.

Section 3.1 provides an overview of transaction revisions, transaction sequencing, and transaction exclusion. In the literature, several bribery attacks are designed to replace or modify a particular transaction, that is, to perform a double-flower transaction [9, 21, 23].

Therefore, they do not consider the order or exclusion of defining arbitrary transactions. Despite the existence of a double flower transaction, the content of subsequent blocks can be freely defined by bribery miners.

As a result, these miners can also perform a double transaction of a transaction for free by exploiting the attack from the original attacker.

GoldfingerCon [23] can be seen as a special case of trade exclusion attacks that reward bitcoin miners and exploit empty blocks with the help of Ethereum smart contracts.

Similarly, PitchWorks [18] uses combined mining to subsidize the creation of empty (or specially crafted) blocks in the attacked chain [18].

Script puzzle 38.2% [32] and the CensorshipCon attack [23] distracted the computing power of bribery miners to gain the advantage of the remaining honest miners.

Both attacks allow arbitrary transactions to be sorted and excluded, but require opponents to control more power than the rest of the miners.

Depth forks and trade revisions are not considered directly, which requires further analysis.

The only attack that was previously implemented to implement these three attributes is the Script Puzzle double [32]. However, once such attacks are successfully carried out, rational miners are deprived of bribes, making the attack impossible to repeat.

Section 3.2 outlines the need for chain reorganization and classifies attacks that use near or deep forks when implementing an attack.

The classic double flower attack scene [28, 30] requires deep forks (l > k) to reorganize the chain. Since the attacker has complete control over the computing power required to execute the attack, he can also order the trades arbitrarily and exclude the trade from the longest chain.

Depending on the scenario and the desired attack result, for example, only sorting is relevant, then deep forks are not necessarily required.

For example, the order of unconfirmed transactions can be manipulated without the need for forks, such as performing front running [14]. At present, researchers have not conducted in-depth research on the sorting attack of smart contract cryptocurrency [29].

In this paper, we summarize this ability in the context of motivating attacks and analyze how to implement it (Section 5).

As shown in Table 1, there are three attacks requiring α > 0. The Script Puzzle 38.2% attack allows the adversary to build a computational majority with the right amount of computation, and to obtain a net profit without considering a double-flower attack. In (Script Puzzle), the opponent has no minimum computational requirements, but it is designed to be a single-shot double-flower attack. CensorshipCon also requires the attacker's power to include the uncle block from the rational miner. Since it must contain all the unearthed blocks, it requires the attacker's power to be greater than 1/3, and the bribery miner's calculations can be bribed. In [1/3, 2/3).

Note that it makes sense to limit the attacker's power to less than 1/2, otherwise the attacker does not need to perform a bribery attack, which can complete the attack on the chain by itself.

A minimum proportion of rational miner ω required for an attack to have a chance to succeed, as described and evaluated in this paper. In general, all bribery attacks must assume that at least some miners are rational in order to make bribes. Note that the Script Puzzle attack requires all miners to be rational, ie α + ω = 1.

Moving the power from the valid tip of the attacked blockchain to some other form of puzzle or alternate branch does not contribute to state transitions. For example, the CensorshipCon block in the CensorshipCon example, or another Pitchforks in the Pitchforks example.


Table 1: For stimuli attacks on cryptocurrencies, we compare the existing scheme with the newly proposed P2W scheme. If it is, the attribute is marked as ✓, if not, it is marked as ✗, and the symbol ~ indicates that there is no further detail or In the case of discussion, attributes cannot be clearly mapped to any previously defined categories. The symbol ⋆ indicates that the attack is directed at the mine pool and therefore does not intend to manipulate the chain. The symbol † indicates that the paper does not explicitly specify an out-of-band payment method, but assumes its correctness.

A smart contract is required for all attacks that require a smart contract to run as expected.

Payment, specifying the place to pay the bribe taker. Rewards can be in-band, that is, in each cryptocurrency that is attacked, or out-of-band, such as through a different cryptocurrency payment.

It can be said that miners do not want attacks to affect the value of their receiving password currency, so out-of-band incentives are especially important.

The fact that the attacker does not need to trust means whether there is a conspiracy/bribery miner to exploit the attack itself to make a profit without complying with the attack. For example, a script puzzle attack requires some form of freshness guarantee to prevent the bribe from deliberately waiting for the attack to fail before calculating the puzzle solution to get the reward. It is also possible to ask for rewarding old, honest blocks that were later submitted to the CensorshipCon as a master.

The need for no trust between the collaborators means that the bribe taker does not have to trust the attacker and receive payment after they execute the attack. In a Checklocktime bribery attack, an adversary can attempt to deceive by creating a conflict/race transaction. However, such an attempt is only possible when the attacker controls the power of α > 0.

The same is true for Whale Transaction, because the attacker must provide new high-cost transactions for each block on the attack chain at each step of the attack.

Although HistoryRevisionCon does not explicitly consider the mistrust of conspirators, an enhancement is possible. CensorshipCon requires the attacker to include the blocks generated by the conspiracy miners, so there is no need to trust.

The Script Puzzles double-flower attack was designed as a one-time attack by a fraud conspirator.

The Script Puzzles 38.2% attack does not specify how to pay, and assumes an out-of-band payment method that does not require trust.

In a front-running pre-trade attack, an attacker cannot guarantee that the required ordering is achieved at a high cost.

Subsidy means that the attack exploits certain characteristics of the cryptocurrency or environment and becomes cheaper.

In the case of CensorshipCon, rewards from the uncle block were used to subsidize the attack, while in Pitchforks, the extra income from the combined mining was used as an incentive.

Compensates if attack fails, meaning that at least some of the bribes are unconditionally paid to the bribe taker.

In order to successfully hire rational miners, such as Checklocktime [9], whale [21], and HistoryRevisionCon [23], participants must be compensated, even if the final result of the attack is a failure.

As of now, no attacks that support transaction revisions can implement this property.

If the Script Puzzle double-strike attack succeeds, it will defraud the mined miner and will pay the reward if it fails.

In a Front-running attack, even if the required sorting effect is not achieved, it usually results in high transaction costs. Therefore, in this case, it is an attribute that the attacker does not need.

3, 4 main observations

It can be observed that most bribery attacks scenes either focus on transaction revisions or focus on transaction exclusions, but simply sort transactions as a by-product. A notable exception is the front-running attack, which we believe is a subset of possible (re)ordering attacks. For example, consider pinpointing a transaction between two other transactions.

An example of such an attack can be found in [29], which also describes a vulnerability in a blocked contract.

In general, as long as a valid block is generated, any miner can freely define the order and transaction set to be included in his own block proposal.

In this article, a particularly interesting scenario is that an attacker can manipulate the order of transactions, and the attackers themselves are not miners. We have not yet understood and discussed the trading sorting attacks on smart contract cryptocurrencies [29], but in practice we are observable [12, 14].

A notable exception to the exclusion of trading attacks is the CensorshipCon [23].

In addition, we also observed the lack of out-of-band incentive attacks. In addition to the Goldfinger attack, the only technology available, the attacker needs to master a lot of computing power. Note: Proof-of-stale-blocks [22] represents a special case for the mine.

In theory, all attacks that perform payment out of band can be used to initiate a Goldfinger-style attack because the recipient's remuneration is not directly related to the value of the attacked cryptocurrency.

The question of whether such an attack is profitable depends on the external utility that the failed cryptocurrency can produce.

In the following, we propose new incentive attacks for different scenarios.

Fourth, PAY-TO-WIN incentive attack

We propose three incentives that do not require attackers and collusion miners to trust each other and win rewards. In addition, we distinguish between in-band attacks (that is, funding and enforcement of attacks within the same cryptocurrency) and out-of-band attacks (that is, attacks that are funded and coordinated on different cryptocurrencies).

This type of attack does not require the attacker to control any computational power, that is, a = 0.

This section provides an overview of such attacks, the required technical and operational requirements. Sections 5-7 detail the structure of these attacks: (i) a general overview of the attack, (ii) a step-by-step description, (iv) an attack assessment, and (v) an attack analysis attribute.

4, 1 P2W attack overview

In-Band Attack: We introduced a new in-band attack method that can be executed and coordinated on the smart contract workload proof blockchain.

In-Band Deal Sorting: This type of attack (Section 5) motivates in-band non-forked trade sorting: if the attacker asks for an unconfirmed trade, the conspiracy miner is rewarded.

Compared to front running [12], this attack uses smart contracts to directly reward miners as long as the correct sorting conditions are maintained. Current front-running attacks can be viewed as full-pay auctions [12], where lost transactions (ie, their execution fails) also unnecessarily pay high fees.

Out-of-Band Attack: We distinguish the target cryptocurrency (where the attack will be executed) from the funding cryptocurrency (where the attack will be coordinated and paid). Although the funding cryptocurrency must support smart contracts (such as Ethereum), the target cryptocurrency (such as Bitcoin) has no requirements. In fact, out-of-band attacks are hard to find because they require monitoring multiple blockchains that support smart contracts.

Out-of-Band Transaction Exclusion/Sorting: This attack (Section 6) proposes an out-of-band transaction exclusion attack in which an attacker can also specify the order in which the transactions are included. This may be used to review certain transactions (such as closing a payment channel) or to perform multiple front-running attacks immediately. To perform an attack, we describe how an attacker builds a smart contract that temporarily rewards an attacker-defined block on the target cryptocurrency.

We call this technique an ephemeral mining relay because it combines elements from the pool and chain relay (see the end of this section).

Out-of-band transaction revisions: Finally, we describe an out-of-band transaction revision attack (Section 7) that directly promotes a double-flowered collusion attack: miners are bribed by attackers to another blockchain to mine their favored branch areas Piece. This technology combines the techniques previously introduced to create a more powerful attack.

We show how to build it to always reward conspirators, regardless of the outcome of the attack. Interestingly, this makes the cost of the attack significantly lower, because when the attack fails, the necessary compensation for the collusion is reduced.

4, 2 technical requirements

The technical requirements that need to be used in the three types of trust-free attacks mentioned above are summarized as follows:

(1) A block in the block interval (on the target chain) defined by the attacker, verified in a way that does not require trust:

(a) performing a state transition (eg, a transaction is included in the blockchain);

(b) no state transition has occurred (for example, does not include a transaction);

(2) A method of trust-free that uniquely attributes the block to the miner's address, and a method of mapping the latter to the corresponding address in the sponsored cryptocurrency.

(3) A method of transferring the value of the subsidized cryptocurrency to the untrusted method of the funded cryptographic currency address uniquely owned by the conspiracy miner company (see point 2)

(4) A method of determining the target cryptocurrency state without trust after the T blocks are dug up on the attacker's predefined block (ie, the longest chain). This means that it is possible to verify the PoW of the target cryptocurrency in a smart contract that finances the cryptocurrency.

(5) A method of trust-free determination of the target cryptocurrency attack state after T-blocks are dug up on the attacker's predefined block (ie, the attack chain anchored on this particular block).

Ephemeral mining relay: In order to verify the results of the attack and pay the rewards correctly in an untrusted out-of-band scenario, we introduced the concept of a short-lived relay. The short-lived relay is a smart contract that combines the functions of chain relays [2, 11, 36] and the pool [22, 34].

However, compared to previous proposals, the mining relay can fully verify the consensus rules of the target cryptocurrency by limiting the allowed block structure. In addition, it tracks all ongoing blockchain branches, which is a necessary feature to properly validate an incentive attack. A more detailed description of the short-lived relay structure is provided in Appendix G.1 of the paper, as well as a proof-of-concept implementation and cost analysis deployed on the Ethereum to verify the bitcoin blockchain.

Based on the implementation results, this additional verification cost is approximately $1 per block, which is negligible compared to the potential economic benefits of the incentive attack.

Five, in-band transaction sorting

This "no-fork" attack, in contrast to the front-running attack [12, 14], pays additional rewards for miners to reorder unconfirmed transactions. In the front-running attack, the opponent increased the chances that their transaction was first accepted by increasing the transaction fees paid to the miners. However, the result is a full-pay auction: even if the attack fails, the miners can put the high-fee transaction into the block.

Therefore, the attacker must always pay the fee, but it has nothing to do with the attack result [12]. In contrast, the newly proposed attack ensures that the attacker pays the conspiring miner only when the attack is successful (ie, if the order of transactions required is achieved).

5, 1 attack description

Initialization: The opponent (Blofeld) observes the p2p network and launches an attack after seeing the victim's (Vincent) transaction txV. He wants to pre-register a domain name or interact with the exchange through a front-running attack (snap or snap) . First, Blofeld released his front-running transaction txB. At the same time, he uses two transaction identifiers, the required order (txB < txV), the block into which the transaction was included, and a bribe ε to issue and initialize the attack contract. Once the contract to create the transaction has been dug up, (i) the configuration is no longer changeable, and (ii) the bribe is locked until the end of the attack. This is necessary to prevent an attacker from attempting to defraud a miner by changing the payment terms after the attack is executed.

Attack: If the attack is successful, the conspiracy miner will generate a block with the desired transaction order.

Note: Even if the victim attempts to update the original transaction txV with tx'V by the replace by fee [4], the txV will still be valid and the miner can choose to include it in the block. Therefore, as long as the payment terms are met, the rational miners will incorporate txB and txV in the prescribed order, as this will result in the highest return.

Expenditure: After k blocks (k is the blockchain security parameter defined by the attacker in this example), the miners can ask for their compensation, and the smart contract will first check if the order of the two transactions is in compliance.

5, 2 evaluation

5.2.1 Evaluation only in the case of rational miners (ω = 1) : First, we assume a scenario in which all miners are rational, that is, they are bribes. The miners were motivated to collude with the attackers because the contract guarantees a ε > 0 award in addition to normal mining.

Participation in this type of attack does not require mining on another fork, so the conspiracy miner does not face the additional risk that the block he is mining is judged to be invalid. The miner can also include unconfirmed attack contract creation transactions in the same block as the sorting attack itself, and if its block becomes part of the longest chain, it can still determine whether to pay.

5.2.2 Assessment in the presence of altruistic miners (ω+β=1) : In theory, this attack is feasible in the presence of bribery miners (ω>0), but the higher the proportion of computing power The chances of success will be greater.

If 2/3 of the computing power is controlled by a rational miner, then the probability of successful attack is expected to be 2/3. There will be more relevant analysis in Section C of the Appendix.

5, 3 characteristics and analysis

We will now analyze the possible defensive strategies of the victim (Vincent). Specifically, we considered the possibility of anti-bribery.

Immediate Counter Bribing: As long as the new block is not mined, the victim can immediately commit anti-bribery through the same attack mechanism, which is an effective countermeasure against this attack. Here, an English auction (price increase auction) was conducted between the attacker and the victim, rather than a full payment auction observed in other front-running attacks.

This defensive strategy requires the victim Vincent to actively monitor the P2P network and immediately realize the attack.

Delayed Counter Bribing: If the victim Vincent has only one SPV (Simplified Payment Verification [25]) wallet, he may only be able to identify the attack after the attacker has dug a new block in the order of the transaction. Vincent has no power, he can't directly launch counterattacks to fork their respective blocks. Therefore, the cost of its successful anti-bribery attack is already much higher than the cost of the original attacker Blofeld. In addition, from the bribery attack described in Section 3 above, in this case, Vincent has no direct applicable attack. For a cost analysis of removing such a block from the chain, see Appendix C of the original paper.

Six, out of band transaction exclusion and sorting

In this section, we describe how to construct an out-of-band stimulus attack that promotes transaction exclusion and sorting. This type of attack is superior to previous attacks in some respects: for example, for an attacker who tries to incorrectly close an out-of-chain payment channel (ie, issues an old/invalid state) but prevents the victim from performing regular penalties. Class attacks may be profitable [13, 24, 27].

The advantage of out-of-band attacks is that they can be funded by any smart contract cryptocurrency, while attacks occur on different target cryptocurrencies. As a victim, such attacks are difficult to detect, and they must monitor multiple blockchains that support smart contracts. To improve readability, we use Bitcoin (target cryptocurrency) and Ethereum (funding cryptocurrency) as examples to describe the following attacks. As described in Section 4, we rely on a short-lived relay to reliably verify the status of the target cryptocurrency, the correct execution of the attack, and the processing of payments to the conspirators. For more information on relays, see Appendix G. 1 and F).

6, 1 attack description

Initialization: The attacker's target prevents unconfirmed transactions txV from being included in newly mined blocks in Bitcoin (target chain). The attacker initializes an attack intelligence contract by specifying a block template, and only when the conspiracy bitcoin miner uses it can it be rewarded. This allows the attacker to have full control over the content of the dig block, including the ordering of the transactions and whether they are included. For each block template, the corresponding bribes are conditionally locked into smart contracts, and as long as the miners provide an effective solution, they can get compensation independent of the outcome of the attack.

For Bitcoin block templates, the attacker posts an incomplete block header to the attack contract and the corresponding coinbase transaction. The latter is necessary to allow conspirators to include their own Ethereum payment address in the block template, because if a valid block is submitted later, the smart contract will be responsible for the payment.

The miners involved in the attack can only freely change the nonce and coinbase fields (including the Ethereum address) in the generated Bitcoin block.

We point out that an attacker must obtain a Bitcoin block reward instead of a conspiracy miner. Instead, the colluder will receive a bribe in the Ethereum attack contract to compensate for the Bitcoin block reward. This requires an additional bribe payment guarantee so that the conspiracy miners do not need to trust the attack because rational miners may not be able to verify whether bribery of the block template they dig will result in an effective block.

In the original papers G.1 and F, we provide more detailed information about the block template structure.

Attack: Rational miners submit valid bitcoin blocks to the attack intelligence contract on Ethereum based on the attacker's block template, by briefly mining relays (to verify that they form a valid chain).

Since there may be multiple miners competing for the same block template, they will be motivated to release any valid POW solutions they find in a timely manner.

If the bribery attack is successful as a whole, then the attack contract will pay an additional ε bribe for each solution, which is an additional incentive for the bribe to release the solution in a timely manner. The motive for an attacker to release a solution with relevant complete blocks on the target chain comes from the rewards it receives directly and the benefits of a successful attack.

In each step, the attacker updates the Bitcoin block template each time it is submitted to the attack contract, and can add additional bribes if needed.

If no new template is submitted, the attack stops. Figure 1 provides a schematic of the ongoing visualization.


Figure 1: The ongoing, failed blockchain structure and schedule, and a successful out-of-band transaction exclusion and sorting attack. When the attack contract is released in block e0, the attack is initialized. Multiple block modules can be included in a single block, as shown by e3. Expenditure is executed in block eT. The colored block will be rewarded by the attack contract, or only its original value, or if the attack is successful, an additional bribe is obtained, ie the return is (1 + ε).

We note that the target chain and the funding chain may be out of sync, ie, two or more bitcoin blocks are dug up before finding a single Ethereum block. Therefore, an attacker can also publish a block template for multiple blocks in advance (retaining a reference to the last block filled by the miner).

Expenditure: Similar to the example of an in-band attack, once the k bitcoin block is dug after the attack is over, the miner can ask for payment in the attack contract (k is the attacker-defined security parameter).

This attack intelligence contract is responsible for verifying the validity of the submitted blocks, that is, the consistency of their PoWs with the specified block template, and all blocks form a valid attack chain. If the submitted block is valid, the attack contract will reward the miner (even if the attack chain does not succeed as the main chain), that is, the conspiracy miner is not at risk.

In any case, the first miner who submits a valid POW for the respective block template will receive a value equivalent to the full Bitcoin block reward (regardless of whether the attack failed), and if the attack is successful, an additional A ε bribe.

6, 2 attack assessment

6.2.1 Evaluation only in the case of rational miners (ω = 1) : First, we assume a scenario in which all miners are rational, that is, they can be bribed. Once the smart contract is initialized, they can immediately understand the attack. As mentioned earlier, each time an attacker submits a block template, it locks a bribe to ensure that the miner is not at risk of payment and is motivated to join the attack. For the duration of the attack in N blocks, we can pay the colleague Blofeld's Ethereum funds (budget) by evaluating the worst case scenario (ie, the attack runs N blocks but still fails). Note that only the attacker knows the exact value of N.

The necessary attack budget and the cost of a failed attack: If the attack fails, the budget of the attack contract must cover and compensate for the loss bonus (for Taiyuan payments) for each bitcoin attack chain block. The initial funds of the attacker fB, and the expected return of each bitcoin block rb (including fees), define the maximum duration of the attack N based on the compensable attack chain block:


Therefore, the collusion stipulates the operating costs of smart contract deployment and execution (such as the cost of gas in Ethereum). Compared to current block rewards, the operational costs of managing smart contracts are negligible considering the metrics in [23] and Appendix G.1. Suppose the attacker wants to specify the order of transactions in Bitcoin or exclude some transactions within an hour (ie, N = 6). Therefore, the lower limit of the attacker's budget can be derived from the current block reward, including the transaction fee: rb = 14 BTC, then 1 hour of income ≈ 84 BTC is the lower budget limit of the attack.

The cost of a successful attack: Interestingly, the lower limit of the budget only needs to make up for potential losses in the event of an attack failure, but if the attack is successful, the attacker will receive a block reward on the main chain to compensate for the rewards that must be paid to the bribery miner. Therefore, the cost of a successful attack is derived from the N · rb main chain block, and the reward paid to the briber miner must be paid in N · (rb + ε):


Since we assume rational miners, the success rate of attacks in this case is iff ε > 0. In order for the attack to succeed, the amount va obtained by transaction sorting or transaction seizure must exceed c(success).

At first glance, regardless of the outcome of the attack, the attacker must pay the conspiracy miner. We can assume that the cost of the attacker is high compared to other bribery plans. However, this ensures that miners are not exposed to risk of participation. Unlike existing bribery attacks, this only requires a low-value bribe to encourage miners to participate in the attack.

6.2.2 Assessment in the presence of altogether miners (ω+β=1) : We now discuss a more realistic scenario where not all miners will immediately turn to the attack chain, and some of the miners behave unselfishly.

Altruistic miners follow the rules of the agreement, and only when the attack chain becomes the longest chain in the network, they switch to the attack chain, they will not try to optimize revenue, which is the opposite of rational miners.

Blocks of altruistic miners may also contain transactions and transaction sequences that are not welcomed by attackers.

Therefore, an attacker may have to exclude blocks of these miners, providing a template that intentionally separates these blocks. If the altruistic miners find a block, the attacker and the conspiracy miner must dig into two blocks, making the attack chain the longest chain (the altruistic miners will follow). Therefore, the required fork depth is equal to 1.


Figure 2: Probability of different computational forces ω chasing a block on yaxis (log scale) in n blocks on the x-axis. The dashed line is the maximum probability of catching up a block after an infinite number of (n=∞) blocks (ie (ω/β)^2).

Based on the attacker's budget, we derive the probability that the attack chain will compete with the altruistic miners. The attack chain must find two more blocks than the altruistic backbone, but this must be done within the upper limit of n blocks (maximum funding attack duration).

Each new block is respectively attached to the main chain of the probability β and the attack chain of the probability ω β + ω = 1). Therefore, we look for all block sequences that may be attached to any chain and calculate the sum of the probabilities of the sequences that lead to a successful attack.

In a successful attack, i ∈ N blocks are added to the main chain, and k+i+1 blocks are added to the attack chain. The probability of such an attack is:


Observe a series of successful attacks, where the i block is added to the main chain and the k+i+1 block is added to the attack chain. For any prefix that is strictly shorter than the entire sequence, the number of additional blocks in the attack chain is less than k+1, otherwise the attack will end soon. Therefore, the last block in a successful attack is always attached to the attack chain. The number of combinations of such sequences is similar to the Catalan number, and the difference between the starting points is k:


Assuming that an attacker can only fund up to N blocks on the attack chain, the probability of a successful attack is given by the following formula:


Figure 2 summarizes the probability that different computational forces ω capture a block. It can be observed that N quickly approaches the maximum achievable probability of chasing a block in an infinite number of blocks, ie (ω/β)^2) according to [25, 28]. Based on these calculations, the attacker can decide whether to extend the attack time, increase N, and win the ongoing game with a higher probability.

6, 3 characteristics and analysis

We now analyze the important features of this approach.

Counterattack: The most effective countermeasure against transaction exclusion is to increase the cost of txV beyond the value promised by the attack contract. However, the benefit of this attack is that it can be performed out of band. As a result, victims may not be aware of such attacks, and they may only be monitoring the target cryptocurrency. Therefore, it can be said that the counterattack of the victims is difficult to implement because they cannot immediately realize the bribe funds provided by the attackers for conspiring miners.

Transaction Review DoS: In this section, we treat Bitcoin as a target, but in essence, the attack also applies to other types of cryptocurrencies. (Quasi-) Turing complete smart contract cryptocurrency, theoretically more resistant to censorship than Bitcoin's UTXO model, because they allow complex and diverse interaction patterns to trigger state changes. We believe that on the basis of this discussion, the transaction review should use Ethereum as a target cryptocurrency. Then, even if the transaction or its respective side effects can accurately identify and agree that all mine work is an unwanted behavior, in this case, there is a possibility that the victim may launch a denial of service attack.

The effect of a transaction can be represented by multiple layers of smart contract calls and interactions. Therefore, the problem arises, and miners can only understand the unnecessary behavior of the transaction by first assessing the state change of the transaction. If the resulting behavior is to be reviewed, the miner must roll back all changes and cannot charge transaction fees for their efforts. As a result, an attacker can waste every reviewer's resources without losing money. It is impossible to solve this problem directly without changing the consensus rules, but by basing based on the block module (as described in this section), the problem is transferred from the conspiracy rational miner to the attacker. Therefore, an attacker can choose to include only simple transactions, and he is convinced that these transactions cannot hide any unwanted activities, such as all value transfer transactions, calls to known contracts, such as ERC20 tokens.

Liveness: In general, the activity of chain relays generally depends on submitting new blocks to improve their state. Therefore, if the relay is in a lack of state due to the lack of committed data blocks, the long-range attack will have a higher success rate because the attacker will get extra time to calculate the long false link. The likelihood of an attack in a chain relay lacking state depends on the relevant funds.

In our specific example, activity is not an issue because the duration of the attack is limited and the definition is good.

In addition, participants have an incentive to provide the correct information to the repeater in a timely manner. For example, consider a rational miner R who digs a block template for b'3. Then R has the motivation to submit this template solution to POW in time because he is competing with other rational miners to provide incentives and bribes. Since the extra bribes can only be paid when the attack is successful, this further motivates the rational miners to release the solution in a timely manner.

In addition, in this case, the attacker can stop publishing new block templates at any stage to reduce their losses, in case the attack may fail.

7. Out-of-band transaction revision

The purpose of this attack is to bribe the miner to create a block on the blockchain branch of the target cryptocurrency, and the attacker performs a double flower.

The novelty of this attack comes from three aspects:

(i) Funds used to reward dishonesty and conspiracy during a double-flower attack are paid using the sponsored cryptocurrency, not the target cryptocurrency itself.

(ii) Funding for attacks is done through smart contracts to minimize the attacker's trust assumptions and the risk of miners participating in the attack: the conspiracy miner does not have to trust the attacker, even if the attack fails, the attack smart contract can also ensure bribery. Miners can get block rewards, making this attack cheaper than similar bribery attacks.

(iii) In addition, the use of smart contracts also opens up the possibility of crowdfunding or multiple double-attack attempts to merge into a single coordinated attack, further reducing costs or the number of participants.

7, 1 attack description

Figure 3 shows the stage of the attack and two different results.


Initialization phase: First, the attacker (Blofeld) creates an uninitialized attack contract and publishes it to the Ethereum blockchain.

This is done through a deployment transaction contained in an Ethereum data block e0 of the Ethereum account controlled by the attacker. Then, Blofeld created a pair of conflicting bitcoin transactions. The consumer transaction txB was immediately posted on the main chain in the form of bitcoin, and the double transaction tx'B was kept secret.

After the victim-defined k-block validation period, Blofeld issued an initialization transaction on the Bitcoin main chain that irrevocably defines the attack conditions in the Ethereum chain smart contract. Block e1 represents the first block on the Ethereum chain after the release of the bitcoin block bk.

The contract is initialized with K+1 new Bitcoin block templates, each carrying a transaction from the original chain to collect the fee, but not including txA, but containing the conflicting transaction tx'B.

Collusion miners can now freely mine on these block templates, where they can change the nonce and coinbase fields to find valid POWs and include their payment Ethereum addresses.





攻击阶段:被贿赂的矿工现在开始在攻击链上开采k + 1个区块,如果在主链上发现额外的块,攻击者可使用k+2到N块的新区块模板更新攻击合约,其中N是攻击者可资助的最大攻击区块数。







  1. 攻击失败(主链获胜):在这种情况下,合约必须完全补偿被贿赂的矿工,因为他们的攻击链已经失效了。每个在攻击链上挖矿并成功提交一个区块的合谋矿工都将获得该区块的奖励,而没有额外的贿赂金ϵ;
  2. 攻击成功(攻击链获胜):如果攻击链获胜,则合约执行以下操作:完全补偿(奖励+费用=1)矿工从b1开始切换到攻击链后,经历k个主链区块的奖励,2) 支付合谋矿工每个攻击链区块的贿赂金,在本例子中是从b′1到b′k+2 个区块,全部区块的奖励加上额外的ϵ作为贿赂金。







  1. 必须确保每个为实现双花攻击而投资资金的协作攻击者确实有一定的机会使其个人的双花交易成功,即,如果合约使用了其投资的资金,则一笔双花交易必须得执行;
  2. 必须确保攻击不会因协作攻击者而失败,以防他们破坏整个攻击,即参与者不可能导致攻击失败;
  3. 攻击不应依赖任何受信任的第三方;


如果恢复至少k + 1个区块的资金目标已经达成,攻击将如前所述开始。由于初始化合约的攻击者必须为包含双花交易的链生成新的区块,因此必须实现一些方法,确保其他攻击者的交易包含在b′1当中。在附录F中,我们描述了一种方法,该方法要求原始攻击者提供与他想要收集的资金一样高的抵押品,即fB。因此,这可以确保其他攻击者仅在其交易真正包含在b′1 区块的新链中时支付。否则,将从初始攻击者提交的抵押品中退款。

7、2 攻击评估

与第6节中的评估类似,我们现在开始评估攻击成功概率以及攻击所产生的成本。我们再次分成两种情况: (i)我们假设只有理性矿工存在,然后评估攻击,(ii)考虑存在利他主义矿工的情况,然后进行评估。

7.2.1 只有理性矿工情况下的评估(ω = 1) :当调整k作为攻击受害者定义的安全参数时,可得出攻击者fB 所需资金的下限,类似于第6节中的评估。


对于比特币,通常的k选择为k=6,而当前的区块奖励(包括交易费用)约为rb = 14,这为≈98 BTC ST的预算提供了一个下限,以下不等式成立:


攻击成功的成本和盈利能力:同样,预算的下限只需要在攻击失败时弥补潜在的损失。但是,如果攻击成功,它会比这个下限要便宜。成功攻击的成本由k · rb的主链区块给出,该主链块必须在攻击链上得到补偿,再加上额外的N · ϵ贿赂金。


最初的k补偿是必要的,以提供所有切换到攻击链上生产区块的矿工。由于我们假设的都是理性矿工,那么这种情况下的攻击总是成功的,前提是N ≥ k +1保持,且ϵ > 0。

对于比特币,这意味着,在k=6,rb=14,且ϵ = 0.0001的情况下,成功进行双花的成本≈ 84.0007 BTC。为了使成功的攻击有利可图,双花的值必须大于用于贿赂的值。而在比特币交易中,我们经常会看到超过84 BTC的交易。


7.2.2 存在利他矿工情况下的评估(ω+β=1) :图4显示了可贿赂算力ω的不同值,以及贿赂矿工可奖励或补偿的不同数量块的攻击成功概率。攻击开始后主链上的确认区块数设置为k=6。显然,攻击需要N > k才能成功。与经典的51%攻击一样,一旦可贿赂算力超过50%的阈值,并且应付区块数N增加,则攻击最终会成功。


图4: 双花攻击成功的概率,取决于贿赂攻击中可补偿或奖励N区块的数量。可贿赂算力ω的不同值,会造成不同的攻击成功率。确认区块数设置为6.


表2显示了与[21]中描述的鲸鱼攻击(whale attack)的对比。可以观察到,与鲸鱼攻击相比,当ω变大时,我们的攻击变得更便宜,因为我们更快地达到所需的概率,因此所支付的贿赂金就会更少。此外,如果攻击成功,我们的攻击成本低于攻击开始时为补偿所有合谋矿工(如果攻击失败)所需的预算(fB)。

因此,这种攻击的成本要比鲸鱼攻击(whale attack)要便宜85%到95%。




7、3 特性与分析




八、 讨论










Relevant information

[1] [nd]. Average Number Of Transactions Per Block. https://www.blockchain. com/en/charts/n-transactions-per-block. Accessed 2019-05-10.

[2] [nd]. BTC Relay. Accessed 2018-04-17.

[3] [nd]. CoinMarketCap: Cryptocurrency Market Capitalizations. https:// Accessed 2019-05-10.

[4] [nd]. Replace by Fee. Accessed 2019-05-11.

[5] Amitanand S Aiyer, Lorenzo Alvisi, Allen Clement, Mike Dahlin, JeanPhilippe Martin, and Carl Porth. 2005. BAR fault tolerance for cooperative services. In ACM SIGOPS operating systems review, Vol. 39. ACM, 45– 58. 20Tolerance%20for%20Cooperative%20Services%20-%20UIUC.pdf

[6] Adam Back, Matt Corallo, Luke Dashjr, Mark Friedenbach, Gregory Maxwell, Andrew Miller, Andrew Poelstra, Jorge Timón, and Pieter Wuille. 2014. Enabling blockchain innovations with pegged sidechains. 2014/11/http-_____-___-_www___-blockstream___-com__-_sidechains.pdf Accessed: 2016-07-05.

[7] Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer. 2012. From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In Proceedings of the 3rd Innovations in Theoretical Computer Science Conference. ACM, 326–349.

[8] Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer. 2013. Recursive composition and bootstrapping for SNARKs and proof-carrying data. In Proceedings of the forty-fifth annual ACM symposium on Theory of computing. ACM, 111–120.

[9] Joseph Bonneau. 2016. Why buy when you can rent? Bribery attacks on Bitcoin consensus. In BITCOIN '16: Proceedings of the 3rd Workshop on Bitcoin and Blockchain Research.

[10] Joseph Bonneau. 2018. Hostile blockchain takeovers (short paper). In 5th Workshop on Bitcoin and Blockchain Research, Financial Cryptography and Data Security 18 (FC). Springer.

[11] Vitalik Buterin. 2016. Chain Interoperability. Chain+Interoperability.pdf Accessed: 2017-03-25.

[12] Philip Daian, Steven Goldfeder, Tyler Kell, Yunqi Li, Xueyuan Zhao, Iddo Bentov,Lorenz Breidenbach, and Ari Juels. 2019. Flash Boys 2.0: Frontrunning, Transaction Reordering, and Consensus Instability in Decentralized Exchanges. arXiv preprint arXiv:1904.05234.

[13] Christian Decker and Roger Wattenhofer. 2015. A fast and scalable payment network with bitcoin duplex micropayment channels. In Symposium on SelfStabilizing Systems. Springer, 3–18.

[14] Shayan Eskandari, Seyedehmahsa Moosavi, and Jeremy Clark. 2019. SoK: Transparent Dishonesty: front-running attacks on Blockchain. arXiv preprint arXiv:1902.05164.

[15] Uriel Feige, Amos Fiat, and Adi Shamir. 1988. Zero-knowledge proofs of identity. Journal of cryptology 1, 2 (1988), 77–94.

[16] Juan Garay, Aggelos Kiayias, and Nikos Leonardos. 2015. The bitcoin backbone protocol: Analysis and applications. In Advances in Cryptology-EUROCRYPT 2015. Springer, 281–310.

[17] Juan A. Garay, Aggelos Kiayias, and Nikos Leonardos. 2016. The Bitcoin Backbone Protocol with Chains of Variable Difficulty. Accessed: 2017-02-06.

[18] Aljosha Judmayer, Nicholas Stifter, Philipp Schindler, and Edgar Weippl. 2018. Pitchforks in Cryptocurrencies: Enforcing rule changes through offensive forking- and consensus techniques (Short Paper). In CBT'18: Proceedings of the International Workshop on Cryptocurrencies and Blockchain Technology. judmayer2018pitchfork_2018-09-05.pdf

[19] Aashish Kolluri, Ivica Nikolic, Ilya Sergey, Aquinas Hobor, and Prateek Saxena. 2018. Exploiting The Laws of Order in Smart Contracts. arXiv:1810.11605.

[20] Harry C Li, Allen Clement, Edmund L Wong, Jeff Napper, Indrajit Roy, Lorenzo Alvisi, and Michael Dahlin. 2006. BAR gossip. In Proceedings of the 7th symposium on Operating systems design and implementation. USENIX Association, 191–204.

[21] Kevin Liao and Jonathan Katz. 2017. Incentivizing blockchain forks via whale transactions. In International Conference on Financial Cryptography and Data Security. Springer, 264–279.

[22] Loi Luu, Yaron Velner, Jason Teutsch, and Prateek Saxena. 2017. SMART POOL : Practical Decentralized Pooled Mining. Accessed: 2017-03-22.

[23] Patrick McCorry, Alexander Hicks, and Sarah Meiklejohn. 2018. Smart Contracts for Bribing Miners. In 5th Workshop on Bitcoin and Blockchain Research, Financial Cryptography and Data Security 18 (FC). Springer. papers/bitcoin18-final14.pdf

[24] Andrew Miller, Iddo Bentov, Ranjit Kumaresan, and Patrick McCorry. 2017. Sprites: Payment Channels that Go Faster than Lightning. 1702.05812.pdf Accessed: 2017-03-22.

[25] Satoshi Nakamoto. 2008. Bitcoin: A Peer-to-Peer Electronic Cash System. https: // Accessed: 2015-07-01.

[26] Rafael Pass, Lior Seeman, and abhi shelat. 2016. Analysis of the Blockchain Protocol in Asynchronous Networks. Accessed: 2016-08-01.

[27] Joseph Poon and Thaddeus Dryja. 2016. The bitcoin lightning network. Accessed: 2016-07-07.

[28] M. Rosenfeld. 2014. Analysis of Hashrate-Based Double Spending. https: // Accessed: 2016-03-09.

[29] Ilya Sergey, Amrit Kumar, and Aquinas Hobor. 2018. Temporal Properties of Smart Contracts. In Leveraging Applications of Formal Methods, Verification and Validation. Industrial Practice – 8th International Symposium, ISoLA 2018, Limassol, Cyprus, November 5-9, 2018, Proceedings, Part IV. 323–338. papers/temporal-isola18.pdf

[30] Yonatan Sompolinsky and Aviv Zohar. 2016. Bitcoin's Security Model Revisited. Accessed: 2016-07-04.

[31] Nicholas Stifter, Aljosha Judmayer, Philipp Schindler, Alexei Zamyatin, and Edgar Weippl. 2018. Agreement with Satoshi – On the Formalization of Nakamoto Consensus. Cryptology ePrint Archive, Report 2018/400. 2018/400.pdf

[32] Jason Teutsch, Sanjay Jain, and Prateek Saxena. 2016. When cryptocurrencies mine their own business. In Financial Cryptography and Data Security (FC 2016).

[33] Itay Tsabary and Ittay Eyal. 2018. The gap game. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. ACM, 713–728.

[34] Yaron Velner, Jason Teutsch, and Loi Luu. 2017. Smart contracts make Bitcoin mining pools vulnerable. In International Conference on Financial Cryptography and Data Security. Springer, 298–316.

[35] Fredrik Winzer, Benjamin Herd, and Sebastian Faust. 2019. Temporary Censorship Attacks in the Presence of Rational Miners. Cryptology ePrint Archive, Report 2019/748.

[36] Alexei Zamyatin, Dominik Harz, Joshua Lind, Panayiotis Panayiotou, Arthur Gervais, and William J. Knottenbelt. 2018. XCLAIM: Trustless, Interoperable Cryptocurrency-Backed Assets. Cryptology ePrint Archive, Report 2018/643.