Research on the Incentive Attack of the Blockchain of Work Volume Proof (PoW)

Translator's Foreword: The unlicensed workload proof (PoW) blockchain represented by Bitcoin not only faces the threat of 51% attack, but also the possibility of bribery attacks, especially the transaction sorting and exclusion attacks have caused A lot of attention, in this regard, the researchers systematically analyzed and classified bribery attacks and similar technologies (collectively called incentive attacks), and proposed three improved versions of the incentive attack method, which proves the problem domain. It has not been fully explored. Compared to previous bribery attacks, these new ways of attacking through smart contracts not only do not require trust, but also greatly reduce the cost of attack. This suggests that only honest and Byzantine actors are assumed to accurately reflect the security attributes of unlicensed PoW cryptocurrencies.

The original authors are from SBA Research, Imperial College London, University College London, IC3 and IOHK. The full list of researchers is as follows:

(Image courtesy of pxhere.com)

• Dash CEO: The Chainlock protocol can reduce network attacks by 51%, Dash security or higher than Bitcoin
• Under the attack of Facebook and Google advertising giants, how does Vidy use the blockchain to seize a piece of highland? 丨 chain node AMA
• A "three-nation kill" incident triggered by a quarterly destruction of BNB

The following is a translation of the paper:

Summary

In 2016, the feasibility of a cryptocurrency bribery attack was first proposed. Since then, the academic community has proposed various new techniques and methods. A recent 51% attack on small cryptocurrencies in the real world highlights the threat of current bribery attacks, especially for unlicensed cryptocurrencies.

This paper systematically analyzes and classifies bribery attacks and similar technologies (collectively referred to as incentive attacks). In addition, we have proved that the problem area has not been fully explored by proposing several new and improved incentive attacks.

We consider incentive attacks (without forks and near forks) as a powerful but neglected category. In particular, transaction sorting and exclusion attacks have caused academics to have serious security concerns about state-of-the-art cryptocurrencies such as smart contract platforms.

In addition, we propose the first untrusted out-of-band bribery attack, which promotes double-flowered collusion between different blockchains, even in the event of failure, to compensate the collaborators. .

Therefore, the cost of such an attack is 85% to 95% cheaper than similar bribery techniques such as whale attacks. In addition, we implemented the basic building blocks of all out-of-band attacks as Ethereum smart contracts to demonstrate their viability.

First, the introduction

"As long as the total CPU power jointly controlled by the honest nodes exceeds any of the collaborative group attacker nodes, the system is safe." – Nakamoto Satoshi [25].

Although research on the field of cryptocurrencies is increasing, it is still unclear whether Bitcoin (and Nakamoto Satoshi consensus) has incentive compatibility under actual conditions, and whether the expected attributes of the system come from the appropriate practical model of miners [ 10]. Bribery attacks, especially target incentive compatibility, assume that at least some miners act rationally, that is, they accept bribes to maximize profits. If the attacker and all bribery miners can get considerable computing power, the attack can be successful even in a short period of time. Therefore, the economic viability of obtaining most computing power is effectively emphasized through events such as Crypto51, especially for small PoW currencies.

Another serious cause of concern is the transaction sorting and exclusion attacks (eg [19]), which can be performed as a (near-forked or no-forked) stimulus attack. Therefore, the opponent's goal is to bribe the miners so that they can build new (effective) blocks in a way that is good for the opponent. A special form of this type of attack, known as front-running, is often emphasized and analyzed in recent research, focusing on its application to the Ethereum platform [12, 14].

The possibility of rational miners (without trust) to auction their block offers (ie, votes) to the highest bidders raises the fundamental security of most unlicensed blockchains and claims.

To date, most of the incentive attacks have focused on optimizing the utility of participants. In this article, we also consider how bribery can undermine the design of the mechanism and lead to the deviation of rational participants from the rules. To this end, we first systematically reveal the subject of research on bribery, front running, Goldfinger, and other related attacks. These techniques can be summarized as general term incentive attacks because they all intend to tamper with the incentives of rational actors in the system.

This article systematically proposes incentive attacks, three of which are newly proposed, two of which are unbranched and near-forked stimulus attacks that were previously not fully represented.

The third, the first, is a double-flowered collusion attack that encourages no trust in an out-of-band scenario.

In addition, we have introduced three key enhancements for motivating attacks: (i) short-lived mining relays, as a mechanism to perform trust-free, time-limited, cross-chain incentive attacks, and (ii) even if the attack fails, It also ensures that miners who are bribed can receive payments, which actually reduces the cost of such attacks, and (iii) crowdfunding attacks that further reduce the individual cost of implementing incentive attacks.

1.1 Overview of the paper

The paper begins with an overview of the commonalities of the general system model assumptions that are often analyzed and newly proposed for stimulus attacks (Section 2).

Section 3 systematically analyzes and compares literature on bribery attacks and related attacks.

In Section 4, we first outline the new pay-to-win attacks, including the main technical requirements that must be met.

Sections 5, 6 and 7 detail how to use these techniques to attack the current cryptocurrency.

In the eighth section, the paper will be discussed in general, and the final section 9 is the concluding remark.

Note: The original paper also provides extensive details on implementation (short mining relay) and assessment of individual attacks in the appendix, and readers are interested to view the original text.

Second, the general system model

For all analytics and proposed stimuli attacks, we use the following general system model. If the analyzed attack deviates from this model, it will be highlighted when describing the attack. We also introduced additional assumptions and necessary conditions related to the attack.

These incentive attacks are conducted for unlicensed proof of work (POW) cryptocurrencies. In other words, we assume that the protocol follows the design principles of Bitcoin [25] and is often referred to as the Nakamoto consensus or the Bitcoin base protocol [17, 26, 31].

Among the cryptocurrencies that were attacked, we distinguished miners who participated in the consensus agreement and tried to solve the POW problem and clients who did not participate in such activities. As with previous studies on bribery attacks [9, 21, 23, 32], we assume that a group of miners are fixed and that their respective computing power in the network remains the same. To abstract from the currency details, we use the term value as the common face value for a certain number of cryptocurrencies or any other out-of-band funds (such as fiat money).

Miners and clients may have a cryptographic currency unit and can transfer this value by creating and broadcasting a valid transaction in the network.

Moreover, as in previous work, such as [21, 23, 33], we make a simplifying assumption that the exchange rate of the currency remains constant during the attack.

The participating miners are divided into three groups, and their roles remain unchanged during the attack. Classification follows the BAR (Byzantine, altruistic, rational) [5, 20] model.

1. Byzantine miners or attackers (Blofeld) : Attacker B wants to perform an incentive attack on the target cryptocurrency , and B controls the bribe fund (FB > 0), which can be in-band or out-of-band depending on the attack scenario. It has some or no power in the target cryptocurrency (α ≥ 0). The attacker may arbitrarily deviate from the rules of the agreement.
2. Altruism or Honest Miner (Alice) : Honest Miner A always follows the rules of the agreement, so they will not accept bribes, and mining in different chain states, they will not deviate from the rules (even if this will bring more Big profit). Miner A controls some or no control power (β ≥ 0) in the target cryptocurrency.
3. Rational or bribery miners (Rachel) : The power of Miner R in the target cryptocurrency is ω ≥ 0, which maximizes short-term profits. We believe that if the miners follow a strategy that deviates from the rules of the agreement, they are “bribeable” as long as they expect higher profits than honest miners. Among the attacked cryptocurrencies, the bridging miners have a power of ω > 0.

In the analysis, we assume that miners who can bribe will not engage in other rational strategies (such as selfish mining).

In addition, we assume that the victim of a bribery attack (Vincent) is a client who has no power. While other bribery attacks model the victim as an honest miner, we also distinguish the victims of reason for a more detailed description and subsequent analysis. If Vincent has a certain amount of computational power and models it, it can be considered part of beta or ω. And α + β + ω = 1 .

Whenever we call an attack no trust, it means that there is no need to trust a third party between the briber and the bribe to ensure that the correct payment is performed for the desired behavior.

Therefore, our goal is to design an incentive attack that allows attackers and conspirators to have no incentive to betray each other in an economically reasonable situation.

2, 1 communication and timing (Communication and Timing)

Participants pass a peer-to-peer gossip network, and we assume that the network implements reliable broadcast capabilities. We further assume that all miners in the target cryptocurrency are fully aware of the attack after the attack has begun. Similar to [17], we model the opponent Blofeld as “rushing”, which means that it can see the information of all other participants, such as executing an attack, before deciding on the decision.

If multiple cryptocurrencies are involved in the scenario under consideration, ie an additional cryptocurrency fund is used to plan and fund the attack on the target cryptocurrency, then we assume that their respective average block interval and mining difficulty are It remains unchanged during the attack.

In addition, there was no simultaneous attack on cryptocurrency financing.

Third, the incentive attack systematization

Incentive attacks are a common form of bribery attacks [9], including confrontational strategies designed to manipulate the motivations of rational participants.

Here, we first introduce a general classification from two different dimensions, namely the expected impact of the attack on the transaction and its ordering and the required interference, and the depth of the block chain reorganization caused by the fork to make the attack successful.

Combined with other important features and methods, the article systematically analyzes and classifies the research subjects of incentive manipulation attacks.

3, 1 expected impact on the transaction

The core goal of an unlicensed PoW cryptocurrency is to (finally) implement a consistent and fully ordered transaction log and define the global state of the shared ledger.

We distinguish the following three main types of incentive attacks, designed to manipulate transactions and their order:

1. Transaction revision : change a previously issued, possibly confirmed transaction;
2. Trading order : change the proposed or agreed transaction order;
3. Transaction exclusion : Exclude specific transactions from the ordered log of the transaction within a limited time or indefinitely;

Some incentive attacks may allow multiple types of trading operations to occur simultaneously (see Table 1). The ability to invalidate a transaction can be considered as a result of successful execution of one or more of the above transaction manipulation attacks and does not require a separate category.

3, 2 necessary interference to the consensus

While the former transaction manipulation attack described the expected impact, here we need to consider the required interference to reach a consensus.

Specifically, we introduced three different fork requirements.

1. A deep fork is required, where a depth l is required to exceed the fork of the safety parameter k (ie, l > k). The victim defines k[16,30] and indicates the number of confirmed blocks required to accept the transaction;
2. Need near fork (Near-fork) , where the required fork depth does not depend on the victim-defined k (ie l ≤ k);
3. No need for bifurcation , no blockchain reorganization at all (ie k=0);

Attacks that do not require a fork are distinguished from the other two types of attacks by manipulating the miner's block proposal rather than a (preliminary) consensus decision (ie, the mined block). The deep and near-forked attack attempts to undo the book status update that has been confirmed by the continuous workload proof.

Some attacks, such as front-running pre-transactions or transaction revisions (victims accept k=0) attacks, can be performed as a split-free attack.

Others, such as double-flowering in the case of a victim's careful choice of k[30], may need to materially influence the consensus and violate security assumptions, but the probability is negligible [16].

Classification and comparison of 3 and 3 attacks

Based on the expected shocks and the required disturbances, we classify and we consider the work related to incentive manipulation attacks. As part of the discussion, we also introduced other features. Table 1 shows the previously proposed classifications, as well as our latest "pay-to-win" attacks.

Each of these rows represents a different attack, and each column outlines their respective attributes.

Section 3.1 provides an overview of transaction revisions, transaction sequencing, and transaction exclusion. In the literature, several bribery attacks are designed to replace or modify a particular transaction, that is, to perform a double-flower transaction [9, 21, 23].

Therefore, they do not consider the order or exclusion of defining arbitrary transactions. Despite the existence of a double flower transaction, the content of subsequent blocks can be freely defined by bribery miners.

As a result, these miners can also perform a double transaction of a transaction for free by exploiting the attack from the original attacker.

GoldfingerCon [23] can be seen as a special case of trade exclusion attacks that reward bitcoin miners and exploit empty blocks with the help of Ethereum smart contracts.

Similarly, PitchWorks [18] uses combined mining to subsidize the creation of empty (or specially crafted) blocks in the attacked chain [18].

Script puzzle 38.2% [32] and the CensorshipCon attack [23] distracted the computing power of bribery miners to gain the advantage of the remaining honest miners.

Both attacks allow arbitrary transactions to be sorted and excluded, but require opponents to control more power than the rest of the miners.

Depth forks and trade revisions are not considered directly, which requires further analysis.

The only attack that was previously implemented to implement these three attributes is the Script Puzzle double [32]. However, once such attacks are successfully carried out, rational miners are deprived of bribes, making the attack impossible to repeat.

Section 3.2 outlines the need for chain reorganization and classifies attacks that use near or deep forks when implementing an attack.

The classic double flower attack scene [28, 30] requires deep forks (l > k) to reorganize the chain. Since the attacker has complete control over the computing power required to execute the attack, he can also order the trades arbitrarily and exclude the trade from the longest chain.

Depending on the scenario and the desired attack result, for example, only sorting is relevant, then deep forks are not necessarily required.

For example, the order of unconfirmed transactions can be manipulated without the need for forks, such as performing front running [14]. At present, researchers have not conducted in-depth research on the sorting attack of smart contract cryptocurrency [29].

In this paper, we summarize this ability in the context of motivating attacks and analyze how to implement it (Section 5).

As shown in Table 1, there are three attacks requiring α > 0. The Script Puzzle 38.2% attack allows the adversary to build a computational majority with the right amount of computation, and to obtain a net profit without considering a double-flower attack. In (Script Puzzle), the opponent has no minimum computational requirements, but it is designed to be a single-shot double-flower attack. CensorshipCon also requires the attacker's power to include the uncle block from the rational miner. Since it must contain all the unearthed blocks, it requires the attacker's power to be greater than 1/3, and the bribery miner's calculations can be bribed. In [1/3, 2/3).

Note that it makes sense to limit the attacker's power to less than 1/2, otherwise the attacker does not need to perform a bribery attack, which can complete the attack on the chain by itself.

A minimum proportion of rational miner ω required for an attack to have a chance to succeed, as described and evaluated in this paper. In general, all bribery attacks must assume that at least some miners are rational in order to make bribes. Note that the Script Puzzle attack requires all miners to be rational, ie α + ω = 1.

Moving the power from the valid tip of the attacked blockchain to some other form of puzzle or alternate branch does not contribute to state transitions. For example, the CensorshipCon block in the CensorshipCon example, or another Pitchforks in the Pitchforks example.

Table 1: For stimuli attacks on cryptocurrencies, we compare the existing scheme with the newly proposed P2W scheme. If it is, the attribute is marked as ✓, if not, it is marked as ✗, and the symbol ～ indicates that there is no further detail or In the case of discussion, attributes cannot be clearly mapped to any previously defined categories. The symbol ⋆ indicates that the attack is directed at the mine pool and therefore does not intend to manipulate the chain. The symbol † indicates that the paper does not explicitly specify an out-of-band payment method, but assumes its correctness.

A smart contract is required for all attacks that require a smart contract to run as expected.

Payment, specifying the place to pay the bribe taker. Rewards can be in-band, that is, in each cryptocurrency that is attacked, or out-of-band, such as through a different cryptocurrency payment.

It can be said that miners do not want attacks to affect the value of their receiving password currency, so out-of-band incentives are especially important.

The fact that the attacker does not need to trust means whether there is a conspiracy/bribery miner to exploit the attack itself to make a profit without complying with the attack. For example, a script puzzle attack requires some form of freshness guarantee to prevent the bribe from deliberately waiting for the attack to fail before calculating the puzzle solution to get the reward. It is also possible to ask for rewarding old, honest blocks that were later submitted to the CensorshipCon as a master.

The need for no trust between the collaborators means that the bribe taker does not have to trust the attacker and receive payment after they execute the attack. In a Checklocktime bribery attack, an adversary can attempt to deceive by creating a conflict/race transaction. However, such an attempt is only possible when the attacker controls the power of α > 0.

The same is true for Whale Transaction, because the attacker must provide new high-cost transactions for each block on the attack chain at each step of the attack.

Although HistoryRevisionCon does not explicitly consider the mistrust of conspirators, an enhancement is possible. CensorshipCon requires the attacker to include the blocks generated by the conspiracy miners, so there is no need to trust.

The Script Puzzles double-flower attack was designed as a one-time attack by a fraud conspirator.

The Script Puzzles 38.2% attack does not specify how to pay, and assumes an out-of-band payment method that does not require trust.

In a front-running pre-trade attack, an attacker cannot guarantee that the required ordering is achieved at a high cost.

Subsidy means that the attack exploits certain characteristics of the cryptocurrency or environment and becomes cheaper.

In the case of CensorshipCon, rewards from the uncle block were used to subsidize the attack, while in Pitchforks, the extra income from the combined mining was used as an incentive.

Compensates if attack fails, meaning that at least some of the bribes are unconditionally paid to the bribe taker.

In order to successfully hire rational miners, such as Checklocktime [9], whale [21], and HistoryRevisionCon [23], participants must be compensated, even if the final result of the attack is a failure.

As of now, no attacks that support transaction revisions can implement this property.

If the Script Puzzle double-strike attack succeeds, it will defraud the mined miner and will pay the reward if it fails.

In a Front-running attack, even if the required sorting effect is not achieved, it usually results in high transaction costs. Therefore, in this case, it is an attribute that the attacker does not need.

3, 4 main observations

It can be observed that most bribery attacks scenes either focus on transaction revisions or focus on transaction exclusions, but simply sort transactions as a by-product. A notable exception is the front-running attack, which we believe is a subset of possible (re)ordering attacks. For example, consider pinpointing a transaction between two other transactions.

An example of such an attack can be found in [29], which also describes a vulnerability in a blocked contract.

In general, as long as a valid block is generated, any miner can freely define the order and transaction set to be included in his own block proposal.

In this article, a particularly interesting scenario is that an attacker can manipulate the order of transactions, and the attackers themselves are not miners. We have not yet understood and discussed the trading sorting attacks on smart contract cryptocurrencies [29], but in practice we are observable [12, 14].

A notable exception to the exclusion of trading attacks is the CensorshipCon [23].

In addition, we also observed the lack of out-of-band incentive attacks. In addition to the Goldfinger attack, the only technology available, the attacker needs to master a lot of computing power. Note: Proof-of-stale-blocks [22] represents a special case for the mine.

In theory, all attacks that perform payment out of band can be used to initiate a Goldfinger-style attack because the recipient's remuneration is not directly related to the value of the attacked cryptocurrency.

The question of whether such an attack is profitable depends on the external utility that the failed cryptocurrency can produce.

In the following, we propose new incentive attacks for different scenarios.

Fourth, PAY-TO-WIN incentive attack

We propose three incentives that do not require attackers and collusion miners to trust each other and win rewards. In addition, we distinguish between in-band attacks (that is, funding and enforcement of attacks within the same cryptocurrency) and out-of-band attacks (that is, attacks that are funded and coordinated on different cryptocurrencies).

This type of attack does not require the attacker to control any computational power, that is, a = 0.

This section provides an overview of such attacks, the required technical and operational requirements. Sections 5-7 detail the structure of these attacks: (i) a general overview of the attack, (ii) a step-by-step description, (iv) an attack assessment, and (v) an attack analysis attribute.

4, 1 P2W attack overview

In-Band Attack: We introduced a new in-band attack method that can be executed and coordinated on the smart contract workload proof blockchain.

In-Band Deal Sorting: This type of attack (Section 5) motivates in-band non-forked trade sorting: if the attacker asks for an unconfirmed trade, the conspiracy miner is rewarded.

Compared to front running [12], this attack uses smart contracts to directly reward miners as long as the correct sorting conditions are maintained. Current front-running attacks can be viewed as full-pay auctions [12], where lost transactions (ie, their execution fails) also unnecessarily pay high fees.

Out-of-Band Attack: We distinguish the target cryptocurrency (where the attack will be executed) from the funding cryptocurrency (where the attack will be coordinated and paid). Although the funding cryptocurrency must support smart contracts (such as Ethereum), the target cryptocurrency (such as Bitcoin) has no requirements. In fact, out-of-band attacks are hard to find because they require monitoring multiple blockchains that support smart contracts.

Out-of-Band Transaction Exclusion/Sorting: This attack (Section 6) proposes an out-of-band transaction exclusion attack in which an attacker can also specify the order in which the transactions are included. This may be used to review certain transactions (such as closing a payment channel) or to perform multiple front-running attacks immediately. To perform an attack, we describe how an attacker builds a smart contract that temporarily rewards an attacker-defined block on the target cryptocurrency.

We call this technique an ephemeral mining relay because it combines elements from the pool and chain relay (see the end of this section).

Out-of-band transaction revisions: Finally, we describe an out-of-band transaction revision attack (Section 7) that directly promotes a double-flowered collusion attack: miners are bribed by attackers to another blockchain to mine their favored branch areas Piece. This technology combines the techniques previously introduced to create a more powerful attack.

We show how to build it to always reward conspirators, regardless of the outcome of the attack. Interestingly, this makes the cost of the attack significantly lower, because when the attack fails, the necessary compensation for the collusion is reduced.

4, 2 technical requirements

The technical requirements that need to be used in the three types of trust-free attacks mentioned above are summarized as follows:

(1) A block in the block interval (on the target chain) defined by the attacker, verified in a way that does not require trust:

(a) performing a state transition (eg, a transaction is included in the blockchain);

(b) no state transition has occurred (for example, does not include a transaction);

(2) A method of trust-free that uniquely attributes the block to the miner's address, and a method of mapping the latter to the corresponding address in the sponsored cryptocurrency.

(3) A method of transferring the value of the subsidized cryptocurrency to the untrusted method of the funded cryptographic currency address uniquely owned by the conspiracy miner company (see point 2)

(4) A method of determining the target cryptocurrency state without trust after the T blocks are dug up on the attacker's predefined block (ie, the longest chain). This means that it is possible to verify the PoW of the target cryptocurrency in a smart contract that finances the cryptocurrency.

(5) A method of trust-free determination of the target cryptocurrency attack state after T-blocks are dug up on the attacker's predefined block (ie, the attack chain anchored on this particular block).

Ephemeral mining relay: In order to verify the results of the attack and pay the rewards correctly in an untrusted out-of-band scenario, we introduced the concept of a short-lived relay. The short-lived relay is a smart contract that combines the functions of chain relays [2, 11, 36] and the pool [22, 34].

However, compared to previous proposals, the mining relay can fully verify the consensus rules of the target cryptocurrency by limiting the allowed block structure. In addition, it tracks all ongoing blockchain branches, which is a necessary feature to properly validate an incentive attack. A more detailed description of the short-lived relay structure is provided in Appendix G.1 of the paper, as well as a proof-of-concept implementation and cost analysis deployed on the Ethereum to verify the bitcoin blockchain.

Based on the implementation results, this additional verification cost is approximately $1 per block, which is negligible compared to the potential economic benefits of the incentive attack.

Five, in-band transaction sorting

This "no-fork" attack, in contrast to the front-running attack [12, 14], pays additional rewards for miners to reorder unconfirmed transactions. In the front-running attack, the opponent increased the chances that their transaction was first accepted by increasing the transaction fees paid to the miners. However, the result is a full-pay auction: even if the attack fails, the miners can put the high-fee transaction into the block.

Therefore, the attacker must always pay the fee, but it has nothing to do with the attack result [12]. In contrast, the newly proposed attack ensures that the attacker pays the conspiring miner only when the attack is successful (ie, if the order of transactions required is achieved).

5, 1 attack description

Initialization: The opponent (Blofeld) observes the p2p network and launches an attack after seeing the victim's (Vincent) transaction txV. He wants to pre-register a domain name or interact with the exchange through a front-running attack (snap or snap) . First, Blofeld released his front-running transaction txB. At the same time, he uses two transaction identifiers, the required order (txB < txV), the block into which the transaction was included, and a bribe ε to issue and initialize the attack contract. Once the contract to create the transaction has been dug up, (i) the configuration is no longer changeable, and (ii) the bribe is locked until the end of the attack. This is necessary to prevent an attacker from attempting to defraud a miner by changing the payment terms after the attack is executed.

Attack: If the attack is successful, the conspiracy miner will generate a block with the desired transaction order.

Note: Even if the victim attempts to update the original transaction txV with tx'V by the replace by fee [4], the txV will still be valid and the miner can choose to include it in the block. Therefore, as long as the payment terms are met, the rational miners will incorporate txB and txV in the prescribed order, as this will result in the highest return.

Expenditure: After k blocks (k is the blockchain security parameter defined by the attacker in this example), the miners can ask for their compensation, and the smart contract will first check if the order of the two transactions is in compliance.

5, 2 evaluation

5.2.1 Evaluation only in the case of rational miners (ω = 1) : First, we assume a scenario in which all miners are rational, that is, they are bribes. The miners were motivated to collude with the attackers because the contract guarantees a ε > 0 award in addition to normal mining.

Participation in this type of attack does not require mining on another fork, so the conspiracy miner does not face the additional risk that the block he is mining is judged to be invalid. The miner can also include unconfirmed attack contract creation transactions in the same block as the sorting attack itself, and if its block becomes part of the longest chain, it can still determine whether to pay.

5.2.2 Assessment in the presence of altruistic miners (ω+β=1) : In theory, this attack is feasible in the presence of bribery miners (ω>0), but the higher the proportion of computing power The chances of success will be greater.

If 2/3 of the computing power is controlled by a rational miner, then the probability of successful attack is expected to be 2/3. There will be more relevant analysis in Section C of the Appendix.

5, 3 characteristics and analysis

We will now analyze the possible defensive strategies of the victim (Vincent). Specifically, we considered the possibility of anti-bribery.

Immediate Counter Bribing: As long as the new block is not mined, the victim can immediately commit anti-bribery through the same attack mechanism, which is an effective countermeasure against this attack. Here, an English auction (price increase auction) was conducted between the attacker and the victim, rather than a full payment auction observed in other front-running attacks.

This defensive strategy requires the victim Vincent to actively monitor the P2P network and immediately realize the attack.

Delayed Counter Bribing: If the victim Vincent has only one SPV (Simplified Payment Verification [25]) wallet, he may only be able to identify the attack after the attacker has dug a new block in the order of the transaction. Vincent has no power, he can't directly launch counterattacks to fork their respective blocks. Therefore, the cost of its successful anti-bribery attack is already much higher than the cost of the original attacker Blofeld. In addition, from the bribery attack described in Section 3 above, in this case, Vincent has no direct applicable attack. For a cost analysis of removing such a block from the chain, see Appendix C of the original paper.

Six, out of band transaction exclusion and sorting

In this section, we describe how to construct an out-of-band stimulus attack that promotes transaction exclusion and sorting. This type of attack is superior to previous attacks in some respects: for example, for an attacker who tries to incorrectly close an out-of-chain payment channel (ie, issues an old/invalid state) but prevents the victim from performing regular penalties. Class attacks may be profitable [13, 24, 27].

The advantage of out-of-band attacks is that they can be funded by any smart contract cryptocurrency, while attacks occur on different target cryptocurrencies. As a victim, such attacks are difficult to detect, and they must monitor multiple blockchains that support smart contracts. To improve readability, we use Bitcoin (target cryptocurrency) and Ethereum (funding cryptocurrency) as examples to describe the following attacks. As described in Section 4, we rely on a short-lived relay to reliably verify the status of the target cryptocurrency, the correct execution of the attack, and the processing of payments to the conspirators. For more information on relays, see Appendix G. 1 and F).

6, 1 attack description

Initialization: The attacker's target prevents unconfirmed transactions txV from being included in newly mined blocks in Bitcoin (target chain). The attacker initializes an attack intelligence contract by specifying a block template, and only when the conspiracy bitcoin miner uses it can it be rewarded. This allows the attacker to have full control over the content of the dig block, including the ordering of the transactions and whether they are included. For each block template, the corresponding bribes are conditionally locked into smart contracts, and as long as the miners provide an effective solution, they can get compensation independent of the outcome of the attack.

For Bitcoin block templates, the attacker posts an incomplete block header to the attack contract and the corresponding coinbase transaction. The latter is necessary to allow conspirators to include their own Ethereum payment address in the block template, because if a valid block is submitted later, the smart contract will be responsible for the payment.

The miners involved in the attack can only freely change the nonce and coinbase fields (including the Ethereum address) in the generated Bitcoin block.

We point out that an attacker must obtain a Bitcoin block reward instead of a conspiracy miner. Instead, the colluder will receive a bribe in the Ethereum attack contract to compensate for the Bitcoin block reward. This requires an additional bribe payment guarantee so that the conspiracy miners do not need to trust the attack because rational miners may not be able to verify whether bribery of the block template they dig will result in an effective block.

In the original papers G.1 and F, we provide more detailed information about the block template structure.

Attack: Rational miners submit valid bitcoin blocks to the attack intelligence contract on Ethereum based on the attacker's block template, by briefly mining relays (to verify that they form a valid chain).

Since there may be multiple miners competing for the same block template, they will be motivated to release any valid POW solutions they find in a timely manner.

If the bribery attack is successful as a whole, then the attack contract will pay an additional ε bribe for each solution, which is an additional incentive for the bribe to release the solution in a timely manner. The motive for an attacker to release a solution with relevant complete blocks on the target chain comes from the rewards it receives directly and the benefits of a successful attack.

In each step, the attacker updates the Bitcoin block template each time it is submitted to the attack contract, and can add additional bribes if needed.

If no new template is submitted, the attack stops. Figure 1 provides a schematic of the ongoing visualization.

Figure 1: The ongoing, failed blockchain structure and schedule, and a successful out-of-band transaction exclusion and sorting attack. When the attack contract is released in block e0, the attack is initialized. Multiple block modules can be included in a single block, as shown by e3. Expenditure is executed in block eT. The colored block will be rewarded by the attack contract, or only its original value, or if the attack is successful, an additional bribe is obtained, ie the return is (1 + ε).

We note that the target chain and the funding chain may be out of sync, ie, two or more bitcoin blocks are dug up before finding a single Ethereum block. Therefore, an attacker can also publish a block template for multiple blocks in advance (retaining a reference to the last block filled by the miner).

Expenditure: Similar to the example of an in-band attack, once the k bitcoin block is dug after the attack is over, the miner can ask for payment in the attack contract (k is the attacker-defined security parameter).

This attack intelligence contract is responsible for verifying the validity of the submitted blocks, that is, the consistency of their PoWs with the specified block template, and all blocks form a valid attack chain. If the submitted block is valid, the attack contract will reward the miner (even if the attack chain does not succeed as the main chain), that is, the conspiracy miner is not at risk.

In any case, the first miner who submits a valid POW for the respective block template will receive a value equivalent to the full Bitcoin block reward (regardless of whether the attack failed), and if the attack is successful, an additional A ε bribe.

6, 2 attack assessment

6.2.1 Evaluation only in the case of rational miners (ω = 1) : First, we assume a scenario in which all miners are rational, that is, they can be bribed. Once the smart contract is initialized, they can immediately understand the attack. As mentioned earlier, each time an attacker submits a block template, it locks a bribe to ensure that the miner is not at risk of payment and is motivated to join the attack. For the duration of the attack in N blocks, we can pay the colleague Blofeld's Ethereum funds (budget) by evaluating the worst case scenario (ie, the attack runs N blocks but still fails). Note that only the attacker knows the exact value of N.

The necessary attack budget and the cost of a failed attack: If the attack fails, the budget of the attack contract must cover and compensate for the loss bonus (for Taiyuan payments) for each bitcoin attack chain block. The initial funds of the attacker fB, and the expected return of each bitcoin block rb (including fees), define the maximum duration of the attack N based on the compensable attack chain block:

Therefore, the collusion stipulates the operating costs of smart contract deployment and execution (such as the cost of gas in Ethereum). Compared to current block rewards, the operational costs of managing smart contracts are negligible considering the metrics in [23] and Appendix G.1. Suppose the attacker wants to specify the order of transactions in Bitcoin or exclude some transactions within an hour (ie, N = 6). Therefore, the lower limit of the attacker's budget can be derived from the current block reward, including the transaction fee: rb = 14 BTC, then 1 hour of income ≈ 84 BTC is the lower budget limit of the attack.

The cost of a successful attack: Interestingly, the lower limit of the budget only needs to make up for potential losses in the event of an attack failure, but if the attack is successful, the attacker will receive a block reward on the main chain to compensate for the rewards that must be paid to the bribery miner. Therefore, the cost of a successful attack is derived from the N · rb main chain block, and the reward paid to the briber miner must be paid in N · (rb + ε):

Since we assume rational miners, the success rate of attacks in this case is iff ε > 0. In order for the attack to succeed, the amount va obtained by transaction sorting or transaction seizure must exceed c(success).

At first glance, regardless of the outcome of the attack, the attacker must pay the conspiracy miner. We can assume that the cost of the attacker is high compared to other bribery plans. However, this ensures that miners are not exposed to risk of participation. Unlike existing bribery attacks, this only requires a low-value bribe to encourage miners to participate in the attack.

6.2.2 Assessment in the presence of altogether miners (ω+β=1) : We now discuss a more realistic scenario where not all miners will immediately turn to the attack chain, and some of the miners behave unselfishly.

Altruistic miners follow the rules of the agreement, and only when the attack chain becomes the longest chain in the network, they switch to the attack chain, they will not try to optimize revenue, which is the opposite of rational miners.

Blocks of altruistic miners may also contain transactions and transaction sequences that are not welcomed by attackers.

Therefore, an attacker may have to exclude blocks of these miners, providing a template that intentionally separates these blocks. If the altruistic miners find a block, the attacker and the conspiracy miner must dig into two blocks, making the attack chain the longest chain (the altruistic miners will follow). Therefore, the required fork depth is equal to 1.

Figure 2: Probability of different computational forces ω chasing a block on yaxis (log scale) in n blocks on the x-axis. The dashed line is the maximum probability of catching up a block after an infinite number of (n=∞) blocks (ie (ω/β)^2).

Based on the attacker's budget, we derive the probability that the attack chain will compete with the altruistic miners. The attack chain must find two more blocks than the altruistic backbone, but this must be done within the upper limit of n blocks (maximum funding attack duration).

Each new block is respectively attached to the main chain of the probability β and the attack chain of the probability ω β + ω = 1). Therefore, we look for all block sequences that may be attached to any chain and calculate the sum of the probabilities of the sequences that lead to a successful attack.

In a successful attack, i ∈ N blocks are added to the main chain, and k+i+1 blocks are added to the attack chain. The probability of such an attack is:

Observe a series of successful attacks, where the i block is added to the main chain and the k+i+1 block is added to the attack chain. For any prefix that is strictly shorter than the entire sequence, the number of additional blocks in the attack chain is less than k+1, otherwise the attack will end soon. Therefore, the last block in a successful attack is always attached to the attack chain. The number of combinations of such sequences is similar to the Catalan number, and the difference between the starting points is k:

Assuming that an attacker can only fund up to N blocks on the attack chain, the probability of a successful attack is given by the following formula:

Figure 2 summarizes the probability that different computational forces ω capture a block. It can be observed that N quickly approaches the maximum achievable probability of chasing a block in an infinite number of blocks, ie (ω/β)^2) according to [25, 28]. Based on these calculations, the attacker can decide whether to extend the attack time, increase N, and win the ongoing game with a higher probability.

6, 3 characteristics and analysis

We now analyze the important features of this approach.

Counterattack: The most effective countermeasure against transaction exclusion is to increase the cost of txV beyond the value promised by the attack contract. However, the benefit of this attack is that it can be performed out of band. As a result, victims may not be aware of such attacks, and they may only be monitoring the target cryptocurrency. Therefore, it can be said that the counterattack of the victims is difficult to implement because they cannot immediately realize the bribe funds provided by the attackers for conspiring miners.

Transaction Review DoS: In this section, we treat Bitcoin as a target, but in essence, the attack also applies to other types of cryptocurrencies. (Quasi-) Turing complete smart contract cryptocurrency, theoretically more resistant to censorship than Bitcoin's UTXO model, because they allow complex and diverse interaction patterns to trigger state changes. We believe that on the basis of this discussion, the transaction review should use Ethereum as a target cryptocurrency. Then, even if the transaction or its respective side effects can accurately identify and agree that all mine work is an unwanted behavior, in this case, there is a possibility that the victim may launch a denial of service attack.

The effect of a transaction can be represented by multiple layers of smart contract calls and interactions. Therefore, the problem arises, and miners can only understand the unnecessary behavior of the transaction by first assessing the state change of the transaction. If the resulting behavior is to be reviewed, the miner must roll back all changes and cannot charge transaction fees for their efforts. As a result, an attacker can waste every reviewer's resources without losing money. It is impossible to solve this problem directly without changing the consensus rules, but by basing based on the block module (as described in this section), the problem is transferred from the conspiracy rational miner to the attacker. Therefore, an attacker can choose to include only simple transactions, and he is convinced that these transactions cannot hide any unwanted activities, such as all value transfer transactions, calls to known contracts, such as ERC20 tokens.

Liveness: In general, the activity of chain relays generally depends on submitting new blocks to improve their state. Therefore, if the relay is in a lack of state due to the lack of committed data blocks, the long-range attack will have a higher success rate because the attacker will get extra time to calculate the long false link. The likelihood of an attack in a chain relay lacking state depends on the relevant funds.

In our specific example, activity is not an issue because the duration of the attack is limited and the definition is good.

In addition, participants have an incentive to provide the correct information to the repeater in a timely manner. For example, consider a rational miner R who digs a block template for b'3. Then R has the motivation to submit this template solution to POW in time because he is competing with other rational miners to provide incentives and bribes. Since the extra bribes can only be paid when the attack is successful, this further motivates the rational miners to release the solution in a timely manner.

In addition, in this case, the attacker can stop publishing new block templates at any stage to reduce their losses, in case the attack may fail.

7. Out-of-band transaction revision

The purpose of this attack is to bribe the miner to create a block on the blockchain branch of the target cryptocurrency, and the attacker performs a double flower.

The novelty of this attack comes from three aspects:

(i) Funds used to reward dishonesty and conspiracy during a double-flower attack are paid using the sponsored cryptocurrency, not the target cryptocurrency itself.

(ii) Funding for attacks is done through smart contracts to minimize the attacker's trust assumptions and the risk of miners participating in the attack: the conspiracy miner does not have to trust the attacker, even if the attack fails, the attack smart contract can also ensure bribery. Miners can get block rewards, making this attack cheaper than similar bribery attacks.

(iii) In addition, the use of smart contracts also opens up the possibility of crowdfunding or multiple double-attack attempts to merge into a single coordinated attack, further reducing costs or the number of participants.

7, 1 attack description

Figure 3 shows the stage of the attack and two different results.

Initialization phase: First, the attacker (Blofeld) creates an uninitialized attack contract and publishes it to the Ethereum blockchain.

This is done through a deployment transaction contained in an Ethereum data block e0 of the Ethereum account controlled by the attacker. Then, Blofeld created a pair of conflicting bitcoin transactions. The consumer transaction txB was immediately posted on the main chain in the form of bitcoin, and the double transaction tx'B was kept secret.

After the victim-defined k-block validation period, Blofeld issued an initialization transaction on the Bitcoin main chain that irrevocably defines the attack conditions in the Ethereum chain smart contract. Block e1 represents the first block on the Ethereum chain after the release of the bitcoin block bk.

The contract is initialized with K+1 new Bitcoin block templates, each carrying a transaction from the original chain to collect the fee, but not including txA, but containing the conflicting transaction tx'B.

Collusion miners can now freely mine on these block templates, where they can change the nonce and coinbase fields to find valid POWs and include their payment Ethereum addresses.

一旦找到解决方案，矿工必须将其提交给攻击合约，以验证POW的正确性，并且只更改了允许的字段（nonce和coinbase）

一旦找到解决方案，矿工必须将其提交给攻击合约，以验证POW的正确性，并且只更改了允许的字段（nonce和coinbase）。如果提交的解决方案是有效的，那么合约就知道使用哪个前一区块哈希来验证下一个解决方案等等。一旦攻击者意识到以太坊P2P网络中广播了有效的解决方案，他就会使用POW解决方案完成整个区块并将其提交给比特币P2P网络。

攻击者和合谋矿工有及时提交解决方案的动机。合谋矿工希望在攻击成功的情况下获得额外的贿赂金，攻击者希望将其区块包含在比特币主链中，以获得比特币区块奖励。

同时部署和初始化攻击合约也是可能的，但是在部署交易中预先发布未初始化的攻击合约具有这样的优势：对目标链的攻击甚至在开始之前也可被众筹（见下文）。在任何情况下，重要的是在主链上的区块bk之后披露双花交易tx′B，否则Alice可能会认出这笔双花交易，并拒绝放行货物。

攻击阶段：被贿赂的矿工现在开始在攻击链上开采k + 1个区块，如果在主链上发现额外的块，攻击者可使用k+2到N块的新区块模板更新攻击合约，其中N是攻击者可资助的最大攻击区块数。

支付阶段：一旦攻击在时间T结束，参与攻击的矿工可以从合约中收取贿赂金。

为了准确地支付贿赂金，合约必须确定哪条比特币链赢得了比赛，成为了当前的最长链。

由于合谋矿工正在争夺开采区块，因此合约应已收到他们所有的攻击链区块b′x，从而准确了解攻击分支的状态。

此外，初始化合约并提供资金的攻击者，有动机向主链提供信息（如果存在这样一个冲突的长链），因为他将为每个块支付额外的贿赂金ϵ。

因此，总有一些参与者有动机将正确的最长链输入攻击合约。

攻击合约区分了两种可能的结果：

1. 攻击失败（主链获胜）：在这种情况下，合约必须完全补偿被贿赂的矿工，因为他们的攻击链已经失效了。每个在攻击链上挖矿并成功提交一个区块的合谋矿工都将获得该区块的奖励，而没有额外的贿赂金ϵ；
2. 攻击成功（攻击链获胜）：如果攻击链获胜，则合约执行以下操作：完全补偿（奖励+费用=1）矿工从b1开始切换到攻击链后，经历k个主链区块的奖励，2) 支付合谋矿工每个攻击链区块的贿赂金，在本例子中是从b′1到b′k+2 个区块，全部区块的奖励加上额外的ϵ作为贿赂金。

一旦与矿工的提款交易一起调用，合约将检查攻击是否已经完成，以及知道一个到预定区块高度bT的有效链。这确保每个参与者都有足够的时间向合约提交关于最长比特币链的信息，并且b1到bN的区块，根据[30]中规定的链长中的规则，已收到足够的确认。

如果满足验收政策，合约将解锁向向相关区块的矿工支付补偿和贿赂金。

对于攻击链上的区块，在最简单的情况下，所有被贿赂的矿工直接在CoinBase字段中提供以太坊地址，或通过比特币CoinBase交易中的Pay-to-PubKey输出直接公开其公钥，正如[23]中描述和实施的Goldfinger攻击案例。对于前k个主链区块，矿工还没有意识到攻击，他们必须向合约证明他们确实开采了各自的区块。

这是可实现的，例如，通过向智能合约提供对应于CoinBase输出中的支出的ECDSA公钥，以便检查它们是否匹配，然后重新计算相应的以太坊地址。

众筹：上面描述的攻击也打开了众筹贿赂资金的可能性。最简单的众筹方法，是允许在攻击合约部署之后，但在初始化之前捐赠资金。这种方法允许收集资金，但不为赞助人提供任何担保。

而激励多个攻击者同时执行双花攻击的解决方案，将允许在合作者之间分配攻击资金。在这种情况下，必须解决的主要挑战如下：

1. 必须确保每个为实现双花攻击而投资资金的协作攻击者确实有一定的机会使其个人的双花交易成功，即，如果合约使用了其投资的资金，则一笔双花交易必须得执行；
2. 必须确保攻击不会因协作攻击者而失败，以防他们破坏整个攻击，即参与者不可能导致攻击失败；
3. 攻击不应依赖任何受信任的第三方；

有关如何在以太坊上构建此类攻击作为资助密码货币以及比特币作为目标密码货币的详细信息，请参见原论文附录F，大致来讲，其攻击的阶段如下：（1）首先，初始化交易只宣布可能发生攻击，并且会影响从b1到bk的区块间隔。（2）然后，所有在b1区块进行交易的比特币用户，都可以决定是否投资进行攻击，以潜在地双花他们的交易。协作攻击者，将新的交易与一些以太币一起提交到合约中，以增加攻击的总资金fB。攻击者还可根据提交的比特币交易（进行双花）的总价值，指定要收集的固定资金率。

如果恢复至少k + 1个区块的资金目标已经达成，攻击将如前所述开始。由于初始化合约的攻击者必须为包含双花交易的链生成新的区块，因此必须实现一些方法，确保其他攻击者的交易包含在b′1当中。在附录F中，我们描述了一种方法，该方法要求原始攻击者提供与他想要收集的资金一样高的抵押品，即fB。因此，这可以确保其他攻击者仅在其交易真正包含在b′1 区块的新链中时支付。否则，将从初始攻击者提交的抵押品中退款。

7、2 攻击评估

与第6节中的评估类似，我们现在开始评估攻击成功概率以及攻击所产生的成本。我们再次分成两种情况： （i）我们假设只有理性矿工存在，然后评估攻击，（ii）考虑存在利他主义矿工的情况，然后进行评估。

7.2.1 只有理性矿工情况下的评估（ω = 1） ：当调整k作为攻击受害者定义的安全参数时，可得出攻击者fB 所需资金的下限，类似于第6节中的评估。

必要的攻击预算和失败攻击的成本：成功攻击中攻击链上的最小块数为k+1，即主链上所需的确认数，加上超过主链长度的1区块，因此，由条件n≥k+1必须保持攻击是可行的，因此可得出攻击者fb预算的下限。

对于比特币，通常的k选择为k=6，而当前的区块奖励（包括交易费用）约为rb = 14，这为≈98 BTC ST的预算提供了一个下限，以下不等式成立：

攻击成功的成本和盈利能力：同样，预算的下限只需要在攻击失败时弥补潜在的损失。但是，如果攻击成功，它会比这个下限要便宜。成功攻击的成本由k · rb的主链区块给出，该主链块必须在攻击链上得到补偿，再加上额外的N · ϵ贿赂金。

最初的k补偿是必要的，以提供所有切换到攻击链上生产区块的矿工。由于我们假设的都是理性矿工，那么这种情况下的攻击总是成功的，前提是N ≥ k +1保持，且ϵ > 0。

对于比特币，这意味着，在k=6，rb=14，且ϵ = 0.0001的情况下，成功进行双花的成本≈ 84.0007 BTC。为了使成功的攻击有利可图，双花的值必须大于用于贿赂的值。而在比特币交易中，我们经常会看到超过84 BTC的交易。

这进一步强调了交易量对确认时间的依赖性，如[30]所述。

7.2.2 存在利他矿工情况下的评估（ω+β=1） ：图4显示了可贿赂算力ω的不同值，以及贿赂矿工可奖励或补偿的不同数量块的攻击成功概率。攻击开始后主链上的确认区块数设置为k=6。显然，攻击需要N > k才能成功。与经典的51%攻击一样，一旦可贿赂算力超过50%的阈值，并且应付区块数N增加，则攻击最终会成功。

图4: 双花攻击成功的概率，取决于贿赂攻击中可补偿或奖励N区块的数量。可贿赂算力ω的不同值，会造成不同的攻击成功率。确认区块数设置为6.

考虑到这些概率，以及给定k和ω值，我们可计算出成功率达到99.4%所需的区块数N。

表2显示了与[21]中描述的鲸鱼攻击（whale attack）的对比。可以观察到，与鲸鱼攻击相比，当ω变大时，我们的攻击变得更便宜，因为我们更快地达到所需的概率，因此所支付的贿赂金就会更少。此外，如果攻击成功，我们的攻击成本低于攻击开始时为补偿所有合谋矿工（如果攻击失败）所需的预算（fB）。

因此，这种攻击的成本要比鲸鱼攻击（whale attack）要便宜85%到95%。

7.2.3可用资金：在可能发生众筹攻击的情况下，理论上，如果低值双花交易共同积累足够的攻击资金（fB），则可实现低值交易的双花。

一个比特币区块内转移的价值与开采一个比特币区块所分配的奖励（包括费用）之间的差异表明，使用该技术进行长距离双花攻击的的资金在理论上是可用的。去年每天链上交易的比特币（不包括找零地址）的中值约为10亿美元，而包括交易费用在内的每天挖矿奖励中值约为1500万美元。

7、3 特性与分析

此攻击的特性与第6节中描述的带外攻击相当。此外，以下方面需要进行更多的讨论。

反贿赂：如前几节所述，反贿赂是受害者抵御激励攻击的可行策略。这也说明了激励攻击的一个重要方面，即它们的可见性。一方面，目标密码货币的矿工必须认识到攻击正在进行，否则他们将无法加入其中接受贿赂金，则攻击将失败。另一方面，如果攻击的受害者认识到它的存在，他们可发起和协调反贿赂攻击。因此，如果所有理性矿工都被直接告知了此次攻击，而所有受害者/商家本身又不是矿工，并且没有监控所有可能的资助密码货币，以检查是否发生了攻击，那么就出现了激励攻击的最佳条件。

成本优化：在提议的攻击中，最大的成本驱动因素是k个主链区块的补偿，以激励所有理性矿工转向攻击链。在一个区块链中，每个区块都独特地归属于一组已知的矿工，并且这些矿工的总体算力可近似计算，补偿的支付可以各种方式进一步优化。例如，考虑一个场景，一个小矿工与其他矿工相比运气好，在k个区块内开采数个区块。然后攻击者可以将该矿工排除在补偿支付之外，因为对方不太可能对攻击链做出实质性贡献。

八、 讨论

通过对激励攻击的全面系统化归类，以及提出新的攻击方法，表明在定义无许可POW密码货币系统的基本安全保证方面，不仅算力的分布扮演着核心作用，理性矿工以及可获得的贿赂金的比例也是一个重要组成部分，这还需要进一步进行研究。我们提出的带外攻击，也有助于强调，通过与其他密码货币互联，可增加目标密码货币的攻击面。

在设计无需信任的带外攻击的过程中，我们还发现了一个有趣的类比：在抽象层次上，所呈现的攻击需要一个不同于矿池的构造，在矿池中，矿池所有者定义了智能合约中区块创建的规则。

此外，每个参与者必须能够根据提交的区块及目标密码货币的状态，以无需信任的方式申请攻击承诺的贿赂金。我们提出的短暂挖矿中继技术提供了这种功能，Luu等人[22]还提出了一种智能矿池，其本身是由智能合约管理的。然而，其设计和潜在应用并没有考虑恶意的用例。智能矿池不强制执行有效POW以外的区块内容和有效性相关的任何属性，因为参与者之间的内在激励被假定为以挖取的密码货币收集相应的奖励，只有在创建了有效区块时才可能。

基于智能合约的激励攻击，还为多个攻击者引入了无需信任众筹及利益协调的可能性，这些攻击者希望在同一时间段内执行双花攻击。结合反贿赂的研究课题，研究提出了中本聪共识激励相容性的基本问题。

一个有趣的话题是，利用激励攻击技术鼓励挖矿实体和协议参与者实行可取而非恶意行为，例如在协议升级阶段快速实现多数共识 。

九、结论

本文系统化地展示了激励攻击，为相关工作的比较和讨论提供了必要的前提和依据。我们通过描述和评估三种新的无需信任的激励攻击，来弥补一些由此发现的研究差距，这些攻击具有新的特点，并且比以前的方法要更便宜。

这一研究表明，针对密码货币的激励攻击仍然是一个开放和高度相关的研究课题，其涉及各种未经探索的领域。所有先前提出的，以及在现实中观察到的激励攻击，以及本文中描述的攻击，都表明仅假设诚实的和拜占庭的行动者并不能准确反映无许可PoW密码货币的安全属性。一旦考虑到理性的参与者，就会出现有趣的问题，此外，在一个多种密码货币共存的世界中，将它们单独建模为封闭系统可能还是不够的。

为了更准确地评估风险和安全保障，需要对激励攻击及其复杂的跨链交互，进行进一步的博弈建模和分析。

Relevant information

[1] [nd]. Average Number Of Transactions Per Block. https://www.blockchain. com/en/charts/n-transactions-per-block. Accessed 2019-05-10.

[2] [nd]. BTC Relay. https://github.com/ethereum/btcrelay. Accessed 2018-04-17.

[3] [nd]. CoinMarketCap: Cryptocurrency Market Capitalizations. https:// coinmarketcap.com/. Accessed 2019-05-10.

[4] [nd]. Replace by Fee. https://en.bitcoin.it/wiki/Replace_by_fee. Accessed 2019-05-11.

[5] Amitanand S Aiyer, Lorenzo Alvisi, Allen Clement, Mike Dahlin, JeanPhilippe Martin, and Carl Porth. 2005. BAR fault tolerance for cooperative services. In ACM SIGOPS operating systems review, Vol. 39. ACM, 45– 58. http://www.dcc.fc.up.pt/~Ines/aulas/1314/SDM/papers/BAR%20Fault% 20Tolerance%20for%20Cooperative%20Services%20-%20UIUC.pdf

[6] Adam Back, Matt Corallo, Luke Dashjr, Mark Friedenbach, Gregory Maxwell, Andrew Miller, Andrew Poelstra, Jorge Timón, and Pieter Wuille. 2014. Enabling blockchain innovations with pegged sidechains. http://newspaper23.com/ripped/ 2014/11/http-_____-___-_www___-blockstream___-com__-_sidechains.pdf Accessed: 2016-07-05.

[7] Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer. 2012. From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In Proceedings of the 3rd Innovations in Theoretical Computer Science Conference. ACM, 326–349.

[8] Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer. 2013. Recursive composition and bootstrapping for SNARKs and proof-carrying data. In Proceedings of the forty-fifth annual ACM symposium on Theory of computing. ACM, 111–120.

[9] Joseph Bonneau. 2016. Why buy when you can rent? Bribery attacks on Bitcoin consensus. In BITCOIN '16: Proceedings of the 3rd Workshop on Bitcoin and Blockchain Research. http://fc16.ifca.ai/bitcoin/papers/Bon16b.pdf

[10] Joseph Bonneau. 2018. Hostile blockchain takeovers (short paper). In 5th Workshop on Bitcoin and Blockchain Research, Financial Cryptography and Data Security 18 (FC). Springer. http://fc18.ifca.ai/bitcoin/papers/bitcoin18-final17.pdf

[11] Vitalik Buterin. 2016. Chain Interoperability. https://static1.squarespace.com/static/55f73743e4b051cfcc0b02cf/t/5886800ecd0f68de303349b1/1485209617040/ Chain+Interoperability.pdf Accessed: 2017-03-25.

[12] Philip Daian, Steven Goldfeder, Tyler Kell, Yunqi Li, Xueyuan Zhao, Iddo Bentov,Lorenz Breidenbach, and Ari Juels. 2019. Flash Boys 2.0: Frontrunning, Transaction Reordering, and Consensus Instability in Decentralized Exchanges. arXiv preprint arXiv:1904.05234. https://arxiv.org/pdf/1904.05234.pdf

[13] Christian Decker and Roger Wattenhofer. 2015. A fast and scalable payment network with bitcoin duplex micropayment channels. In Symposium on SelfStabilizing Systems. Springer, 3–18.

[14] Shayan Eskandari, Seyedehmahsa Moosavi, and Jeremy Clark. 2019. SoK: Transparent Dishonesty: front-running attacks on Blockchain. arXiv preprint arXiv:1902.05164. https://arxiv.org/pdf/1902.05164.pdf

[15] Uriel Feige, Amos Fiat, and Adi Shamir. 1988. Zero-knowledge proofs of identity. Journal of cryptology 1, 2 (1988), 77–94.

[16] Juan Garay, Aggelos Kiayias, and Nikos Leonardos. 2015. The bitcoin backbone protocol: Analysis and applications. In Advances in Cryptology-EUROCRYPT 2015. Springer, 281–310. http://courses.cs.washington.edu/courses/cse454/15wi/papers/bitcoin-765.pdf

[17] Juan A. Garay, Aggelos Kiayias, and Nikos Leonardos. 2016. The Bitcoin Backbone Protocol with Chains of Variable Difficulty. http://eprint.iacr.org/2016/1048.pdf Accessed: 2017-02-06.

[18] Aljosha Judmayer, Nicholas Stifter, Philipp Schindler, and Edgar Weippl. 2018. Pitchforks in Cryptocurrencies: Enforcing rule changes through offensive forking- and consensus techniques (Short Paper). In CBT'18: Proceedings of the International Workshop on Cryptocurrencies and Blockchain Technology. https://www.sba-research.org/wp-content/uploads/2018/09/ judmayer2018pitchfork_2018-09-05.pdf

[19] Aashish Kolluri, Ivica Nikolic, Ilya Sergey, Aquinas Hobor, and Prateek Saxena. 2018. Exploiting The Laws of Order in Smart Contracts. arXiv:1810.11605. https://arxiv.org/pdf/1810.11605.pdf

[20] Harry C Li, Allen Clement, Edmund L Wong, Jeff Napper, Indrajit Roy, Lorenzo Alvisi, and Michael Dahlin. 2006. BAR gossip. In Proceedings of the 7th symposium on Operating systems design and implementation. USENIX Association, 191–204. http://www.cs.utexas.edu/users/dahlin/papers/bar-gossip-apr-2006.pdf

[21] Kevin Liao and Jonathan Katz. 2017. Incentivizing blockchain forks via whale transactions. In International Conference on Financial Cryptography and Data Security. Springer, 264–279. http://www.cs.umd.edu/~jkatz/papers/whale-txs.pdf

[22] Loi Luu, Yaron Velner, Jason Teutsch, and Prateek Saxena. 2017. SMART POOL : Practical Decentralized Pooled Mining. http://eprint.iacr.org/2017/019.pdf Accessed: 2017-03-22.

[23] Patrick McCorry, Alexander Hicks, and Sarah Meiklejohn. 2018. Smart Contracts for Bribing Miners. In 5th Workshop on Bitcoin and Blockchain Research, Financial Cryptography and Data Security 18 (FC). Springer. http://fc18.ifca.ai/bitcoin/ papers/bitcoin18-final14.pdf

[24] Andrew Miller, Iddo Bentov, Ranjit Kumaresan, and Patrick McCorry. 2017. Sprites: Payment Channels that Go Faster than Lightning. https://arxiv.org/pdf/ 1702.05812.pdf Accessed: 2017-03-22.

[25] Satoshi Nakamoto. 2008. Bitcoin: A Peer-to-Peer Electronic Cash System. https: //bitcoin.org/bitcoin.pdf Accessed: 2015-07-01.

[26] Rafael Pass, Lior Seeman, and abhi shelat. 2016. Analysis of the Blockchain Protocol in Asynchronous Networks. http://eprint.iacr.org/2016/454.pdf Accessed: 2016-08-01.

[27] Joseph Poon and Thaddeus Dryja. 2016. The bitcoin lightning network. https://lightning.network/lightning-network-paper.pdf Accessed: 2016-07-07.

[28] M. Rosenfeld. 2014. Analysis of Hashrate-Based Double Spending. https: //arxiv.org/pdf/1402.2009.pdf Accessed: 2016-03-09.

[29] Ilya Sergey, Amrit Kumar, and Aquinas Hobor. 2018. Temporal Properties of Smart Contracts. In Leveraging Applications of Formal Methods, Verification and Validation. Industrial Practice – 8th International Symposium, ISoLA 2018, Limassol, Cyprus, November 5-9, 2018, Proceedings, Part IV. 323–338. https://ilyasergey.net/ papers/temporal-isola18.pdf

[30] Yonatan Sompolinsky and Aviv Zohar. 2016. Bitcoin's Security Model Revisited. http://arxiv.org/pdf/1605.09193.pdf Accessed: 2016-07-04.

[31] Nicholas Stifter, Aljosha Judmayer, Philipp Schindler, Alexei Zamyatin, and Edgar Weippl. 2018. Agreement with Satoshi – On the Formalization of Nakamoto Consensus. Cryptology ePrint Archive, Report 2018/400. https://eprint.iacr.org/ 2018/400.pdf

[32] Jason Teutsch, Sanjay Jain, and Prateek Saxena. 2016. When cryptocurrencies mine their own business. In Financial Cryptography and Data Security (FC 2016). https://www.comp.nus.edu.sg/~prateeks/papers/38Attack.pdf

[33] Itay Tsabary and Ittay Eyal. 2018. The gap game. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. ACM, 713–728. https://arxiv.org/pdf/1805.05288.pdf

[34] Yaron Velner, Jason Teutsch, and Loi Luu. 2017. Smart contracts make Bitcoin mining pools vulnerable. In International Conference on Financial Cryptography and Data Security. Springer, 298–316.

[35] Fredrik Winzer, Benjamin Herd, and Sebastian Faust. 2019. Temporary Censorship Attacks in the Presence of Rational Miners. Cryptology ePrint Archive, Report 2019/748. https://eprint.iacr.org/2019/748

[36] Alexei Zamyatin, Dominik Harz, Joshua Lind, Panayiotis Panayiotou, Arthur Gervais, and William J. Knottenbelt. 2018. XCLAIM: Trustless, Interoperable Cryptocurrency-Backed Assets. Cryptology ePrint Archive, Report 2018/643. https://eprint.iacr.org/2018/643.pdf https://eprint.iacr.org/2018/643.

附录部分：请看原论文https://eprint.iacr.org/2019/775.pdf

We will continue to update Blocking; if you have any questions or suggestions, please contact us!