- Split View
-
Views
-
Cite
Cite
Bruno Biais, Christophe Bisière, Matthieu Bouvard, Catherine Casamatta, The Blockchain Folk Theorem, The Review of Financial Studies, Volume 32, Issue 5, May 2019, Pages 1662–1715, https://doi.org/10.1093/rfs/hhy095
-
Share
Abstract
Blockchains are distributed ledgers, operated within peer-to-peer networks. We model the proof-of-work blockchain protocol as a stochastic game and analyze the equilibrium strategies of rational, strategic miners. Mining the longest chain is a Markov perfect equilibrium, without forking, in line with Nakamoto (2008). The blockchain protocol, however, is a coordination game, with multiple equilibria. There exist equilibria with forks, leading to orphaned blocks and persistent divergence between chains. We also show how forks can be generated by information delays and software upgrades. Last we identify negative externalities implying that equilibrium investment in computing capacity is excessive.
Received May 31, 2017; editorial decision July 6, 2018 by Editor Itay Goldstein.
Blockchains are decentralized protocols for recording transactions and asset ownership. In contrast with centralized protocols in which one authority is in charge of maintaining a unique common ledger, a blockchain operates within a network, whose participants each possess and update their own version of the ledger, which is therefore distributed. The blockchain design was the main innovation underlying the digital currency network Bitcoin (Nakamoto 2008), but its potential benefits in terms of cost efficiency, speed, and security, for a variety of assets and contracts, have attracted interest from a broad range of institutions and businesses.1 Blockchain experiments have been conducted for supply chains, trade finance, and financial transactions, for example by Nasdaq, the Australian Stock Exchange, BHP Billiton, Banque de France, and Ripple.
Our focus is on public blockchains, such as Bitcoin or Ethereum, which are fully decentralized and in which participants are anonymous. Public blockchains stand in contrast to private blockchains, in which a central authority can authorize participants and certify transactions. The main issue we address is whether public blockchains can be expected to generate stable consensus: Is such consensus a necessary byproduct of the blockchain protocol? Or could the blockchain protocol lead to the emergence of different, competing, versions of the ledger?
Each block, in the blockchain, offers an updated version of the ledger, taking into account recent transactions, and chained to a previous version of the ledger—that is, a previous block. In an ideal blockchain, there is a single sequence of blocks, registering the dynamics of the ledger, on which all participants agree. In contrast to this situation, there could be forks in the blockchain. In that case there are competing branches, each registering a potentially different version of the ledger. Such forks could make the ledger less stable, reliable, and useful, as they could create uncertainty about the distribution of property rights. In practice, as discussed in the next section, there have been several forks, some of which have persisted until now. We endeavor to understand the economic forces at the root of forks, and why the blockchain protocol does not seem to always be successful at avoiding them.
To study the dynamics of the blockchain, we analyze the behavior of its key participants: the miners. It is the miners who decide to which previous block a new block is chained and thus give rise to a single chain or trigger forks. We take a game-theoretic approach to analyze the strategies of the miners and the resulting equilibrium blockchain dynamics.
The rules of the game played by the miners in the major public blockchains (such as, e.g., Bitcoin or Ethereum) are set by the protocol known as “proof-of-work,” which can be sketched as follows (and is described in more details in the next section): At each point in time, miners try to validate a new block of transactions. This implies solving a purely numerical problem unrelated to the block’s content, an activity referred to as “mining.” A miner who solves his problem obtains a proof-of-work, which he attaches to his block before disseminating it through the network. The instantaneous probability that a miner solves his proof-of-work problem is increasing in his computing power. In this context, at each point in time, the identity of the miner who proposes the next block is the outcome of a random draw. This ensures that miners take turns to validate blocks, and therefore no single miner has control over the whole verification process. When a new block is disseminated through the network, it becomes part of the consensus if miners chain their next block to it.
As argued by Nakamoto (2008), proof-of-work generates a stable consensus, or in other words, a single chain, if miners always take the last solved block as the parent for their next block. This ideal blockchain is illustrated in Figure 1.
Miners, however, may choose to discard certain blocks. Suppose, for example, that the last block solved is |$B_{n}$|, but miner |$m$| chains his next block to the parent of |$B_{n}$|, that is, |$B_{n-1}$|. This starts a fork, as illustrated in Figure 2.
If some miners follow |$m$|, while others continue to attach their blocks to the original chain, there are competing versions of the ledger. This reduces the credibility and reliability of the blockchain, especially if the fork is persistent. Even if, eventually, all miners agree to attach their blocks to the same chain, the occurrence of the fork is not innocuous. The blocks in the chain eventually abandoned are orphaned. They have been mined in vain, and the corresponding computing power and energy have been wasted. Moreover, the transactions recorded in the orphaned blocks could be called in question.
A fork can also occur when some miners adopt a new version of the mining software that is incompatible with the current version. If miners fail to coordinate on the same software, this triggers a fork.
Does the blockchain protocol rule out the occurrence of forks? In the frictionless case in which information is instantaneously disseminated in the network, and there is no attempt to double-spend (such attempts are described in the next section), it is commonly assumed that a single blockchain will prevail. To examine the validity of that “folk theorem,” we design a model that captures the key features of the proof-of-work blockchain protocol: There are |$M$| risk-neutral, rational, and strategic miners. Each time a miner solves a block, he obtains a reward in the cryptocurrency associated with the branch to which his block belongs. Miners choose to which previous block to chain their current block. They do so, observing all previously solved blocks, to maximize the expectation of their cumulated rewards at an exogenous liquidation time. We solve for Markov perfect equilibria of this stochastic game.
Our analysis of this game uncovers two important economic forces at play in the blockchain.
First, miners’ actions are strategic complements: Recall their rewards are paid in the cryptocurrency associated with the chain on which they are solving blocks. We assume the value of that cryptocurrency depends on the credibility of the corresponding chain, which is higher if more miners are active on it. Hence, miners benefit from coordinating on a single chain, which they can achieve by playing the longest chain rule (hereafter LCR), as suggested by Nakamoto (2008). This sustains a Pareto-optimal equilibrium (Proposition 1). The same coordination motives, however, sustain equilibria with forks. If at some time (e.g., when a sunspot is observed) a miner anticipates all others to fork and mine a new branch, his best response is to follow them. Indeed, he rationally anticipates that any block solved out of the equilibrium path will not be accepted by other miners and the corresponding reward will be worthless (Proposition 2).
Second, we identify a countervailing force that we refer to as “vested interest”: An important feature of the blockchain is that miners cannot immediately spend or convert the cryptocurrency earned for solving blocks. Consequently, a miner who has accumulated rewards by solving several blocks on a given chain has a vested interest in this chain remaining active. In particular, the value of these rewards would drop if he moved to a different chain. Vested interests may counteract coordination motives for a group of miners, inducing them to keep mining a minority chain, and sustaining persistent forks in equilibrium (Proposition 3). Unlike temporary forks that only rely on coordination motives and would arise with atomistic miners, equilibria with persistent forks depend on miners taking into account the impact of their actions on the blockchain. It is likely, in practice, that large pools of miners, such as AntPool, BTC.com, or Slush Pool, who each represent more than 10% of the computing power, indeed behave strategically.
Next, we enrich the model and make it more realistic by incorporating further real world characteristics of blockchains, such as information delays, and instances in which miners have to choose between incompatible upgrades of the mining software. We show that like the sunspots in our basic model, these characteristics can trigger forks on the equilibrium path. And we show that the same fundamental interplay of coordination motives and vested interests as in the basic case underlies equilibria with forks in these more realistic extensions of the model.
Finally, we endogenize the computing capacity that each miner installs. Because the difficulty of the mining process is adjusted upwards when the total computing capacity in the network increases, a miner’s investment in computing power exerts a negative externality on all other miners. This gives rise to an arms race in which each miner ends up overinvesting (not unlike in Glode, Green, and Lowery 2012 and Biais, Foucault and Moinas 2016). This analysis points to another source of inefficiency in the blockchain design.
Early academic contributions on distributed consensus are in computer science. Since seminal work by Pease, Shostak, and Lamport (1980) and Lamport, Shostak, and Pease (1982), finding protocols that allow network participants to reach an agreement has been a major issue in computer science. In a Byzantine agreement (BA) setting, participants seek to agree on a common output aggregating private inputs, in the presence of “malicious” participants who try to attack, that is, disrupt the agreement. Nakamoto (2008) proposes the proof-of-work blockchain protocol to achieve consensus with high probability, in spite of potential attacks by malicious miners seeking to create a branch faster than the “honest” ones. Miller and LaViola (2014), Pass, Seeman, and Shelat (2017), and Garay, Kiayias, and Leonardos (2015) consider a larger set of attacks.2 Their results suggest that the protocol is robust as long as honest miners represent the majority of computing power.3
While these papers consider ad hoc strategies from exogenously honest or malicious participants, we study optimal strategies from rational and profit-maximizing players in a game. The computer science papers to which our analysis is the closest, by Kroll, Davey, and Felten (2013) and Carlsten et al. (2016), analyze interactions between miners as a game. Kroll, Davey, and Felten (2013) offer interesting economic intuition, but do not develop a formal game-theoretic analysis. Carlsten et al. (2016) focus on specific strategies (regarding the choice of which block to chain to, and which transactions to include in a block) and show that they constitute an equilibrium. Relative to the computer science literature, our contribution is twofold: To the best of our knowledge, our paper offers the first formal game-theoretic analysis of equilibria in the proof-of-work blockchain protocol. It is also the first to point to the importance of coordination effects in that protocol and show that they lead to multiple equilibria involving forks.
Our paper also relates to an emerging literature in economics and finance on blockchains. Harvey (2016) discusses the pros and cons of blockchains, while Raskin and Yermack (2016) and Yermack (2017) discuss their implications for central banking and corporate governance, respectively. Cong and He (2019) model the effect of blockchains on product market competition: blockchains improve contractibility and favor entry, but increase access to transaction data, which helps sustain collusive equilibria.4 While these papers focus on the consequences of blockchains deployment, we provide a formal analysis of the blockchain consensus-building mechanism itself under proof-of-work. Chiu and Koeppl (2019) also analyze the proof-of-work protocol, and focus on investors’ incentives to double-spend, while we focus on miners’ incentives to maintain consensus. The analysis of proof-of-stake protocols in Saleh (2017) is complementary to our analysis of proof-of-work. Several papers (e.g., Evans 2014) note that a problem with the Bitcoin mining incentive scheme is that miners are paid with bitcoins, which have a volatile value. In our analysis, the only source of variation in the value of rewards to a given block is the extent to which the chain including that block is actively mined. We analyze how these variations affect incentives.
1. A Primer on Blockchains
In this section we first describe the blockchain protocol and then discuss forks that occurred in blockchains.
1.1 The blockchain protocol
1.1.1 Centralized versus decentralized ledgers
A ledger is a collection of records, regarding ownership, transactions, identity, and so on. For ledgers to facilitate interactions among economic agents, it is essential that the agents reach a consensus about the state of the ledger and its authenticity. Historically, a central authority, e.g., the state and its delegates, ensured this consensus by managing and certifying the ledger. Such centralized ledgers, however, cannot operate satisfactorily if the central authority behaves opportunistically, e.g., by excluding some participants or transactions, or by distorting the ledger.
The distributed ledger technology (DLT) can overcome that obstacle. Within a distributed ledger, there is a network of participants, and each participant maintains its own ledger. When an economic transaction occurs, the trading parties send this information to the network, so that it can be validated by network participants, each including it in its own ledger. Ledgers should eventually be the same for all participants, giving rise to consensus on a single, distributed, ledger.
Blockchain is the distributed ledger protocol invented by Nakamoto (2008) when he created Bitcoin. The elegance and novelty of his solution relies in particular on its endeavor to incorporate the incentives of the participants.5 This justifies our game-theoretic approach that accounts for these incentives to investigate the properties of this protocol.
1.1.2 Proof-of-work
Decentralization of the ledger implies that its validation should not be controlled or manipulated by a single participant or a small number of colluding participants. One way to associate all participants to the validation of transactions would be to rely on majority voting. However, as noted by Nakamoto (2008, page 3): “If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs.”
The solution proposed by Nakamoto (2008) to this so-called Sybil attack is called “proof-of-work.” For convenience, participants do not validate each transaction individually but group them in blocks. One participant is designated to send his block to the network to update the ledger. In order to be designated, each participant works to solve a computational problem with adjustable difficulty (referred to as a “moderately-hard puzzle” in computer science; see Dwork and Naor 1993) attached to his block. The term “work” in proof-of-work therefore refers to using computers and electricity to perform this task. The problem to solve has nothing to do with the economic transactions included in a block. Rather, it requests using computing power to perform independent trials (similar to draws under replacement) until one finds a solution to an arbitrary numerical problem (a hash value lower than a given threshold). As nodes randomly draw candidate solutions, one of them eventually gets lucky and solves the problem before the others. Thus, proof-of-work is a way to randomize across participants who will propose the next change to the ledger.
A drawback of proof-of-work is that it requires costly computing capacity. An alternative protocol to save on electricity and hardware costs is proof-of-stake (see Saleh 2017). The basic idea is that each participant’s probability to be designated to propose a block for validation depends on the amount of cryptocurrency he owns: the larger that amount, the more frequently a participant will be chosen. Ideally, this system ensures that those who have more stake in the network (and are thus more eager to maintain consensus) are more likely to contribute to the validation process. But no major fully decentralized blockchain network uses proof-of-stake yet.6 For that reason we focus on proof-of-work in our analysis.
A property of moderately-hard puzzles is that the solution is not easy to find, but easy to verify. Hence, when they receive a block for validation, participants easily check whether the sender actually found the solution. If participants accept this block, they take it as the parent of the new block they start mining. Thus, as written by Nakamoto (2008) page 8, participants “vote with their CPU power, expressing their acceptance of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them.”
This process gives rise to a chain of consecutively solved blocks, that is, the blockchain, as illustrated in Figure 1.
1.1.3 Miners
The nodes conducting the earlier-mentioned tasks are called miners, as they get rewarded for solving proof-of-work problems with newly-created units of the cryptocurrency (12.5 BTC per block on Bitcoin in 2018, and 3 ETH on Ethereum since October 2017).7 They also receive transaction fees that the originators of economic transactions can choose to offer for the validation of these transactions. These rewards are included in the block that generates them. Bitcoin imposes a 100-block delay before rewards earned through mining can be spent.
In practice, miners gather in large pools. Figure 3 presents the distribution of computing power of the pools operating on Bitcoin in May 2018. The figure illustrates that 10 mining pools represented about 86% of the total hash capacity. Pools allow miners to mutualize block discovery risk. They also coordinate individual mining strategies. For example, on https://www.bitcoinmining.com/bitcoin-mining-pools/, one can read: “If you participate in a Bitcoin mining pool then you will want to ensure that they are engaging in behavior that is in agreement with your philosophy towards Bitcoin. ... Therefore, it is your duty to make sure that any Bitcoin mining power you direct to a mining pool does not attempt to enforce network consensus rules you disagree with.”
1.1.4 Difficulty
If the total computing power increases (e.g., due to the entry of new miners), the protocol ensures that the difficulty is scaled up so that average duration between two blocks remains equal to the desired level. Thus, on Bitcoin, every 2,016 blocks, that is, approximately every two weeks, the difficulty is rescaled to ensure that the average time between blocks remains at 10 minutes.
Equation (4) implies that the instantaneous probability to find a block for miner |$m$| is increasing in his or her own computing capacity, but decreasing in the capacity of the others.
1.2 Forks
Consensus on the decentralized ledger requires that there is only one chain of blocks, observed by all and on which all agree. It is jeopardized if the chain splits into a fork, with two competing branches, each with its own version of the ledger. In the present section we review some reasons why forks can happen in blockchains, and describe forks that actually occurred.
1.2.1 Information delays
In practice, the information that a block has been solved is not transmitted instantaneously and simultaneously to all network participants. For example, miners in Siberia might learn before miners in Iceland that a block has been solved in China. Thus, it will routinely happen that a block has just been solved but some participants are not yet aware of that. If these participants solve their own block in the meantime, this starts a fork with two competing blocks attached to the same parent. Nakamoto (2008) identified that problem and suggested it would be solved if miners always chained their blocks to the longest chain (following the LCR):
Nodes always consider the longest chain to be the correct one and will keep working on extending it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one. (Nakamoto 2008, page 3)
1.2.2 Double-spending
The blockchain protocol was also designed to prevent “double-spending.” Suppose a miner buys an object from a seller, paying for it with bitcoins. The corresponding transaction is recorded in a block |$B$|. When the latter is validated, as soon as the seller delivers the object, the buyer has an incentive to start a fork: he could try to solve a block that does not contain his transaction, and that is chained to the parent of |$B$|, in the hope of attracting miners to his chain. If he succeeded in doing so, no block would be chained to |$B$| (i.e., |$B$| would be “orphaned” ), which would void the transfer of his bitcoins to the seller. Nakamoto (2008) argues that double-spending is unlikely to be successful because it would require solving blocks faster than the rest of the network.9
1.2.3 Software upgrades
So far we have used the term “fork” to refer to chain splits. There is another possible use of the term: In the context of open source software, forking means copying the source code of a computer program and modifying it to create a different version. As emphasized by Lerner and Tirole (2002), this gives rise to coordination issues on which version is adopted by participants. In a blockchain, a “soft fork” is the introduction of an upgraded version of the software that remains compatible with the previous version: blocks mined with the new version are considered as valid by miners still running the old version (but the opposite is in general not true). In contrast, a “hard fork” is not backward-compatible, as upgraded miners create blocks that are rejected as invalid by non-upgraded miners. As long as some miners do not accept blocks considered as valid by others, a software upgrade can trigger a fork in the blockchain. We describe here some actual unintended or intended forks triggered by software upgrades.
1.2.4 Unintended forks
An important chain split occurred on the Bitcoin blockchain in March 2013, following what developers thought to be an innocuous software upgrade: some time earlier, some miners upgraded to a new version of the software, referred to as 0.8. On March 11, 2013, there turned out to be a bug so that the miners operating with the 0.7 version rejected as invalid one block solved by the 0.8 miners and consequently the subsequent ones (thus the 0.8 upgrade was in fact an unintended hard fork, which miners identified with a delay). From that point on, the 0.8 miners worked on a chain stemming from that block, while the 0.7 worked on a competing chain, stemming from its parent. When they discovered the split, participants all wanted to revert to a single chain, but they had to decide which branch to keep and which to orphan. Achieving coordination turned out to be difficult, as illustrated by the following discussion between Bitcoin software developers and miners (reported by Narayanan 2015):
Gavin Andresen: the 0.8 fork is longer, yes? so majority hashpower is 0.8 |$\ldots$| first rule of bitcoin: majority hashpower wins
Luke Dashjr: if we go with 0.8 we are hard forking
BTC Guild: I can single handedly put 0.7 back to the majority hashpower. I just need confirmation that that’s what should be done.
Pieter Wuille: that is what should be done, but we should have consensus first.
Miners faced a dilemma. Should they follow the LCR and mine the 0.8 chain which had attracted the majority of the computing power? Or should they revert to the 0.7 version? Miners wanted to abide to the consensus, but they first needed to coordinate on what the consensus should be.
Eventually, BTC Guild, which was one of the largest pools at the time, chose to downgrade to the 0.7 version. This resulted in the 0.7 chain becoming the longest, and all miners coordinating back to it. It took 8 hours before participants could solve the problem. Consequently, more than 24 blocks, solved on the 0.8 chain, became orphaned, and their miners (including BTC Guild) lost the corresponding rewards. Commenting on this situation, Narayanan (2015) wrote:
One way to look at this is that BTC Guild sacrificed revenues for the good of the network. But these actions can also be justified from a revenue-miximizing perspective. If the BTC Guild operator believed that the 0.7 branch would win anyway (perhaps the developers would be able to convince another large pool operator), then moving first is relatively best, since delaying would only take BTC Guild further down the doomed branch.
This discussion underscores that miners’ coordination, or the lack thereof, plays an important role in the emergence and resolution of forks. It also underscores the importance of beliefs in this context: An individual miner (or a pool such as, e.g., BTC Guild) decides to chain his blocks to the branch that he believes the others will choose. Thus, beliefs about the actions of others influence one’s action. This generates a form of beauty contest, in which coordination effects are critical.
1.2.5 Intended forks
Ethereum underwent a hard fork in the summer of 2016. Following the hack of TheDAO, a large venture capital fund operating through smart contracts on Ethereum, members of the Ethereum community suggested to roll back the blockchain in order to cancel the transactions that diverted the fund’s money. They hoped all participants would coordinate on that hard fork, leading to a single active chain. Other members, however, refused to alter the history of the ledger and rejected the hard fork. Consequently, Ethereum split in two incompatible branches, Ethereum and Ethereum Classic. These two branches still exist, each corresponding to a different ledger and history of trades, and a different cryptocurrency. As of May 2018, Ethereum Classic represented about 3.5% of the hash capacity of Ethereum, and the price of ETC was about 3% of the ETH price. This episode illustrates the difficulty to achieve coordination on a single chain, the uncertainty about miners’ actions and the resulting occurrence of persistent competition between alternative chains.
Bitcoin also underwent two hard forks, in the summer and in the fall of 2017. The first fork is linked to the size of blocks that can be mined on the blockchain. The community had long been divided on how to relax the limitation of the network throughput.10 Several solutions were supported by different participants, with the threat of some to fork in order to impose their preferred solution. In the New York Agreement signed on May 2017, most mining pool operators agreed to roll out a compromise solution (SegWit2x). Yet, another way to increase throughput, Bitcoin Cash, was implemented, via a hard fork, on 1 August 2017. Bitcoin then split in two branches, with two different cryptocurrencies, Bitcoin and Bitcoin Cash. On the former branch, following the New York Agreement, a hard fork was planned for November 2017 to double the size of blocks. There was a lot of uncertainty, and discussion among miners, about who would adopt SegWit2x, and whether there would be a new chain split. Many Bitcoin community members announced that a chain split was very likely. At odds with those forecasts, the SegWit2x hard fork was abandoned. One could have thought this meant participants would coordinate on Bitcoin. Quite to the contrary, a large fraction of miners reacted by shifting from Bitcoin to Bitcoin Cash. While in early November 12-hour average hashrates were about 10 Exahashes (|$10^{18}$| hashes) per second on Bitcoin versus less than |$2$| on Bitcoin Cash, on November 12, 2017, hashrates were similar on the two branches.
The second fork, Bitcoin Gold, which occurred in the fall of 2017, relies on a different proof-of-work algorithm than Bitcoin. It allows miners to mine efficiently using generic graphics processing units (GPU) by preventing the use of specific ASIC (integrated circuits that cannot be used for any other purpose than mining and are produced by a small number of firms). While it was initially unclear whether this fork would attract computing capacity, it is now implemented with a market capitalization around
A dozen other hard forks occurred on Bitcoin in December 2017, each proposing a modified version of the mining software or reward policy (as, for instance, Bitcoin God, Super Bitcoin, Bitcoin X, Oil Bitcoin, Bitcoin World, Lightning Bitcoin...). Although it is uncertain how many of these forks will remain, these episodes underscore that it is difficult for miners to coordinate on a single chain, that chain splits are not uncommon, and that the outcome is hard to predict, even for major participants. In the next sections, we analyze the economic mechanisms that are at the roots of these forks.
2. Basic Model
In line with the previous description of the blockchain technology, we consider the following model.
2.0.1 Miners and pools
There are |$M > 2$| risk-neutral miners, indexed by |$m\in \mathcal{M} =\{1,\ldots M\}$|. Equivalently, each |$m$| can be thought of as a mining pool, since, as explained in the previous section, a pool coordinates the strategies of a group of miners.
2.0.2 Mining technology
There is a continuous flow of transactions sent for confirmation by end users.11 We assume all miners perfectly and instantaneously observe this flow, which they include in the blocks they mine.
As mentioned earlier, the time it takes miner |$m$| to solve a block problem is an exponentially distributed random variable with parameter |$\theta _{m}$|. We first consider a stationary environment, in which the number of miners, their computer capacity, and the difficulty of the task are constant (so that the |$\theta _{m}$| are constant also). Then, in Section 5, we endogenize difficulty and computing capacities.
We assume that miners do not update the set of transactions defining the block they mine until a hash problem is solved (transactions that flow in meanwhile are stored in a buffer.) Relaxing that assumption would not alter the economic mechanism we analyze here.
We also assume that at time |$z_{m}$|, exponentially distributed with parameter |$\lambda _{m}$|, miner |$m$| is hit by a liquidity shock. At time |$ z_{m}$| the miner must leave the game and sell the cryptocurrencies he earned or purchased previously to a new miner who also inherits his beliefs and preferences. Thus, exits are compensated by entries and the environment is stationary. The times at which blocks are solved and liquidity shocks occur are all independent.
2.0.3 Blockchain
At time |$0$|, there is an initial state of the ledger, encoded in |$B_{0}$|, and an initial set of transactions to be registered. Starting from |$B_{0}$|, miners start working on the first block, |$B_{1}$|, which contains this initial set of transactions. Once |$B_{1}$| is solved, miners must choose to which parent block to chain the next block (|$B_{2}$|) they mine. If miners choose |$B_{1}$| as a parent block, they continue the first chain. Alternatively, miners can choose to disregard |$B_{1}$| and attach |$ B_{2}$| to |$B_{0}$|. In that case, miners start a fork and the chain splits into two competing chains, one including |$B_{0}$| and |$B_{1}$|, the other |$ B_{0}$| and |$B_{2}$|.
As the game unfolds, a tree of blocks develops. At each vertex |$B_{k}$|, the tree includes a label, identifying the miner who solved the corresponding block, |$m(B_{k})$|. The indices of the blocks give the order in which they have been solved. That is, if |$k<n$|, then block |$B_{k}$| was solved before block |$B_{n}$|.
We first assume that at any time |$t$|, all miners observe the tree of solved blocks |$\mathcal{C} ^{t}=\{B^{t},E^{t},I^{t}\}$|, where |$B^{t}=(B_{0},\ldots B_{n})$| is the set of all blocks that have been solved by time |$t$|, |$E^{t}= \{(B_{0},B_{1}),\ldots (B_{k},B_{k^{\prime }}),\ldots \}$|, with |$0\leq k<k^{\prime }\leq n$|, is the set of edges chaining these blocks, and |$ I^{t}=(m(B_{1}),\ldots m(B_{n}))$| is the set of identities of miners who solved blocks. We then relax the assumption that |$\mathcal{C}^{t}$| is observed instantaneously to study information delays. Within a tree, a chain is a sequence of connected blocks in which each block is connected to at most one subsequent block. Thus, each fork starts a new chain. More formally, we define a fork as follows:
Fork: There is a fork at time |$t$| if and only if there exists |$(B_{i},B_{k},B_{k^{\prime }})$| included in |$B^{t}$| such that |$B_{k} \neq B_{k^{\prime }}$| and both |$(B_{i},B_{k})$| and |$(B_{i},B_{k^{\prime }})$| belong to |$E^{t}$|.
It is also useful to define the original chain for a given tree |$\mathcal{C} ^{t}$|, as follows:
Original Chain: Suppose |$E^{t}$| contains |$(B_{i},B_{k})$| and |$(B_{i},B_{k^{\prime }})$|. A chain that includes |$(B_{i},B_{k})$| preexists a chain that includes |$(B_{i},B_{k^{\prime }})$| if and only if |$ k<k^{\prime }$|. We call the original chain the chain that preexists all other chains in |$\mathcal{C}^{t}$|.
Note that the original chain is well defined since the “preexist” relation provides a complete ranking of all chains (as all chains have at least one common block, |$B_0$|).
2.0.4 Stopping times
Miners make decisions at different points in time, corresponding to a sequence of stopping times. Whenever a block is solved or a miner is hit by a liquidity shock, all miners get to make a decision. Thus, the sequence of stopping times at which miners make decisions is |$\mathcal{T=}\{0,\ldots \tau _{j},\tau _{j+1},\ldots \}$| where the next stopping time after |$\tau _{j}, \tau _{j+1}$|, is equal to |$\tau _{j+1} =\min [\tau ^{l}(\tau _{j}),\tau ^{b}(\tau _{j})], \tau ^{l}(\tau _{j})$| being the first time a liquidity shock occurs after |$\tau _{j}$| and |$\tau^{b}(\tau _{j})$| the first time a block is solved after |$\tau _{j}$|.
2.0.5 Action space
At any time |$\tau \in \mathcal{T}$|, miners observe the set |$B^{\tau }$| of all the blocks that have been solved previously. A miner’s action is the choice of which block in |$B^{\tau }$| to attach his current block to. All miners |$m\in \mathcal{M}=\{1,\ldots M\}$| face the same action space.
2.0.6 Payoffs
When miner |$m$| solves a block in a given chain, he receives a reward, included in the block he mined, and expressed in the cryptocurrency corresponding to that chain.13 As mentioned in the previous section, Bitcoin imposes a 100-block delay before rewards for mining can be spent. To capture such delays in a simple manner, we assume miner |$m$| keeps the units of cryptocurrency he earned until |$z_{m}$|, and then consumes at |$z_m$| the rewards he earned throughout the game.
We now present what determines the value of blocks’ rewards. When the cryptocurrency earned as a reward for mining a block is sold, the price it fetches depends on the credibility of the chain that contains the block. Consider two polar cases: In the first case, a block solved by a miner becomes orphaned—that is, no further blocks are attached to it, so that no miner expresses acceptance of that block and the transfer of cryptocurrency it encodes. In the second case there is a single chain to which all blocks belong, reflecting consensus on the blocks in the chain. The market value of the block’s reward in the first case (when the block ends up orphaned) is likely to be zero and is bound to be smaller than in the second case. Now turn to an intermediate case, in which the block is included in a chain competing with another one. As long as a significant fraction of the miners are working on each of the chains, the value of rewards included in the blocks of the two chains can remain positive.
More formally, the payoff for miner |$m$| from solving |$B$| is an increasing function, |$G(.)$|, defined on |$\{0,\ldots ,M\}$|, of the number of miners active at time |$z_{m}$| in the chain including |$B$|.14 For example, suppose there are two active chains at time |$z_{m}$|. If there are |$K$| miners active in the chain including |$B$|, and |$M-K$| in the other, the payoffs from solving blocks are the following: The miner who solved block |$B$|, which we denote by |$m(B)$|, earns |$G(K)$| for block |$B$|. A miner who solved a block in the other chain earns |$G(M-K)$| for that block. If a miner solved a block that belongs to both chains, because it was mined before the inception of the fork, he earns |$G(M-K)+G(K)$|.15 More generally, if a block belongs to |$I$| chains, each attracting |$K_i$| miners with |$\sum_{i=1}^{I} K_i \leq M$|, the value of this block is |$\sum_{i=1}^{I} G(K_i)$|. We set |$G(0)=G(1)=0$|, that is, when there is only one or no miner on a chain, the associated cryptocurrency has no value. Indeed, any level of consensus requires that at least two miners agree. We also assume |$G(M)$| is strictly positive, hence |$G(.)$| is strictly increasing in part of its domain. Finally, we assume that |$G$| is superadditive: when a fork occurs on a chain and creates two competing chains attracting respectively |$K_1$| and |$K_2$| miners, the total value of a unit of cryptocurrency that belongs to the two competing chains (because it was mined before the inception of the fork) is weakly lower than if the fork had not occurred. Formally, we have |$G(K_1)+G(K_2)\leq G(K_1+K_2), \forall (K_1, K_2)$| such that |$K_1+K_2 \leq M$|. This implies that the value of a block cannot be greater than |$G(M)$|, whatever the number of chains that block belongs to. Note that in our setting the payoff function |$G(.)$| depends on the total number of miners |$M$|. This captures the value of consensus: miners’ rewards depend on the relative number of miners active on each chain, rather than on the absolute one.
Our assumption that the value of the virtual currency is reduced by forks is illustrated by Figure 4, which plots the decline in bitcoin value during the March 2013 fork. The first vertical line indicates the time (around 22:00 UTC on March 11) at which miners started working on two different chains. Chats between miners realizing there was a fork started around 23:30.16 At 1:30 on March 12, a message posted on Bitcointalk asked miners to stop mining one of the two branches of the chain (the 0.8 branch). The second vertical line (approximately at 6:20) indicates the time at which the 0.7 branch caught up the 0.8 branch. By 7:30, miners had stopped mining the 0.8 branch, which became orphaned, so that the fork was no longer active. The figure illustrates that when the market realized that miners worked on different branches, this triggered a 25% drop in the value of the virtual currency (from around 48 at 1:00 to around 36 at 3:00).
2.0.7 States
At time |$\tau \in \mathcal{T}$|, a state |$\omega _{\tau }$| includes two elements:
First, |$\omega _{\tau }$| includes the tree of solved blocks |$\mathcal{C}^{\tau }=\{B^{\tau },E^{\tau },I^{\tau }\}$|. The entire set of previously solved blocks, |$B^{\tau }$|, is relevant for the miners, since they can chain a new block to any of these previously solved blocks. For each miner, the set of blocks he solved, measurable with respect to |$I^{\tau }$|, determines his payoff, and therefore influences his actions.
Second, as in Duggan (2012) or Cole and Kehoe (2000), to enable players to coordinate their actions using a public randomization device, we assume that at each time |$\tau \in \mathcal{T}$|, the realization of a sunspot random variable |$r^{\tau }$| is observed by all, and we include it in the state. |$r^{\tau }$| is uniformly distributed on |$[0,1]$| and i.i.d. over time.
Thus, we define |$\omega _{\tau }=($||$\mathcal{C}^{\tau },$||$r^{\tau })$| and denote by |$\Omega$| the set of states of the world.
2.0.8 Strategies
Miner |$m$| chooses his strategy to maximize his expected payoff at time |$ z_{m}$|. At each time |$\tau \in \mathcal{T}$|, miners observe the whole history of the game, that is, the state |$\omega _{\tau }$|, as well as, for instance, the exact timing of blocks resolution and the previous mining choices. In line with Markov perfection, we consider only strategies that are measurable with respect to |$\omega _{\tau }$|.17 A pure strategy for miner |$m$| is a function |$\sigma _{m}^{\tau }$| mapping each possible state of the blockchain |$\omega _{\tau }\in \Omega$| into an element of the action space |$B^{\tau }$|. We denote the strategy of miner |$m$| throughout the entire history of the game by |$\sigma _{m}$| and the profile of strategies for the |$M$| miners by |$\sigma =\{\sigma _{m}\}_{m\in \mathcal{M}}$|. |$\sigma$|, combined with the random variables |$\{z_{}\}_{m\in \mathcal{M}}$| and |$\{N_{m}\}_{m\in \mathcal{M}}$|, yields the transition probabilities from one state of the blockchain to the next.
2.0.9 Equilibrium
The previously described elements define our stochastic game. Our equilibrium concept is Markov perfect equilibrium, that is, subgame perfect equilibrium with strategies restricted to depend only on the current state |$\omega _{\tau }$|.
3. Equilibrium Analysis of the Basic Model
If the miner enters the market later, to replace an earlier miner hit by a liquidity shock, his maximum payoff is the same as in Equation (7), minus the price he pays for the cryptocurrency bought from the previous miner. This sunk cost does not affect his strategy, and we neglect it hereafter.
Does there exist a natural strategy enabling miners to achieve this maximum expected payoff? The definition of |$\mathcal{G}_{m}^{\max }$| implies that to obtain the maximum expected payoff, all miners should be on the same chain when any of them is hit by the liquidity shock. This is the case if all miners stick to the original chain at any time |$\tau \in \mathcal{T}$| . If they do so, the longest chain rule (LCR) trivially holds. Our first proposition states that there exists an equilibrium in which miners follow this strategy.
There exists a Markov perfect equilibrium such that on the equilibrium path there is a single chain and all miners follow the LCR, thus obtaining their maximum expected payoff, |$\mathbb E[\mathcal{G}_{m}^{\max }]$|.
The intuition for Proposition 1 is the following. When all miners up to |$\tau$| attach their blocks to the original chain, thus following the LCR, there is a single chain at |$\tau$|. If the others abide to this strategy, then |$m$| can obtain his maximum possible expected payoff, |$\mathbb E[\mathcal{G}_{m}^{\max }|\omega _{\tau }]$|, by also abiding to it. Hence there is no profitable one-shot deviation from the strategy that consists in extending the original (and thereby longest) chain. Precisely, each miner rationally anticipates that if he deviates and solves a block, the other miners will not follow him, and the block solved out of the equilibrium path will have no value.
In the context of the strategic interaction characterized in Proposition 1, miners are not really competing to solve their block before the others. That another miner solves his block before |$m$| does not, in itself, reduce |$m$|’s gains. The only thing that matters for miners to obtain the maximum payoff they get in Proposition 1 is that they coordinate well and all work on the same chain. This arises only when difficulty is constant, however. In Section 5, we study the determination of total computing capacity and discuss its allocations to different branches of the blockchain. In that context, we point out that when one miner devotes larger computing power to one branch, he raises the difficulty for the others. This brings in a competition effect, running in the opposite direction to the coordination effect discussed earlier.
It is noteworthy that the result in Proposition 1 does not depend on the number of miners |$M$|. The economic mechanism involved in Proposition 1 does not hinge on strategic behavior. It is purely driven by coordination effects, which would also be at play in a competitive environment.
Proposition 1 emphasises that attaching blocks to the original chain is a simple way for miners to coordinate their actions and results in a single chain with no fork. There might, however, be other ways for miners to coordinate in our stochastic game. In particular, they could rely on the sunspot variable |$r^{\tau }$|. We now exhibit an equilibrium in which conditioning actions on |$r^{\tau }$| leads to equilibria with forks.
Intuitively, suppose miners follow the original chain until the realization of the sunspot variable is such that miners anticipate a fork. As shown in the following, because of coordination effects, this anticipation is self-fulfilling.
More precisely, let |$\tau ^{f}$| be the first time at which the sunspot variable is above |$1-\varepsilon$| (where |$\varepsilon >0$| can be arbitrarily small), and let |$n(\tau )$| denote the index of the last block solved by time |$\tau$|. Relying on this notation, we can state our next proposition:
Consider an arbitrary integer |$f>0$| and |$\varepsilon >0$|. There exists a Markov perfect equilibrium such that the following occurs on the equilibrium path: As long as |$r^{\tau }\leq 1-\varepsilon$|, or |$f\geq n(\tau )$|, there is a single chain and all miners chain their current block to the previous block, |$B_{n(\tau )}$|. At the first time |$\tau$| such that |$r^{\tau }>1-\varepsilon$| and |$f<n(\tau )$|, each miner chains his current block to |$ B_{n(\tau )-f}$|. Afterwards, miners chain their current block to the last solved block on the chain including the edge |$(B_{n(\tau )-f},B_{n(\tau )+1})$|.
In the statement of the proposition, we focus on what happens on the equilibrium path. In the proof in the Appendix, we characterize the equilibrium strategy profile for any state. The intuition of Proposition 2 is the following: If a miner expects all to fork to |$B_{n(\tau )-f}$|, but chooses to deviate and not fork to |$B_{n(\tau )-f}$|, then he expects any block he solves will be orphaned and earn no reward. Rationally anticipating this, he chooses to do like the others and fork to |$B_{n(\tau)-f}$|.
Miners’ behavior in Proposition 2 is reminiscent of actual participants’ behavior during the 2013 Bitcoin fork reported in Section 1.2. Just like BTC Guild lost the rewards from blocks mined on the |$0.8$| branch, miners in Proposition 2 lose rewards from blocks |$B_{n(\tau )-f+1}$| to |$B_{n(\tau )}$|, since the fork stemming from |$B_{n(\tau )-f}$| becomes the only active chain. They fork nevertheless because they anticipate that the others do.
Proposition 2 is stated for any integer |$f$|. In practice, Bitcoin Core (the reference implementation of the bitcoin system) includes several hard-coded checkpoints, that is, identifiers of blocks coded into the software so that any fork starting from an earlier block is considered as invalid. In the presence of checkpoints, |$f$| cannot be larger than the distance from the last checkpoint (provided that miners do not decide to remove checkpoints from their software code.)
If we measure welfare with respect to miners’ payoffs,18 then the equilibrium in Proposition 2 is Pareto-dominated by the one in Proposition 1. In Proposition 1, every block earns the miner who solved it a reward |$G(M)$| when it is sold to a subsequent miner. Any subsequent miner who buys the reward resells it for the same price |$G(M)$|, which is therefore payoff-neutral for him. In Proposition 2, the same applies for any block that does not belong to the orphaned chain |$(B_{n(\tau )-f+1},B_{n(\tau )})$|. However, a miner who solved (or inherited) a block on the orphaned chain obtains a reward worth |$G(0)=0$| after the fork, instead of |$G(M)$| in the equilibrium of Proposition 1. Hence, the fork makes at least one miner strictly worse off without strictly increasing the payoff of any other miner.
Observe that, like Proposition 1, Proposition 2 does not depend on the number of miners |$M$|. Both propositions hinge on coordination effects, which also arise in a competitive environment.
While in the previous proposition, in spite of forking, there was eventually a single chain, we now show that forking can lead to the persistent coexistence of different branches, as in the Ethereum 2016 and Bitcoin 2017 forks discussed in Section 1.2.
The number of blocks solved by |$m$| after |$B_{n(\tau ^{f})-f}$| on any of these two chains defines the vested interest of |$m$| on that chain. We let |$v_m^{o}(\tau, \tau^f)$| and |$v_m^{n}(\tau, \tau^f)$| denote the vested interests of miner |$m$| at time |$\tau \geq \tau^f$| on the original and the new chain (respectively) when the fork starts at |$\tau^f$|. Specifically, suppose miner |$m$| keeps mining the original chain after |$\tau^f$|. At |$\tau\geq \tau^f$|, his vested interest on the original chain is then equal to |$ v_m^{o}(\tau,\tau^f)=N_{m}(\tau)-N_{m}(\tau (B_{n(\tau ^{f})-f}))$| (where |$\tau (B_{n(\tau ^{f})-f})$| is the stopping time at which |$B_{n(\tau ^{f})-f}$| is solved), while his vested interest on the new chain is |$v_m^{n}(\tau,\tau^f)=0$|. Alternatively, consider miner |$m^{\prime }$| who mines the new chain from time |$\tau ^{f}$| on. His vested interest on the original chain at time |$\tau \geq \tau_f$| is |$v_{m^{\prime }}^{o}(\tau,\tau^f)=N_{m^{\prime }}(\tau ^{f})-N_{m^{\prime }}(\tau (B_{n(\tau ^{f})-f}))$|, while his vested interest on the new chain is |$v^{n}_{m^{\prime }}(\tau,\tau^f)=N_{m^{\prime }}(\tau )-N_{m^{\prime }}(\tau ^{f})$|. For miners switching between the original chain and the new one, vested interests are a bit more intricate, but they follow the same logic.
To simplify the exposition, assume that for any |$K \in \{0,\ldots ,M\}, G(K)+G(M-K)=G(M)$|. To state our next proposition, we need to define the following condition on the realized distribution of blocks’ rewards among miners.
To illustrate Condition 1, consider the following example: M=5 and the function |$G(.)$| is defined by |$G(0)=G(1)=0$|; |$G(2)=\frac{6}{5}$|; |$G(3)=\frac{9}{5}$|; |$G(4)=G(5)=3$|, so that all properties of |$G(.)$| are satisfied.19 Assume also that all miners are identical and have the same ratio |$\frac{\theta}{\lambda}$|. Then Condition 1 holds if there are two miners (ranked 4 and 5) each with a number of blocks solved in the last |$f$| blocks larger than |$\frac{\theta}{2 \lambda}$|, and three miners (ranked 1, 2, and 3) each with a number of blocks solved in the last |$f$| blocks lower than |$\frac{\theta}{\lambda}$|. This example also highlights that there can be parameter values for which Condition 1 is never satisfied. This is the case, for instance, if |$f$| is smaller than |$\frac{\theta}{ \lambda}$|. The next proposition states that persistent forks can occur in equilibrium, as illustrated in Figure 5.
Assume that |$M \geq 4$|. Consider an arbitrary integer |$f>0$| and |$\varepsilon >0$|. Define |$\tau^{f}$| as the first time |$\tau$| at which |$r^{\tau }>1-\varepsilon$|, |$f<n(\tau )$|, and Condition 1 holds. For |$\varepsilon$| sufficiently small, there exists a Markov perfect equilibrium in which, on the equilibrium path, the following occurs: As long as |$\tau <\tau ^{f}$|, there is a single chain and all miners chain their current block to |$B_{n(\tau )}$|. At |$\tau^{f}$|, all miners |$m\leq K^*$| (defined in Condition 1) chain their current block to |$B_{n(\tau ^{f})-f}$| and follow that chain afterwards, while the other miners chain their current block to |$B_{n(\tau ^{f})}$| and follow that chain afterwards.
The intuition for the result is the following. First note that for some miners to fork, we must have that the left-hand side of Equation (11) be positive, which implies that |$ K^* \geq \frac{M}{2}$|. That is, in Proposition 3, persistent forks can occur only if a majority of miners choose to fork and this is expected by all. Next, see that if |$M\leq 3$|, Conditions (10) and (11) can only be satisfied for the degenerate function |$G(K)=0$| for all |$K$|, which contradicts our assumption that |$G(M)>0$|. This is why we assume |$M \geq 4$| in the statement of Proposition 3.
Now, suppose all miners expect that a majority will fork and this will result in two coexisting chains, and examine whether miner |$m$| prefers forking or remaining on the original chain. For |$m$|, the benefit from forking is that the blocks he will mine on the new chain will be worth |$G(K^*)$|, which is larger than the value of blocks mined on the original chain, |$G(M-K^*)$|. This benefit is large if the probability that |$m$| solves a block in any given period, |$\Pr (N_{m}(\tau ^{\prime })-N_{m}(\tau )=1)$|, is large relative to the probability that |$m$| leaves the game because of a liquidity shock, |$\Pr (z_{m}=\tau ^{\prime })$|, that is, if |$\theta_m$| is large relative to |$\lambda _{m}$|. This benefit is captured in the left-hand sides of Equations (10) and (11) in Condition 1.
On the other hand, the cost of mining the new chain is that it reduces the value of the blocks already mined on the original chain. For instance, if miner |$m>K^*$| deviates from the equilibrium strategy and mines the new chain, he reduces the value of all the blocks he solved on the original chain from |$ G(M-K^*)$| to |$G(M-K^*-1)$|. This cost is large if |$m$| has large vested interests in the original chain, that is, if |$v^{o}_m(\tau,\tau )$| is large. This cost is captured in the right-hand sides of Equations (10) and (11) in Condition 1. The incentive effect of vested interests is self-reinforcing once the fork occurred. After |$\tau^f$|, miners |$m \leq K^*$| start accumulating vested interests on the new chain while miners |$m>K^*$| continue accumulating vest interests on the original chain, entrenching further their respective strategies.
Last, the assumption that for any |$K \in \{0,\ldots ,M\}, G(K)+G(M-K)=G(M)$| ensures that miners only consider the value of rewards from blocks solved after |$B_{n(\tau ^{f})-f}$| when assessing the benefit and cost of following one chain or another.20 It therefore simplifies the presentation of Condition 1. Were this not true, the value of rewards from these earlier blocks would enter Condition 1 as well, but a persistent fork equilibrium could still be sustained.
Overall, Proposition 3 shows that the endogenous sorting between miners who prefer to stick to the original chain and those who fork is driven by two forces: the number of blocks that a miner expects to solve in the future, and his vested interest in the original chain. A miner is more likely to fork when the former is higher and the latter is lower.
Unlike in Proposition 1 and Proposition 2, the equilibrium outcome in Proposition 3 depends on the number of miners. More precisely, the trade-offs faced by the miners involve the effect of their mining strategy on the value of their rewards. If miners were competitive and their choice had no impact on the value of their rewards, this strategic effect would not arise.
Finally, note that the equilibrium outcome in Proposition 3 is Pareto-dominated by that in Proposition 1. As earlier, this is because no miner can earn more than |$G(M)$| per solved block, and blocks that belong to either branch after the fork have a strictly lower value (|$G(K^*)$| or |$G(M-K^*)$|) than |$G(M)$|.
4. Enriching the Model
So far we have considered a stylized frictionless case, in which, relying on abstract sunspots, we showed that coordination effects could lead to forks and equilibrium multiplicity. We now enrich the analysis by introducing information delays, double-spending attempts, and upgrades. We show that these realistic events can play a similar role as sunspots in triggering forks, also because of coordination effects.
4.1 Information delays
As mentioned previously, Nakamoto (2008) considered the possibility of information delays in the network, generating short-term forks, and argued these forks would be rapidly resolved, as miners would follow the longest chain rule. To examine this point, we extend our model to analyze equilibrium mining in the presence of delays. We show how the interplay between information delays and coordination effects gives rise to multiple equilibria.
To keep things as simple as possible, we assume that a delay in information transmission can happen only once. As long as there has been no delay, each time a new block |$B_{n}$| is solved, there is a probability |$\eta$| that one (and only one) of the miners does not observe that event. In that case, each of the |$M-1$| miners has an equal chance of not observing the block solved by |$m(B_{n})$|. As soon as the next block (|$B_{n+1}$|) is solved, the miner who did not observe that |$B_{n}$| was solved learns that information, along with the information that |$B_{n+1}$| has been solved. To simplify proofs, we also assume that |$G(M)=G(M-1)+G(1)$| (which implies |$M \geq 3)$|.21 In this extension of our model we obtain the following result.
When miners can observe solved blocks with a delay, there exists a Markov perfect equilibrium such that on the equilibrium path miners always mine the chain that they perceive to be the longest. If there are two chains of the same length, each miner keeps mining the chain he was mining just before.
At the equilibrium presented in Proposition 4, because of information delays, two chains of the same length can appear. At this point, there is a fork. In that case, miners continue mining the chain on which they were active before the fork. When one chain becomes strictly longer, miners apply the LCR and the shortest branch of the fork becomes orphaned. This is in line with the conjecture of Nakamoto (2008). The equilibrium described in Proposition 4 therefore illustrates the robustness of the LCR equilibrium of Proposition 1 to information delays. This, however, is not the only equilibrium. Because of coordination effects, other equilibria can be sustained, in which miners don’t behave as suggested by Nakamoto (2008). This is illustrated in the following proposition.
When miners can observe solved blocks with a delay, there exists a Markov perfect equilibrium such that on the equilibrium path miners always mine the chain that they perceive as the longest. If there are two chains of the same length, miners always chain to the forking branch, and the original chain becomes orphaned.
In Proposition 5, miners follow the LCR. Yet, when an information delay causes a fork, with two equally long branches, miners abandon the chain on which they were active and follow the fork. This equilibrium is in line with Proposition 2: Both show how coordination effects underpin equilibrium multiplicity. Yet, while in Proposition 2 forking was triggered by an abstract sunspot, in Proposition 5 it is triggered by a realistic event, information delays.
In Proposition 5 the fork is only one block long, because the delay can only affect the observation of one block. On Bitcoin, most temporary forks are one block long. We collected data from one full node operated by blockchain.info, which currently reports orphaned blocks since March 2014. We found that out of 935 reported forks between March 2014 and December 2017, 928 were only one block long. Intuitively, the frequency of such forks depends on the relative frequency of block resolution compared to network latency. For example, one-block-long forks are much more frequent on Ethereum (with one block solved every 15 seconds) than on Bitcoin (with one block solved every 10 minutes): on average there have been over 1,000 one-block long forks per day on Ethereum since January 2018 (source: https://etherscan.io/chart/uncles.).
Longer forks could arise if delays affected more blocks. Note that delays are not necessarily due to network latency. In the case of the Bitcoin March 2013 fork, delays occurred because one block was mistakenly rejected by computers running one version of the mining software and it took time for miners to become aware of that problem. As discussed in Section 1.2, miners then found it difficult to coordinate on a single chain. This is consistent with Propositions 4 and 5, which show there is a multiplicity of equilibria, making it difficult for participants to coordinate. Another example occurred during the implementation of a soft fork (BIP66) on Bitcoin in July 2015. Some mining pools representing |$40%$| of the network hashpower were mining blocks without fully validating previous blocks (a strategy referred to as “simplified payment verification mining”). They thereby accepted blocks that they should have considered as invalid, which created a 6-block-long fork on July 4, 2015, and a 3-block-long fork on July 5, 2015. Although these short-lived forks differ from persistent forks sustained by vested interests, our analysis uncovers that in both types of fork, coordination effects play a key role.
4.2 Double-spending
Another important potential issue outlined in Nakamoto (2008) is double-spending. We study later whether it can arise at equilibrium. In the spirit of the modeling of delays earlier, assume that after each block is solved, there is a probability |$\eta ^{\prime }$| that one miner has an opportunity to divert the payment |$S$| from a transaction included in the last block. To earn |$S$|, the miner needs to create a fork and ensure it becomes the only active chain. Assume the opportunity to double-spend occurs only once and denote |$\gamma (m,\tau )$| the probability that at any time |$\tau$|, |$m$| is the miner who solves the next block after |$\tau$|. As for Proposition 4, we assume that |$G(M)=G(M-1)+G(1)$| to simplify proofs (which again implies |$M \geq 3)$|.
There exists a Markov perfect equilibrium such that on the equilibrium path, miners always mine the longest chain, except the miner who has the opportunity to double-spend. The latter tries to create a fork longer than the original chain. If he succeeds, all miners chain to his fork and the original chain is orphaned.
When a miner spots a double-spending opportunity, he endeavors to solve two blocks in a row before the other miners solve any new block on the original chain. If he succeeds, the fork started by the double-spending miner becomes the longest chain. If the other miners follow the longest chain rule, they then chain their blocks to the forking branch. This enables the miner to recover |$S$| and spend it again.
The equilibrium described in Proposition 6 relies on a similar coordination effect as that of Proposition 4: miners have an interest in following the longest chain when they anticipate that all other miners do the same. This in turn can induce a miner to create a fork that will be followed by all miners if it becomes the longest. But in contrast with the case of delays, the fork does not start accidentally; it is intentionally triggered by the miner who tries to double-spend.
It is profitable to try to double-spend if Condition (12) holds. The intuition for that condition is the following. When trying to create a fork after spotting |$S$|, a miner faces a large risk that his fork does not become the longest chain. The higher |$\gamma (m,\tau )$|, the lower that risk, and the higher the double-spending |$S$|, the larger the compensation for that risk.
In practice, however, Condition (12) is unlikely to hold. A back-of-the-envelope computation suggests that if |$\lambda$| is small and there are 15 identical miners, Condition (12) can be approximated as |$ S>30G(M)$|. For Bitcoin, |$G(M)=12.5$| bitcoins in 2018, hence for Condition (12) to hold, |$S$| must be larger than |$375$| bitcoins, which is a sizable amount. This condition could be relaxed, however, if instead of deriving an equilibrium where all miners can double-spend, one focuses on an equilibrium in which only the miner with the largest computing power double-spends.
Selfish mining is a related type of attack by which a miner starts a fork in the hope that it will become longer than the original chain. In this attack, the selfish miner delays the broadcasting of the blocks he mines on the forking chain, so that the other miners continue mining the original chain. They therefore bear the risk of losing all the rewards they earned on that chain. As in the case of double-spending, selfish mining can only be profitable if a miner has a benefit other than blocks rewards.22
4.3 Upgrades
As discussed in Section 1.2, blockchain participants sometimes introduce upgraded versions of the mining software. To study the impact of these upgrades, we assume it is common knowledge that just after the |$n^{th}$| block on the original chain has been solved, a new technology is introduced. Then, miners must choose between staying with the existing technology, |$C=0$|, and adopting the new technology, |$C=1$|. From this point on, miners choose between |$C=0$| and |$C=1$| for each block they mine. To capture the notion of hard fork, we assume that miners can only chain their block to a block solved with the same technology. We also allow for the possibility that miners derive private benefits from using one technology or the other. Private benefits can reflect a cost advantage. For instance, some argued that the mining pools controlled by Bitmain, an ASIC manufacturer, favored Bitcoin Cash over SegWit because they had access to a patented mining-enhancing device that cannot be used with SegWit.23 In contrast, Bitcoin Gold is favored by miners who find it costly to rely on ASIC. Private benefits can also reflect ideological preferences. The attempt at increasing the size of blocks on Bitcoin with the SegWit2x hard fork was supported by a group of large mining pools. It was eventually defeated in November 2017 by the Bitcoin Core developers who opposed the principle of a hard fork and the idea of letting these large pools impose their solution. To model private benefits, we assume that when solving a block with technology |$C$|, miner |$m$| obtains a reward |$(1+b_{m}(C))G(K)$| where |$K$| is the number of miners active on the chain containing this block.
There exists a Markov perfect equilibrium in which, on the equilibrium path, all miners follow the LCR and choose technology |$C=0$|, and another equilibrium in which, on the equilibrium path, all miners follow the LCR and choose technology |$C=1$|.
If a miner anticipates all the other miners will choose technology |$C$|, then it is a best response for this miner to also choose |$C$|, whatever his or her private benefits. The equilibria described in Proposition 7 therefore hinge on the same coordination effects as in Propositions 1 and 2.
When miners coordinate on the same technology and on following the LCR, the level and distribution of private benefits does not affect which equilibrium will prevail. In particular, it can be that |$C=1$| is chosen at equilibrium even if all miners have a preference for |$C=0$|. We now explore how a persistent fork can also be sustained at equilibrium in the presence of private benefits. For simplicity, suppose that there are |$M-K^*$| miners with a positive private benefit for the original technology. We assume |$b_{m}(1)=0$|, |$\forall m$|, while |$b_{m}(0)=0$|, |$\forall m\leq K^*$| and |$b_{m}(0)=b>0$||$\forall m>K^*$|. Denote |$\tau ^{f}$| the time at which the new technology is introduced and assume for simplicity, as in Proposition 3, that |$G(K)+G(M-K)=G(M)$| for all |$K \in \{0,\ldots ,M\}$|.
Proposition 8 focuses on the case in which the majority of miners (|$K^*$| out of |$M$|) have no private benefits, while a minority of them strongly prefers not to adopt the upgrade. In this context, if it is expected that the majority will opt for the upgrade, then all the miners who don’t have any private benefit anyhow choose to adopt the upgrade, but the minority with strong private benefits sticks to the previous version of the software. This result is reminiscent of the persistent fork equilibrium described in Proposition 3. For similar reasons as in Proposition 3, we must have |$M\geq 4$| for the equilibrium to exist. One difference is that here, the fork is initiated by exogenous private benefits, instead of the endogenous distribution of vested interests from past solved blocks in Proposition 3. However, once the fork occurred, vested interests play the same reinforcing role as in Proposition 3 by increasing the incentives of miners to stick to the chain they initially picked.
Proposition 7, in which miners must choose between two versions of the software and coordinate on a unique version, is in line with the situation observed in November 2017, in which all miners eventually coordinated on refusing SegWit2x. Such unanimity contrasts with Proposition 8, in which a minority with strong private benefits rejects the upgrade adopted by the majority. This is in line with the situation observed in July 2016, when a minority of miners rejected the Ethereum hard fork for ideological reasons. This is also in line with the Bitcoin Gold fork, which is mined by a minority of participants, some of which have strong vested interest in that chain due to their initial allocation of Bitcoin Gold.24
As mentioned earlier, many hard forks occurred during the year 2017 on Bitcoin. Our analysis highlights that larger, unevenly distributed private benefits can trigger forks. It is likely that the increase in the network activity, and the corresponding increase in Bitcoin value, have generated larger private benefits for some miners, derived from specific technologies or mining rules, which can explain why fork attempts have been more frequent.
5. Computing Capacity and Difficulty
The previous analysis takes difficulty and computing capacity as given and fixed, independently from the choices of the miners. Correspondingly, |$\theta _{m}$| is also given and fixed for all |$m$|. In the short term this is a realistic assumption. For example, on the Bitcoin blockchain between two resets of the difficulty, that is, approximately within two weeks, difficulty remains constant in all branches. In the longer term, however, this assumption is less realistic, as miners can decide to change the computing capacity they allocate to different blockchains, and difficulties are correspondingly reset. In this section we examine separately (for simplicity) two aspects of these issues: First, holding total capacity constant, we discuss how the allocation of computing capacity to different branches changes difficulty in the different branches. Second, focusing on the equilibrium of Proposition 1 (with a single chain), we analyze the ex ante equilibrium choice of computing capacity. A key point in both aspects of the analysis is that when one miner increases his computing capacity in one branch, he increases the difficulty in that branch, which exerts a negative externality on the other miners operating in that branch.
5.1 Difficulty
Suppose that branch |$x$| attracts less miners and computing capacity than |$y$|. Then miner |$K$| faces a trade-off: if he successfully mines in branch |$x$|, his reward |$G(K)$| is lower than if he succeeds in branch |$y$|; on the other hand, his probability to solve a block is higher on |$x$| since the difficulty of mining is larger on |$y$|.
The first effect, already present in the previous subsections, makes it attractive for miners to mine where they expect the others to mine (“crowding in”). The second effect (“crowding out”) is new to this section and makes it less attractive to mine a branch where many others mine. Characterizing equilibrium in that situation is beyond the scope of the present paper. Yet two different types of externalities can be pointed to.
On the one hand, when moving from branch |$x$| to branch |$y$|, miner |$K$| exerts a positive externality on miners |$m>K$|, by increasing the value of the rewards in their branch from |$G(M-K)$| to |$G(M-K+1)$|.
On the other hand, miner |$K$| exerts a negative externality on miners |$m>K$|, by increasing the computing capacity, and hence the difficulty in branch |$y$|.
5.2 Computing capacity
We now endogenize the total computing capacity in the network, that is, the choices of hash rates |$h_{m}$| by all miners at time |$0$|. We investigate the relation between equilibrium hash capacity and the socially optimal one. Our analysis of equilibrium capacity is similar to Dimitri (2017). The contribution of this subsection, relative to Dimitri (2017), is to identify an externality in the computing capacity acquisition game, which drives a wedge between equilibrium and social optimality.
To choose |$h_{m}$|, miner |$m$| needs to anticipate how his computing capacity will affect his continuation game payoff. To do so, the miner needs to form a conjecture on the equilibrium that will prevail in the mining game. For simplicity, we assume all miners rationally anticipate that the single chain equilibrium described in Proposition 1 will prevail.
A Nash equilibrium of the computing capacity acquisition game is a vector |$ \{h_{m}^{\ast }\}_{m=1,\ldots M}$| such that |$h_{m}^{\ast }$| is the optimal choice of miner |$m$| when he anticipates the others will choose |$h_{-m}^{\ast }$|. The following proposition presents the equilibrium computing capacity of the network when all |$M$| miners choose to participate.27
Condition |$c_{m}\leq \frac{\sum_{i\in \mathcal{M}}c_{i}}{M-1}$| holds if costs, |$c_{i}$|, are not too different across miners. It ensures that the solution to Equation (17) is positive for all miners, while condition |$\frac{\sum_{i\in \mathcal{M}}c_{i}}{M-1}\leq G(M)$| ensures that it is always possible to find a value of the difficulty parameter |$D$| above one, such that the expected time between two blocks is |$X$|. Equation (17) implies that equilibrium individual computing capacity is increasing in the mining reward (|$G(M)$|), decreasing in the average duration between blocks (|$X$|) and in the unit cost |$c_{m}$|. Correspondingly, Equation (18) implies that total network capacity decreases with |$\sum_{i\in \mathcal{M}}c_{i}$|.
We now compare the equilibrium network capacity to what miners would choose if they could coordinate their choices and maximize their joint profit. To do so in the simplest possible way, we consider the special case in which all miners have the same cost |$c$| and the same |$\lambda$|.
This is decreasing in |$h$|. So miners coordinate on the smallest possible value of |$h$|, corresponding to |$D=1$|. We then have |$\sum_{i\in \mathcal{M} }h_{i}=\frac{1}{X}.$| Comparing this to Equation (18) we see that, under condition |$\frac{\sum_{i\in \mathcal{M}}c_{i}}{M-1}\leq G(M)$| of Proposition 9, in equilibrium there is overinvestment in computing capacity: If miners could cooperatively decide on their individual computing capacity, each would invest |$\frac{1}{MX}$|. But if all miners invest |$\frac{1}{MX}$|, then any miner |$m$| has an incentive to increase his own |$h$| in order to increase his probability to solve blocks, leading to an arms race in computing capacity.
As in the previous subsection, by devoting computing capacity to the mining task, a miner exerts a negative externality on the others, by increasing the difficulty. This negative externality drives a wedge between equilibrium and social optimality.
6. Conclusion
Miners’ incentives are key to the production of a robust consensus in a blockchain. This paper shows that, while miners benefit from coordinating on a single chain, thereby maintaining consensus, coordination motives can also lead to abandoning portions of the blockchain. This can jeopardize the blockchain’s key function, that is, producing a stable and immutable history of transactions. In addition, vested interests can lead to the persistence of multiple active chains.
Could these issues be overcome by communication among participants? In practice, communication among participants proved ineffective in the cases of Ethereum in 2016 and SegWit2x in 2017. This is in line with theoretical and experimental findings that communication in games does not necessarily facilitate coordination (see, e.g., Crawford 1998).
Another issue relates to the negative externalities arising in proof-of-work blockchains. First, as shown earlier, when choosing individually optimal computing capacity, miners fail to internalize the negative externality their investment generates for other miners by increasing difficulty. This implies that equilibrium capacity acquisition in proof-of-work mining is excessive. Second, proof-of-work mining generates greenhouse-effect negative externalities, whose order of magnitude is significant. As of May 2018, the electricity consumed for Bitcoin mining was equal to the electricity consumption of over 6 million U.S. households, with an average consumption per transaction of around 850 KWh.28 Pigovian taxation could curb overinvestment in mining, but it might also be difficult to put in place, given the international decentralization of mining.
This suggests moving from proof-of-work to proof-of-stake, in which participants do not have to use computing power and energy to propose blocks for consensus. Note, however, that proof-of-stake is exposed to the same coordination problems as proof-of-work, since in both protocols participants must choose which blocks to accept and are rewarded when the others agree with their choice. In addition, proof-of-stake comes with its own problems, in particular the nothing-at-stake effect: a participant can stake his cryptocurrency units on different branches, thus hindering the emergence of consensus.29
This points to a major dilemma for distributed ledgers: On the one hand, the anonymity and decentralization of public blockchains expose them to coordination failures and externalities. On the other hand, private blockchains can restore coordination and internalize externalities, but only to the extent that they involve the intervention of a centralized authority, which goes against the fundamental motivation for blockchain.
Appendix
Notation
We summarize here notation we use throughout the proofs:
-|$\tau(B_n)$| is the stopping time at which block |$B_n$| is solved.
-|$n(\tau)$| is the index of the last block solved by time |$\tau$|.
-|$N_m(\tau)$| is the total number of blocks solved by miner |$m$| by time |$\tau$|.
-|$N^\mathcal C_m(\tau)$| is the number of blocks solved by miner |$m$| on chain |$\mathcal C$| by time |$\tau$|. In particular, |$N^o_m(\tau)$| is the number of blocks solved by |$m$| on the original chain.
-|$p(B_n)$| is the index of the block to which |$B_n$| is chained (his parent).
The following lemma implies that a candidate strategy profile |$\{\sigma _{m}^{\ast }\}_{m\in \mathcal{M}}$| forms a Markov perfect equilibrium (MPE) if and only if no miner has a profitable one-shot deviation after any possible history of the game |$\omega_{\tau}$|.30
Our blockchain game is continuous at infinity.
Proof of Lemma A1
Proof of Proposition 1
The candidate equilibrium strategy specifies that miners always chain their block to the last block on the original chain. We let |$B_n$| denote that block, and check that no miner has a profitable one-shot deviation.
Consider the strategy of miner |$m$| at time |$\tau$| after history |$\omega_{\tau}$|. We break the analysis into three cases, the probabilities of which are independent of the miners’ actions (they reflect the distributions of independent Poisson processes with exogenous intensities).
(i) Suppose the next event is |$z_{m}$|. The equilibrium strategy prescribes that all miners mine the original chain. Therefore, if |$m$| follows the equilibrium strategy and chains his block to the last block on the original chain, |$B_{n}$|, he earns |$G(M)$| for each block he solved on the original chain and |$G(0)=0$| for any other block.
|$\quad$|Suppose |$m$| deviates and does not chain his block to |$B_{n}$|. By definition, he cannot earn more than |$G(M)$| for each block he solved on the original chain. In addition, he cannot earn more than |$G(1)=0$| for each block he solved on forks since all other miners mine the original chain. Hence deviating is not strictly profitable in this case.
(ii) Suppose the next event is that a block is solved by another miner than |$m$| at time |$\tau'$|.32 Then the state of the blockchain at |$\tau'$|, |$\omega_{\tau'}$|, does not depend on |$m$|’s action at |$\tau$|. By definition, |$\omega_{\tau'}$| captures all the payoff-relevant information, hence |$m$|’s action at |$\tau$| does not affect his payoff.
(iii) Suppose the next event is that |$m$| solves block |$B_{n(\tau)+1}$| at time |$\tau'$|. Since all other miners play the equilibrium strategy going forward and |$m$| himself reverts to mining the original chain after |$\tau'$| (one-shot deviation), which block |$m$| chose as a parent block at |$\tau$| does not affect the payoff |$m$| expects from previously mined blocks or from future blocks. Consequently, |$m$|’s payoff in any one-shot deviation differs from his equilibrium payoff only in the reward he obtains for |$B_{n(\tau)+1}$|. This reward is |$G(M)$| if |$m$| played the equilibrium strategy and chained |$B_{n(\tau)+1}$| to |$B_{n}$|, and |$G(0)$| if he chained |$B_{n(\tau)+1}$| to any other block as in that case, no miner will ever chain a block to |$B_{n(\tau)+1}$|. Hence deviating is strictly dominated in this case.
Overall, there is no state |$\omega _{\tau }$| in which a one-shot deviation gives |$m$| a strictly higher expected payoff than the candidate equilibrium strategy, which therefore forms a MPE. |$\blacksquare$|
Proof of Proposition 2
Let |$\tau ^{f}$| be the first time the sunspot variable is above |$1-\varepsilon$| and |$f$| is strictly lower than the number of blocks |$n(\tau)$|. We call “new chain” the chain created by the fork. Formally, for every |$\tau>\tau^f$|, the new chain, if it exists, is the chain containing |$(B_{n(\tau)-f},B_{k})$| that preexists all other chains containing |$(B_{n(\tau)-f},B_{k})$|, where |$k\equiv \min\{\hat k> n(\tau ^{f}),(B_{n(\tau)-f},B_{\hat k})\in\omega_{\tau}\}.$|
Our candidate equilibrium strategy specifies the following:
(a) Before the fork: If |$\tau <\tau ^{f}$|, miners chain their block to the last block on the original chain.
(b) At the fork inception and after the fork: If |$\tau \geq\tau ^{f}$|, miners chain their block to the last block on the new chain, or to |$B_{n(\tau)-f}$| if the new chain does not exist.
We now show that miner |$m$| does not have a profitable one-shot deviation from this strategy at time |$\tau$|.
(a) Before the fork: Since |$m$|’s actions do not affect the occurrence of the sunspot, for |$\tau<\tau^f$| the proof operates along the same lines as the proof of Proposition 1.
(b) At the fork inception and after the fork: Suppose |$\tau\geq\tau^f$|. As in the proof of Proposition 1, we can restrict attention to the case where |$m$| solves the next block, |$B_{n(\tau )+1}$|, at time |$\tau'$|. In that case, |$m'$|s equilibrium payoff differs from his payoff in a one-shot deviation only in the reward for block |$B_{n(\tau )+1}$|. Since |$m$| expects all miners, including himself, to attach their block to the last block on the new chain after |$\tau'$|, |$m$|’s reward for block |$B_{n(\tau )+1}$| is |$G(M)$| if he played the equilibrium strategy and chained his block to the last block on the new chain (or to |$B_{n(\tau)-f}$|), and |$G(0)=0$| if he chained |$B_{n(\tau )+1}$| to any other block. |$\blacksquare$|
Proof of Proposition 3
We start with preliminary steps. Consider |$\tau_f$| defined in Proposition 3, and define the new chain as in the proof of Proposition 2. Let |$v^{n}_m(\tau, \tau^f)=N_m^n(\tau)-N_m^n(\tau^f)$| be miner |$m$|’s vested interest on that chain, that is, the number of blocks he solved on the new chain after |$\tau^f$|.
To define our equilibrium strategies, we use the following condition, which we will derive explicitly in the proof:
Our candidate equilibrium strategy profile specifies the following:
(a) Before the fork: If |$\tau <\tau^{f}$|, miners chain their block to the last block on the original chain.
(b) At the fork inception and after the fork: If |$\tau \geq\tau ^{f}$| and Condition 2 holds, miners |$m\leq K^*$| chain their block to |$B_{n(\tau ^{f})-f}$| if the new chain does not exist, and to the last block on the new chain otherwise, while miners |$m>K^*$| chain their block to the last block on the original chain.
(c) After the fork off-path: Suppose |$\tau >\tau ^{f}$| and Condition 2 does not hold. Let |$\Delta\omega\equiv\omega^{\tau}\setminus \omega^{\tau^f}$| (i.e., |$\Delta\omega$| contains the history of the game between |$\tau^{f}$| and |$\tau$|). Then for every |$\tau'\geq\tau$|, all miners play the strategy prescribed after history |$\omega^{\tau'}\setminus\Delta\omega$| that is defined in (b). In playing strategies defined in (b), miners consider that the original and the new chain are defined with respect to history |$\omega^{\tau'}\setminus\Delta\omega$|.33
As will become explicit later, the specification of the equilibrium strategy in states described in (c) is useful to rule out certain types of deviations.
To show that a miner does not have a profitable one-shot deviation, we consider each case in turn.
Proof of part (a): Before the fork. Miner |$m$|’s one-shot deviation from equilibrium at time |$\tau <\tau ^{f}$| has two effects on his expected payoff. First, it can affect the distribution of vested interests on the original chain at future times |$\tau$| such that |$r^{\tau }>1-\varepsilon$|. Second, as in the proof of Proposition 2, it can impact the value of the block |$m$| chooses to mine. As in the previous proofs, these effects are affected by |$m$|’s action at |$\tau$| only if he solves the next block, |$B_{n(\tau)+1}$|.
Hence, if |$\varepsilon$| is close enough to 0, |$\Pr (\tau ^{f}<z_{m}|\omega _{\tau },z_{m})$|, and therefore the gain from reducing the likelihood of a fork via a deviation can be arbitrarily small.
Next consider the second effect. If miner |$m$| solves |$B_{n(\tau )+1}$| but this block is not on the original chain, no further block will be chained to it, since all miners henceforth play the equilibrium strategy. Hence the expected payoff for this block is |$G(0)=0$|. If instead |$m$| was following the equilibrium strategy when he solved |$B_{n(\tau )+1}$|, the expected payoff from this block is strictly positive.
Overall, the first effect, which reflects the maximum gain from a one-shot deviation can be set arbitrarily close to 0, while the second effect, which reflects the cost of a one-shot deviation, is bounded away from 0. Hence, there is no profitable one-shot deviation.
Proof of part (b): At or after the fork.
(i) Consider first a deviation by a miner |$m>K^*$|.
|$\quad$|Any deviation other than chaining to the last block on the new chain is ruled out by similar arguments as in Proposition 1. Hence we just check that |$m$| prefers to chain his block to the last block on the original chain, rather than to the last block on the new chain. As in the proof of Proposition 1, a one-shot deviation affects |$m$|’s payoff only if the next stopping time |$\tau^{\prime }$| corresponds to two possible events: either |$m$| is hit by a liquidity shock or |$m$| solves a block.
– Suppose miner |$m$| solves a block at |$\tau^{\prime }$|, that is, |$ N_{m}(\tau ^{\prime })-N_{m}(\tau )=1$|. If Condition 2 is still true at |$\tau^{\prime}$|, since every miner, including |$m$|, reverts to the equilibrium strategy from |$\tau^{\prime}$| on, the only impact of the deviation is that |$m$| earns |$G(K^*)$| for block |$B_{n(\tau^{\prime})}$| instead of |$G(M-K^*)$| under the equilibrium strategy. If Condition 2 is not true at |$\tau^{\prime}$|, then from (c), the impact of the deviation is that |$m$| earns 0 for block |$B_{n(\tau^{\prime})}$| instead of |$G(M-K^*)$| under the equilibrium strategy, and loses all rewards for blocks solved between |$\tau^f$| and |$\tau'$|.
- – Suppose miner |$m$| is hit by a liquidity shock at |$\tau^{\prime }$|, that is, |$z_{m} =\tau ^{\prime }$|. Recall that |$N^o_m(\tau)$| is the number of blocks solved by |$m$| on the original chain at time |$\tau$|. Then his payoff under the deviation isinstead of(A15)\begin{equation} v^{o}_m(\tau, \tau^f )G(M-K^*-1)+v^{n}_m(\tau, \tau^f )G(K^*+1) + N^o_{m}(\tau(B_{n(\tau ^{f})-f}))G(M) \end{equation}under the equilibrium strategy.34(A16)\begin{equation} v^{o}_m(\tau , \tau^f)G(M-K^*)+v^{n}_m(\tau, \tau^f )G(K^*)+ N^o_{m}(\tau(B_{n(\tau ^{f})-f}))G(M) \end{equation}It follows that there is no profitable deviation ifwhich is exactly inequality (A5) in Condition 2.(A17)\begin{equation} \begin{array}{l} \Pr (N_{m}(\tau ^{\prime })-N_{m}(\tau ) =1)[G(K^*)-G(M-K^*)]\leq\\[1ex] \begin{array}{rcl} &\Pr (z_{m} =\tau ^{\prime })&[v^o_m(\tau, \tau^f)(G(M-K^*) -G(M-K^*-1))\\ [1ex] && -v^{n}_m(\tau, \tau^f)(G(K^*+1)-G(K^*))] \end{array} \end{array} \end{equation}
- (ii) Consider next a deviation by a miner |$m\leq K^*$|. A symmetric reasoning yields that there is no profitable deviation ifwhich is exactly Equation (A6) in Condition 2.(A18)\begin{equation} \begin{array}{l} \Pr (N_{m}(\tau ^{\prime })-N_{m}(\tau ) =1)[G(K^*)-G(M-K^*)] \geq \\[1ex] \begin{array}{rcl} &\Pr (z_{m} =\tau ^{\prime})&[v^o_m(\tau, \tau^f)(G(M-K^*+1)-G(M-K^*)) \\ && -v^{n}_m(\tau, \tau^f)(G(K^*)-G(K^*-1))], \end{array} \end{array} \end{equation}|$\quad$|Next, see that at |$\tau=\tau^f$|, |$v^n_m(\tau^f,\tau^f)=0$| for all miners. Inequality (A5) is then written:(A19)\begin{align} &\quad \frac{\Pr (N_{m}(\tau^{\prime })-N_{m}(\tau^f ) =1)}{\Pr (z_{m} =\tau^{\prime })}[G(K^*)-G(M-K^*)] \nonumber\\ & < v^o_m(\tau^f,\tau^f)[G(M-K^*)-G(M-K^*-1)]. \end{align}
|$\quad$|See that |$\frac{\Pr (N_{m}(\tau^{\prime })-N_{m}(\tau^f ) =1)}{\Pr (z_{m}=\tau^{\prime })}= \frac{\theta_m}{\lambda_m}$|. To see this, let |$x\equiv \sum_{m^\prime\in\mathcal{M}}\lambda_{m^\prime}+\sum_{m^\prime\in\mathcal{M}}\theta_{m^\prime}$| be the cumulative intensity of all liquidity shocks and block solving times. Note that |$\Pr (N_{m}(\tau ^{\prime })-N_{m}(\tau )=1)=\int_{\tau}^{+\infty} \theta_m e^{-x(t-\tau)}dt=\frac{\theta_m}{x}.$| Similarly, |$\Pr (z_{m} =\tau ^{\prime})= \int_{\tau}^{+\infty} \lambda_m e^{-x(t-\tau)}dt=\frac{\lambda_m}{x}.$|
|$\quad$|Hence at |$\tau=\tau^f$|, (A5) is exactly Inequality (10) in Condition 1. Similarly, Inequality (A6) is then written:which is exactly Inequality (11) in Condition 1, evaluated at |$\tau=\tau_f$|.(A20)\begin{equation} \frac{\theta_m}{\lambda_m}[G(K^*)-G(M-K^*)]> v^o_m(\tau^f, \tau^f)[G(M-K^*+1)-G(M-K^*)] \end{equation}|$\quad$|Furthermore, if miners adhere to the equilibrium strategy, then miners |$ m\leq K^*$| always mine the new chain so that inequality (11) in Condition 1 at |$\tau=\tau_f$| implies that Inequality (A6) in Condition 2 is true at any |$\tau > \tau^f$|. Symmetrically, given that miners |$m> K^*$| stick to the original chain, Condition 2 is always verified after |$\tau^f$|. Hence, given that Condition 1 holds at |$\tau^f$|, for |$ \tau>\tau^f$|, Condition 2 holds on the equilibrium path.
Proof of part (c): After the fork off-path. Suppose |$\omega_{\tau}$| is as described in (c). Then given that all other players play the equilibrium, |$m$|’s payoff from adhering to the equilibrium strategy is as in (b). Following the same logic as in the proof of (b), other deviations can be ruled out. |$\blacksquare$|
Proof of Proposition 4
Our candidate equilibrium strategy specifies the following:
(a) If a miner solved a block outside the original chain thereby creating a one-block-long fork as long as the original chain, that miner chains his next block to the block he just solved.
(b) Otherwise, each miner chains his current block to the last block solved on the original chain, except if there is a fork starting with two blocks consecutively solved by the same miner, longer than the original chain. In that case, each miner chains his block to the longest chain, which miners consider to be the original chain from that point on.35
We further assume that |$G(M-1)+G(1)=G(M)$|. Indeed, there can be a transient fork created by one miner who did not observe in time the actual state of the original chain. If another miner is hit by a liquidity shock precisely when the fork is being formed, the blocks previously solved by that other miner, which with certainty will not become orphaned, are worth at the time of the fork |$G(M-1)+G(1)$|. Given equilibrium strategies, the same blocks will be worth |$G(M)$| just after the fork is resolved. Our assumption means that these blocks have the same value at and after the fork. This assumption also mirrors the assumption that |$G(1)=G(0)$|: if only one miner is not on the same chain as the others, the reward for solving blocks is not affected. We specify in what follows when this assumption is used.
Proof of part (a). Let |$B_{n}$| be the last block solved on the original chain. Suppose that at time |$\tau$|, miner |$m$| has just created a one-block-long fork as long as the original chain by solving |$B_{n(\tau)}$| that is chained to |$B_n$|’s parent, |$p(B_n)$|.36
As earlier, the relevant choice for |$m$| is between chaining his next block to |$B_{n(\tau)}$| (the equilibrium strategy) and chaining it to |$B_{n}$| (the only relevant deviation). As in the proof of Proposition 1, a one-shot deviation affects |$m$|’s payoff only if the next stopping time corresponds to two possible events: either |$m$| is hit by a liquidity shock or |$m$| solves a block.
(i) Suppose the next event is |$z_{m}$|. If |$m$| deviated and chained his block to |$B_{n}$|, his payoff is |$ G(0)+N^o_m(\tau(B_{n}))G(M).$| Indeed, all miners, including |$m$|, chain to |$B_n$|. Hence, |$m$| earns |$G(0)$| for solving block |$B_{n(\tau)}$| and |$G(M)$| for every block he solved on the original chain up to |$\tau(B_{n})$|.
|$\quad$|If, instead, |$m$| followed the equilibrium strategy and chained his block to |$B_{n(\tau)}$|, his payoff is |$ G(1)+N^{o}_{m}(\tau _{p(B_{n})})[G(M-1)+G(1)] +{\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n) \}} G(M-1).$| Since |$m$| is the only miner chaining to |$B_{n(\tau)}$|, he earns |$G(1)$| for block |$B_{n(\tau)}$|. In addition, |$m$| earns |$G(M-1)+G(1)$| for each block he solved on the original chain up to |$p(B_n)$|, reflecting the occurrence of a fork where |$m$| chains to |$B_{n(\tau)}$| and the |$M-1$| other miners chain to |$ B_{n}$|. Finally, |$m$| earns |$G(M-1)$| for |$B_n$| if he solved it.
|$\quad$|Since by assumption |$G(M-1)+G(1)=G(M)$| and |$G(1)=0$|, the deviation is not strictly profitable in that case
(ii) Suppose the next event is that |$m$| solves |$B_{n(\tau)+1}$|.
- – If |$m$| deviated and chained his block to |$B_{n}$|, the original chain becomes the only active chain and |$B_{n(\tau)}$| is orphaned. |$m$|’s expected gain is(A21)\begin{align} &N^{o}_{m}(\tau(B_{n}))G(M)+G(M)\nonumber\\ &\quad{} +\mathbb E\left[\int_{\tau(B_{n(\tau)+1})}^{z_{m}}dN_{m}(t)G(M)dt|z_{m}\geq \tau(B_{n(\tau)+1})\right]-\mathcal L(\tau(B_{n(\tau)+1})). \end{align}
Indeed, |$m$| earns |$G(M)$| for each block he solved on the original chain up to |$B_n$| and for |$B_{n(\tau)+1}$|. The conditional expectation is his expected reward for the blocks solved after |$\tau(B_{n(\tau)+1})$| if none becomes orphaned.37|$\mathcal L(\tau(B_{n(\tau)+1})$| is the expected loss due to one of |$m$|’s blocks solved after |$\tau(B_{n(\tau)+1})$| becoming orphaned. On the equilibrium path, orphaned blocks occur if and only if a miner observes a block with delay and creates a successful fork.
- – If instead |$m$| played the equilibrium strategy and chained his block to |$B_{n(\tau)}$|, the chain including |$B_{n(\tau)}$| and |$B_{n(\tau)+1}$| becomes the longest, hence the only active one. |$m$|’s expected gain is(A22)\begin{align} &N^{o}_{m}(\tau({p(B_n)}))G(M)+2G(M)\nonumber\\[-5pt] &\quad{} +\mathbb E\left[\int_{\tau(B_{n(\tau)+1})}^{z_{m}}dN_{m}(t)G(M)dt|z_{m}\geq \tau(B_{n(\tau)+1})\right]\nonumber\\[-5pt] &\quad{} -\mathcal L(\tau(B_{n(\tau)+1})), \end{align}
It follows that there is no profitable deviation.
Proof of part (b). As earlier, |$B_n$| is the last block solved on the original chain.
(1) Suppose that at time |$\tau$|, there is no fork of two consecutive blocks solved by the same miner and longer than the original chain.
|$\quad$|For any miner |$m$| (who has not started a fork), the two relevant choices are to follow the equilibrium strategy and chain his block to |$B_{n}$|, or to create a fork by chaining his block to |$p(B_n)$| and try solving two blocks in a row (other deviations are ruled out by the same reasoning as in Proposition 1).
|$\quad$|As in the proof of Proposition 1, a one-shot deviation affects |$m$|’s payoff only if the next stopping time corresponds to two possible events: either |$m$| is hit by a liquidity shock or |$m$| solves a block. If the next event is |$z_m$|, |$m$|’s payoff is |$N_{m}^{o}(z_{m})G(M)$| (if there is no fork), or |$N_{m}^{o}(z_{m})(G(M-1)+G(1))=N_{m}^{o}(z_{m})G(M)$| (if a fork was started by another miner) whether he follows the equilibrium strategy or deviates. If the next event is that |$m$| solves block |$B_{n(\tau)+1}$|, there are two possible continuations: Either another miner does not observe that |$m$| solved |$B_{n(\tau)+1}$| or all miners observe that |$m$| solved |$B_{n(\tau)+1}$|. The probabilities of these two events are independent of |$m$|’s action, we consider them in turn.
- (i) If all miners observe that |$m$| solved |$B_{n(\tau)+1}$|, |$m$|’s expected gain if he followed the equilibrium strategy and chained |$B_{n(\tau)+1}$| to |$B_{n}$| is(A23)\begin{align} &(N_{m}^{o}(\tau _{B_{n}})+1)G(M)+\mathbb E\left[\int_{\tau (B_{n(\tau)+1})}^{z_{m}}dN_{m}(t)G(M)dt|z_{m}\geq \tau(B_{n(\tau)+1})\right]\nonumber\\ &\quad{} -\mathcal L(\tau(B_{n(\tau)+1})). \end{align}
The first term is the reward for blocks solved up to |$\tau(B_{n})$| plus the reward for mining |$B_{n(\tau)+1}$| when the latter remains on the original chain. The conditional expectation is |$m$|’s expected reward for solving blocks after |$\tau(B_{n(\tau)+1})$|. The last term, |$\mathcal L(\tau(B_{n(\tau)+1}))$|, is the expected loss due to one of |$m$|’s blocks solved after |$\tau(B_{n(\tau)+1})$| becoming orphaned.
|$\quad$||$m$|’s expected gain if he deviated and chained |$B_{n(\tau)+1}$| to |$p(B_{n})$| is38(A24)\begin{align} & \left[N_{m}^{o}(\tau(p(B_{n}))+{\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n) \}}\Pr (B_{n} =p(B_{n(\tau)+2})) \right]G(M) \nonumber\\[-6pt] &\quad{} +\Pr(m=m(B_{n(\tau)+2}))G(M) \nonumber\\[-6pt] &\quad{} +\mathbb E\left[\int_{\tau (B_{n(\tau)+1})}^{z_{m}}dN_{m}(t)G(M)dt|z_{m} \geq \tau (B_{n(\tau)+1})\right]\nonumber\\[-6pt] &\quad{} -\mathcal L(\tau (B_{n(\tau)+1})). \end{align}Indeed, |$m$| earns |$G(M)$| for all blocks solved on the original chain up to |$\tau(p(B_{n})$|, for |$B_n$| if he solved it and it remains on the active chain (if |$B_{n(\tau)+2}$| is attached to |$B_n$|), and for |$B_{n(\tau)+1}$| if it is included in the active chain (if |$m$| solves |$B_{n(\tau)+2}$|).39
|$\quad$|The second term is the continuation payoff for all blocks solved after |$ B_{n(\tau)+1}$| if they are not orphaned afterwards. The third term is the expected loss due to one of |$m$|’s blocks solved after |$\tau (B_{n(\tau)+1})$| becoming orphaned. Neither term depends on which block |$m$| chains |$B_{n(\tau)+1}$| to.
|$\quad$|Since |$N_{m}^{o}(\tau(B_{n}))\geq N_{m}^{o}(\tau(p(B_{n}))+{\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n)\}}\Pr (B_{n} =p(B_{n(\tau)+1}))$|, if all miners observe that |$m$| solved |$B_{n(\tau)+1}$|, |$m$|’s expected payoff is larger if he followed the equilibrium strategy than if he deviated.
- (ii) If one miner (|$m^{\prime }$|) did not observe that |$m$| solved |$B_{n(\tau)+1}$|, |$ m$|’s expected gain if he followed the equilibrium strategy is(A25)\begin{align} &[N_{m}^{o}(\tau(B_{n}))+1-\Pr (m^{\prime }=m(B_{n(\tau)+2})=m(B_{n(\tau)+3}))]G(M)\nonumber\\ &\quad{} +\mathbb E\left[\int_{\tau(B_{n(\tau)+1})}^{z_{m}}dN_{m}(t)G(M)dt|z_{m}\geq \tau(B_{n(\tau)+1})\right]\!. \end{align}
The first term is |$m$|’s expected reward for solving blocks up to |$B_{n(\tau)+1}$|, reflecting the risk that |$B_{n(\tau)+1}$| become orphaned if |$m^{\prime }$| solves |$ B_{n(\tau)+2}$| and |$B_{n(\tau)+3}$|. The second term is |$m$|’s continuation payoff, reflecting that |$m$| will be mining on the single active chain (be it the original one or a fork that becomes the consensus).
|$\quad$|If |$m$| deviated by chaining |$B_{n(\tau)+1}$| to |$p(B_{n})$|,40 to earn his reward on |$ B_{n(\tau)+1}$|, |$m$| needs to solve |$B_{n(\tau)+2}$| so his expected gain is(A26)\begin{align} &\left[N_{m}^{o}(\tau(p(B_n))+{\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n)\}}\Pr(B_{n} =p(B_{n(\tau)+2})) \right]G(M) \nonumber\\ &\quad{} +\Pr(m=m(B_{n(\tau)+2}))G(M)\nonumber\\ &\quad{} +\mathbb E[\int_{\tau(B_{n(\tau)+1})}^{z_{m}}dN_{m}(t)G(M)dt|z_{m} \geq \tau(B_{n(\tau)+1})]. \end{align}As earlier,(A27)\begin{equation} N_{m}^{o}(\tau(B_{n}))\geq N_{m}^{o}(\tau(p(B_{n})))+{\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n)\}}\Pr (B_{n}=p(B_{n(\tau)+2})). \end{equation}Consequently, there is no profitable deviation if(A28)\begin{equation} 1-\Pr (m^{\prime }=m(B_{n(\tau)+2})=m(B_{n(\tau)+3}))\geq \Pr (m=m(B_{n(\tau)+2})). \end{equation}That is,which holds because(A29)\begin{equation} 1\geq \Pr (m=m(B_{n(\tau)+2}))+\Pr (m^{\prime }=m(B_{n(\tau)+2})=m(B_{n(\tau)+3})), \end{equation}(A30)\begin{align} &1\geq \Pr (m=m(B_{n(\tau)+2}))+\Pr (m^{\prime }=m(B_{n(\tau)+2}))\geq\nonumber \\ &\quad \Pr (m=m(B_{n(\tau)+2}))+\Pr (m^{\prime }=m(B_{n(\tau)+2})=m(B_{n(\tau)+3})). \end{align}This completes the first part of the proof of the optimality of the strategy stated in (b).
(iii) Suppose there is a fork starting with two blocks consecutively solved by the same miner and longer than the original chain. The equilibrium strategy then prescribes that miners chain their block to the longest chain.
|$\quad$|If one miner observed a block with delay, we are in the same situation as in Proposition 1, and there is no profitable deviation from mining the longest chain. Off the equilibrium path, however, that fork could have occurred for other reasons, and a new fork could still occur because of a delay in the future. In that case there is no profitable deviation (in particular, trying to create a fork by solving two blocks in a row is dominated by the equilibrium strategy), as shown in the first part of (b). |$\blacksquare$|
Proof of Proposition 5
Our candidate equilibrium strategy specifies the following:
(a) If a miner solved a block outside the original chain thereby creating a one-block-long fork as long as the original chain, all miners chain their next block to the fork, which miners consider to be the original chain from that point on.
(b) Otherwise, each miner chains his current block to the last block solved on the original chain.
Proof of part (a). Let |$B_{n}$| be the last block solved on the original chain, suppose |$B_{k+1}$|, with |$k \geq n$|, is chained to |$p(B_n)$|. As earlier, the relevant choice for |$m$| at time |$\tau$| is between chaining his next block to |$B_{k+1}$| (the equilibrium strategy) and chaining it to |$B_{n}$| (the only relevant deviation). As in the proof of Proposition 1, a one-shot deviation affects |$m$|’s payoff only if the next stopping time corresponds to two possible events: either |$m$| is hit by a liquidity shock or |$m$| solves a block.
- (i) Suppose the next event is |$z_{m}$|. If |$m$| deviated and chained his block to |$B_{n}$| his payoff iswhere |$G(M-1)$| is his reward if he solved block |$B_{k+1}$|, and |$G(1)$| his reward if he solved |$B_n$|. If, instead, |$m$| followed the equilibrium strategy and chained his block to |$B_{k+1}$|, his payoff is(A31)\begin{equation} {\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_{k+1})\}}G(M-1)+{\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n)\}}G(1)+N^{o}_{m}(\tau(p(B_{n})))G(M), \end{equation}(A32)\begin{equation} {\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_{k+1})\}}G(M)+{\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n)\}}G(0)+N^{o}_{m}(\tau(p(B_{n})))G(M). \end{equation}
Since by assumption |$G(M-1)\leq G(M)$| and |$G(1)=G(0)$|, the deviation is not strictly profitable.
(ii) Suppose the next event is that |$m$| solves block |$B_{n(\tau)+1}$|.
|$\quad$|If |$m$| chained his block to |$B_{n}$|, |$B_{n(\tau)+1}$| becomes orphaned since all miners, including |$m$| mine the fork after |$\tau(B_{n(\tau)+1})$|. |$m$|’s expected gain issince blocks |$B_n$| and |$B_{n(\tau)+1}$| are orphaned and earn |$G(0)$|. As before, |$\mathcal L(\tau(B_{n(\tau)+1}))$| is the expected loss due to one of the blocks solved by |$m$| after |$\tau(B_{n(\tau)+1})$| becoming orphaned.(A33)\begin{align} &N^{o}_{m}(\tau (p(B_{n})))G(M)+{\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_{k+1})\}}G(M)+ {\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n)\}}G(0)+G(0) \nonumber\\ &\quad{} +\mathbb E\left[\int_{\tau(B_{n(\tau)+1})}^{z_{m}}dN_{m}(t)G(M)dt|z_{m}\geq \tau(B_{n(\tau)+1})\right]-\mathcal L(\tau(B_{n(\tau)+1})), \end{align}|$\quad$|If instead |$m$| had chained his block to |$B_{k+1}$|, |$m$|’s expected gain issince now |$m$| earns |$G(M)$| for solving |$B_{k+2}$|.(A34)\begin{align} &N^{o}_{m}(\tau(p(B_{n})))G(M)+{\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_{k+1})\}}G(M)+ {\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n)\}}G(0)+G(M)\nonumber \\ &\quad{} +\mathbb E\left[\int_{\tau(B_{n(\tau)+1})}^{z_{m}}dN_{m}(t)G(M)dt|z_{m}\geq \tau(B_{n(\tau)+1})\right]-\mathcal L(\tau(B_{n(\tau)+1})), \end{align}|$\quad$|It follows that the deviation is strictly dominated.
Proof of part (b). As before, |$B_n$| is the last block solved on the original chain. Assume there is no one-block-long fork of the same length as the original chain at time |$\tau$|. The only relevant deviation for miner |$m$| is to try to start a fork by chaining his current block to |$p(B_n)$|. If |$z_m$| occurs, or if another miner solves the next block, |$m$|’s payoff is not affected by which block he currently mines.
Indeed, all miners chain their future blocks to the chain that contains |$B_{n(\tau)+1}$|, therefore |$m$| earns |$G(M)$| for |$B_{n(\tau)+1}$|. If |$m$| played the equilibrium strategy and chained |$B_{n(\tau)+1}$| to |$B_n$|, he obtains the same payoff, since he earns |$G(M)$| for |$B_{n(\tau)+1}$| as well. Therefore there is no profitable deviation.|$\blacksquare$|
Proof of Proposition 6
Our candidate equilibrium strategy specifies the following:
(a) If a miner has the opportunity to double-spend, he mines a block chained to the parent of the last block solved on the original chain.
(b) If a miner solves a block that creates a one-block-long fork as long as the original chain, that miner chains his next block to the block he just solved, except if he spots an opportunity to double-spend, in which case he plays according to (a).
(c) Otherwise, each miner chains his current block to the last block solved on the original chain, except if there is a fork starting with two blocks consecutively solved by the same miner, longer than the original chain. In that case, each miner chains his block to the longest chain, which miners consider to be the original chain from that point on.
The general structure of the proof is similar to that of Proposition 4. As in this previous proof, we assume that |$G(M-1)+G(1)=G(M)$| to simplify the exposition. We also clarify that the miner who earns the reward |$S$| is the one who completes a double-spending fork before being hit by his liquidity shock |$z_m$|. In particular, a miner who initiates a double-spending fork but is hit by a liquidity shock before the fork is resolved does not earn |$S$|. By contrast, a miner who successfully completes a double-spending fork initiated by the miner he replaced does earn |$S$|.
Proof of part (a). Let |$B_{n}$| be the last block solved on the original chain. Consider the strategy of miner |$m$| who spots the opportunity to double-spend at time |$\tau$|.
Following the same reasoning as earlier, the relevant choice for |$m$| is between chaining his next block to |$p(B_{n})$| (the equilibrium strategy), chaining it to |$B_{n}$|, or chaining it to |$B_{n(\tau)}$| if |$B_{n(\tau)}$| is chained to |$ p(B_n)$| and |$m=m(B_{n(\tau)})$|. (This can happen off path if |$m$| started a fork from |$p(B_n)$| and spots the double-spending opportunity right after. By assumption, |$S$| can only be earned if |$m$| creates a new fork from |$p(B_n)$|.) As in the proof for Proposition 1, we can restrict attention to the cases where the next event is that |$m$| either is hit by a liquidity shock, or solves a block.
Last, suppose |$m=m(B_{n(\tau)})$| and |$B_{n(\tau)}$| is chained to |$p(B_n)$|. If |$m$| deviated and chained his block to |$B_{n(\tau)}$|, his payoff is the same as when chaining his block to |$p(B_{n})$|, plus |$G(1)$| for solving |$B_{n(\tau)}$|.41 Since by assumption |$G(M-1)+G(1)=G(M)$| and |$G(1)=0$|, there is no profitable deviation.
Alternatively, suppose the next event is that |$m$| solves |$B_{n(\tau)+1}$|.
To analyze this case, we condition |$m$|’s payoffs on the event that |$m=m(B_{n(\tau)+2})$|, that is, |$m$| solves |$B_{n(\tau)+2}$| before being hit by a liquidity shock. This event’s probability is independent from |$m$|’s strategy, and if |$m$| follows the equilibrium strategy, then |$m$| earns |$S$| if and only if this event is true.
(i) Suppose |$m$| solves |$B_{n(\tau)+2}$|.
If |$m$| deviated and chained his block to |$B_{n}$|, his payoff is|$m$| earns |$G(M)$| for all the blocks solved on the original chain up to |$ \tau(B_{n})$|. |$m$| earns |$G(M)$| for solving |$B_{n(\tau)+1}$| and |$B_{n(\tau)+2}$|, which belong to the original chain, and for all the future blocks solved after |$\tau(B_{n(\tau)+2})$|, since |$m$| knows that no other double-spending opportunity will be spotted.(A37)\begin{align} &N^{o}_{m}(\tau(B_{n}))G(M)+2G(M)\nonumber \\ &\quad{} +\mathbb E\left[\int_{\tau(B_{n(\tau)+2})}^{z_{m}}dN_{m}(t)G(M)dt|z_{m}\geq \tau (B_{n(\tau)+2})\right]. \end{align}|$\quad$|If |$m=m(B_{n(\tau)})$| and |$B_{n(\tau)}$| is chained to |$p(B_n)$|, if |$m$| deviated and chained |$ B_{n(\tau)+1}$| to |$B_{n(\tau)}$|, his payoff is|$m$|’s fork has succeeded and he earns |$G(M)$| on all blocks solved up to |$p(B_n)$| on the original chain, plus on |$B_{n(\tau)}$|, |$B_{n(\tau)+1}$| and |$B_{n(\tau)+2}$|.(A38)\begin{align} &N^{o}_{m}(\tau _{p(B_n)})G(M)+3G(M)\nonumber\\ &\quad{} +E\left[\int_{\tau(B_{n(\tau)+2})}^{z_{m}}dN_{m}(t)G(M)dt|z_{m} \geq \tau(B_{n(\tau)+2})\right]. \end{align}|$\quad$|If |$m$| played the equilibrium strategy and chained |$B_{n(\tau)+1}$| to |$p(B_n)$|, his payoff is|$m$| earns |$G(M)$| for all the blocks he solved before the fork (up to |$p(B_n)$|), |$G(M)$| for |$B_{n(\tau)+1}$| and for |$B_{n(\tau)+2}$|, and for all the future blocks solved after |$\tau_{B_{n(\tau)+2}}$|, since on the equilibrium path all miners mine on the chain including |$B_{n(\tau)+2}$|. In addition, |$m$| earns |$S$| from double-spending.(A39)\begin{align} & N^{o}_{m}(\tau _{p(B_n)})G(M)+2G(M) \nonumber\\ &\quad{} +E\left[\int_{\tau(B_{n(\tau)+2})}^{z_{m}}dN_{m}(t)G(M)dt|z_{m} \geq \tau(B_{n(\tau)+2})\right]+S. \end{align}|$\quad$|Hence, the net benefit of following the equilibrium strategy rather than deviating is |$S-\max\{{\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n)\}};{\rm 1}\kern-0.24em{\rm I}_{\{[m=m(B_{n(\tau)})]\bigcap [p(B_{n(\tau)})= p(B_n)] \}}\}G(M).$|
(ii) Suppose that either |$z_m$| occurs before |$\tau(B_{n(\tau)+2})$| or |$z_m$| occurs after |$\tau(B_{n(\tau)+2})$| but |$m$| does not solve |$B_{n(\tau)+2}$|. To write |$m$|’s payoff, we will distinguish the two events when needed.
|$\quad$|If |$m$| deviated and chained |$B_{n(\tau+1)}$| to |$B_{n}$|, his payoff is|$m$| earns |$G(M)$| for all the blocks solved up to |$\tau(B_{n})$|, for |$ B_{n(\tau)+1}$| (since it is on the original chain), and for blocks solved after |$\tau(B_{n(\tau)+2})$| if |$z_m>\tau(B_{n(\tau)+2})$|.(A40)\begin{align} &\Pr(z_m>\tau(B_{n(\tau)+2}))\mathbb E\left[\int_{\tau_{B_{n(\tau)+2}}}^{z_{m}}dN_{m}(t)G(M)dt|z_{m}> \tau(B_{n(\tau)+2})\right] \nonumber \\ &\quad{} + N^{o}_{m}(\tau(B_{n}))G(M)+G(M). \label{dev} \end{align}|$\quad$|If |$m=m(B_{n(\tau)})$| and |$B_{n(\tau)}$| is chained to |$p(B_n)$|, if |$m$| deviated and chained |$ B_{n(\tau)+1}$| to |$B_{n(\tau)}$|, his payoff is|$m$|’s fork has succeeded and he earns |$G(M)$| on all blocks solved up to |$ p(B_n)$| on the original chain, plus on |$B_{n(\tau)}$| and |$B_{n(\tau)+1}$|.(A41)\begin{align} &\Pr(z_m>\tau(B_{n(\tau)+2}))\mathbb E\left[\int_{\tau_{B_{n(\tau)+2}}}^{z_{m}}dN_{m}(t)G(M)dt|z_{m}> \tau(B_{n(\tau)+2})\right] \nonumber\\ &\quad{} +N^{o}_{m}(\tau(p(B_{n})))G(M)+2G(M).\label{dev2} \end{align}|$\quad$|If |$m$| played the equilibrium strategy and chained |$B_{n(\tau)+1}$| to |$p(B_n)$|, his payoff is
- – if |$z_m$| occurs first,(A42)\begin{equation} N^{o}_{m}(\tau(p(B_{n})))(G(M-1)+G(1))+ {\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n)\}} G(M-1) +G(1). \end{equation}
|$\quad$|In that case, |$m$| has created a one-block-long fork as long as the original chain when he is hit by his liquidity shock. Therefore, he earns |$ G(M-1)+G(1)$| for all the blocks he solved on the original chain up to |$ \tau(p(B_n))$|. He also earns |$G(M-1)$| for |$B_n$| if he solved it and |$G(1)$| for |$B_{n(\tau)+1}$|.
- – if |$B_{n(\tau)+2}$| is solved by another miner before |$z_m$|,(A43)\begin{equation} N^{o}_{m}(\tau _{B_n})G(M)+ G(0) +\mathbb E\left[\int_{\tau_{B_{n(\tau)+2}}}^{z_{m}}dN_{m}(t)G(M)dt|z_{m}> \tau(B_{n(\tau)+2})\right]. \end{equation}
|$\quad$||$m$|’s fork fails, therefore he earns |$G(M)$| for all the blocks he solved on the original chain up to |$\tau(B_n)$| and for the blocks solved after |$\tau(B_{n(\tau)+2})$|.
|$\quad$|Since |$G(M-1)=G(M)$|,42 gains earned by |$m$| on all blocks solved up to |$\tau(B_n)$| are the same in the two previous events. Hence |$m$|’s payoff if he played the equilibrium strategy when he does not solve |$B_{n(\tau)+2}$| is:(A44)\begin{align} &\Pr(z_m>\tau(B_{n(\tau)+2}))\mathbb E\left[\int_{\tau_{B_{n(\tau)+2}}}^{z_{m}}dN_{m}(t)G(M)dt|z_{m}> \tau(B_{n(\tau)+2})\right] \nonumber \\ &\quad{} + N^{o}_{m}(\tau _{B_n})G(M). \label{eq} \end{align}|$\quad$|Hence, the net benefit of following the equilibrium strategy rather than deviating when |$m$| does not solve |$B_{n(\tau)+2}$| is the difference between Equation (A44) and the maximum of Equations (A40) and (A41), that is,(A45)\begin{equation} -\left\{G(M)+({\rm 1}\kern-0.24em{\rm I}_{\{[m=m(B_{n(\tau)})]\cap [p(B_n(\tau))= p(B_n)] \}} - {\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n)\}}) G(M) \right \}. \end{equation}|$\quad$|Overall, |$m$| always follows the equilibrium strategy (including when he solved |$B_n$|) if and only if(A46)\begin{align} &\quad \Pr[m=m(B_{n(\tau)+2})| m=m( B_{n(\tau)+1} )][S-G(M)]\nonumber\\ &\quad >(1-\Pr[m=m(B_{n(\tau)+2})| m=m(B_{n(\tau)+1} )])2G(M)\nonumber \\[1ex] &\Leftrightarrow S>\frac{G(M)(2-\Pr[m=m(B_{n(\tau)+2})| m=m( B_{n(\tau)+1} )])}{ \Pr[m=m(B_{n(\tau)+2})| m=m( B_{n(\tau)+1} )]}. \end{align}|$\quad$|Remark that |$\Pr(m=m(B_{n(\tau)+2})| m=m( B_{n(\tau)+1} ))$| is just the probability that at any time |$m$| solves the next block, which we denote |$\gamma (m, \tau)$|.
Proof of part (b). As earlier, |$B_{n}$| is the last block solved on the original chain. Suppose that at time |$\tau$|, miner |$m$| has just created a one-block-long fork as long as the original chain by solving |$B_{n(\tau)}$| that is chained to |$B_n$|’s parent, |$p(B_n)$|. The relevant choice for |$m$| at |$\tau$| is between chaining his next block to |$B_{n(\tau)}$| (the equilibrium strategy) and chaining it to |$B_{n}$| (the only relevant deviation). The reasoning is analogous to the proof of Proposition 4 part a), and hence we only sketch it here.
(i) Suppose that the next event is |$z_{m}$|.
|$\quad$|If |$m$| deviated and chained his block to |$B_{n}$|, the original chain remains the only active chain and |$m$|’s payoff iswhere the first term is the reward for |$B_{n(\tau)}$|.(A47)\begin{equation} G(0)+N^{o}_{m}(\tau(B_{n}))G(M), \end{equation}|$\quad$|If, instead, |$m$| followed the equilibrium strategy and chained his block to |$ B_{n(\tau)}$|, his payoff iswhere the first term is the reward for |$B_{n(\tau)}$|. Since |$ G(M-1)+G(1)=G(M)$| and |$G(1)=0$|, this deviation is not strictly profitable.(A48)\begin{equation} G(1)+N^{o}_{m}(\tau(p(B_{n})))[G(M-1)+G(1)] + {\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n)\}}G(M-1), \end{equation}(ii) Suppose the next event is that |$m$| solves |$B_{n(\tau)+1}$|.
|$\quad$|If |$m$| deviated and chained his block to |$B_{n}$|, the original chain remains the only active chain and |$B_{n(\tau)}$| becomes orphaned. Therefore, |$m$|’s expected payoff iswhere the second term is the reward for |$B_{n(\tau)+1}$|. As earlier, |$\mathcal L(\tau(B_{n(\tau)+1}))$|, is the expected loss due to one of |$m$|’s blocks solved after |$ \tau(B_{n(\tau)+1})$| becoming orphaned. |$\mathcal{S}(\tau(B_{n(\tau)+1}))$| is the expected benefit from |$m$| spotting a double-spending opportunity after |$\tau(B_{n(\tau)+1})$|. Note that both |$\mathcal L(\tau(B_{n(\tau)+1}))$| and |$\mathcal{S}(\tau(B_{n(\tau)+1}))$| are conditional on |$m$|’s information at |$\tau$|. For instance, if |$m$| already had a double-spending opportunity, then |$\mathcal L(\tau(B_{n(\tau)+1}))=\mathcal{S}(\tau(B_{n(\tau)+1}))=0$|.(A49)\begin{align} &N^{o}_{m}(\tau(B_{n}))G(M)+G(M) +\mathcal{S} (\tau(B_{n(\tau)+1}))-\mathcal L(\tau(B_{n(\tau)+1}))\nonumber \\ &\quad{} +\mathbb E\left[\int_{\tau(B_{n(\tau)+1})}^{z_{m}}dN_{m}(t)G(M)dt|z_{m}\geq \tau(B_{n(\tau)+1})\right], \end{align}|$\quad$|If instead |$m$| played the equilibrium strategy and chained |$B_{n(\tau)+1}$| to |$B_{n(\tau)}$|, the chain including |$ B_{n(\tau)}$| and |$B_{n(\tau)+1}$| becomes the longest one, and all miners hereafter chain their blocks to it. Thus |$m$|’s expected payoff is at least equal towhere the second term is the reward for |$B_{n(\tau)+1}$| and |$B_{n(\tau)+2}$|. This payoff is higher by |$S$| if |$m$| has the double-spending opportunity (the only case on the equilibrium path).(A50)\begin{align} &N^{o}_{m}(\tau _{p(B_n)})G(M)+2G(M)+\mathcal{S}(\tau(B_{n(\tau)+2}))-\mathcal L(\tau(B_{n(\tau)+2})) \nonumber\\ &\quad{} +\mathbb E\left[\int_{\tau(B_{n(\tau)+1})}^{z_{m}}dN_{m}(t)G(M)dt|z_{m}\geq \tau(B_{n(\tau)+2})\right], \end{align}|$\quad$|Since |${\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n)\}}\leq 1$|, |$m$| prefers to follow the equilibrium strategy.
Proof of part (c). The reasoning is analogous to the proof of Proposition 4, part (b), and we only sketch it here. |$B_n$| is the last block on the original chain.
(1) First consider the case in which there is no fork of two consecutive blocks solved by the same miner and longer than the original chain. For any miner |$m$| who does not have the double-spending opportunity, the only two relevant choices are to chain his block to |$B_{n}$| (the equilibrium strategy) and to create a fork and try solving two blocks in a row (the only relevant deviation). As in the proof of Proposition 1, we can restrict attention to the cases where the next event is that |$m$| is hit by a liquidity shock, or solves a block.
– Suppose the next event is |$z_m$|. If |$m$| followed the equilibrium strategy, his payoff is |$N_{m}^{o}(z_{m})G(M)$| (if there is no fork), or |$N_{m}^{o}(z_{m})(G(M-1)+G(1))=N_{m}^{o}(z_{m})G(M)$| (if a fork has started). If |$m$| deviated, his payoff is at most equal to |$ N_{m}^{o}(z_{m})G(M)$|.
– Suppose the next event is that |$m$| solves |$B_{n(\tau)+1}$|.
|$\quad$|If |$m$| followed the equilibrium strategy and chained |$B_{n(\tau)+1}$| to |$B_{n}$|, his expected payoff is(A51)\begin{align} & (N_{m}^{o}(\tau _{B_{n}})+1)G(M)+\mathbb E\left[\int_{\tau(B_{n(\tau)+1})}^{z_{m}}dN_{m}(t)G(M)dt|z_{m}\geq \tau(B_{n(\tau)+1})\right]\nonumber\\ &\quad{} +\mathcal{S} (\tau(B_{n(\tau)+1}))-\mathcal L(\tau(B_{n(\tau)+1})). \end{align}If |$m$| deviated and chained |$B_{n(\tau)+1}$| to |$p(B_{n})$|, his expected payoff is(A52)\begin{align} & \left[N_{m}^{o}(\tau(p(B_{n}))+{\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n)\}}\Pr (B_{n} =p(B_{n(\tau)+2}))\right. \nonumber\\ &\quad{} \left. +\Pr(m=m(B_{n(\tau)+2}))\right]G(M) \nonumber\\ &\quad{} +\mathbb E\left[\int_{\tau (B_{n(\tau)+1})}^{z_{m}}dN_{m}(t)G(M)dt|z_{m} \geq \tau (B_{n(\tau)+1})\right] \nonumber\\ &\quad{} +\mathcal{S}(\tau (B_{n(\tau)+1}))-\mathcal L(\tau (B_{n(\tau)+1})). \end{align}|$\quad$|Since |$ N_{m}^{o}(\tau _{B_{n}})\geq N_{m}^{o}(\tau _{p(B_{n})})+{\rm 1}\kern-0.24em{\rm I}_{\{m=m(B_n)\}}\Pr (B_{n} =p(B_{n(\tau)+2})),$||$m$|’s expected payoff is larger if he followed the equilibrium strategy than if he deviated.
(2) Consider the case in which there is a fork starting with two blocks consecutively solved by the same miner and longer than the original chain. If that fork occurred because one miner exploited a double-spending opportunity, we are in the same situation as in Proposition 1, and there is no profitable deviation from mining the longest chain.
|$\quad$|If that fork occurred for other reasons (off the equilibrium path), a new fork could still occur because of a double-spending opportunity in the future. In that case there is no profitable deviation (in particular, trying to create a fork by solving two blocks in a row is dominated by the equilibrium strategy), as shown in the first part of (c). |$\blacksquare$|
Proof of Proposition 7
Let |$\tau^f$| be the time at which the |$n^{th}$| block is solved on the original chain. Hence, |$B_{n(\tau^f)}$| is the |$n^{th}$| block on the original chain. We say that a chain “conforms” to technology |$C$| if every block on that chain solved after |$\tau^f$| is mined with technology |$C$|. We call “|$C$|-chain” the chain that contains |$B_{n(\tau^f)}$|, conforms to |$C$|, and preexists all other chains containing |$B_{n(\tau^f)}$| and conforming to |$C$|. |$N_m^{C}(\tau)$| is the number of blocks solved by |$m$| up to |$\tau$| on the |$C$|-chain.
Our candidate equilibrium strategy specifies the following:
(a) For every |$\tau<\tau^f$|, miners chain their block to the last block on the original chain.
(b) For every |$\tau\geq\tau^f$|, miners choose |$C=0$| and chain their block to the last block on the chain that contains |$B_{n(\tau^f)}$|, conforms to |$C=0$|, and preexists all other chains containing |$B_{n(\tau^f)}$| and conforming to |$C=0$|. If such a chain does not exist, miners choose |$C=0$| and chain their block to |$B_{n(\tau^f)}$|.
We consider each case in turn.
(a) Suppose |$\tau<\tau^f$|. Then using the same reasoning as in Proposition 1, a deviation is not profitable.
(b) Suppose |$\tau\geq\tau^f$|. As in the proof of Proposition 1, it is sufficient to compare payoffs when |$m$| solves the next block, |$B_{n(\tau)+1}$|.
|$\quad$|If miner |$m$| played the equilibrium strategy, that is, chose |$C=0$| and chained his block to the last block on the |$0$|-chain, or to |$B_{n(\tau^f)}$|, his payoff is(A53)\begin{align} &N_m^{0}(\tau)(1+b_m(0))G(M)+(1+b_m(0))G(M)\nonumber\\ &\quad{} +\mathbb E\left[\int_{\tau(B_{n(\tau)+1})}^{z_{m}}dN_{m}(t)(1+b_m(0))G(M)dt|z_{m}\geq \tau(B_{n(\tau)+1})\right] \end{align}The first term is |$m$|’s rewards from blocks solved on the |$0$|-chain up to |$\tau$|. The second term is the reward from solving |$B_{n(\tau)+1}$|, and the last term is the expected value of solving future blocks on the |$0$|-chain.
|$\quad$|If instead, miner |$m$| deviated and chained his block to another block than the last one on the |$0$|-chain, using any technology |$C$|, his payoff is(A54)\begin{align} &N_m^{0}(\tau)(1+b_m(0))G(M)+(1+b_m(C))G(1)\nonumber\\ &\quad{} +\mathbb E\left[\int_{\tau(B_{n(\tau)+1})}^{z_{m}}dN_{m}(t)(1+b_m(0))G(M)dt|z_{m}\geq \tau(B_{n(\tau)+1})\right] \end{align}Hence, the only difference between |$m$|’s payoff if he deviates and his equilibrium payoff is the reward from solving block |$B_{n(\tau)+1}$|. This reward is |$(1+b_m(C))G(1)=0$| if he deviates and |$(1+b_m(0))G(M)>0$| if he plays the equilibrium strategy. It follows that a deviation is not profitable.
A symmetric argument sustains the equilibrium in which all miners choose |$C=1$|. |$\blacksquare$|
Proof of Proposition 8
We use the same notation as in the proof of Proposition 7 for the |$C$|-chain.
To define our equilibrium strategies, we need to introduce the following condition, which we will derive explicitly in the proof:
Our candidate equilibrium strategy specifies the following:
(a) Before the hard fork: If |$\tau <\tau^{f}$|, miners chain their block to the last block on the original chain.
(b) At the hard fork or after: If |$\tau =\tau^{f}$|, or if |$\tau >\tau ^{f}$|, and Condition 3 holds, miners |$m\leq K^*$| choose |$C=1$| and chain their block to |$B_{n(\tau ^{f})}$| if the |$1$|-chain does not exist, and chain their block to the last block solved on the |$1$|-chain otherwise, while miners |$m>K^*$| choose |$C=0$| and chain their block to |$B_{n(\tau ^{f})}$| if the |$0$|-chain does not exist, and chain their block to the last block on the |$0$|-chain otherwise.
(c) After the hard fork off-path: Suppose |$\tau >\tau^{f}$| and Condition 3 does not hold. Let |$\Delta\omega\equiv\omega^{\tau}\setminus \omega^{\tau^f}$| (i.e., |$\Delta\omega$| contains the history of the game between |$\tau^{f}$| and |$\tau$|). Then for every |$\tau'\geq\tau$|, all miners play the strategy prescribed after history |$\omega^{\tau'}\setminus\Delta\omega$| that is defined in (b). In playing strategies defined in (b), miners consider that the |$0$|-chain and the |$1$|-chain are defined with respect to history |$\omega^{\tau'}\setminus\Delta\omega$|.
We need to prove that a miner does not have a profitable one-shot deviation from |$\sigma ^{\ast }$|. We hereafter consider each case in turn.
Proof of part (a): Before the fork. Following the reasoning of the proof of Proposition 1, there is no profitable deviation. In particular, it is not profitable for any miner |$m \leq K^*$| to choose |$C=1$| before |$\tau^{f}$| since any block solved with |$C=1$| will, by definition, not belong to the |$1$|-chain and yield a reward of |$0$|. Also, note that unlike in the proof of Proposition 3, miners’ actions before |$\tau^{f}$| cannot after the condition under which the hard fork occurs.
Proof of part (b): at or after the fork.
(i) Consider first a deviation by a miner |$m>K^*$|.
Any deviation other than chaining to the last block on the |$1$|-chain is ruled out by similar arguments as in Proposition 1. Hence check that |$m$| prefers to mine blocks on the |$0$|-chain, rather than on the |$1$|-chain. As earlier, this one-shot deviation affects |$m$|’s payoff only if the next stopping time |$\tau^{\prime }$|, corresponds to two possible events: either |$m$| solves his block, or |$z_{m}$| occurs.
– Suppose miner |$m$| solves a block at |$\tau^{\prime }$|, that is, |$ N_{m}(\tau ^{\prime })-N_{m}(\tau )=1$|. If Condition 3 is still true at |$\tau^{\prime}$|, since every miner, including |$m$|, reverts to the equilibrium strategy from |$\tau^{\prime}$| on, the only impact of the deviation is that |$m$| earns |$G(K^*)$| for block |$B_{n(\tau^{\prime})}$| instead of |$(1+b)G(M-K^*)$| under the equilibrium strategy. If Condition 3 is not true at |$\tau^{\prime}$|, given c), the impact of the deviation is that |$m$| earns 0 for block |$B_{n(\tau^{\prime})}$| instead of |$(1+b)G(M-K^*)$| under the equilibrium strategy and loses all rewards for blocks solved between |$\tau^f$| and |$\tau'$|.
- – Suppose miner |$m$| is hit by a liquidity shock at |$\tau^{\prime }$|, that is, |$z_{m} =\tau ^{\prime }$|. Then his payoff under the deviation is(A57)\begin{align} &(N^{0}_m(\tau )-N^{0}_m(\tau^f )) (1+b) G(M-K^*-1)+(N^{1}_m(\tau )-N^{1}_m(\tau^f ))G(K^*+1)\nonumber\\ &\quad{} + N^{0}_{m}(\tau^{f})(1+b)G(M) \end{align}
instead ofunder the equilibrium strategy.43 It follows that there is no profitable deviation if(A58)\begin{align} &(N^{0}_m(\tau )-N^{0}_m(\tau^f )) (1+b) G(M-K^*)+(N^{1}_m(\tau )-N^{1}_m(\tau^f ))G(K^*)\nonumber\\ &\quad{} + N^{0}_{m}(\tau^{f})(1+b)G(M) \end{align}which is exactly Inequality (A55) in Condition 3.(A59)\begin{equation} \begin{aligned} & \Pr (N_{m}(\tau ^{\prime })-N_{m}(\tau ) =1)(G(K^*)-(1+b)G(M-K^*)) \leq \\ & \Pr (z_{m} =\tau ^{\prime }) \left\{ \begin{aligned} (N^{0}_m(\tau )-N^{0}_m(\tau^f )) (1+b)(G(M-K^*)-G(M-K^*-1)) \\ -(N^{1}_m(\tau )-N^{1}_m(\tau^f ))(G(K^*+1)-G(K^*))) \end{aligned} \right \}, \end{aligned} \end{equation}- (ii) Consider next a deviation by a miner |$m\leq K^*$|. A symmetric reasoning yields that there is no profitable deviation ifwhich is exactly Equation (A56) in Condition 3.(A60)\begin{equation} \begin{aligned} & \Pr (N_{m}(\tau ^{\prime })-N_{m}(\tau ) =1)(G(K^*)-G(M-K^*)) \geq \\ & \Pr (z_{m} =\tau ^{\prime }) \left\{ \begin{aligned} (N^{0}_m(\tau )-N^{0}_m(\tau^f ))(G(M-K^*+1)-G(M-K^*)) \\ -(N^{1}_m(\tau )-N^{1}_m(\tau^f ))(G(K^*)-G(K^*-1))) \end{aligned} \right \}, \end{aligned} \end{equation}|$\quad$|Next, see that at |$\tau=\tau^f$|, |$N^{C}_m(\tau )=N^{C}_m(\tau^f )$| for all miners. Inequality (A55) is then written:(A61)\begin{equation} (1+b)G(M-K^*) \geq G(K^*) \Leftrightarrow b \geq \frac{G(K^*)}{G(M-K^*)}-1. \end{equation}Similarly, Inequality (A56) is then written:(A62)\begin{equation} G(K^*) \geq G(M-K^*) \Leftrightarrow K^* \geq \frac{M}{2}. \end{equation}
|$\quad$|Furthermore, if miners adhere to the equilibrium strategy, then miners |$ m\leq K^*$| always mine the |$1$|-chain so that if |$K^* \geq \frac{M}{2},$| Inequality (A56) in Condition 3 is true at any |$\tau\geq \tau^f$|. Given that miners |$m> K^*$| stick to the |$0$|-chain, if |$b \geq \frac{G(K^*)}{G(M-K^*)}-1$|, inequality (A55) is always verified after |$\tau^f$|. Hence, for |$ \tau \geq \tau^f$|, Condition 3 holds on the equilibrium path.
Proof of part c): After the fork off-path. Suppose |$\omega_{\tau}$| is as described in (c). Then given that all other players play the equilibrium, |$m$|’s payoff from adhering to the equilibrium strategy is as in (b) above. Following the same logic as in the proof of (b), other deviations can be ruled out. |$\blacksquare$|
Proof of Proposition 9
Many thanks for helpful comments to our editor I. Goldstein, two anonymous referees, C. Michel, V. Glode, B. Gobillard, C. Harvey, J. Hörner, A. Kirilenko, G. Laroque, T. Mariotti, J. Prat, J. Tirole, S. Villeneuve, participants in the TSE Blockchain working group, the Inquire Conference in Liverpool, the GSE Summer Forum in Barcelona, the Africa Meeting of the Econometric Society in Algiers, the RFS Fintech Workshop and Conference, the Oxford Financial Intermediation Theory Conference, the Swissquote Conference, the Digital Economics Conference in Toulouse, the BoF/CEPR Conference on Money in the Digital Age in Helsinki, the Swiss Finance Institute Research Days in Gerzensee, and seminars at University of Geneva, Sciences Po Paris, IAST Toulouse, INRIA Paris, TSE, University of Tokyo, University of Amsterdam and University of Toronto. Financial support from the FBF-IDEI Chair on Investment banking and financial markets value chain is gratefully acknowledged. This research also benefited from the support of the Europlace Institute of Finance, and the Jean-Jacques Laffont Digital chair.
Footnotes
The blockchain is cost effective in that the administrative costs of running it are limited compared with those incurred within older technologies and institutions, such as notaries, banks, or depositories.
Eyal and Sirer (2014) analyze a specific strategy called selfish mining, by which some miners maintain a “secret” branch of blocks and then release it to the network.
See Bonneau et al. (2015) for a survey of the literature analyzing Bitcoin.
Relatedly, Catalini and Gans (2016) argue that blockchains improve verifiability and allow bypassing intermediaries. Khapko and Zoican (2017), who study endogenous settlement time, and Malinova and Park (2017), who study the impact of anonymity in financial markets, are motivated by features and capabilities of blockchains.
Section 6 of Nakamoto (2008) seminal paper is entitled “Incentive.”
Protocols inspired by proof-of-stake are currently used by Nxt or BlackCoin. The Ethereum community has been trying for a long time to develop a proof-of-stake algorithm. Their proof-of-work protocol even includes an exponential increase in difficulty (difficulty bomb) to induce miners to switch to the upcoming proof-of-stake protocol. Its development proved difficult, however, and the difficulty bomb has been delayed.
These are the main sources of cryptocurrency creation. Some blockchain protocols can also include additional rewards.
Indeed, when miners try to solve the hash problem, at each trial they have a probability |$\frac{1}{D}$| to solve the problem. The hash power |$h_{m}$| is the number of trials per unit of time.
See also Teusch, Jain, and Saxena (2016).
The Bitcoin protocol sets the maximum size of a block of transactions to one megabyte. This limit slows down the speed of transactions validation and hinders the development of the network itself.
We take the flow of transactions to be exogenous, while in practice it can actually be endogenous. For simplicity, we don’t model the transactions and model the blockchain process directly at the level of the blocks. See Carlsten et al. (2016) for an analysis of the choice of which transactions to include in a block.
Another key property of the exponential distribution is that the minimum of two exponentials, with parameters |$\theta $| and |$\theta ^{\prime }$|, is also exponential, with parameter |$\theta +\theta ^{\prime }$|. Thus, when interpreting the |$M$| players in our game as |$M$| pools, we interpret the intensity of pool |$m$|, |$\theta _{m}$|, as the sum of the intensities of all the miners active in that pool.
For simplicity, we neglect transaction fees offered by final traders, since we do not explicitly model transactions. Carlsten et al. (2016) take the opposite approach by focusing on transaction fees.
A bubble component could be added to the payoff function. In a rational bubble model (see for instance Tirole 1982 or Tirole 1985), the bubble component would be a martingale and would not affect the strategies of the miners since they are risk neutral.
We also assume that, if |$z_{m}$| occurs just after a miner attempts to fork, the not-yet-realized fork does not reduce the credibility of the current chain. That is, |$m(B)$| earns |$G(M)$| for any block |$B$| on the current chain, as long as no block creating a fork has been mined. An alternative hypothesis is that the attempt to fork reduces mining rewards. Our proofs are robust to that alternative hypothesis.
Indeed, the timing of previous block resolutions, as well as previous mining choices, are payoff irrelevant.
|$G(.)$| can be thought of as the gain from seigniorage, reflecting the value of the cryptocurrency as a medium of exchange. For simplicity, however, |$G(.)$| is exogenous in our model. So we can only define welfare in terms of the miners’ gains.
A more general example of |$G(.)$| that satisfies all our assumptions is: |$G(0)=G(1)=0$|, |$G(M)=G(M-1)=F$|, where |$F$| is a strictly positive constant, and for all |$K$| such that |$1<K<M-1$|, |$G(K)= F \frac{K}{M}$|.
Note that this assumption does not preclude that for some |$K_1 + K_2<M, G(K_1)+G(K_2) < G(K_1+K_2)$|.
This assumption simplifies the proofs but is not necessary to establish the results. If we instead assume that |$G(M-1)+G(1) < G(M)$|, the proposition would still hold provided that the probability of a liquidity shock is sufficiently small.
For instance, Eyal and Sirer (2014) consider that miners want to maximize their relative revenue, so that a selfish miner has an interest in reducing the profit of the others.
This is the ASICBOOST technology that can increase the efficiency of the SHA-256 calculation.
Bitcoin Gold developers allocated themselves 100,000 units of the new cryptocurrency by pre-mining blocks before opening the chain to the public.
Miners could also split their computing capacity across the two branches, but that would not alter the thrust of the argument.
When miner |$m$| is hit by a shock, his successor inherits the computing capacity |$h_{m}$|.
There is also an equilibrium such that all miners choose not to participate. Indeed, if a miner anticipates that the others will not install any computing capacity, his best response is not to install any capacity either since |$c_{m}>0$| and |$G(1)=0$|. We focus on the equilibrium in which the network is created.
Current proof-of-stake proposals like Casper try to alleviate this problem by imposing coin deposits that can be seized if a participant is observed to simultaneously bet on several competing branches. It is unclear, however, whether these proposals are sufficiently robust to be implementable.
See, for instance, Proposition 5.7.1 in Mailath and Samuelson (2006).
Our liquidity shock has the same impact on miner |$m$|’s long-term payoff as a discount rate equal to |$\lambda_m$|.
The next event can also be that another miner is hit by a liquidity shock. Which block |$m$| chose as a parent block is also irrelevant in this case. For brevity, we ignore this case in the remainder of the proofs.
In words, miners play as if the blocks solved between |$\tau^f$| and |$\tau$| do not exist.
Note that we used the assumption that |$\forall K$|, |$G(M)=G(M-K) + G(K)$| to write down miner |$m$|’s payoff from blocks solved before |$\tau(B_{n(\tau ^{f})-f})$|.
This is to define equilibrium strategies if a second fork occurs off the equilibrium path.
Since the equilibrium strategies are defined for all states, including those that are not on the equilibrium path, we cannot exclude that out of equilibrium, some blocks are solved outside the original chain before or after |$B_n$| is solved: |$p(B_n)$| is not necessarily |$B_{n-1}$|, and |$B_{n(\tau)}$| is not necessarily |$B_{n+1}$|.
As before, if |$z_m$| occurs when a fork starts, these previously solved blocks are worth |$G(M-1)+G(1)$|, which is equal to |$G(M)$| by assumption in that case.
Clearly, this is the only relevant deviation since |$m$| cannot obtain more if he chained |$B_{n(\tau)+1}$| to |$B_{n(\tau)}$| if |$B_{n(\tau)}$| started a fork: |$B_{n(\tau)+1}$| will never be on the active chain given the equilibrium strategies, even if |$m$| solves |$B_{n(\tau)+2}$|. A fortiori, |$m$| cannot obtain more if he decides to chain |$ B_{n(\tau)+1}$| to any block |$B_i$| with |$i<n(\tau)$| outside the original chain.
A fork can happen if one miner does not observe |$B_{n(\tau)+1}$|, but even in that case, |$B_{n(\tau)}$|, as well as all previously solved blocks, will be on the active chain and yield |$G(M)$| or |$G(M-1)+G(1)=G(M)$| depending on when |$z_{m}$| occurs.
As earlier, this is the only relevant deviation.
In that case a fork has started, so the reward for solving |$B_n$| is |$G(M-1)$|, which is lower than |$G(M)$|. This makes the deviation even less profitable.
Again, allowing for |$G(M-1)<G(M)$| only makes the condition under which the equilibrium exists more intricate.
Note that we used the assumption that |$\forall K$|, |$G(M)=G(M-K) + G(K)$| to write down miner |$m$|’s payoff from blocks solved before |$\tau^{f}$|.