Profitable Double-Spending Attacks

Our aim in this paper is to investigate the profitability of double-spending (DS) attacks that manipulate an a priori mined transaction in a blockchain. To date, it has been understood that the requirement for successful DS attacks is to occupy a higher proportion of computing power than a target network's proportion; i.e., to occupy more than 51% proportion of computing power. On the contrary, we show that DS attacks using less than 50% proportion of computing power can also be a threat. Namely, DS attacks using any proportion of computing power can occur as long as the chance of making a good profit is there; i.e., the revenue of an attack is greater than the cost of launching it. We present novel probability-theory-based derivations for calculating the finite-time attack probability. This can be used to size up the resources needed to calculate the revenue and the cost. The results enable us to derive sufficient and necessary conditions on the value of a target transaction which make DS attacks for any proportion of computing power profitable. They can also be used to assess the risk of one's transaction by checking whether or not the transaction value satisfies the conditions for profitable DS attacks. Two examples are provided in which we evaluate the attack resources and the conditions for profitable DS attacks given 35% proportion of computing power against Syscoin and BitcoinCash networks, and quantitatively show how vulnerable they are.


I. INTRODUCTION
A blockchain is a distributed ledger which originated from a desire to find a novel alternative to centralized ledgers such as transactions through third parties [1]. Besides the role as a ledger, a blockchain has been applied to many areas, e.g., managing the access authority to shared data in the cloud network [2] and averting collusion in e-Auction [3]. In a blockchain network based on the proof-of-work (PoW) mechanism, each peer node that has downloaded and installed the pertinent full blockchain protocol suite can join the network as a full node. Full nodes, or the so-called miners, verify transactions, put them into a block, and mold the block to a chain by solving a cryptographic puzzle. Specifically, a transaction is put into a block by the single full node which solves the cryptographic puzzle first among all full nodes in competition. The reward, a certain amount of newly minted coins paid to the solver's own address, is given to the first puzzle solver as motivation to join and remain in the network. As a result, transactions are verified by many decentralized full nodes in the network. A number of other researchers [4], [5], [6] have analyzed the winning of rewards under various specific assumptions using game theory.
A consensus mechanism is programmed for decentralized peers in a network to share a common chain. If a full node succeeds in generating a new block, he/she has the latest version of the chain. All of the nodes in the network continuously communicate with each other to share the latest chain. If a node suffers from a conflict between two or more different chains, the consensus rule provides a rule by which a single chain is selected. Satoshi Nakamoto suggested the longest chain consensus for the Bitcoin protocol, which conserves the longest chain among the conflicting ones [1]. There are also other consensus rules [7], e.g., GHOST [8].
The authors are with the School of Electrical Engineering and Computer Science, Gwangju Institute of Science and Technology (GIST), Rep. of Korea. The asterisk * indicates the corresponding author. The e-mail addresses of the authors are (jjh2014@gist.ac.kr, heungno@gist.ac.kr).
Blockchains are motivated by the trust enabled by decentralized nodes. However, the decentralization mechanism is unfortunately prone to break down [9]. The PoW race is a game in which a full node tries to solve a cryptographic puzzle faster than the others. As such, a node may form a pool of computing chips to increase the chance to win the PoW race. The problem is that a very limited number of pools occupy a major proportion of the computing power which operates the network. For example, the pie chart shown in Fig. 1 illustrates the proportion of computing power in the Bitcoin network as of October 2018. In the chart, five pools, namely BTC.com, AntPool, ViaBTC, F2Pool, and BTC.TOP, occupy a dominant proportion of the computing power. That is to say, they have recentralized the Bitcoin network [10].
Double-spending (DS) is one type of attack made easily probable in a recentralized network. Since a few full nodes can easily occupy a sufficient proportion of computing power of the blockchain network, they are able to manipulate already confirmed transactions. Suppose that a public chain contains a target transaction which transfers the ownership of a certain amount of cryptocurrency from the attacker to a merchant for the price of certain goods or services. Before shipping the goods, a careful merchant will wait until the transaction has been verified in a number of block confirmations by normal peers. We call this process block confirmation. At the same time, an attacker with a high computing power confidentially develops a fraudulent chain aimed at nullifying the target transaction in the public chain. After obtaining the block confirmation and making the fraudulent chain longer than the public one, the attacker then publicly announces the fraudulent chain. The consensus rule is to trust the longer chain, so the normal miners accept the fraudulent chain and discard the shorter public chain. Indeed, there have been a number of reports that cryptocurrencies such as BitcoinGold, ZenCash, Zcash, and Litecoin Cash suffered from DS attacks and millions of US dollars were lost in 2018 [11], [12], [13].
Recentralization is not the only concern for DS attacks. The advent of rental services which lend computing equipment for DS attacks can be a major concern as well [14]. Recently, rental services such as nicehash.com which provide a brokerage service between the suppliers and the consumers have indeed become available. The concern at hand is then to determine whether or not attacking with a rented computing power really returns a profit. The next concern is to find a strategy for such an attack.
Success in making DS attacks is possible but is believed to be difficult for a public blockchain with a large pool of mining network support. Nakamoto and Rosenfeld provided probabilistic results of DS attack success (AS) in [1] and [15], respectively, using gambler's ruin analysis. They showed that the condition guaranteeing a successful DS attack is for the attacker to bring in more computing power than the computing power which is already invested to operate the network; such an attack is thus called a 51% attack. This result has been considered as the requirement for AS. This conclusion, however, should be reconsidered given our result in the sequel that there are significant chances of making a good profit from DS attacks regardless of the proportion of computing power.
In this paper, our aim is to include profitability and find the requirements for DS attacks to be profitable. In our model, a DS attack succeeds if three conditions are achieved: i) block confirmation should be realized; ii) the fraudulent chain should be longer than the public chain; and iii) both conditions i) and ii) should be satisfied within a cut time.

A. Contributions
We show that attackers can expect a profitable DS attack not only in the super-50% proportion regime but also in the sub-50% proportion regime where computing power invested by the attacker is smaller than that invested by a target network. A DS attack is profitable if and only if the expectation of a profit function defined in (38) is positive.
To define a profit function, we introduce a novel set of mathematical tools. Specifically, we compute the probability distribution of the time spent for an AS. This AS time incorporates the probability of all possible AS within a cut time. The derivation of probability distribution enables us to draw results on expected revenue. Also, the expectation of AS time is used to compute expected expense spent for an attack attempt. As a result, the profit is the difference between the expected revenue and the expected expense.
We show that for a DS attack in the sub-50% proportion regime to be profitable, it is necessary to set the cut time to be finite. Otherwise, if an AS is never achieved, an infinite deficit can occur. Under any finite cut time, we provide a condition on the value of the target transaction which suffices for a profitable DS attack.
Using these results, we provide examples of resources required for profitable attacks against BitcoinCash and Syscoin, as of December 2018 (see Section IV-B for details). Suppose that 35% proportion of computing power is available, and the block confirmation number is 5. To compute the expected expense, we referred to the rental fee of computing power from nicehash.com. In the case of Syscoin, the expected expense is 1.810 BTC and the required value of the target transaction is 13.134 BTC. The expected AS time is around 9 minutes. In the case of BitcoinCash, the expected expense is 2.844 BTC and the required value of the target transaction is 20.639 BTC. The expected AS time is 1 hour 31 minutes.

B. Related Works
References [15] and [16] have analyzed the profitability of DS attacks in terms of revenue and opportunity cost. Opportunity cost is the expected rewards that could be paid out from normal mining and is generally a function of the time spent for an attack attempt. However, Rosenfeld assumed the attack time to be a fixed number for the simple calculation of opportunity cost [15], while to simplify the estimation of attack time, Bissias et al. included an assumption that the attack stops if either the normal peers or the attacker achieves the block confirmation first [16]. On the contrary, in our model, an attack can be continued indefinitely if it brings a profit, even if the normal peers achieve block confirmation before the attacker does.
Budish conducted simulations on the profitability of DS attacks using more than 50% proportion of computing power [17]. He provided an empirical condition on the value of the target transaction that makes DS attacks not profitable. On the contrary, we consider not only the super-50% proportion regime but also the sub-50% proportion regime. We provide mathematical formulas for the required resources as functions of the computing power and block confirmation number. We also provide practical examples of profitable DS attacks against working blockchain networks.
The web-site Crypto51.app lists hourly rental fees for 50% proportion of computing power for the purpose of estimating the profit from DS attacks. However, there is no estimation of the AS time, and thus the estimation of the total cost is absent.
The probability distribution of AS time was analyzed in [18] and [19]. However, none of the results matched with our three conditions for AS. Specifically, neither analysis considered the first condition: i) block confirmation should be realized. We compare these results with ours in Section III-D in detail.

C. Organization of the Paper
Section II contains definitions of the three conditions required for a successful DS attack. DS attacks are modeled by the random walk of two independent Poisson counting processes (PCPs). Section III comprises the computation of the probabilities of DS AS and the stochastic behaviors of the first time when the DS attack is successful. In Section IV, we analyze the profitability of DS attacks, followed by providing the resources required to make them profitable. Finally, Section V concludes the paper with a summary.

II. THE ATTACK MODEL
Here, we define the conditions for a successful DS attack. DS attacks are modeled with two independent PCPs. The PCP events are carefully enumerated to account for the AS.

A. Attack Scenario
We consider blockchain networks which adopt the longest chain consensus. The longest one wins among all of the chains in competition. We assume there are two groups of miners, the normal group of miners and a single attacker. The normal group tends the public chain.
When the attacker decides to launch a DS attack, he/she issues a target transaction for the payment of goods or services to transfer the ownership of the cryptocurrency from the attacker him/herself to the victimized counterpart (VC). However, the attacker does not announce the target transaction to the normal group immediately but waits for a new block generation in the public chain. We denote the time at which this new block is generated as $t = 0$. At time $t = 0$, the attacker announces the target transaction to the normal group so that the normal group starts to put it into the public chain. At the same time, the attacker makes a fork of the public chain which stems from the newest block generated at $t = 0$ and builds it in secret. We refer to this secret fork as the fraudulent chain. In the fraudulent chain, the target transaction is altered in a way that deceives the counterpart and benefits the attacker; one such example is to get rid of any record of the target transaction after receiving the goods or services.
Before shipping goods or providing services to the attacker, the VC obviously chooses to wait for a few more blocks in addition to the block on which the target transaction has been entered. The number of blocks the VC chooses to wait for is referred to as the block confirmation number $N_{BC} \in \mathbb{Z}^+$ in this paper. Note that the number $N_{BC}$ includes the block on which the target transaction is entered.
The attacker chooses to make the fraudulent chain public if his attack was successful. An attack is successful if the fraudulent chain is longer than the public chain after the moment the block confirmation is satisfied. This is possible because the public chain is always publicly open, while the fraudulent one is kept private by the attacker. However, the attacker will not wait for his success indefinitely since growing the attacker's chain incurs the expense per time spent for operating the computing power. The attack thus stops if the attack does not succeed within a cut time $t_{cut}$ to cut loss.
To sum up, the AS of the DS attack is declared if all of the  When the cut time of the attack is set to infinite, $t_{cut} = \infty$, such an attack success is called attack success with the infinite cut time (AS-ICT).

B. The Stochastic Model
We model the length of the public chain and that of the fraudulent chain by two independent PCPs time. An increment of 1 in the counting process occurs when the pertinent network adds a new block to its chain and the chain length is grown by 1 unit with each new mining success.
We rewrite the events AS and AS-ICT in terms of $H(t)$ and $A(t)$. In Definition 1, the first two conditions ( ) respectively. It is convenient to define the time ( ) ( ) G are satisfied first as follow: To simplify ( ) , The first process $M(t)$ is also a PCP [20] with the rate for all $i \in \mathbb{Z}^+$ and $n \in \mathbb{Z}$. The state transition probabilities $p_H$ and $p_A$ are the proportions of computing power occupied by the normal miners and that by the attacker, respectively.
We define the independent and identically distributed (i.i.d.) state transition random variables for $i \in \mathbb{Z}^+$.
Using the random walk, we can rewrite ( ) ( )

C. Event sets of random walk
We aim to construct the event sets of state transitions i D which imply the satisfaction of the two conditions in (10): For the purpose, we define a DS attack as random experiment as a binary sequence of length i , which is the realization of I Δ .
We We denote the event sets in (10) then can be rewritten as To construct i W , we divide it into mutually exclusive sets exactly at the $j$-th state $S_j$. One of the requirements on the binary sequences of ( ) -. Thus, the requirement for the elements of ( ) ( ) is that the state changes from starting The elements of joint set ( ) G at the $i$-th state, since no confirmation has been obtained yet. Namely, achieving ( ) due to an insufficient number of state transitions for the block confirmation. Subsequently, i W is written as We further explore (12). Remember that in the first $j$ transitions of ( ) : the interim transactions between $s_j$ and $s_i$ should there is no interim state to apply the requirement to. This As a result, (12) becomes For example, suppose $N_{BC} = 2$, then a sequence ( ) 5 1, 1, 1, 1, 1 After the 3-rd index, $\boldsymbol{\Delta}_5$ satisfies ( ) . The other example is a sequence $\boldsymbol{\Delta}_5 = (-1, -1, +1, -1, +1)$, which satisfies $G^{(1)}$ at $j = 5$ for the first time. In addition, at the same state index, the sequence in (11) can be rewritten as

III. AS PROBABILITIES
For a DS attack task ( ) , ; , which also enables to compute the expectation of the time at which a DS attack succeeds, i.e., expected AS time.
The probabilities and expectations in this section will be used to evaluate the profitability of DS attacks in Section IV.

A. AS-ICT Probability
We first compute the probability of AS-ICT with $t_{cut} = \infty$. The probability of AS-ICT is the probability that the state index $i$ exists such that I i Î Δ W , and thus requires ( ) t implies no occurrence of AS with a finite $t_{cut}$ as well. That is to say, the probability of AS-ICT is also needed to compute the probability of AS.
Specifically, from the mutual exclusiveness of i W for $i \in \mathbb{Z}^+$, the probability $P_{AS\text{-}ICT}$ of AS-ICT equals the sum of ( ) , as given in (13), it can be computed as The following Proposition 2 gives the probability ( ) n m m n m n m C n n m otherwise and Proof: As given in (13), set i W is the union of ( ) ( ) ( ) Computing the probability  [21], which is the number of random walks that consist of 1 i j -steps and never become negative, starting from point 2 BC N j at the $j$-th state and ending at the origin with the $(i-1)$-th state. This number is given as Finally, substituting (19) and (20) into (18) results in (16). ■ The following Corollary 3 gives an explicit formula of the probability $P_{AS\text{-}ICT}$ of AS-ICT given in (15).
To compute $P_{AS}$, we need the probability density function (PDF) of ( ) ( ) where $\delta(t)$ is a Dirac delta function and (6) follows an Erlang distribution with shape parameter $i$ and rate $\lambda_T$ [20]. The PDF of $T_i$ is thus given as is the generalized hypergeometric function [22] defined in Appendix E with the parameter vectors and Proof: See Appendix B.

C. Expected AS Times
It will be shown to be convenient to define the AS time as The case for $T_{AS} > t_{cut}$ does not need to be defined since it is not useful.
The PDF of $T_{AS}$ is just a scaled version of ( ) ( ) ( ) Proof: See Appendix A.
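The three success conditions and the Erlang-distributed event times described above can be evaluated numerically. The following added example (not the authors' code) computes by dynamic programming the probability that the attack first succeeds at the i-th block event, weights it with the Erlang arrival time of that event to obtain the success probability within a cut time and the expected AS time, and cross-checks the infinite-cut-time limit against a closed form derived here for the same model. The function names, the truncation `i_max`, the cut times and the assumption that the merged block rate is the public-chain rate divided by $p_H$ are choices of this example; $p_A = 0.35$, $N_{BC} = 5$ and the 600 s block time are taken from the page.

```python
import math

def first_success_pmf(p_a, n_bc, i_max=400):
    """pmf[i] = P(attack first succeeds at the i-th block event of either chain)."""
    p_h = 1.0 - p_a
    # State: (public-chain blocks capped at n_bc, attacker lead A - H).
    states = {(0, 0): 1.0}
    pmf = [0.0] * (i_max + 1)
    for i in range(1, i_max + 1):
        nxt = {}
        for (h, lead), pr in states.items():
            for honest, q in ((True, p_h), (False, p_a)):
                h2 = min(h + 1, n_bc) if honest else h
                lead2 = lead - 1 if honest else lead + 1
                if h2 == n_bc and lead2 > 0:
                    pmf[i] += pr * q  # confirmed AND fraudulent chain longer
                else:
                    nxt[(h2, lead2)] = nxt.get((h2, lead2), 0.0) + pr * q
        states = nxt
    return pmf


def erlang_cdf(i, rate, t):
    """P(the i-th event of a Poisson process with this rate occurs by time t)."""
    x = rate * t
    if x <= 0:
        return 0.0
    below = sum(math.exp(-x + k * math.log(x) - math.lgamma(k + 1)) for k in range(i))
    return min(1.0, max(0.0, 1.0 - below))


def attack_success(p_a, n_bc, honest_block_time, t_cut, i_max=400):
    """Return (P_AS within t_cut, expected AS time given success)."""
    # Assumed merged rate of both chains: lam_H = p_H * lam_T.
    lam_t = (1.0 / honest_block_time) / (1.0 - p_a)
    pmf = first_success_pmf(p_a, n_bc, i_max)
    p_as = sum(pmf[i] * erlang_cdf(i, lam_t, t_cut) for i in range(1, i_max + 1))
    # E[T_i ; T_i <= t] = (i / lam_T) * ErlangCDF(i + 1, lam_T, t)
    t_sum = sum(pmf[i] * (i / lam_t) * erlang_cdf(i + 1, lam_t, t_cut)
                for i in range(1, i_max + 1))
    return p_as, (t_sum / p_as if p_as > 0 else float("nan"))


def as_ict_closed_form(p_a, n_bc):
    """Success probability with infinite cut time, derived for this same model."""
    p_h = 1.0 - p_a
    if p_a >= p_h:
        return 1.0
    # When the public chain reaches n_bc blocks the attacker holds m blocks
    # (negative binomial); if m <= n_bc it must still gain n_bc - m + 1 blocks.
    fail = sum(math.comb(n_bc + m - 1, m) * p_h**n_bc * p_a**m
               * (1.0 - (p_a / p_h) ** (n_bc - m + 1)) for m in range(n_bc + 1))
    return 1.0 - fail


if __name__ == "__main__":
    for hours in (3, 12, 48):  # constructed cut times
        p, t = attack_success(0.35, 5, 600.0, hours * 3600.0)
        print(f"t_cut={hours:>2} h  P_AS={p:.4f}  E[T_AS | success]={t / 60:.1f} min")
    print(f"infinite cut time: {as_ict_closed_form(0.35, 5):.4f}")
```

A merchant or network operator can rerun this with their own confirmation number and block time to see how quickly the success probability approaches its infinite-cut-time limit.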

D. Comparison with Previous Works
The AS-ICT probability $P_{AS\text{-}ICT}$ (the AS probability when an indefinite cut time $t_{cut} = \infty$ is given) in Corollary 3 was computed by Nakamoto [1] and Rosenfeld [15] using the gambler's ruin theorem [23]. In [1], Nakamoto suggested an additional assumption not in our scenario: the time spent for the first $N_{BC}$ blocks mined by the normal group is not random and is determined as the average time $N_{BC} \lambda_H^{-1}$ instead. In other words, the block confirmation process was not treated as a stochastic process. In [15], Rosenfeld removed the assumption proposed by Nakamoto to derive the result in Corollary 3. However, the result was still based on the gambler's ruin theorem which only computes the asymptotical behavior of $S_n$ as $n \to \infty$ by manipulating the recurrence relationship between two adjacent states. That is to say, he assumed that an indefinite number of attack chances are given to the attacker. There was no result related to the intermediate process such as Proposition 2.
In this paper, we introduce $t_{cut}$, which generalizes the results by Nakamoto and Rosenfeld, and compute the AS probability $P_{AS}$ using Proposition 2. In practice, attack chances are limited since the amount of resources such as time and cost are limited, and therefore a cut time $t_{cut}$ is needed to cut loss.
Besides the probability T was also analyzed in [16], [18], and [19]. However, none of the results matched with the AS conditions in Definition 1.
In [18], Goffard considered the race between two PCPs

IV. THE EXPECTED PROFIT OF A DS ATTACK
The previous probabilistic analyses in [1] and [15] show that the success of DS attacks is not guaranteed when $p_A < 0.5$. However, DS attacks with $p_A < 0.5$ might be pursued if they bring profit.

A. Profitable DS Attacks
Here, we analyze the profitability of DS attacks and to this end, we define profit function P of DS attack ( ) , , ; A cut BC C p t N A in terms of value C of a fraudulent transaction, the block mining reward, and the operating expense (OPEX) of the computing power. We compute the expected profit function , which is the expectation of P .

Definition 6 (Profitable Attacks
The OPEX (e.g. the rental fee for the computing power) and the block mining reward increase with the average block mining speed $\lambda_A$ of the attacker and the time $t$ consumed during an attack. Thus, the OPEX and block mining rewards are expressed as functions , respectively, which can be any increasing function (e.g., linear, exponential, or log) with respect to $\lambda_A$ and $t$. We define $X$ and $R$, respectively, as follows: for real constants 0 g > , 1 2 , 1 x x > , and 3 4 , Subsequently, the expected profit function of a DS attack is   Proof: See Appendix D.

B. Profitable DS Attacks against Working Blockchain Networks
As of 9th December 2018, we refer to blockchain explorers and nicehash.com (which provides the rental rates for borrowing computing power) to obtain block mining reward $R$ and OPEX $X$. The parameters 1 4 , ,  X with respect to $\lambda_A$ and $T_{AS}$. Analogously, the parameters for $R$ in (36) are set to 1 2 r r = and 3 4 r r = , leading to a linear function $R$ with respect to $\lambda_A$ and $T_{AS}$. There are three more parameters: g , b , and $\lambda_H^{-1}$. Parameter g is the expected cost spent per generating a block and required for computing the expected OPEX. Parameter b is the reward per generating a block. Parameter $\lambda_H^{-1}$ is the average block generation time of the public chain. They differ across blockchain networks.
We consider the Syscoin and BitcoinCash networks. The parameter g is obtainable from nicehash.com. The two networks use the SHA-256 cryptographic puzzle for which the unit of computation is hash. The rental fee for 1P hashes per second for a day is around 0.04 BTC, which is around $4.63 \times 10^{-7}$ BTC per second. In other words, the rental fee is approximately $4.63 \times 10^{-22}$ BTC per computed hash.
Once parameters b , g , and $\lambda_H^{-1}$ are obtained, the required attack resources can be evaluated using Table I.

1) The Syscoin Network Parameters
The  The reward b per block mining is 38.5 SYS (without transaction fees), which is around $3.6 \times 10^{-4}$ BTC per block mining.

2) The BitcoinCash Network Parameters
The average block generation time is fixed at $\lambda_H^{-1} = 600$ proportionally delays the expected AS time.

V. CONCLUSIONS
We showed that DS attacks using 50% or a smaller proportion of computing power can be profitable. For both the super-50% and the sub-50% proportion regimes, we provided quantitative resources required for profitable DS attacks. Specifically, we provided the probability of an AS as well as the operating time and expense of mining rigs. We summarized the results in Table I, which enables the easy calculation of the minimum resources required for a profitable attack against any blockchain network. We showed examples of the calculations against working networks.
Our results quantitatively show the importance of network policy. The less the average block mining period and block confirmation number, the less the minimum resources required for a profitable attack. That is to say, blockchain networks pursuing fast transaction speeds are risky. A way for developers of such networks to discourage DS attacks is, for example, to restrict the value of transactions depending on the network policy. If the value of the target transaction is limited below the minimum quantity we provided, attackers cannot expect to make a profit.

A. Proof of Corollary 3
We reduce the infinite summations in (15) into an algebraic form using generating functions.
By substituting (16) into (15), the probability AS ICT -P becomes ( )  , and ( ): ( ) k G x is a generating function of binomial coefficients, and the algebraic expression for it is given in [25]: Putting Substituting (52) and (54) By rearranging the indices of summations, we arrive at We use the following relationships, . 1 By substituting (60) and (61)   We use a generating function and generalized hypergeometric functions to compute the infinite summations in (24).
By substituting ( ) (16) and (25) into (24), we arrive at By rearranging the indices of summations and the order of operands, we obtain We can define two generating functions as and ( ) ( ) We replace function ( ) (69) where vectors j a and j b respectively defined in (27)     C given in (42). ■

APPENDIX E THE GENERALIZED HYPERGEOMETRIC FUNCTION
A generalized hypergeometric series [22] is a power series where $a$ and $b$ are vectors of $a_1, \ldots, a_p$ and $b_1, \ldots, b_q$, respectively. A generalized hypergeometric series defines a generalized hypergeometric function if it converges. If $p < q + 1$, then the ratio of coefficients (87) goes to zero as $n \to \infty$, which implies that the series converges for any finite value $z$ and thus defines the function.