In this article I will identify the core fallacies in the "Majority is not Enough: Bitcoin Mining is Vulnerable" by Emin Gun Sirer & Ittay Eyal, provide the corrected mathematical formulas and ultimately prove that Selfish Miners never make more money than their fair share for alfa<0.5.
Before proceeding I must point out that I have no programming experience, and any simulations that have been done using the mathematical model provided in the Eyal & Sirer's paper must be rewritten accordingly to correct the flaws identified in this article.
Now let's move straight to Section 4, Analysis. The authors state:
We can now analyze the expected rewards for a system where the selfish pool has mining power of α and the others of (1 − α). [page 7]
In the article the Authors have a diagram showing the state machine illustrating the different states in which the system can be with the respective transition frequencies. Let's look at Authors' definition of zero lead state.
Zero lead is separated to states 0 and 0’. State 0 is the state where there are no branches; that is, there is only a single, global, public longest chain. State 0’ is the state where there are two public branches of length one: the main branch, and the branch that was private to the selfish miners, and published to match the main branch. [page 8]
So zero lead, according to Authors' definition, can exist in state 0 and state 0'. Going forward we find authors' equations for probability distribution marked as (1) in the paper:
mistake 1 αp0 = (1 − α)p1 + (1 − α)p2
In words, the above equation means that the probability of reaching s1 from s0, is the sum of the probabilities of the following events:
- SM has a lead of 1 and HM mines the next block. This is probability of reaching state p0' from p1.
- SM has a lead of 2 and HM mines the next block (this is the probability of reaching state p0 from p2).
mistake 2 αp1 = (1 − α)p2
In words, this equation means that the probability of reaching state p2 from p1, is the same as the probability of reaching state p0 from p2. This equation would be true if and only if gamma =1 and is wrong for this reason. If SM has a lead of 2 and HM mines the next block then SM must release both blocks in order to claim both and orphan HM's block. The new state is αp0, not αp1. These 2 mistakes alone invalidate the math in Authors' papers. The model is fundamentally flawed because it assumes that SM beats HM 100% of the time through reactive propagation.
Now let's rewrite these equations correctly.
corrected equation 1 αp0 = p1 - αp0' + (α-1)p3*
corrected equation 2 p0' = α(1 − α)p0*
corrected equation 3 αp1=p2 - p4(1-α)*
corrected equation 4 ∀k ≥ 4 : αpk = p(k+1) - (1 − α)p(k+3)*
corrected equation 5 P Σpn + p0' = 1, n: [0,∞)
Using the correct machine state equation we can now calculate revenue for the selfish miner and for the honest miner. But before proceeding let's define p0' in terms of p0.
p0'=p0α(1-α)
Now let's calculate the revenue of selfish miners that follows from each state of the machine:
R(p0') = SM finds the next block and publishes both = +2 blocks to SM 2p0'α {-p0'α for HM; if HM finds the next block +1 block to HM, p0'(1-α)}
R(p0) = If SM mines the next block, -> p1. {if HM finds the next block +1 to HM p0(1-α)}
R(p1) = If SM mines the next block, ->p2. {if HM finds the next block +1 to HM p0α(1-α)}
R(p2) = If SM mines the next block, ->p3. {if HM mines the next block +2 to SM 2(1-α) α^2p0}
R(p3) = If SM finds the next block, ->p4. {if HM finds the next block +3 blocks to SM 3(1-α)α^3p0}
R(p4) = If SM finds the next block, ->p5 {if HM finds the next block, +2 blocks to SM 2(1-α)α^4p0}
R(pn) = If SM finds the next block, ->p (n+1) {if HM finds the next block, +2 blocks to SM 2(1-α)α^np0}
RSM(tot) = 2p0α/(1-α) + 2(1-α) α^2p0 + 3(1-α)α^3p0 + Σ2(1-α)α^np0 for n: [0,∞) = by solving the limit and the rest of the equation we get:
RSM(tot) = p0[-α^4-α^3+4α^2]
Doing the same round of calculation for HM we get:
RHM (tot) = -p0'α + p0' (1-α) + p0(1-α) + p0α(1-α) + p0Σ(1-α)^n for n: [1,∞) = p0 [2α^3-4α^2+α+(1-α)/α]
Now let's calculate the actual revenue rate ratio of each agent.
Rtot = RSM(tot) + RHM (tot) = -α^4 + α^3 + α + (1-α)/α + 1
RR(SM) = RSM(tot)/Rtot
If we start with the hypothesis:
RSM(tot)/Rtot > α
we find that RSM(tot)/R(tot)>α only for α>1. Hence, this is proof that a minority miner cannot mine selfishly for a greater share than his hashrate alpha.