sfE dBnmnltB ktltTo ne atTBntm �mc TfE aLnBhBf�tmad

$R0C ∗UD0SHd

IUNE fi: ˜zoe

�arscAbs

/HE AMOUNT OF COMPUTAT0ONAL POWER DEVOTED TO ANONxMOUS: DECENTRAL0ZED BLOCKCHA0NSSUCH AS @0TCO0N"S MUST S0MULTANEOUSLx SAT0SFx TWO COND0T0ONS 0N E+U0L0BR0UMc po( A ZEROhPROffiTCOND0T0ON AMONG M0NERS: WHO ENGAGE 0N A RENThSEEK0NG COMPET0T0ON FOR THE PR0ZE ASSOC0ATEDW0TH ADD0NG THE NEwT BLOCK TO THE CHA0Ns AND p3( AN 0NCENT0VE COMPAT0B0L0Tx COND0T0ON ON THESxSTEM"S VULNERAB0L0Tx TO A öMAiOR0Tx ATTACK“: NAMELx THAT THE COMPUTAT0ONAL COSTS OF SUCH ANATTACK MUST EwCEED THE BENEffiTS% /OGETHER: THESE TWO E+UAT0ONS 0MPLx THAT pt( THE RECURR0NG:ö5OW“: PAxMENTS TO M0NERS FOR RUNN0NG THE BLOCKCHA0N MUST BE LARGE RELAT0VE TO THE ONEhOf:öSTOCK“: BENEffiTS OF ATTACK0NG 0T% /H0S 0S VERx EwPENS0VE= /HE CONSTRA0NT 0S SOFTER p0%E%: STOCKVERSUS STOCK( 0F BOTH p0( THE M0N0NG TECHNOLOGx USED TO RUN THE BLOCKCHA0N 0S BOTH SCARCE ANDNONhREPURPOSABLE: AND p00( ANx MAiOR0Tx ATTACK 0S A öSABOTAGE“ 0N THAT 0T CAUSES A COLLAPSE 0NTHE ECONOM0C VALUE OF THE BLOCKCHA0Ns HOWEVER: REL0ANCE ON NONhREPURPOSABLE TECHNOLOGx FORSECUR0Tx AND VULNERAB0L0Tx TO SABOTAGE EACH RA0SE THE0R OWN CONCERNS: AND PO0NT TO SPEC0ffiCCOLLAPSE SCENAR0OS% -N PART0CULAR: THE MODEL SUGGESTS THAT @0TCO0N WOULD BE MAiOR0Tx ATTACKED0F 0T BECAME SUffC0ENTLx ECONOM0CALLx 0MPORTANT 8 E%G%: 0F 0T BECAME A öSTORE OF VALUE“ AK0N TOGOLD 8 WH0CH SUGGESTS THAT THERE ARE 0NTR0NS0C ECONOM0C L0M0TS TO HOW ECONOM0CALLx 0MPORTANT0T CAN BECOME 0N THE ffiRST PLACE%

�1ROiECT START DATEc !EB oe: 3zoe% !0RST PUBL0C DRAFTc lAx t: 3zoe% !OR THE RECORD: THE ffiRST LARGEhSTAKES MAiOR0TxATTACK OF A WELLhKNOWN CRxPTOCURRENCx: THE ∆oel ATTACK ON @0TCO0N 4OLD: OCCURRED A FEW WEEKS LATER 0N M0DhlAx3zoe pv0LMOTH: 3zoes vONG: 3zoe(%

∗�CKNOWLEDGMENTSc THANKS ARE DUE TO rUSAN �THEx: u0TAL0K @UTER0N: �LEw !RANKEL: IOSHUA 4ANS: �USTAN 4OOLShBEE: yH0GUO gE: IO0 -TO: rTEVE JAPLAN: �N0L JASHxAP: IUDD JESSLER: ’ANDALL JROSZNER: ’OB0N kEE: IACOB kESHNO:¯EALE lAHONEx: rENDH0L lULLA0NATHAN: ,AV0D 1ARKES: IOHN rH0M: rCOTT rTORNETTA: �V0V yOHAR: AND SEM0NAR PART0hC0PANTS AT •H0CAGO @OOTH AND THE l-/ ,0G0TAL •URRENCx -N0T0AT0VE% ¯ATAL0A ,ROZDOf AND lATTHEW #"JEEFE HAVEPROV0DED EwCELLENT RESEARCH ASS0STANCE% ,0SCLOSUREc - DO NOT HAVE ANx ffiNANC0AL 0NTERESTS 0N BLOCKCHA0N COMPAN0ES ORCRxPTOCURRENC0ES: E0THER LONG OR SHORT%

†2N0VERS0Tx OF •H0CAGO @OOTH rCHOOL OF @US0NESS: ER0C%BUD0SHaCH0CAGOBOOTH%EDU

o

o azTCOzN AND THE aLOCKCHAzNc � bRzTz.2E zN t d.2ATzONS

o)o ’ENThrEEKzNG bOMPETzTzON p�MONG aLOCKCHAzN lzNERS(

∗0TCO0N 0S AN ELECTRON0C PAYMENT SYSTEM THAT REL0ES ON A COMB0NAT0ON OF CRYPTOGRAPHY AND A LARGE:ANONYMOUS: DECENTRAL0yED COLLECT0ON OF PART0C0PANTS: CALLED M0NERS: TO VER0FY TRANSACT0ONS: W0THOUTTHE NEED OF ANY TRUSTED TH0RD PARTY% /HE BAS0C DETA0LS: SL0GHTLY S0MPL0ffiED: ARE AS FOLLOWS%9 �NOWNER OF ∗0TCO0N MAY SEND CURRENCY TO ANOTHER USER BY US0NG A COMB0NAT0ON OF p0( H0S OWN PUBL0CADDRESS pAN ALPHANUMER0C STR0NG: SOMEWHAT ANALOGOUS TO AN ACCOUNT NUMBER(: p00( H0S OWN PR0VATEKEY p0%E%: PASSWORD ASSOC0ATED W0TH THAT ADDRESS(: AND p000( THE REC0P0ENT‘S PUBL0C ADDRESS TO CREATEA TRANSACT0ON W0TH A CRYPTOGRAPH0CALLY SECURE S0GNATURE% /H0S S0GNATURE HAS THE PROPERTY THAT 0TCAN ONLY BE CREATED BY SOMEONE WHO KNOWS THE SENDER‘S PR0VATE KEY pPRESUMABLY THE SENDER=(: ANDENCODES THE AMOUNT OF ∗0TCO0N TO BE TRANSFERRED FROM THE SENDER TO THE RECE0VER: BUT 0N A WAY THATAN OBSERVER OF THE S0GNATURE CANNOT 0NVERT THE 0NFORMAT0ON TO LEARN THE SENDER‘S PR0VATE KEY% rO FAR:WH0LE MAG0CAL TO THOSE UNFAM0L0AR W0TH MODERN CRYPTOGRAPHY: TH0S 0S COMPLETELY STANDARD% /HE0NNOVAT0VE 0DEA BEH0ND ∗0TCO0N 0S THE WAY THESE TRANSACT0ONS ARE PUBL0CLY RECORDED: TO MA0NTA0N APUBL0C LEDGER OF ALL TRANSACT0ONS: CALLED THE jBLOCKCHA0N“% $VERY SO OFTEN pCURRENTLY ROUGHLY TENM0NUTES(: A LARGE: ANONYMOUS: DECENTRAL0yED COLLECT0ON OF PART0C0PANTS CALLED M0NERS COMPETES 0N ACOMPUTAT0ONAL TOURNAMENT FOR THE R0GHT TO ADD A NEW BLOCK OF TRANSACT0ONS pROUGHLY TEN M0NUTES‘WORTH( TO THE PUBL0C LEDGER% /HE W0NNER OF THE COMPUTAT0ONAL TOURNAMENT 0S THE ffiRST PART0C0PANTTO SOLVE A D0ffCULT COMPUTAT0ONAL PROBLEM BASED ON BOTH THE NEW BLOCK AND PREV0OUS BLOCK OFTRANSACT0ONS% /H0S PART0C0PANT REPORTS BOTH THE NEW BLOCK OF TRANSACT0ONS AND THE SOLUT0ON TOTHE COMPUTAT0ONAL PROBLEM: AND THE OTHER PART0C0PANTS: TO QUOTE FROM ¯AKAMOTO p˜zze(: jEXPRESSTHE0R ACCEPTANCE OF THE bNEW[ BLOCK BY WORK0NG ON CREAT0NG THE NEXT BLOCK 0N THE CHA0N: US0NG THEHASH OF THE ACCEPTED BLOCK AS THE PREV0OUS HASH%“

/HE 0NCENT0VE 0SSUES RA0SED BY TH0S SYSTEM W0LL BE THE SUBiECT OF THE NEXT SECT0ON% !OR THE PURhPOSE OF TH0S SECT0ON: ASSUME THAT PART0C0PANTS 0N THE ∗0TCO0N SYSTEM BEHAVE AS THEY ARE SUPPOSEDTO: 0%E%: jHONESTLY“% kET Naknbi DENOTE THE ECONOM0C REWARD TO THE M0NER WHO W0NS THE COMPUTAhT0ONAL TOURNAMENT%3 !OR THE MOMENT TH0NK OF Naknbi AS EXOGENOUSs EQUAT0ON pt( BELOW W0LL PLACE

9!OR AN ACCESS0BLE OVERV0EW OF THE @0TCO0N BLOCKCHA0N SxSTEM: A0MED AT ECONOM0STS: H0GHLx RECOMMENDED 0S THE0NST0TUT0ONAL BACKGROUND SECT0ON OF gUBERMAN: kESHNO AND lOALLEM0 p3zo;(% !OR EMP0R0CAL FACTS ON @0TCO0N USAGE:GOOD START0NG PO0NTS ARE �THEx ET AL% p3zo7( AND @jHME ET AL% p3zofi(% !OR A GAMEhTHEORET0C ANALxS0S OF @0TCO0NM0N0NG: A GOOD START0NG PO0NT 0S @0A0S ET AL% p3zo;(% #THER HELPFUL REFERENCES 0NCLUDE THE OR0G0NAL @0TCO0N PAPER:¯AKAMOTO p3zze(: THE WEBS0TE @0TCO0N%ORG pESPEC0ALLx 0TS @0TCO0N ,EVELOPER 4U0DE(: AND: FOR A TEwTBOOK LENGTHTREATMENT: ¯ARAxANAN ET AL% p3zo7(% gUBERMAN: kESHNO AND lOALLEM0 p3zo;(: @0A0S ET AL% p3zo;( AND �THEx ET AL%p3zo7( CONTA0N HELPFUL OVERV0EWS OF THE EwTANT ACADEM0C L0TERATURE%

3/HE ECONOM0C REWARD CONS0STS OF TWO COMPONENTSc A FEE ASSOC0ATED W0TH EACH TRANSACT0ON pTH0S 0S STRATEG0CALLxR0CH 0N 0TS OWN R0GHT: SEE gUBERMAN: kESHNO AND lOALLEM0: 3zo; AND $ASLEx: #"gARA AND @ASU: 3zo;(: AND A REWARDOF öFRESHLx M0NTED“ @0TCO0NS: CURRENTLx o3%fi PER BLOCK% �S OF EARLx 3zoe: W0TH @0TCO0N PR0CES OF ROUGHLx ∆oz:zzz: THE

˜

CONSTRA0NTS ON WHAT VALUES OF Naknbi ARE POSS0BLE 0N EQU0L0BR0UM% kET a DENOTE THE PERhBLOCK COSTOF ONE UN0T OF COMPUTAT0ONAL POWER: 0NCLUD0NG BOTH VAR0ABLE COSTS SUCH AS ELECTR0C0TY AND A RENTALCOST FOR CAP0TAL EQU0PMENT% lORE FULLY: ASSUME THAT 0T TAKES ONE CH0P AND ONE UN0T OF ELECTR0C0TY TOPRODUCE ONE UN0T OF COMPUTAT0ONAL POWER: A CH0P COSTS A: THE PERhBLOCK COST OF CAP0TAL p0NCLUD0NGDEPREC0AT0ON( 0S q: AND THE PERhBLOCK COST OF ONE UN0T OF ELECTR0C0TY 0S cs THEN WE HAVE a – qA . c%�SSUME FOR NOW THAT TH0S COST 0S SYMMETR0C ACROSS ALL PART0C0PANTS AND THAT THE CH0PS ARE EAS0LYREPURPOSABLE: SO WE DO NOT HAVE TO WORRY ABOUT SUNK COSTS: ADiUSTMENT COSTS: ETC% vE W0LL REV0S0TTH0S ASSUMPT0ON 8 WH0CH - EMPHAS0yE 0S NnT SAT0SffiED FOR ∗0TCO0N AT PRESENT: DUE TO SPEC0AL0yED�r-] CH0PS THAT ARE THOUSANDS OF T0MES MORE EffC0ENT AT ∗0TCO0N M0N0NG THAN REPURPOSABLE CH0PS:THOUGH 0T DOES CAPTURE THE OR0G0NAL ¯AKAMOTO p˜zze( V0S0ON OF jONEh]12hONEhVOTE“ 8 0N DETA0L0N rECT0ON t% -F THERE ARE M UN0TS OF COMPUTAT0ONAL POWER 0N THE NETWORK: THEN EACH UN0T HAS A9APROBAB0L0TY OF W0NN0NG THE PR0yE Naknbi% 2NDER STANDARD FREE ENTRY LOG0C 8 ANY ENT0TY THAT L0KES

CAN ADD COMPUTAT0ONAL POWER TO THE NETWORK 8 THE EQU0L0BR0UM AMOUNT OF COMPUTAT0ONAL POWERDEVOTED TO BLOCKCHA0N M0N0NG: M � : 0S THUS CHARACTER0yED BYc

M�a – Naknbi po(

$QUAT0ON po( 0S THE STANDARD CHARACTER0yAT0ON OF A RENThSEEK0NG TOURNAMENTc THE PR0yE 0N THETOURNAMENT: Naknbi: 0S D0SS0PATED BY EXPEND0TURES A0MED AT W0NN0NG THE PR0yE: M

�a% /HAT ∗0TCO0N

M0N0NG CAN BE MODELED AS A RENThSEEK0NG CONTEST 0S NOW W0DELY KNOWNs SEE FOR 0NSTANCE JROLL: ,AVEYAND !ELTEN p˜zot( PG% es >UBERMAN: kESHNO AND lOALLEM0 p˜zo;( 1ROPOS0T0ON os $ASLEY: #‘>ARAAND ∗ASU p˜zo;( EQUAT0ON po(s ]H0U AND JOEPPL p˜zo;( kEMMA os AND lA: 4ANS AND /OURKYp˜zoe( EQUAT0ON p;(% �N ANALOGOUS EXAMPLE OF A RENThSEEK0NG TOURNAMENT 0S THE H0GHhFREQUENCYTRAD0NG ARMS RACEs EQUAT0ON p;( OF ∗UD0SH: ]RAMTON AND rH0M p˜zofi( 0S VERY S0M0LAR TO EQUAT0ONpo( HERE%

/HE ∗0TCO0N v0K0 ACKNOWLEDGES THE RENThSEEK0NG COMPET0T0ON AMONG M0NERS 0N DETA0L AS WELL:UNDER THE HEAD0NG jvEAKNESSES —g $NERGY ]ONSUMPT0ON“c

j%%% THE ECONOM0C EQU0L0BR0UM FOR THE M0N0NG RATE 0S REACHED WHEN GLOBAL ELECTR0C0TYCOSTS FOR M0N0NG APPROX0MATE THE VALUE OF M0N0NG REWARD PLUS TRANSACT0ON FEES% rOTHE H0GHER THE VALUE OF ONE B0TCO0N: THE H0GHER THE VALUE OF M0N0NG REWARDS AND TRANhSACT0ON FEES: THE H0GHER THE ENERGY CONSUMPT0ON OF THE B0TCO0N NETWORK 0N THE LONGRUN% lORE EffC0ENT M0N0NG GEAR DOES NOT REDUCE ENERGY USE OF THE B0TCO0N NETWORK%

LATTER COMPONENT OF THE REWARD 0S MUCH LARGER THAN THE FORMER% -N STEADx STATE: AS THE SxSTEM SLOWLx RUNS OUT OFNEW @0TCO0NS TO 0SSUE: THE FEES W0LL NEED TO BE THE LARGER COMPONENT pCF% gUBERMAN: kESHNO AND lOALLEM0: 3zo; AND$ASLEx: #"gARA AND @ASU: 3zo;(% /HE NUMBER OF TRANSACT0ONS PER BLOCK HAS RECENTLx RANGED BETWEEN ozzzh3zzz: SOTHE REWARD PER TRANSACT0ON 0S ROUGHLx ∆ozz%

t

%%% CHEAPER ENERGY L0NEARLY 0NCREASES M0N0NG ENERGY USE %%% THE SAME CONCLUS0ONS APPLYTO ALL PROOFhOFhWORK BASED CURRENC0ES%“ p∗0TCO0N v0K0: ˜zoeC: SECT0ON jvEAKNESSES —g$NERGY ]ONSUMPT0ON“(

o)3 -NCENTzVE bOMPATzBzLzTx pWzTH ’ESPECT TO lAiORzTx �TTACK(

!ROM THE ABSTRACT OF ¯AKAMOTO p˜zze(c

j/HE NETWORK T0MESTAMPS TRANSACT0ONS BY HASH0NG THEM 0NTO AN ONGO0NG CHA0N OF HASHhBASED PROOFhOFhWORK: FORM0NG A RECORD THAT CANNOT BE CHANGED W0THOUT REDO0NG THEPROOFhOFhWORK% /HE LONGEST CHA0N SERVES NOT ONLY AS PROOF OF THE SEQUENCE OF EVENTSW0TNESSED: BUT PROOF THAT 0T CAME FROM THE LARGEST POOL OF ]12 POWER% �S LnNG AS AMAinRzTx nF b12 PnWER zS CnNTRnLLED Bx NnDES TgAT ARE NnT CnnPERATzNG Tn ATTACJ TgENETWnRJ: TgExQLL GENERATE TgE LnNGEST CgAzN AND nUTPACE ATTACJERS)“ p$MPHAS0S ADDED(

rECT0ON oo OF ¯AKAMOTO p˜zze( THEN ANALYyES THE jSCENAR0O OF AN ATTACKER TRY0NG TO GENERATE ANALTERNATE CHA0N FASTER THAN THE HONEST CHA0N“ UNDER THE ASSUMPT0ON THAT THE ATTACKER CONTROLS LESSTHAN A MAiOR0TY OF THE COMPUTAT0ONAL POWER% /HE ANALYS0S SHOWS THAT SUCH AN ATTACK 0S ANALOGOUSTO A 4AMBLER‘S ’U0N PROBLEM AND THAT THE L0KEL0HOOD OF THE ATTACKER PULL0NG AHEAD OF THE HONESTPART0C0PANTS G0VEN A DEffiC0T OF v BLOCKS: OR THE L0KEL0HOOD OF A SUCCESSFUL DOUBLEhSPEND0NG ATTACK pCF%rECT0ON ˜%o( G0VEN AN ESCROW PER0OD OF v BLOCKS: 0S EXPONENT0ALLY DECL0N0NG 0N v% /HE CONCLUS0ON 0STHAT 0T jQU0CKLY BECOMES COMPUTAT0ONALLY 0MPRACT0CAL FOR AN ATTACKER TO CHANGE bTHE PUBL0C H0STORYOF TRANSACT0ONS[ 0F HONEST NODES CONTROL A MAiOR0TY OF ]12 POWER%“

vHAT ABOUT AN ATTACKER W0TH A MAiOR0TY OF COMPUTAT0ONAL POWERq -T 0S W0DELY ACKNOWLEDGED:0NCLUD0NG 0N ¯AKAMOTO p˜zze( AND ON THE ∗0TCO0N v0K0 pSECT0ONSc j�TTACKER HAS A LOT OF COMPUT0NGPOWER“ p˜zoeB( AND jlAiOR0TY ATTACK“ p˜zoeD(( THAT SUCH AN ATTACK WOULD SUCCEED%6 !ROM THEv0K0‘S SECT0ON ON jlAiOR0TY �TTACK“c j∗0TCO0N‘S SECUR0TY MODEL REL0ES ON NO S0NGLE COAL0T0ON OFM0NERS CONTROLL0NG MORE THAN HALF THE M0N0NG POWER%“

vHAT DOES 0T COST TO GA0N A MAiOR0TY OF COMPUTAT0ONAL POWERq -F THERE ARE M � UN0TS OF HONESTCOMPUTAT0ONAL POWER DEVOTED TO EACH M0N0NG TOURNAMENT: THEN THE COST TO AN OUTS0DE ATTACKEROF A S0MPLE MAiOR0TY 0S M �

a . α PER BLOCK% -F THE ATTACKER ALREADY CONTROLS SOME OF THE HONESTCOMPUTAT0ONAL POWER: THE COST OF A MAiOR0TY 0S CORRESPOND0NGLY LOWERs 0T COULD BE AS SMALL ASA�

b3 . α% rUPERhMAiOR0T0ES COST CORRESPOND0NGLY MOREs AN EXPEND0TURE OF > − M �

a PER BLOCK: FOR

6!OR ACADEM0C ANALxSES OF THE MAiOR0Tx ATTACK SEE ’OSENFELD p3zo3( AND $xAL AND r0RER p3zofl(% $xAL AND r0RERp3zofl( ALSO SHOW THAT THE @0TCO0N SxSTEM 0S VULNERABLE TO A FORM OF M0NOR0Tx ATTACK: THOUGH THE PURPOSE OF THE $xALAND r0RER p3zofl( M0NOR0Tx ATTACK 0S MORE C0RCUMSCR0BED 0N THAT 0TS PURPOSE 0S TO OBTA0N A D0SPROPORT0ONATE SHARE OFM0N0NG REWARDS: RATHER THAN TO MAN0PULATE THE BLOCKCHA0N PER SE%

fl

> < o: Y0ELDS AN ..19 SUPERhMAiOR0TY FOR AN OUTS0DE ATTACKER%

5

vE W0LL D0SCUSS TWO SPEC0ffiC POSS0B0L0T0ES FOR SUCH A MAiOR0TY ATTACK 0N DETA0L 0N rECT0ON ˜% !ORTHE PURPOSE OF TH0S SECT0ON: SUPPOSE THAT THERE EX0STS A MAiOR0TY ATTACK THAT Y0ELDS AN EXPECTEDPAYOf TO THE ATTACKER OF PPssPbi: AND THAT HAS AN EXPECTED COST TO THE ATTACKER: NET OF BLOCK REWARDS:OF � − M �

a% ∗Y EXPECTED COST NET OF BLOCK REWARDS: WE MEAN: MORE PREC0SELY: THAT 0F AN ATTACK BYAN .

.19 SUPERhMAiOR0TY ATTACKER TAKES r BLOCKS WORTH OF T0ME 0N EXPECTAT0ON pMEASURED BASED ONHOW LONG 0T TAKES THE HONEST CHA0N TO SOLVE BLOCKS(: AND THUS Y0ELDS r BLOCK REWARDS 0N EXPECTAT0ON:THEN THE TOTAL COST NET OF BLOCK REWARDS 0S >r − M �

a � rNaknbi WH0CH: US0NG Naknbi – M�a FROM po(:

Y0ELDS � – p>� o(r% !OR THE BLOCKCHA0N SYSTEM TO BE 0NCENT0VE COMPAT0BLE AGA0NST SUCH AN ATTACKREQU0RESc

� −M �a < PPssPbi p˜(

$QUAT0ON p˜( S0MPLY SAYS THAT THE COSTS OF MAN0PULAT0NG THE BLOCKCHA0N: �−M �a: MUST BE GREATER

THAN THE BENEffiTS OF DO0NG SO: PPssPbi% /HE EQUAT0ON CAPTURES THAT WHAT ENABLES THE jDECENTRAL0yEDTRUST“ OF THE BLOCKCHA0N SYSTEM 0S THE COMPUT0NG POWER DEVOTED TO MA0NTA0N0NG 0T%

$CONOM0CALLY: THE KEY TH0NG TO NOTE ABOUT p˜( 0S THAT THE COST OF MAN0PULAT0ON ON THE k>r 0SRELATED TO THE 5nW COST OF MA0NTA0N0NG THE BLOCKCHA0N: 0%E%: TO M �

a% -N CONTRAST: CONS0DER: E%G%:MUTUALLYhBENEffiC0AL COOPERAT0ON 0N A RELAT0ONSH0P AND THE ASSOC0ATED TEMPTAT0ON TO CHEAT: OR ATRUSTED BRAND THAT 0S TEMPTED TO SH0RK ON QUAL0TY% -N SUCH CASES: THE COST OF CHEAT0NG: TO THECHEAT0NG PARTY: 0S RELATED TO THE STnCJ VALUE OF THE RELAT0ONSH0P OR BRAND THEY ARE DESTROY0NG: NOTTHE 5OW COST OF 0TS MA0NTENANCE%8

!ROM A COMPUTER SECUR0TY PERSPECT0VE: THE KEY TH0NG TO NOTE ABOUT p˜( 0S THAT THE SECUR0TY OFTHE BLOCKCHA0N 0S LzNEAR 0N THE AMOUNT OF EXPEND0TURE ON M0N0NG POWER: 0%E%: L0NEAR 0N M �

a 0N THEk>r OF p˜(% -N CONTRAST: 0N MANY OTHER CONTEXTS 0NVESTMENTS 0N COMPUTER SECUR0TY Y0ELD CONVEXRETURNS pE%G%: TRAD0T0ONAL USES OF CRYPTOGRAPHY( 8 ANALOGOUSLY TO HOW A LOCK ON A DOOR 0NCREASESTHE SECUR0TY OF A HOUSE BY MORE THAN THE COST OF THE LOCK%

5-F THE ATTACK BOTH p0( USES TECHNOLOGx THAT CANNOT BE EAS0Lx REPURPOSED: AND p00( 0S A öSABOTAGE“ 0N THE SENSETHAT 0T CAUSES A MEAN0NGFUL DECL0NE 0N THE VALUE OF @0TCO0N 6 THE BLOCKCHA0N: THEN 0T 0S ECONOM0CALLx APPROPR0ATETO CHARGE THE ATTACKER NOT iUST THE RENTAL COST OF CAP0TAL EMBEDDED 0N b pALONGS0DE PURE VAR0ABLE COSTS SUCH ASELECTR0C0Tx(: BUT ALSO SOME OR ALL OF THE ffiwED COSTS OF THE E+U0PMENT HE USES% rEE rECT0ON t FOR A DETA0LED ANALxS0S%

81ERHAPS THE EARL0EST VERS0ON OF TH0S 0NS0GHT 0S DUE TO rCHELL0NG ponfi7(c övHAT MAKES MANx AGREEMENTS ENFORCEABLE0S ONLx THE RECOGN0T0ON OF FUTURE OPPORTUN0T0ES FOR AGREEMENT THAT W0LL BE EL0M0NATED 0F MUTUAL TRUST 0S NOT CREATEDAND MA0NTA0NED: AND WHOSE VALUE OUTWE0GHS THE MOMENTARx GA0N FROM CHEAT0NG 0N THE PRESENT 0NSTANCE%“ !OR MOREREFERENCES AND D0SCUSS0ON GOOD START0NG PO0NTS ARE ¯OBEL 1R0ZE •OMM0TTEE p3zzfi( AND lA0LATH AND rAMUELSONp3zz7(%

fi

o)t dCONOMzC kzMzT OF THE aLOCKCHAzN -c N < P�

-N THE HOPEDhFOR EQU0L0BR0UM 0N WH0CH PART0C0PANTS ARE HONEST: THE AMOUNT OF COMPUTAT0ONAL POWERDEVOTED TO MA0NTA0N0NG THE BLOCKCHA0N 0S CHARACTER0yED BY THE RENThSEEK0NG COMPET0T0ON AMONGM0NERS: po(% ]OMB0N0NG po( W0TH THE 0NCENT0VE COMPAT0B0L0TY COND0T0ON: p˜(: WE HAVE THE EQU0L0BR0UMCONSTRA0NTc

Naknbi <PPssPbi

�pt(

-N WORDSc THE EQU0L0BR0UM PERhBLOCK PAYMENT TO M0NERS FOR RUNN0NG THE BLOCKCHA0N MUST BELARGE RELAT0VE TO THE ONEhOf BENEffiTS OF ATTACK0NG 0T%7 $QUAT0ON pt( PLACES POTENT0ALLY SER0OUSECONOM0C CONSTRA0NTS ON THE APPL0CAB0L0TY OF THE ¯AKAMOTO p˜zze( BLOCKCHA0N 0NNOVAT0ON% ∗YANALOGY: 0MAG0NE 0F USERS OF THE u0SA NETWORK HAD TO PAY FEES TO u0SA: EVERY TEN M0NUTES: THAT WERELARGE RELAT0VE TO THE VALUE OF A SUCCESSFUL ONEhOf ATTACK ON THE u0SA NETWORK%

3 sWO 1OSSzBzLzTzES FOR PVrrVae∗EFORE DESCR0B0NG TWO LEAD0NG POSS0B0L0T0ES FOR MAiOR0TY ATTACKS: LET US CLAR0FY WHAT: TECHNOLOG0CALLY:A MAiOR0TY ATTACKER CAN AND CANNOT DO% ∗ECAUSE A MAiOR0TY ATTACKER CAN SOLVE COMPUTAT0ONAL PUyhyLES FASTER: 0N EXPECTAT0ON: THAN THE HONEST M0NOR0TY: THE ATTACKER CAN CREATE AN ALTERNAT0VE LONGESTCHA0N OF TRANSACT0ONS: AND REPLACE THE HONEST CHA0N W0TH THE ALTERNAT0VE CHA0N AT A STRATEG0CALLYOPPORTUNE MOMENT% /H0S ALLOWS THE ATTACKER TO CONTROL WHAT TRANSACT0ONS GET ADDED TO THE PUBL0CBLOCKCHA0N: AND ALLOWS THE ATTACKER: W0TH0N COMPUTAT0ONAL L0M0TS: TO REMOVE RECENT TRANSACT0ONSFROM THE PUBL0C BLOCKCHA0N pBY CREAT0NG AN ALTERNAT0VE CHA0N START0NG FROM THE RECENT PAST: ANDCATCH0NG UP(% /HE ATTACKER EVEN EARNS THE BLOCKCHA0N REWARDS: 0%E%: THE Naknbi PER PER0OD: FOR EACHPER0OD OF H0S ALTERNAT0VE CHA0N AFTER HE MAKES 0T THE NEW LONGEST PUBL0C CHA0N%+

vHAT THE ATTACKER CANNnT DO 0S TO CREATE NEW TRANSACT0ONS THAT SPEND OTHER PART0C0PANTS‘∗0TCO0NS% ]REAT0NG NEW TRANSACT0ONS THAT SPEND OTHER PART0C0PANTS‘ CO0NS WOULD REQU0RE NOT iUST AMAiOR0TY OF COMPUTAT0ONAL POWER: BUT ENOUGH COMPUTAT0ONAL POWER TO BREAK MODERN CRYPTOGRAPHYc

7�S NOTED ABOVE: E+UAT0ON po( 0S W0DELx KNOWN: AS 0S @0TCO0N"S VULNERAB0L0Tx TO A MAiOR0Tx ATTACK: FROM WH0CHE+UAT0ON p3( 0S ESSENT0ALLx TAUTOLOG0CALs SEE: FOR EwAMPLE: THE EwCELLENT D0SCUSS0ON OF MAiOR0Tx ATTACKS 0N @ONNEAUp3zoe(% /O THE EwTENT TH0S PAPER MAKES AN 0NTELLECTUAL CONTR0BUT0ON: 0T 0S TO PUT po( AND p3( 0NTO A COMMON THEORET0CALLANGUAGE: TO NOTE THAT THEx 0MPLx pt(: AND THEN TO ANALxZE THE ECONOM0C 0MPL0CAT0ONS OF pt(% /O Mx KNOWLEDGE:E+UAT0ON pt( 0S NEW TO TH0S PAPER%

1@LOCKCHA0N REWARDS DO NOT VEST FOR ozz PER0ODS pSEE @0TCO0N 1ROTOCOL ’ULES: SECT0ON öqTwq MESSAGES“: 0TEM oosAND @0TCO0N ,EVELOPER 4U0DE: SECT0ON ö/RANSACT0ON ,ATA“ p@0TCO0N v0K0: 3zo;s @0TCO0N%ORG: 3zoe((: SO AS LONG ASTHE ATTACKER REPLACES THE HONEST CHA0N W0TH0N ozz PER0ODS: HE EARNS THE BLOCKCHA0N REWARD FOR EVERx BLOCK HE ADDS%-F HE REPLACES THE HONEST CHA0N AFTER ozz PER0ODS 0T 0S SOMEWHAT AMB0GUOUS: AT LEAST TO Mx CURRENT READ0NG OF THE@0TCO0N 1ROTOCOL: WHAT HAPPENS TO THE BLOCK REWARDS THAT HAVE ALREADx VESTED ON THE PART OF THE HONEST CHA0N THATHAS NOW BEEN REPLACED% lx BEST GUESS 0S THAT THOSE @0TCO0NS WOULD BECOME UNUSABLE AND THAT THE ATTACKER WOULDGET NEW @0TCO0NS FOR ALL PER0ODS OF THE CHA0N HE REPLACED%

7

CREAT0NG A TRANSACT0ON THAT SPENDS ANOTHER PART0C0PANT‘S CO0NS REQU0RES LEARN0NG THE0R PR0VATE KEY%� MAiOR0TY ATTACKER CANNOT S0MPLY jSTEAL ALL THE ∗0TCO0NS%“�

3)o ö,O2BLE rPENDzNG“ �TTACK

/HE MOST W0DELY D0SCUSSED MAN0PULAT0ON A MAiOR0TY ATTACKER CAN ENGAGE 0N 0S KNOWN 0N THE L0TEhRATURE AS jDOUBLE SPEND0NG“% �N ATTACKER COULD p0( SPEND ∗0TCO0NS: 0%E%: ENGAGE 0N A TRANSACT0ON 0NWH0CH HE SENDS H0S ∗0TCO0NS TO SOME MERCHANT 0N EXCHANGE FOR GOODS OR ASSETSs THEN p00( ALLOW THATTRANSACT0ON TO BE ADDED TO THE PUBL0C BLOCKCHA0N p0%E%: THE LONGEST CHA0N(s AND THEN SUBSEQUENTLYp000( REMOVE THAT TRANSACT0ON FROM THE PUBL0C BLOCKCHA0N: BY BU0LD0NG AN ALTERNAT0VE LONGEST CHA0N:WH0CH HE CAN DO W0TH CERTA0NTY G0VEN H0S MAiOR0TY OF COMPUT0NG POWER% /HE MERCHANT: UPONSEE0NG THE TRANSACT0ON ADDED TO THE PUBL0C BLOCKCHA0N 0N p00(: G0VES THE ATTACKER GOODS OR ASSETS 0NEXCHANGE FOR THE ∗0TCO0NS: PERHAPS AFTER AN ESCROW PER0OD% ∗UT: WHEN THE ATTACKER REMOVES THETRANSACT0ON FROM THE PUBL0C BLOCKCHA0N 0N p000(: THE MERCHANT EfECT0VELY LOSES H0S ∗0TCO0NS: ALLOW0NGTHE ATTACKER TO jDOUBLE SPEND“ THE CO0NS ELSEWHERE%

�S SHOULD BE CLEAR: WH0LE TH0S PROBLEM 0S CALLED THE jDOUBLE SPEND0NG“ PROBLEM: THE jDnUBLE“PART 0S A M0SNOMER 8 THE ATTACKER CAN REhSPEND H0S ∗0TCO0NS ARB0TRAR0LY MANY T0MES%

/O TRANSLATE THE jDOUBLE SPEND0NG“ PROBLEM 0NTO VALUES FOR PPssPbi AND �: LET US MAKE THEFOLLOW0NG ASSUMPT0ONSc

o% THERE ARE e TRANSACT0ONS 0N A BLOCKs˜% THE ATTACKER ENGAGES 0N e D0ST0NCT TRANSACT0ONS pRELAX0NG TH0S 0N E0THER D0RECT0ON 0S D0SCUSSEDBELOW(s EACH TRANSACT0ON CAN BE 0NTERPRETED AS COM0NG FROM A SEPARATE ADDRESS HE CONTROLSsFOR S0MPL0C0TY ALL e OF THE TRANSACT0ONS GET ADDED TO THE PUBL0C BLOCKCHA0N 0N WHAT WE W0LLCALL BLOCK o: W0TH BLOCK z REFERR0NG TO THE STATE OF THE BLOCKCHA0N PR0OR TO THE ATTACKs

‡gERE 0S A DETA0LED EwCERPT ON WHAT MAiOR0Tx ATTACKERS CAN AND CANNOT DO FROM THE @0TCO0N v0K0: UNDER ö�TTACKERHAS A LOT OF COMPUT0NG POWER“cö�N ATTACKER THAT CONTROLS MORE THAN fiz) OF THE NETWORK"S COMPUT0NG POWER CAN: FOR THE T0ME THAT HE 0S 0NCONTROL: EwCLUDE AND MOD0Fx THE ORDER0NG OF TRANSACT0ONS% /H0S ALLOWS H0M TOc] ’EVERSE TRANSACT0ONS THAT HE SENDS WH0LE HE"S 0N CONTROL% /H0S HAS THE POTENT0AL TO DOUBLEhSPEND TRANSACT0ONSTHAT PREV0OUSLx HAD ALREADx BEEN SEEN 0N THE BLOCK CHA0N%

] 1REVENT SOME OR ALL TRANSACT0ONS FROM GA0N0NG ANx CONffiRMAT0ONS%] 1REVENT SOME OR ALL OTHER M0NERS FROM M0N0NG ANx VAL0D BLOCKS%

/HE ATTACKER b�Nosc] ’EVERSE OTHER PEOPLE"S TRANSACT0ONS W0THOUT THE0R COOPERAT0ON%] 1REVENT TRANSACT0ONS FROM BE0NG SENT AT ALL pTHEx"LL SHOW AS z6UNCONffiRMED(%] •HANGE THE NUMBER OF CO0NS GENERATED PER BLOCK%] •REATE CO0NS OUT OF TH0N A0R%] rEND CO0NS THAT NEVER BELONGED TO H0M%“ p@0TCO0N v0K0: 3zoea(

;

t% THE AVERAGE VALUE OF THE TRANSACT0ONS THE ATTACKER ENGAGES 0N 0S mtsoPlrPbsgnls TH0S CAN BE 0NhTERPRETED AS A STAT0ST0C ON THE H0GHESThVALUE TRANSACT0ONS THAT ARE POSS0BLE ON THE ∗0TCO0NSYSTEMs

fl% MERCHANTS WA0T FOR AN ESCROW PER0OD OF c BLOCKS: COUNT0NG FROM THE BLOCK 0N WH0CH THETRANSACT0ON 0S ffiRST ADDED TO THE PUBL0C BLOCKCHA0N: BEFORE SEND0NG THE GOODS OR ASSETSs

fi% THE HONEST M0NERS HAVE COMPUTAT0ONAL POWER OF M � AND THE ATTACKER HAS POWER OF >M � : W0TH> < os

7% THE ATTACKER OBTA0NS BLOCK REWARDS OF Naknbi PER BLOCK OF THE ATTACKs;% THE ATTACK DOES NOT AfECT THE SUBSEQUENT VALUE OF ∗0TCO0NS pTH0S W0LL BE D0SCUSSED 0N rECT0ONS˜%˜ AND t(%

40VEN THESE ASSUMPT0ONS: THE VALUE OF THE ATTACK 0S PPssPbi – emtsoPlrPbsgnl% ,EffiNE ksoPlrPbsgnl – Naknbii%

/HEN pt( CAN BE REWR0TTEN AScksoPlrPbsgnl <

mtsoPlrPbsgnl

�pfl(

WHERE ksoPlrPbsgnl 0S THE PERhTRANSACT0ON PAYMENT TO M0NERS FOR RUNN0NG THE BLOCKCHA0N: mtsoPlrPbsgnl

REPRESENTS THE S0yE OF THE TRANSACT0ONS THAT ARE POSS0BLE US0NG THE BLOCKCHA0N: AND � REPRESENTS THENET COST OF THE ATTACK%

/O COMPUTE � WE RUN COMPUTAT0ONAL S0MULAT0ONS: REPORTED 0N /ABLE o: FOR D0fERENT VALUES OFCOMPUTAT0ONAL POWER > AND ESCROW PER0OD c% 1ANEL � REPORTS THE EXPECTED DURAT0ON OF THE ATTACKp0N BLOCKS(: 1ANEL ∗ REPORTS THE EXPECTED GROSS COMPUTAT0ONAL COST OF THE ATTACK p0N UN0TS OFM

�a – Naknbi(: AND 1ANEL ] REPORTS THE EXPECTED COST NET OF BLOCK REWARDS p0N UN0TS OFM

�a – Naknbi(:

0%E%: �%!OR 0NTU0T0ON: ffiRST FOCUS ON THE c – z COLUMN: 0%E%: NO ESCROW PER0OD% -N TH0S CASE: THE BESThCASE

SCENAR0O FOR AN ATTACKER 0S THAT THEY SOLVE TWO COMPUTAT0ONAL PUyyLES BEFORE THE HONEST M0NERSSOLVE TWO COMPUTAT0ONAL PUyyLESs 0N SUCH CASE: AFTER SOME HONEST M0NER REPORTS BLOCK o WH0CH0NCLUDES THE ATTACKER‘S TRANSACT0ONS: THE ATTACKER CAN REPORT ALTERNAT0VE BLOCKS o∗ AND ˜∗ SUCH THATTHE CHA0N ϵ ϵ ϵ . z. o∗. ˜∗ 0S THE NEW LONGEST CHA0N AND EXCLUDES H0S TRANSACT0ONS% �S THE ATTACKER‘SCOMPUTAT0ONAL POWER GROWS: TH0S BESThCASE SCENAR0O BECOMES 0NCREAS0NGLY L0KELY: TO THE PO0NT WHERE0F > – fi: THE EXPECTED DURAT0ON OF THE ATTACK 0S iUST ˜%o˜ BLOCKS% v0TH LOWER COMPUTAT0ONAL POWER:THE ATTACK TAKES LONGER 0N EXPECTAT0ON: BUT 0S USUALLY CHEAPER: BOTH GROSS AND NET% !OR EXAMPLE: 0F> – oϵ˜fi THE ATTACK HAS EXPECTED DURAT0ON OF 7%fifl BLOCKS: GROSS COSTS OF eϵoeNaknbi: AND NET COSTSOF oϵ7flNaknbi%

¯OW FOCUS ON THE c – 7 COLUMN: A COMMONLYhD0SCUSSED ESCROW PER0OD: CORRESPOND0NG TO ABOUTONE HOUR pFOR EXAMPLE: SEE THE ∗0TCO0N v0K0 SECT0ONS ON j�LTERNAT0VE >0STORY �TTACK“ AND j�TTACKERHAS A kOT OF ]OMPUT0NG 1OWER“ p∗0TCO0N v0K0: ˜zoeA:B((% -F: SAY > – oϵ˜fi: THE EXPECTED ATTACK

e

DURAT0ON 0S otϵflo BLOCKS W0TH AN EXPECTED COST NET OF BLOCK REWARDS OF � – tϵtfi%

1LUGG0NG TH0S VALUE OF � 0NTO pfl( Y0ELDS ksoPlrPbsgnl < 4tso�lr�bscnl6�68 % /H0S MEANS THAT FOR THE

BLOCKCHA0N SYSTEM TO BE ROBUST AGA0NST TH0S DOUBLEhSPEND0NG ATTACK WOULD REQU0RE THAT THE PERhTRANSACT0ON PAYMENT TO M0NERS FOR RUNN0NG THE BLOCKCHA0N EXCEEDS 9

6�68 · tz) OF THE H0GHESThVALUETRANSACT0ONS THAT ARE POSS0BLE THROUGH THE SYSTEM% /H0S CAN BE 0NTERPRETED AS AN 0MPL0C0T TAX8 0F mtsoPlrPbsgnl – ∆ozz: THEN THE 0MPL0C0T TRANSACT0ONS COST ON A ∆ozz PURCHASE MUST BE AT LEAST∆tz% /HE TAX 0S LARGER AS A PERCENTAGE ON CHEAPER TRANSACT0ONS: W0TH CHEAP DEffiNED RELAT0VE TO THELARGEST FEAS0BLE TRANSACT0ONS% !OR EXAMPLE: 0F THE MOST EXPENS0VE GOODS THAT COULD BE OBTA0NED 0NTHE SYSTEM ARE WORTH ∆ozz: THEN THE 0MPL0C0T TAX ON A ∆oz TRANSACT0ON WOULD NEED TO BE 0N EXCESSOF tzz)%

�DD 0N SOME D0ffCULTY OF COORD0NAT0NG e PURCHASES AT ONCE: SOME 0NEffC0ENCY OF THE ATTACKER‘STECHNOLOGY RELAT0VE TO THE MARG0NAL HONEST M0NERS‘ TECHNOLOGY: OR ANY OTHER FORM OF jSL0PPAGE“FOR THE ATTACKER OF THE BENEffiTS RELAT0VE TO emtsoPlrPbsgnl OR THE COSTS RELAT0VE TO � − M �

a: AND 0T 0SEASY TO 0MAG0NE THAT ksoPlrPbsgnl ON THE ORDER OF ∆oh∆oz 0S ENOUGH FOR THE SYSTEM TO BE ROBUST TOMAiOR0TY ATTACK FOR PURCHASES OF ON THE ORDER OF ∆ozzh∆ozzz% /H0S MAY BE A REASONABLE DESCR0PT0ONOF ∗0TCO0N 0N MANY OF 0TS LEAD0NG EARLY USE CASES:¯ SUCH AS MODESThS0yED PURCHASES OF 0LLEGAL GOODSAND COMPUTER EQU0PMENT: MODESThS0yED 0NTERNAT0ONAL REM0TTANCES pE%G%: ∗0TCO0N AS AN ALTERNAT0VETO vESTERN 2N0ON(: ETC%

-F mtsoPlrPbsgnl 0S MUCH H0GHER: HOWEVER 8 AND REMEMBER: TH0S 0S A STAT0ST0C ON THE LARGEST TRANhSACT0ON S0yES THAT ARE POSS0BLE 8 THEN ksoPlrPbsgnl NEEDS TO BE COMMENSURATELY H0GHER AS WELL: FORTHE SYSTEM NOT TO 0NCENT0V0yE A MAiOR0TY ATTACK% !OR EXAMPLE: SUPPOSE ∗0TCO0N 0S USED AS A jSTORE OFVALUE“ AK0N TO GOLD: AS HAS BEEN D0SCUSSED BY ]OCHRANE p˜zo;(: ]OWEN p˜zo;A:B( AND MANY OTHERS%rUPPOSE 0T 0S POSS0BLE TO CONVERT ∆o:zzz:zzz OF ∗0TCO0N 0NTO OTHER FORMS OF WEALTH 0N THE LARGESTTRANSACT0ONS 0N THE SYSTEM% /HEN: EVEN W0TH AN ESCROW PER0OD OF c – ozz BLOCKS: AND AN ATTACKPER0OD OF iUST ONE BLOCK‘S WORTH OF TRANSACT0ONS: THEN: FOCUS0NG NOW ON > – oϵzfi: YOU WOULD NEEDksoPlrPbsgnl <

9¯�3∆oC · ∆oze;zz FOR THE SYSTEM NOT TO 0NDUCE A MAiOR0TY ATTACK% $VEN AN ESCROW

PER0OD OF c – ozzz BLOCKS 8 o WEEK AT oz M0NUTES PER BLOCK 8 AND AN ATTACK PER0OD OF iUST ONEBLOCK‘S WORTH OF TRANSACT0ONS WOULD REQU0RE ksoPlrPbsgnl · ∆oe;zz% -F THE ATTACKER 0NSTEAD ATTACKSSAY ˜ BLOCKS‘ WORTH OF TRANSACT0ONS pPERHAPS SPREAD OUT OVER T0ME(: THEN EVEN W0TH c – ozzz THESYSTEM REQU0RES ksoPlrPbsgnl · ∆t;flzz NOT TO BE VULNERABLE TO TH0S MAiOR0TY ATTACK%

$SSENT0ALLY: FOR THE SYSTEM TO BE USABLE FOR LARGE TRANSACT0ONS REQU0RES 0MPL0C0T TAX RATES THAT

4rEE: FOR 0NSTANCE: @jHME ET AL% p3zofi(% /HE AUTHORS OF rOSKA AND •HR0ST0N p3zofi( REPORT 0N A PR0VATE COMMUN0hCAT0ON THAT 0N THE0R DATA: BASED ON o7 D0fERENT ONL0NE ANONxMOUS MARKETPLACES OVER THE PER0OD 3zoth3zofi: THAT THEAVERAGE TRANSACT0ON THEx OBSERVE 0S AROUND ∆ozzh∆ofiz DEPEND0NG ON HOW THE DATA 0S CUT% /HEx REPORT THAT THEREARE ZERO ∆ol. TRANSACT0ONS AND THAT ∆oz:zzz. TRANSACT0ONS ARE EwTREMELx RARE% rEE ALSO THE SECT0ON ö@ULK -TEMS“0N •HR0ST0N p3zo;( FOR DETA0LS ON THE SMALL NUMBER OF ∆oz:zzz. TRANSACT0ONS THEx DO OBSERVE%

n

L0KELY RENDER 0T UNUSABLE FOR SMALLER TRANSACT0ONS%

3)3 örABOTAGE“ �TTACK

#NE SEEM0NGLY OBV0OUS RESPONSE TO THE LOG0C 0N THE PREV0OUS SECT0ON 0S THAT THE MAiOR0TY ATTACKWOULD BE jNOT0CED“ BY ∗0TCO0N USERS: PERHAPS AFTER A PER0OD OF 0N0T0AL CONFUS0ON% �S A RESULT: THEARGUMENT GOES: WH0LE THE ATTACK WOULD 0NDEED WORK 0N THE SENSE OF OBTA0N0NG THE HOPEDhFOR GOODSOR ASSETS: THERE 0S AN ADD0T0ONAL COST TO CONS0DER 0N THAT THE ATTACK W0LL HARM THE SUBSEQUENT VALUEOF THE ATTACKER‘S OWN ∗0TCO0N HOLD0NGS 8 WH0CH THE ATTACKER MUST HAVE TO ENGAGE 0N THE ATTACK 0NTHE ffiRST PLACE% /HE ∗0TCO0N v0K0 CLASS0ffiES THE MAiOR0TY ATTACK 0NTO 0TS j1ROBABLY ¯OT A 1ROBLEM“CATEGORY FOR TH0S REASON: MAK0NG THE FOLLOW0NG ARGUMENTc

j� M0NER W0TH MORE THAN fiz) HASH POWER 0S 0NCENT0VED TO REDUCE THE0R M0N0NG POWERAND REFRA0N FROM ATTACK0NG 0N ORDER FOR THE0R M0N0NG EQU0PMENT AND B0TCO0N 0NCOME TORETA0N 0TS VALUE%“ p∗0TCO0N v0K0: ˜zoeD: SECT0ON jlAiOR0TY �TTACK“(

!ORMALLY: LET US ASSUME THAT THE DOUBLEhSPEND0NG ATTACK ANALYyED 0N rECT0ON ˜%o CAUSES A PROPORhT0ONAL DEC0NE 0N THE VALUE OF ∗0TCO0N OF †PssPbi: AND THAT THE ATTACKER HOLDS THE M0N0MUM AMOUNTOF ∗0TCO0N NECESSARY TO CONDUCT THE ATTACK: NAMELY emtsoPlrPbsgnl WORTH% !OR TH0S SECT0ON: WE MA0NhTA0N THE ASSUMPT0ON THAT THE TECHNOLOGY USED FOR THE ATTACK CAN BE REPURPOSEDs WE W0LL CONS0DERBLOCKCHA0NhSPEC0ffiC M0N0NG EQU0PMENT 0N DETA0L pAS MENT0ONED 0N THE v0K0 QUOTE ABOVE( 0N THE NEXTSECT0ON% /HE †PssPbi DECL0NE 0N THE VALUE OF ∗0TCO0N MOD0ffiES EQUAT0ON pfl( TO BEc92

ksoPlrPbsgnl <po�†PssPbi(

p>� o . †PssPbi(rmtsoPlrPbsgnl pfl∗(

/HE LARGER 0S †PssPbi: THE SMALLER 0S THE 0MPL0C0T TAX ON THE SYSTEM NECESSARY TO DETER THEMAiOR0TY ATTACK: 0%E%: THE LEVEL OF ksoPlrPbsgnl NECESSARY TO SUPPORT A G0VEN LEVEL OF mtsoPlrPbsgnl% !OREXAMPLE: 0F †PssPbi – o: 0%E%: 0F THE ATTACK CAUSES A TOTAL COLLAPSE OF THE VALUE OF ∗0TCO0N: THEATTACKER LOSES EXACTLY AS MUCH 0N ∗0TCO0N VALUE AS HE GA0NS FROM DOUBLE SPEND0NGs 0N EfECT: THERE0S NO CHANCE TO jDOUBLE“ SPEND AFTER ALL% -N TH0S RESPECT: THE ARGUMENT ON THE ∗0TCO0N v0K0 0SCORRECT% >OWEVER: †PssPbi 0S SOMETH0NG OF A jP0CK YOUR PO0SON“ PARAMETER% -F †PssPbi 0S SMALL: THENTHE SYSTEM 0S VULNERABLE TO THE DOUBLEhSPEND0NG ATTACK DESCR0BED 0N rECT0ON ˜%o: AND THE 0MPL0C0TTRANSACT0ONS TAX ON ECONOM0C ACT0V0TY US0NG THE BLOCKCHA0N HAS TO BE H0GH% -F †PssPbi 0S LARGE: THENA SHORT T0ME PER0OD OF ACCESS TO A LARGE AMOUNT OF COMPUT0NG POWER CAN SABOTAGE THE BLOCKCHA0N%

92/HE ATTACKER GETS A BENEffiT OF imtso�lr�bscnl: BUT TO REAL0ZE TH0S BENEffiT HAS TO HOLD @0TCO0NS WORTH TH0S AMOUNT:SO THE NET BENEffiT OF THE ATTACK 0S po�‡�ss�bi(imtso�lr�bscnl% /HE ATTACKER PAxS GROSS COMPUTAT0ONAL COSTS OF .s −E

�b:

WHERE s 0S THE EwPECTED DURAT0ON OF THE ATTACK% gE GETS BLOCK REWARDS OF s − E�b WH0CH THEN DECL0NE 0N VALUE Bx

PROPORT0ON ‡�ss�bi: SO THE NET COST 0S p. � o . ‡�ss�bi(s − E�bα rUBST0TUT0NG ioso�lr�bscnl — Naknbi — E

�b AND

REARRANG0NG x0ELDS pfl∗(%

oz

-F †PssPbi 0S LARGE: ONE MUST THEN CONS0DER THE POSS0B0L0TY OF AN ATTACKER WHO 0S MOT0VATED BYSABOTAGE PER SE: RATHER THAN DOUBLE SPEND0NGs CALL TH0S VALUE PrPansPec% � WELLhKNOWN EARLY PAPERON THE DOUBLE SPEND0NG PROBLEM: ’OSENFELD p˜zo˜(: NOTES EXACTLY TH0S POSS0B0L0TYc

j-N TH0S SECT0ON WE W0LL ASSUME p , k b0%E%: THAT THE ATTACKER DOES NOT HAVE A MAiOR0TY[%#THERW0SE: ALL BETS ARE Of W0TH THE CURRENT ∗0TCO0N PROTOCOL %%% /HE HONEST M0NERS:WHO NO LONGER RECE0VE ANY REWARDS: WOULD QU0T DUE TO LACK OF 0NCENT0VEs TH0S W0LL MAKE0T EVEN EAS0ER FOR THE ATTACKER TO MA0NTA0N H0S DOM0NANCE% /H0S W0LL CAUSE E0THER THECOLLAPSE OF ∗0TCO0N OR A MOVE TO A MOD0ffiED PROTOCOL% �S SUCH: TgzS ATTACJ zS BEST SEENAS AN ATTEMPT Tn DESTRnx azTCnzN: MOT0VATED NOT BY THE DES0RE TO OBTA0N ∗0TCO0N VALUE:BUT RATHER W0SH0NG TO MA0NTA0N ENTRENCHED ECONOM0CAL SYSTEMS OR OBTA0N SPECULAT0VEPROffiTS FROM HOLD0NG A SHORT POS0T0ON%“ p$MPHAS0S �DDED(

vHAT 0S THE VALUE OF PrPansPecq -T 0S HARD TO SAY OF COURSE: BUT EASY TO 0MAG0NE THAT THE MAGN0TUDESARE ALREADY LARGE: AND WOULD BE LARGER ST0LL 0F ∗0TCO0N AND6OR THE BLOCKCHA0N L0VE UP TO THE0R HYPE%#PEN 0NTEREST ON ]l$ AND ]∗#$ ∗0TCO0N FUTURES 8 WH0CH G0VES A SENSE OF MAGN0TUDES FOR WHATCOULD BE MADE AT PRESENT FROM A SHORThSELL0NG ATTACK 8 0S ABOUT ∆o7z M0LL0ON AS OF lARCH ˜zoe%99

-N COMPAR0SON: OPEN 0NTEREST ON ]l$ 4OLD !UTURES 8 WH0CH MAY G0VE A MORE APPROPR0ATE SENSEOF MAGN0TUDES FOR THE HYPOTHET0CAL SCENAR0O 0N WH0CH ∗0TCO0N 0S USED AS A jSTORE OF VALUE“ 8 0SABOUT ∆7fi B0LL0ON%93 /HE MARKET CAP0TAL0yAT0ON OF ∗0TCO0N 8 WH0CH PERHAPS G0VES ANOTHER SENSE OFMAGN0TUDES FOR THE AMOUNT OF ECONOM0C HARM A BAD ACTOR COULD CAUSE BY SABOTAG0NG THE SYSTEM8 0S PRESENTLY ON THE ORDER OF ∆ozzh∆˜zz B0LL0ON% /HE MARKET CAP0TAL0yAT0ON OF THE GOLD STOCK 0S ONTHE ORDER OF ∆;%fi TR0LL0ON p]OWEN: ˜zo;A(%

lORE BROADLY: MANY HAVE ARGUED THAT THE ¯AKAMOTO p˜zze( BLOCKCHA0N 0NNOVAT0ON COULD BEUSEFUL FOR DOMA0NS 0NCLUD0NG GLOBAL SUPPLY CHA0NS: LAND PROVENANCE: 0DENT0TY MANAGEMENT: MED0CALRECORDS: AND EVEN VOT0NG pCF% v0K0PED0A p˜zoe( FOR A VAR0ETY OF REFERENCES(% !OR EXAMPLE 4OLDMANrACHS p˜zoe( DESCR0BES THE jBLOCKCHA0N TECHNOLOGY bTHAT[ WAS OR0G0NALLY DEVELOPED AS PART OF THED0G0TAL CURRENCY ∗0TCO0N“ AS j/HE ¯EW /ECHNOLOGY OF /RUST“: AND DESCR0BES APPL0CAT0ONS SUCH ASj�N 0NTERNAT0ONAL -, BLOCKCHA0N: ACCESS0BLE ANYWHERE 0N THE WORLD: bTHAT[ ALLOWS PEOPLE TO PROVETHE0R 0DENT0TY: CONNECT W0TH FAM0LY MEMBERS AND EVEN RECE0VE MONEY W0THOUT A BANK ACCOUNT%“vH0LE 0N SOME CASES TH0S USE OF THE WORD jBLOCKCHA0N“ APPEARS TO BE MARKET0NG FOR OLDER 0DEASFROM COMPUTER SC0ENCE pE%G%: D0STR0BUTED LEDGERS OR DATABASES W0TH KNOWN: TRUSTED PART0ES(: TO THE

99#N lARCH fi: 3zoe: OPEN 0NTEREST 0N •l$ 4ROUP @0TCO0N !UTURES WAS o733 CONTRACTS p•l$ 4ROUP: 3zoe�(:EACH OF WH0CH TRACKS THE VALUE OF fi @0TCO0NS: AND OPEN 0NTEREST 0N •@#$ @0TCO0N !UTURES WAS finte CONTRACTS p•BOE:3zoe(: EACH OF WH0CH TRACKS THE VALUE OF o @0TCO0N% �T THE lARCH fi: 3zoe @0TCO0N PR0CE OF ABOUT ∆oo:fizz: TH0S OPEN0NTEREST 0S WORTH ABOUT ∆nt M0LL0ON ON •l$ AND ∆7e M0LL0ON ON •@#$%

93lARCH fi OPEN 0NTEREST 0N THE •l$ 4OLD !UTURES WAS flnn:7z3 CONTRACTS: EACH WORTH ozz TROx OUNCES OF GOLD OR∆otz:zzz AT THE CURRENT GOLD PR0CE OF ROUGHLx ∆otzz PER OUNCE •l$ 4ROUP p3zoea(%

oo

EXTENT THAT THE ¯AKAMOTO p˜zze( BLOCKCHA0N 0S USED 0N THESE W0DER DOMA0NS: ONE SHOULD REALLYWORRY ABOUT THE VALUE OF PrPansPec%

t aLOCKCHAzNhrPECzffiC lzNzNG sECHNOLOGx

/HE ANALYS0S 0N rECT0ONS oh˜ ASSUMED THAT THE ATTACKER‘S COST OF WAG0NG THE MAiOR0TY ATTACK WASPROPORT0ONAL TO THE PERhBLOCK j5OW“ COST OF M0N0NG THE BLOCK CHA0N% !ORMALLY: WE ASSUMED THAT THEPERhBLOCK COST OF ONE UN0T OF COMPUTAT0ONAL POWER WAS a – qA.c: 0%E%: THE RENTAL COST OF A CH0P qAPLUS THE PERhBLOCK PERhCH0P COST OF ELECTR0C0TY c: AND THAT THE ATTACKER‘S COST OF WAG0NG THE MAiOR0TYATTACK WAS � −M �

a: W0TH � REPRESENT0NG THE DURAT0ON OF THE ATTACK NET OF BLOCK REWARDS% >OWEVER:0F BOTH p0( THE TECHNOLOGY NECESSARY FOR M0N0NG THE BLOCKCHA0N 0S SPEC0ffiC p0%E%: NONhREPURPOSABLE(:AND p00( THE ATTACK HARMS THE SUBSEQUENT VALUE OF THAT TECHNOLOGY: THEN 0T MAY BE APPROPR0ATE TOCHARGE THE ATTACKER A STOCK COST RATHER THAN A 5OW COST% -MPORTANTLY: p0( AND p00( SEEM L0KELY TOHOLD FOR THE ∗0TCO0N BLOCKCHA0N AT PRESENT%

t)o eLOW VS) rTOCK bOSTS OF �TTACK

lORE FULLY: THE 5OW COST APPROACH USED 0N rECT0ONS oh˜ 0S APPROPR0ATE UNDER THE FOLLOW0NG FOURSCENAR0OSc

bASE noc sHE MOST EfCzENT CHzPS FOR MzNzNG THE BLOCKCHAzN zN .2ESTzON ARE REP2RPOSAhBLE FOR OTHER 2SES) /H0S CORRESPONDS TO THE OR0G0NAL V0S0ON OF ¯AKAMOTO p˜zze(: WHO DESCR0BEDTHE BLOCKCHA0N CONSENSUS PROTOCOL AS jONEh]12hONEhVOTE“% >OWEVER: 0T DOES NnT CORRESPOND TO∗0TCO0N M0N0NG AT PRESENTs THE MOST EffC0ENT CH0PS ARE �r-]S pAPPL0CAT0ON SPEC0ffiC 0NTEGRATED C0RhCU0TS( USEFUL ONLY FOR ∗0TCO0N M0N0NG% !OR $THEREUM: THE SECOND LARGEST CRYPTOCURRENCY BY MARKETCAP0TAL0yAT0ON: THE MOST EffC0ENT CH0PS AT PRESENT ARE 412S pGRAPH0CS PROCESS0NG UN0TS(: WH0CHARE REPURPOSABLEs HOWEVER: �r-]S FOR THE $THEREUM BLOCKCHA0N WERE RECENTLY ANNOUNCED: W0THAVA0LAB0L0TY 0N IULY ˜zoe p#‘kEARY: ˜zoe(%

¯OTABLY: MANY CRYPTOCURRENCY BLOCKCHA0NS: 0NCLUD0NG $THEREUM‘S: ARE SPEC0ffiCALLY DES0GNED TOBE j�r-] RES0STANT“%96 ’OUGHLY: TH0S MEANS THAT THE PROOFhOFhWORK FUNCT0ON 0S DES0GNED SO THAT

96/HE $THEREUM v0K0"S MA0N WH0TE PAPER p$THEREUM v0K0: 3zoe�( LAMENTS THAT öTHE b@0TCO0N[ M0N0NG ALGOR0THM0S VULNERABLE TO TWO FORMS OF CENTRAL0ZAT0ON% !0RST: THE M0N0NG ECOSxSTEM HAS COME TO BE DOM0NATED Bx �r-•S %%%%TH0S MEANS THAT @0TCO0N M0N0NG 0S NO LONGER A H0GHLx DECENTRAL0ZED AND EGAL0TAR0AN PURSU0T“% -T THEN ARGUES THAT 0NTHE EVENT THAT �r-•S ARE DES0GNED FOR $THEREUM: THAT ö$THEREUM CONTRACTS CAN 0NCLUDE ANx K0ND OF COMPUAT0ON:SO AN $THEREUM �r-• WOULD ESSENT0ALLx BE AN �r-• FOR GENERAL COMPUTAT0ON 8 0%E%: A BETTER •12%“ /HE RECENTLxANNOUNCED $THEREUM �r-•S ARE CONTROVERS0AL W0TH0N THE $THEREUM DEVELOPER COMMUN0Tx: WH0CH WAS REPORTED TOHAVE CONS0DERED MOD0Fx0NG THE $THEREUM PROTOCOL TO BLOCK THE USE OF �r-•S pgU0LLET: 3zoe(% -T REMA0NS TO BE SEENHOW REPURPOSABLE THESE $THEREUM �r-•S W0LL BE%

o˜

�r-]S DO NOT MEAN0NGFULLY 0MPROVE UPON GENERALhPURPOSE CH0PS% -F A BLOCKCHA0N 0S 0N FACT �r-]RES0STANT: THEN THE REPURPOSAB0L0TY ASSUMPT0ON 0S APPROPR0ATE%

bASE n3c sHE MOST EfCzENT CHzPS ARE SPECzALzyED: B2T THERE ARE REP2RPOSABLE CHzPSTHAT ARE EfCzENT ENO2GH FOR THE P2RPOSE OF AN ATTACK) !ORMALLY: DENOTE BY a� THEPERhBLOCK PERhCOMPUTAT0ONAL UN0T COST OF THE MOST EffC0ENT SPEC0AL0yED CH0P: AND DENOTE BY 3a THEPERhBLOCK PERhCOMPUTAT0ONAL UN0T COST OF THE BEST REPURPOSABLE CH0P% /HE COST OF AN ATTACK US0NGREPURPOSABLE CH0PS WOULD BE � − M �3a% -F 3a 0S W0TH0N A REASONABLE FACTOR OF a� THEN THE COST OFTHE ATTACK CAN REASONABLY BE MODELED AS A 5OW COST: NOT A STOCK% /H0S 0S NnT CURRENTLY THECASE FOR ∗0TCO0N M0N0NG: AS THE BEST SPEC0AL0yED CH0PS ARE ON THE ORDER OF ozzzhozzzz T0MES MOREECONOM0CALLY EffC0ENT THAN THE BEST REPURPOSABLE CH0PS%95

bASE ntc sHE MOST EfCzENT CHzPS ARE SPECzALzyED: AND THERE EXzST PREVzO2ShGENERATzONSPECzALzyED CHzPS THAT ARE NOT ECONOMzCALLx EfCzENT FOR MzNzNG B2T ARE EfCzENT ENO2GHFOR THE P2RPOSE OF AN ATTACK: AND EXzST zN LARGE .2ANTzTx) rUPPOSE THAT THE MOST EffhC0ENT SPEC0AL0yED CH0P COSTS A� AND USES ENERGY c�: FOR PERhBLOCK PERhCOMPUTAT0ONAL UN0T COST OFa� – qA� . c�: AND THAT THERE EX0STS A PREV0OUS GENERAT0ON SPEC0AL0yED CH0P W0TH PERhBLOCK PERhCOMPUTAT0ONAL UN0T ENERGY COST OF 3c SUCH THAT 3c < qA� . c�% /HAT 0S: THE NEW CH0P 0MPROVED ONTHE ENERGY EffC0ENCY OF THE OLD CH0P BY ENOUGH THAT 0T WOULD BE 0NEffC0ENT TO USE THE OLD CH0P FORM0N0NG EVEN 0F 0T WERE FREE% /HE MARKET PR0CE OF THE OLD CH0PS W0LL THEREFORE BE NEGL0G0BLE 8 THEYARE SPEC0AL0yED AND NO LONGER ECONOM0CALLY USEFUL FOR THE0R ONE PURPOSE% /HE COST OF AN ATTACKUS0NG SUCH CH0PS WOULD BE � − M �3c% -F 3c 0S W0TH0N A REASONABLE FACTOR OF c� AND THERE ARE A LARGEENOUGH NUMBER OF THE PREV0OUShGENERAT0ON CH0PS AVA0LABLE TO AMASS M � OF COMPUTAT0ONAL POWER:THEN THE 5OW COST APPROACH 0S APPROPR0ATE%

bASE n5c sHE MOST EfCzENT CHzPS ARE SPECzALzyED: THERE ARE NEzTHER REASONABLx EfhCzENT REP2RPOSABLE CHzPS NOR OLDER GENERATzON SPECzALzyED CHzPS: B2T THE ATTACK DOESNOT CA2SE A DECLzNE zN THE VAL2E OF MzNzNG E.2zPMENT: z)E): zT zS NOT A SABOTAGEp†PssPbi – z() -N TH0S SCENAR0O: 5OW COSTS ARE APPROPR0ATE BECAUSE AN ATTACKER pESPEC0ALLYAN 0NS0DER( WOULD PAY A 5OW COST FOR THE ATTACK: AND THEN COULD RESUME M0N0NG AS USUAL% #R: THEATTACKER pESPEC0ALLY AN OUTS0DER( COULD ATTACK THE BLOCKCHA0N REPEATEDLY: PAY0NG A 5OW COST EACHT0ME%

95/HE @0TMA0N �NTM0NER rn R0G: DESCR0BED 0N MORE DETA0L 0N FOOTNOTE o7 AND ONE OF THE MOST EffC0ENT @0TCO0N�r-• R0GS: HAS A COST OF ∆oo7z AND A HASH RATE OF ot/g6S: FOR A CAP0TAL COST PER HASH RATE OF ∆z%zen ∆64g6S% -NCONTRAST: MOST 412S HAVE HASH RATES OF BELOW o4g6S p@0TCO0N v0K0: 3zofis /AxLOR: 3zo;( AND COSTS 0N EwCESS OF∆ozz PER CH0P: FOR A CAP0TAL COST PER HASH RATE OF MORE THAN ∆ozz ∆64g6S: A D0fERENCE OF AT LEAST ozzzw ON CAP0TALCOSTS% �r-•S ARE ALSO MORE ENERGx EffC0ENT THAN 412S%

ot

>OWEVER: THE 5OW COST APPROACH 0S NnT APPROPR0ATE 0Fc

bASE nfic sHE MOST EfCzENT CHzPS ARE SPECzALzyED: THERE ARE NEzTHER REASONABLx EfhCzENT REP2RPOSABLE CHzPS NOR OLDER GENERATzON SPECzALzyED CHzPS: AND THE ATTACK zS ASABOTAGE) -MPORTANTLY: CASE 9fi SEEMS TO BE THE ACCURATE CASE FOR ∗0TCO0N C0RCA SPR0NG ˜zoe%∗0TCO0N �r-] CH0PS ARE CURRENTLY THOUSANDS OF T0MES MORE ECONOM0CALLY EffC0ENT FOR THE ∗0TCO0NHASH0NG PROBLEM THAN REPURPOSABLE CH0PS: AND: W0TH THE DRAMAT0C R0SE OF ∗0TCO0N‘S VALUE OVER THEPAST SEVERAL YEARS: THE ∗0TCO0N �r-] MARKET SEEMS TO MOSTLY HAVE BEEN TRY0NG TO CATCH UP W0THDEMAND pE%G%: rAMSUNG RECENTLY ANNOUNCED 0T 0S ENTER0NG p’USSELL: ˜zoe((: SO THERE 0S NOT A GLUT OFPREV0OUShGENERAT0ON CH0PS THAT COULD BE CHEAPLY DEPLOYED FOR AN ATTACK%

t)3 dCONOMzC kzMzT OF THE aLOCKCHAzN --c M �A < PpVansVec

/O ANALYyE CASE 9fi: CONS0DER THE EXTREME 0N WH0CH THE ATTACK CAUSES A TOTAL COLLAPSE OF THEECONOM0C VALUE OF THE BLOCKCHA0N: 0NCLUD0NG THE SPEC0AL0yED EQU0PMENTs TH0S 0S THE CASE FOR WH0CHTHE 0NCENT0VE CONSTRA0NT AGA0NST THE ATTACK 0S LEAST CONSTRA0N0NG% /HE 0NCENT0VE CONSTRA0NT p˜( CANBE REWR0TTEN: APPROX0MATELY:98 AS

M�A < PrPansPec p˜∗(

-N COMPAR0SON TO p˜(: NOW THERE 0S A STOCK VALUE ON THE k>r OF THE CONSTRA0NT AS OPPOSED TO A5OW VALUE% vHEREAS THE k>r OF p˜( WAS L0KELY ON THE ORDER OF A FEW M0LL0ON DOLLARS pPOTENT0ALLY EVENLESS(: THE k>r OF p˜∗(: G0VEN CURRENT ∗0TCO0N M0N0NG TECHNOLOGY: MAY BE ON THE ORDER OF ∆o%fi∗Nh∆˜∗N%97 rT0LL: EQUAT0ON p˜∗( 0S A SER0OUS CONSTRA0NT ON THE BLOCKCHA0N% !0RST: THE BLOCKCHA0N‘SSECUR0TY 0S ST0LL L0NEAR 0N COMPUTAT0ON EXPENSE: AS 0N p˜(% rECOND: FOR p˜∗( RATHER THAN p˜( TO BE THERELEVANT 0NCENT0VE CONSTRA0NT: ONE HAS TO CONCEDE BOTH p0( THE POSS0B0L0TY OF SABOTAGE: AND p00( THATTHE SECUR0TY OF THE BLOCKCHA0N REL0ES ON THE USE OF H0GHLY SPEC0AL0yED EQU0PMENT%

98/HE EwPRESS0ON DROPS THE NONhCAP0TAL COSTS OF THE ATTACK p0%E%: ELECTR0C0Tx(: WH0CH ARE E� −.s − c% -T ALSO ASSUMESTHAT THE BENEffiTS OF DOUBLE SPEND0NG CANCEL OUT THE COST OF THE DECL0NE OF THE VALUE OF THE ATTACKER"S @0TCO0N HOLD0NGS:AS EwPLA0NED 0N FOOTNOTE oz%

97/HE @0TMA0N �NTM0NER rn: /n.: AND un ARE THREE OF THE MOST ECONOM0CALLx EffC0ENT M0N0NG R0GS WE COULDffiND AMONG A LARGER SET OF R0GS W0TH DATA AVA0LABLE ON BOTH THE R0G"S HASH RATE AND 0TS COST% �T THE lARCH 3zoeAVERAGE LEVEL OF THE /OTAL ¯ETWORK gASH ’ATE p/¯g’( OF ABOUT 3fi M0LL0ON /g6S: ONE WOULD NEED TO PURCHASEABOUT o%n M0LL0ON rn"S: 3%fl M0LL0ON /n."S: OR 7%3 M0LL0ON un"S TO ACH0EVE /¯g’: WH0CH AT CURRENT CONSUMER POSTEDPR0CES WOULD COME TO ∆3%3BN: ∆o%7BN: AND ∆o%fiBN: RESPECT0VELx% p1LEASE SEE @LOCKCHA0N%0NFO p3zoe( FOR THE /¯g’AND @0TMA0N p3zoe( FOR PR0CES AND HASH RATES FOR THE0R �NTM0NER R0GS(% 1RESUMABLx A LARGEhSCALE PURCHASER COULDOBTA0N @0TCO0N �r-•S AT PR0CES THAT ARE LOWER THAN THE PR0CES THAT ARE AVA0LABLE TO CONSUMERS% lORE 0MPORTANTLx:AS @0TCO0N �r-• TECHNOLOGx BECOMES MORE MATURE 8 E%G%: rAMSUNG 0S NOW ENTER0NG @0TCO0N �r-• MANUFACTUR0NGp’USSELL: 3zoe( 8 0T SEEMS L0KELx THAT PR0CES W0LL FALL: AND6OR ONE COULD CHEAPLx REPURPOSE OLDER �r-•S THAT AREECONOM0CALLx 0NEffC0ENT FOR M0N0NG pAS D0SCUSSED 0N CASE 9t( TO MORE CHEAPLx CONDUCT AN ATTACK%

ofl

t)t bOLLAPSE rCENARzOS

rUPPOSE: FOR THE PURPOSE OF D0SCUSS0ON: THAT THE ∗0TCO0N BLOCKCHA0N CURRENTLY DOES SAT0SFY CONSTRA0NTp˜∗( BUT DOES NOT SAT0SFY CONSTRA0NT p˜(: AND THAT THE D0fERENCE BETWEEN THESE TWO CONSTRA0NTS HELPSEXPLA0N WHY THE ∗0TCO0N BLOCKCHA0N HAS NOT HAD A MAiOR ATTACK% vHAT DOES TH0S ANALYS0S THEN0MPLY ABOUT ∗0TCO0N‘S SECUR0TY 0N THE FUTUREq

/HE MODEL SUGGESTS t POSS0BLE SCENAR0OS TO WORRY ABOUTc

o% 2LTRAhCHEAP SPEC0AL0yED �r-]S%

pA( �S ∗0TCO0N �r-] TECHNOLOGY MATURES: ∗0TCO0N �r-]S BECOME PLENT0FUL AND VERY CHEAP:ESPEC0ALLY VERS0ONS THAT ARE NOT AT THE FRONT0ER 0N TERMS OF ENERGY EffC0ENCY% /HEN WEARE 0N CASE 9t ABOVE%

pB( -F ∗0TCO0N‘S VALUE WERE TO FALL pFOR OTHER REASONS(: THAT WOULD LEAD TO A GLUT OF SPEC0AL0yED�r-]S RELAT0VE TO THE AMOUNT NEEDED PER EQUAT0ON po(: EVEN HOLD0NG �r-] TECHNOLOGYPER SE ffiXED%

˜% $ffC0ENThENOUGH REPURPOSABLE CH0PS%

pA( -F EXC0TEMENT ABOUT THE BLOCKCHA0N CONT0NUES TO GROW: THEN 0T SEEMS PLAUS0BLE THATREPURPOSABLE CH0PS W0LL GET MORE EffC0ENT AT HASH0NG% /HEY WOULD NEVER CATCH UP W0THSPEC0AL0yED �r-]S 0N TERMS OF ECONOM0C EffC0ENCY: BUT PERHAPS THE GAP CLOSES FROM AFACTOR OF SEVERAL THOUSAND TO SOMETH0NG MEAN0NGFULLY SMALLER% /H0S 0S CASE 9˜ ABOVE%

pB( �DVANCES 0N NANOTECHNOLOGY COULD LEAD TO MEAN0NGFUL 0MPROVEMENTS 0N !14�hL0KETECHNOLOGY: 0%E%: 0NNOVAT0ONS THAT A0M AT THE GOAL OF GENERALhPURPOSE THERMODYNAM0hCALLY OPT0MAL COMPUTAT0ON% /H0S WOULD ALSO BE CASE 9˜ ABOVE%

t% $CONOM0C SABOTAGE BECOMES SUffC0ENTLY TEMPT0NG%

pA( ∗0TCO0N FUTURES MARKETS GROW 0N ECONOM0C 0MPORTANCE: 0NDUC0NG A SHORThSELLER ATTACK%pB( ∗0TCO0N GROWS 0N ECONOM0C 0MPORTANCE: 0NDUC0NG A SABOTAGE TO HARM ∗0TCO0N PER SE%

5 bONCL2SzON

/HE ANONYMOUS: DECENTRAL0yED TRUST ENABLED BY THE ¯AKAMOTO p˜zze( BLOCKCHA0N: WH0LE 0NGEN0OUS:0S EXPENSzVE% $QUAT0ON pt( SAYS THAT FOR THE TRUST TO BE MEAN0NGFUL REQU0RES THAT THE 5OW COSTOF RUNN0NG THE BLOCKCHA0N 0S LARGE RELAT0VE TO THE ONEhSHOT VALUE OF ATTACK0NG 0T% -N THE DOUBLEhSPEND0NG ATTACK CONS0DERED 0N rECT0ON ˜%o: THE 0MPL0CAT0ON 0S THAT THE TRANSACT0ON COSTS OF THEBLOCKCHA0N MUST BE LARGE 0N RELAT0ON TO THE LARGESThPOSS0BLE ECONOM0C USES OF THE BLOCKCHA0N: WH0CHCAN BE 0NTERPRETED AS A LARGE 0MPL0C0T TAX% /HE ARGUMENT THAT AN ATTACK 0S ACTUALLY MORE EXPENS0VE

ofi

THAN TH0S 5OW COST: CONS0DERED 0N rECT0ON t: REQU0RES ONE TO CONCEDE BOTH p0( THAT THE SECUR0TYOF THE BLOCKCHA0N ACTUALLY REL0ES ON 0TS USE OF SCARCE: NONhREPURPOSABLE TECHNOLOGY pCOUNTER TOTHE ¯AKAMOTO p˜zze( V0S0ON OF jONEh]12hONEhVOTE“(: AND p00( THAT THE BLOCKCHA0N 0S VULNERABLETO SABOTAGE: AND AT A COST THAT 0S L0NEAR 0N THE AMOUNT OF SPEC0AL0yED COMPUTAT0ONAL EQU0PMENTDEVOTED TO 0TS MA0NTENANCE% /HESE CONCESS0ONS LEAVE THE BLOCKCHA0N VULNERABLE TO COLLAPSE 0F E0THERCOND0T0ONS CHANGE 0N THE SPEC0AL0yED CH0P MARKET OR 0F THE ∗0TCO0N BLOCKCHA0N BECOMES ECONOM0CALLY0MPORTANT ENOUGH TO TEMPT A SABOTEUR% #VERALL: THE RESULTS PLACE POTENT0ALLY SER0OUS ECONOM0CCONSTRA0NTS ON THE USE OF THE ¯AKAMOTO p˜zze( BLOCKCHA0N 0NNOVAT0ON%

-T BEARS EMPHAS0S THAT THE EARL0EST USE CASES OF ∗0TCO0N8BLACKhMARKET TRANSACT0ONS: PURCHASESBY COMPUTER HOBBY0STS: 0NTRAhFAM0LY 0NTERNAT0ONAL TRANSFERS: ETC%: ALL OF RELAT0VELY MODEST VALUE8ARECOMPLETELY CONS0STENT W0TH THE MODEL 0N TH0S PAPER% -N THE LANGUAGE OF THE MODEL: mtsoPlrPbsgnl 0S LOWRELAT0VE TO THE ACCEPTABLE LEVELS OF ksoPlrPbsgnl FOR SUCH TRANSACT0ONS% ’ATHER: TH0S PAPER SUGGESTSSKEPT0C0SM AND CAUT0ON ABOUT LARGERhSCALE USES OF TH0S TECHNOLOGY: SUCH AS ∗0TCO0N AS A jSTORE OFVALUE“ AK0N TO GOLD: OR THE USE OF THE ¯AKAMOTO p˜zze( BLOCKCHA0N BY BUS0NESSES AND GOVERNMENTS%lOST BUS0NESSES AND GOVERNMENTS PRESUMABLY HAVE ACCESS TO CHEAPER FORMS OF DATA SECUR0TY: E%G%:D0STR0BUTED LEDGERS OR DATABASES THAT REQU0RE A TRUSTED PARTY pE%G%: THE BUS0NESS OR BUS0NESSESTHEMSELVES(: RATHER THAN HAV0NG TO PAY THE H0GH COSTS OF THE TRUST THAT 0S EMERGENT FROM A LARGENETWORK OF UNTRUSTED COMPUTERS COORD0NAT0NG ON MAX0MUM PROOFhOFhWORK%

’ELATEDLY TO TH0S LAST PO0NT: AN 0MPORTANT CLAR0ffiCAT0ONc AS 0NTEREST 0N ∗0TCO0N AND 0TS BLOCKCHA0NHAVE SURGED: SOME HAVE STARTED TO USE THE PHRASE jBLOCKCHA0N“ TO REFER AS WELL TO THE USE OFD0STR0BUTED LEDGERS OR DATABASES AMONG JNnWN: TRUSTED PART0ES8THAT 0S: WzTgnUT THE ANONYMOUS:DECENTRAL0yED TRUST 0NNOVAT0ON OF ¯AKAMOTO p˜zze(% �N EXAMPLE 0S THE USES BY vALMART AND ∗R0T0SH�0RWAYS DESCR0BED 0N ¯ASH p˜zoe(8ESSENT0ALLY: THE USE OF WELLhARCH0TECTED DATABASES: STRONG VERS0ONCONTROL pPOSS0BLY UT0L0y0NG ONEhWAY HASH FUNCT0ONS(: AND ALLOW0NG MULT0PLE 0NTERESTED PART0ES TOEAS0LY SEARCH OR UPDATE THE DATA 0N ACCORDANCE W0TH PRESCR0BED BUS0NESS PRACT0CES% �S ONE ffiNANC0ALCOLUMN0ST ASTUTELY OBSERVEDc j-F YOU ANNOUNCE THAT YOU ARE UPDAT0NG THE DATABASE SOFTWARE USEDBY A CONSORT0UM OF BANKS TO TRACK DER0VAT0VES TRADES: THE ¯EW xORK /0MES W0LL NOT WR0TE AN ART0CLEABOUT 0T% -F YOU SAY THAT YOU ARE BLOCKCHA0N0NG THE BLOCKCHA0N SOFTWARE USED BY A BLOCKCHA0N OFBLOCKCHA0NS TO BLOCKCHA0N BLOCKCHA0N BLOCKCHA0NS: THE ¯EW xORK /0MES W0LL BLOCKCHA0N A BLOCKCHA0NABOUT 0T%“pkEV0NE: ˜zo;( /HE vrI REPORTS THAT j]OMPAN0ES THAT HAVE TAKEN AN ?-F 0T A0N‘T BROKE:DON‘T ffiX 0T‘ ATT0TUDE TOWARD BACKhOffCE PROCESSES AND LOG0ST0CS -/ M0GHT BE READY TO SPEND B0GON UPDAT0NG THOSE SYSTEMS WHEN THEY HEAR THE BUyyWORD ?BLOCKCHA0N‘%“pl0MS: ˜zoe( �S SHOULD BEQU0TE CLEAR: TH0S PAPER‘S CR0T0QUE 0S ABOUT BLOCKCHA0N 0N THE SENSE OF ¯AKAMOTO p˜zze(: NOT ABOUTTHE USE OF D0STR0BUTED DATABASES MORE BROADLY% -NDEED: WHAT TH0S PAPER H0GHL0GHTS 0S THAT 0T 0SEXACTLY THE ASPECT OF ∗0TCO0N AND ¯AKAMOTO p˜zze( THAT 0S SO 0NNOVAT0VE RELAT0VE TO TRAD0T0ONAL

o7

D0STR0BUTED DATABASES 8 THE ANONYMOUS: DECENTRAL0yED TRUST THAT EMERGES FROM PROOFhOFhWORK 8THAT 0S SO ECONOM0CALLY L0M0T0NG%

�N 0NTEREST0NG OPEN QUEST0ON RA0SED BY TH0S PAPER 8 PERHAPS MORE FOR COMPUTER SC0ENT0STSTHAN FOR ECONOM0STS: OR PERHAPS REQU0R0NG BOTH PERSPECT0VES 8 0S WHETHER THERE 0S SOME OTHERAPPROACH TO GENERAT0NG ANONYMOUS: DECENTRAL0yED TRUST 0N A PUBL0C LEDGER THAT 0S LESS ECONOM0CALLYCONSTRA0NED BY THE POSS0B0L0TY OF AN ATTACK% lORE PREC0SELY: ALLOW0NG THAT SOME VERS0ON OF EQUAT0ONSpo(hpt( SEEMS 0NTR0NS0C TO ANY ANONYMOUS: DECENTRAL0yED BLOCKCHA0N PROTOCOL: 0S THERE AN ALTERNAT0VETO ¯AKAMOTO p˜zze( THAT E0THER REDUCES PPssPbi OR RA0SES �: RELAT0VE TO A G0VEN LEVEL OF PAYMENTFOR MA0NTENANCE OF THE LEDGER: Naknbi% v0TH0N THE PROOFhOFhWORK PARAD0GM: THE MOST NATURAL 0DEA0S TO ffiND A MOD0ffiCAT0ON TO THE LONGESThCHA0N CONVENT0ON THAT UT0L0yES THE FACT THAT: 0N THE EVENTOF AN ATTACK: 0T W0LL BE W0DELY jNOT0CED“% #R: PERHAPS ONE CAN PROVE A THEOREM THAT SHOWS THATNO SUCH MOD0ffiCAT0ON CAN EX0ST WH0LE PRESERV0NG ANONYM0TY AND DECENTRAL0yAT0ON: SU0TABLY DEffiNED%�NOTHER 0NTEREST0NG 0DEA 0N TH0S REGARD 0S PROOFhOFhSTAKE pCF%: ∗UTER0N AND 4R0ffTH p˜zo;(: $THEREUMv0K0 p˜zoeB((% /HE USUAL MOT0VAT0ON FOR PROOFhOFhSTAKE OVER PROOFhOFhWORK 8 THE DEADWE0GHT LOSSAND ENV0RONMENTAL HARM ASSOC0ATED W0TH PROOFhOFhWORK M0N0NG: CURRENTLY EST0MATED TO UT0L0yE OVERz%tz) OF GLnBAL ELECTR0C0TY CONSUMPT0ON p,0G0CONOM0ST: ˜zoes uR0ES: ˜zoes rALEH: ˜zoe( 8 0S 0N FACTCOMPLETELY ORTHOGONAL TO THE CONCERNS RA0SED 0N TH0S PAPER% IUST CONCEPTUAL0yE a AS THE PERhBLOCKOPPORTUN0TY COST OF HOLD0NG ONE UN0T OF STAKE: AND VERS0ONS OF EQUAT0ONS po(hpt( OBTA0N 0MMED0ATELY%∗UT: THE USE OF jSTAKES“ 0NSTEAD OF COMPUTAT0ONAL WORK MAY OPEN NEW POSS0B0L0T0ES FOR THWART0NGATTACKS: E%G%: CONffiSCAT0ON OF AN ATTACKER‘S STAKE: OR BU0LD0NG SOME L0M0TED FORMS OF REPUTAT0ON pE%G%:∗UTER0N: ˜zo7(% -T W0LL BE 0NTEREST0NG TO WATCH TH0S RESEARCH DEVELOP: AND SEE WHETHER OR NOT 0TCONST0TUTES A VAL0D RESPONSE TO THE CR0T0QUE 0N TH0S PAPER%

o;

’EFERENCES

�THEx: r2SAN: -VO 1ARASHKEVOV: uzSHN2 rAR2KKAz: AND IzNG wzA) ˜zo7% j∗0TCO0N 1R0C0NG:�DOPT0ON: AND 2SAGEc /HEORY AND $V0DENCE%“ r-$1’ vORK0NG 1APER ¯O% o;hztt%

azAzS: aR2NO: bHRzSTOPHE azSzjRE: lATTHzE2 aO2VARD: AND bATHERzNE bASAMATTA) ˜zo;%j/HE ∗LOCKCHA0N !OLK /HEOREM%“ /r$ vORK0NG 1APER ¯O% o;heo;% ’EV0SED IANUARY fl: ˜zoe%

azTCOzN)ORG) ˜zoe% j∗0TCO0N ,EVELOPER 4U0DE%“ ’ETR0EVED �PR0L z˜: ˜zoe: FROM gTTPSc66B0TC#0Np

#?46EN6DEVEk#PE?h420DE%

azTCOzN vzKz) ˜zofi% j¯ONhrPEC0AL0yED >ARDWARE ]OMPAR0SON%“ kAST lOD0ffiED �UGUST zfl: ˜zofi%’ETR0EVED �PR0L ˜fi: ˜zoe FROM gTTPSc66ENpB0TC#0Np0T6W0I06m#NhSPEC0Ak0yEDugA?DWA?Eu

C#MPA?0S#N%

azTCOzN vzKz) ˜zo;% j∗0TCO0N 1ROTOCOL ’ULES%“ kAST MOD0ffiED �UGUST ˜fi: ˜zo;% ’ETR0EVED lARCHo˜: ˜zoe FROM gTTPSc66ENpB0TC#0Np0T6W0I061?#T#C#ku?2kES9p33Bk#CIp33uMESSA4ES%

azTCOzN vzKz) ˜zoeA% j�LTERNAT0VE >0STORY �TTACK%“ kAST MOD0ffiED !EBRUARY oe: ˜zoe% ’ETR0EhVED !EBRUARY ˜e: ˜zoe FROM gTTPSc66ENpB0TC#0Np0T6W0I06-??EVE?S0BkEu/?ANSACT0#NS9

�kTE?NAT0VEug0ST#?xuATTACI%

azTCOzN vzKz) ˜zoeB% j�TTACKER >AS � kOT OF ]OMPUT0NG 1OWER%“ kAST MOD0ffiED !EBRUARYzfl: ˜zoe% ’ETR0EVED !EBRUARY ˜e: ˜zoe: FROM gTTPSc66ENpB0TC#0Np0T6W0I06vEAINESSES9

�TTACIE?ugASuAuk#Tu#FuC#MP2T0N4uP#WE?%

azTCOzN vzKz) ˜zoeC% j$NERGY ]ONSUMPT0ON%“ kAST MOD0ffiED !EBRUARY zfl: ˜zoe% ’ETR0EVED !EBRUhARY ˜e: ˜zoe: FROM gTTPSc66ENpB0TC#0Np0T6W0I06vEAINESSES9dNE?4xub#NS2MPT0#N%

azTCOzN vzKz) ˜zoeD% jlAiOR0TY �TTACK%“ kAST MOD0ffiED !EBRUARY oe: ˜zoe% ’ETR0EVED !EBRUARY ˜e:˜zoe: FROM gTTPSc66ENpB0TC#0Np0T6W0I06-??EVE?S0BkEu/?ANSACT0#NS9lAi#?0TxuATTACI%

azTMAzN) ˜zoe% j�NTM0NER #NL0NE rTORE%“ ’ETR0EVED lARCH ˜n: ˜zoe FROM gTTPSc66Sg#Pp

B0TMA0NpC#M6P?#D2CT6MA0NqkAN48EN%

aLOCKCHAzN)zNFO) ˜zoe% j>ASH ’ATE%“ ’ETR0EVED �PR0L z˜: ˜zoe: FROM gTTPSc66Bk#CICgA0Np0NF#6

CgA?TS6gASgh?ATEqT0MESPAN8tzDAxSaSg#W:ATA1#0NTS8T?2E%

aèHME: ’AzNER: mzCOLAS bHRzSTzN: aENiAMzN dDELMAN: AND sxLER lOORE) ˜zofi% j∗0TCO0Nc$CONOM0CS: /ECHNOLOGY: AND 4OVERNANCE%“ InURNAL nF dCnNnMzC 1ERSPECTzVES: ˜np˜(c ˜ot—˜te%

oe

aONNEA2: IOSEPH) ˜zoe% j>OST0LE ∗LOCKCHA0N /AKEOVERS prHORT 1APER(%“ -N azTCnzN Qoec 1RnCEEhDzNGS nF TgE fh� vnRJSgnP nN azTCnzN AND aLnCJCgAzN ’ESEARCg%

a2DzSH: dRzC: 1ETER bRAMTON: AND IOHN rHzM) ˜zofi% j/HE >0GHh!REQUENCY /RAD0NG �RMS’ACEc !REQUENT ∗ATCH �UCT0ONS AS A lARKET ,ES0GN ’ESPONSE%“ .UARTERLx InURNAL nF dCnNnMzCS:oztpfl(c ofifl;—o7˜o%

a2TERzN: uzTALzK) ˜zo7% j� 1ROOF OF rTAKE ,ES0GN 1H0LOSOPHY%“ lEDzUM: ,ECEMhBER tz% ’ETR0EVED lAY tz: ˜zoe FROM gTTPSc66MED02MpC#M6&_0TAk0I@2TE?0N6

AhP?##Fh#FhSTAIEhDES04NhPg0k#S#Pgxhfz7fefnseDfo%

a2TERzN: uzTALzK: AND uzRGzL 4RzfTH) ˜zo;% j]ASPER THE !R0ENDLY !0NAL0TY 4ADGET%“ ARwzVPREPRzNT% ARw0Vco;oz%znflt;%

bBOE) ˜zoe% j]BOE !UTURES $XCHANGE ,A0LY lARKET rTAT0ST0CS%“ ’ETR0EVED lARCH z7: ˜zoe: FROMgTTPSc66MA?IETSpCB#EpC#M62S6F2T2?ES6MA?IETuSTAT0ST0CS6DA0kx6%

bHz2: IONATHAN: AND sHORSTEN u) JOEPPL) ˜zo;% j/HE $CONOM0CS OF ]RYPTOCURRENC0ES h∗0TCO0N AND ∗EYOND%“ +UEEN‘S $CONOM0CS ,EPARTMENT vORK0NG 1APER ¯O% oten%

bHRzSTzN: mzCOLAS) ˜zo;% j�N $2h!OCUSED �NALYS0S OF ,RUG rUPPLY ON THE #NL0NE �NONYMOUSlARKETPLACE $COSYSTEM%“ $UROPEAN lON0TOR0NG ]ENTRE FOR ,RUGS AND ,RUG �DD0CT0ON ’EPORT%

bld 4RO2P) ˜zoeA% j∗0TCO0N uOLUME%“ ’ETR0EVED lARCH z7: ˜zoe: FROM gTTPc66WWWpCME4?#2Pp

C#M6T?AD0N46EQ20Txh0NDEw62Sh0NDEw6B0TC#0NuQ2#TESuV#k2MEuV#0pgTMkq#PT0D8e5se%

bld 4RO2P) ˜zoeB% j,A0LY lETALS uOLUME AND #PEN -NTEREST%“ ’ETR0EVED lARCH z7: ˜zoe: FROMgTTPc66WWWpCME4?#2PpC#M6MA?IEThDATA6V#k2MEh#PENh0NTE?EST6METAkShV#k2MEpgTMk%

bOCHRANE: IOHN) ˜zo;% j∗0TCO0N AND ∗UBBLES%“ sgE 4RUMPx dCnNnMzST: ¯OVEMBER tz% ’ETR0EVEDFROM gTTPSc66i#gNgC#Cg?ANEpBk#4SP#TpC#M63zos6oo6B0TC#0NhANDhB2BBkESpgTMk%

bOWEN: sxLER) ˜zo;A% j∗0TCO0N -S A ∗0T OF A l0RACLE AT �NY 1R0CE%“ aLnnMBERG uzEW:,ECEMBER oo% ’ETR0EVED FROM gTTPSc66WWWpBk##MBE?4pC#M6V0EW6A?T0CkES63zosho3hoo6

B0TC#0Nh0ShAhB0Th#FhAhM0?ACkEhAThANxhP?0CE%

bOWEN: sxLER) ˜zo;B% jxOU‘RE 4ONNA ¯EED � ∗0GGER u0RTUAL vALLET%“ aLnnMBERGuzEW: �UGUST zn% ’ETR0EVED FROM gTTPSc66WWWpBk##MBE?4pC#M6V0EW6A?T0CkES63zoshzehzn6

x#2h?Eh4#NNAhNEEDhAhB044E?hV0?T2AkhWAkkET%

,zGzCONOMzST) ˜zoe% j∗0TCO0N $NERGY ]ONSUMPT0ON -NDEX%“ ’ETR0EVED IUNE zfl: ˜zoe FROM gTTPSc

66D040C#N#M0STpNET6B0TC#0NhENE?4xhC#NS2MPT0#N%

on

dASLEx: ,AVzD: lA2REEN #qgARA: AND rO2MxA aAS2) ˜zo;% j!ROM l0N0NG TO lARKETSc /HE$VOLUT0ON OF ∗0TCO0N /RANSACT0ON !EES%“ ]ORNELL 2N0VERS0TY vORK0NG 1APER%

dTHERE2M vzKz) ˜zoeA% j� ¯EXTh4ENERAT0ON rMART ]ONTRACT AND ,ECENTRAL0yED �PPL0CAT0ON1LATFORM%“ kAST lOD0ffiED �PR0L oo: ˜zoe% ’ETR0EVED �PR0L o˜: ˜zoe FROM gTTPSc6640Tg2BpC#M6

ETgE?E2M6W0I06W0I06vg0TEh1APE?%

dTHERE2M vzKz) ˜zoeB% j1ROOF OF rTAKE !�+%“ kAST lOD0ffiED lAY ˜fi: ˜zoe% ’ETR0EVED lAY tz:˜zoe FROM gTTPSc6640Tg2BpC#M6ETgE?E2M6W0I06W0I061?##Fh#FhrTAIEh=�.%

dxAL: -TTAx: AND dMzN 42N rzRER) ˜zofl% jlAiOR0TY 0S NOT $NOUGHc ∗0TCO0N l0N0NG 0S uULNERAhBLE%“ -N 1RnCEEDzNGS nF TgE oeTg -NTERNATznNAL bnNFERENCE nN 8zNANCzAL bRxPTnGRAPgx AND ,ATArECURzTx p8b(% flt7—flfifl%

4OLDMAN rACHS) ˜zoe% j∗LOCKCHA0N h /HE ¯EW /ECHNOLOGY OF /RUST%“ ’ETR0EVED �PR0L oo: ˜zoe:FROM gTTPc66WWWp4#kDMANSACgSpC#M6#2?hTg0NI0N46PA4ES6Bk#CICgA0N6%

g2BERMAN: 42R: IACOB ,) kESHNO: AND bzAMAC b) lOALLEMz) ˜zo;% jlONOPOLY W0THOUT AlONOPOL0STc �N $CONOM0C �NALYS0S OF THE ∗0TCO0N 1AYMENT rYSTEM%“ ]OLUMB0A ∗US0NESS rCHOOL’ESEARCH 1APER ¯O% o;hn˜%

g2zLLET: lARzE) ˜zoe% j$THEREUM ]OMMUN0TY ]ONS0DERS >ARD !ORK /O !0GHT �r-]l0NERS%“ bnzNsELEGRAPg: �PR0L zt% ’ETR0EVED FROM gTTPSc66C#0NTEkE4?APgpC#M6NEWS6

ETgE?E2MhC#MM2N0TxhC#NS0DE?ShgA?DhF#?IhT#hF04gThAS0ChM0NE?S%

JROLL: IOSH2A �): -AN b) ,AVEx: AND dDWARD v) eELTEN) ˜zot% j/HE $CONOM0CS OF ∗0TCO0Nl0N0NG OR: ∗0TCO0N 0N THE 1RESENCE OF �DVERSAR0ES%“ -N otTg vnRJSgnP nN TgE dCnNnMzCS nF-NFnRMATznN rECURzTx%

kEVzNE: lATT) ˜zo;% j∗ANK ∗LOCKCHA0NS AND AN �L0BABA ∗OX%“ aLnnMBERG uzEW:IANUARY oz% ’ETR0EVED FROM gTTPSc66WWWpBk##MBE?4pC#M6V0EW6A?T0CkES63zoshzohoz6

BANIhBk#CICgA0NShANDhANhAk0BABAhB#w%

lAzLATH: 4EORGE I): AND kARRx rAM2ELSON) ˜zz7% ’EPEATED 4AMES AND ’EPUTATznNSc knNGh’UN ’ELATznNSgzPS) ¯EW xORK: ¯xc#XFORD 2N0VERS0TY 1RESS%

lA: I2NE: IOSH2A r) 4ANS: AND ’ABEE sO2RKx) ˜zoe% jlARKET rTRUCTURE 0N ∗0TCO0N l0N0NG%“¯∗$’ vORK0NG 1APER ˜fl˜fl˜%

˜z

lzMS: bHRzSTOPHER) ˜zoe% jvHY ∗LOCKCHA0N v0LL rURV0VE: $VEN -F ∗0TCO0N ,OESN‘T%“vALL rTREET InURNAL: lARCH oo% ’ETR0EVED FROM gTTPSc66WWWpWSipC#M6A?T0CkES6

WgxhBk#CICgA0NhW0kkhS2?V0VEhEVENh0FhB0TC#0NhD#ESNThof3zs7n7zz%

mAKAMOTO: rATOSHz) ˜zze% j∗0TCO0Nc � 1EERhTOh1EER $LECTRON0C ]ASH rYSTEM%“ ’ETR0EVED FROMgTTPSc66B0TC#0Np#?46B0TC#0NpPDF%

mARAxANAN: �RVzND: IOSEPH aONNEA2: dDWARD eELTEN: �NDREW lzLLER: AND rTEVEN4OLDFEDER) ˜zo7% azTCnzN AND bRxPTnCURRENCx sECgNnLnGzESc � bnMPREgENSzVE -NTRnDUCTznN)1R0NCETON: ¯Ic1R0NCETON 2N0VERS0TY 1RESS%

mASH: JzM r) ˜zoe% j∗US0NESS -NTEREST 0N ∗LOCKCHA0N 10CKS 2PvH0LE ]RYPTOCURRENCY ]AUSES ]ONN0PT0ONS%“ vALL rTREET InURNAL: !EhBRUARY z7% ’ETR0EVED FROM gTTPSc66Bk#4SpWSipC#M6C0#63zoe6z36z76

B2S0NESSh0NTE?ESTh0NhBk#CICgA0NhP0CISh2PhWg0kEhC?xPT#C2??ENCxhCA2SEShC#NN0PT0#NS6%

mOBEL 1RzyE bOMMzTTEE) ˜zzfi% j’OBERT �UMANN‘S AND /HOMAS rCHELL0NG‘S ]ONTR0hBUT0ONS TO 4AME /HEORYc �NALYSES OF ]ON50CT AND ]OOPERAT0ON%“ ’ETR0EVED FROMgTTPSc66WWWpN#BEkP?0yEp#?46N#BEkuP?0yES6EC#N#M0ChSC0ENCES6kA2?EATES63zzf6

ADVANCEDhEC#N#M0CSC0ENCES3zzfpPDF%

#qkEARx: ’ACHEL ’OSE) ˜zoe% j$THEREUM �r-]S �RE >EREc vHAT THE ¯EW l0NERS lEAN ANDvHAT‘S ¯EXT%“ bnzN,ESJ: �PR0L zt% kAST lOD0ffiED �PR0L zfi: ˜zoe% ’ETR0EVED FROM gTTPSc66WWWp

C#0NDESIpC#M6ETgE?E2MhAS0CShMEANShWgATShNEwT6%

’OSENFELD: lENz) ˜zo˜% j�NALYS0S OF >ASHRATEh∗ASED ,OUBLEhrPEND0NG%“ ARwzV PREPRzNT%ARw0Vcoflz˜%˜zzn%

’2SSELL: ION) ˜zoe% jrAMSUNG ]ONffiRMS 0T 0S lAK0NG �r-] ]H0PS FOR ]RYPTOCURRENCYl0N0NG%“ sECgbRUNCg: IANUARY to% ’ETR0EVED FROM gTTPSc66TECgC?2NCgpC#M63zoe6zo6to6

SAMS2N4hC#NF0?MShAS0ChCg0PS6%

rALEH: eAHAD) ˜zoe% j∗LOCKCHA0N v0THOUT vASTEc 1ROOFhOFhrTAKE%“ vORK0NG 1APER% ’ETR0EVEDFROM gTTPSc66PAPE?SpSS?NpC#M6S#kt6PAPE?SpCFMqABST?ACTu0D8toetntf%

rCHELLzNG: s)b) onfi7% j�N $SSAY ON ∗ARGA0N0NG%“ �MERzCAN dCnNnMzC ’EVzEW: fl7pt(c ˜eo—tz7%

rOSKA: JxLE: AND mzCOLAS bHRzSTzN) ˜zofi% jlEASUR0NG THE kONG0TUD0NAL $VOLUT0ON OF THE #NL0NE�NONYMOUS lARKETPLACE $COSYSTEM%“ -N 1RnCEEDzNGS nF TgE tflTg 2rdm-w rECURzTx rxMPnSzUM%tt—fle% vASH0NGTON: ,]%

˜o

sAxLOR: lzCHAEL aEDFORD) ˜zo;% j/HE $VOLUT0ON OF ∗0TCO0N >ARDWARE%“ bnMPUTER: fizpn(c fie—77%

uRzES: �LEX ,E) ˜zoe% j∗0TCO0N‘S 4ROW0NG $NERGY 1ROBLEM%“ InULE: ˜pfi(c ezo—ezfi%

vzKzPEDzA) ˜zoe% j∗LOCKCHA0N%“ ’ETR0EVED lARCH zfi: ˜zoe: FROM gTTPSc66ENpW0I0PED0Ap#?46

W0I06@k#CICgA0N%

vzLMOTH: IOSzAH) ˜zoe% j∗0TCO0N 4OLD >0T BY ,OUBLE rPEND �TTACK: $XhCHANGES kOSE l0LL0ONS%“ bbm: lAY ˜t% ’ETR0EVED FROM gTTPSc66WWWpCCNpC#M6

B0TC#0Nh4#kDhg0ThBxhD#2BkEhSPENDhATTACIhEwCgAN4EShk#SEhM0kk0#NS6%

vONG: IOON -AN) ˜zoe% j$VERY ]RYPTOCURRENCY‘S ¯0GHTMARE rCENAR0O 0S >APPEhN0NG TO ∗0TCO0N 4OLD%“ .UARTy: lAY ˜fl% ’ETR0EVED FROM gTTPSc66QypC#M6o3esszo6

B0TC#0Nh4#kDShfohATTACIh0ShEVE?xhC?xPT#C2??ENCxShN04gTMA?EhSCENA?0#6%

˜˜

sAakc olAinpyTu �TTACe bnM1tTATynmAk ryMtkATynmS

�% $XPECTED ,URAT0ON OF �TTACKc – z c – o c – 7 c – oz c – ozz c – ozzz

> – oϵzfi ˜7%fiz tz%ez fl7%z˜ fifi%fle oe˜%fl o:z7e%e> – oϵo ofl%z˜ o7%flt ˜fi%fiz to%tfi o˜7%e o:zzfl%n> – oϵ˜ ;%;n n%˜e ofi%t; on%77 oz7%o o:zz˜%z> – oϵ˜fi 7%fifl ;%e7 ot%flo o;%flt ozt%e o:zz˜%z> – oϵtt fi%tfl 7%fln oo%fie ofi%flz oz˜%fi o:zz˜%z> – oϵfi fl%ze fi%z; n%;; ot%fln oz˜%z o:zz˜%z> – ˜ ˜%en t%;e e%tn o˜%˜t oz˜%z o:zz˜%z> – fi ˜%o˜ t%z7 e%zz o˜%zz oz˜%z o:zz˜%z

∗% $XPECTED ]OMPUTAT0ONAL ]OST OF �TTACKc – z c – o c – 7 c – oz c – ozz c – ozzz

> – oϵzfi ˜;%et t˜%tfl fle%t˜ fie%˜7 ono%fi o:o˜˜%˜> – oϵo ofi%fl˜ oe%z; ˜e%zfi tfl%fle otn%fi o:ozfi%fl> – oϵ˜ n%tfl oo%ot oe%flfl ˜t%fin o˜;%fl o:˜z˜%fl> – oϵ˜fi e%oe n%e˜ o7%;7 ˜o%;n o˜n%; o:˜fi˜%fi> – oϵtt ;%oo e%7fl ofi%flz ˜z%fle ot7%t o:tt˜%;> – oϵfi 7%o˜ ;%7o ofl%7fi ˜z%˜fl ofit%z o:fizt%z> – ˜ fi%;e ;%fi7 o7%;e ˜fl%flfi ˜zfl%z ˜:zzfl%z> – fi oz%fin ofi%˜n flz%zo 7z%zz fioz%z fi:zoz%z

]% $XPECTED ]OST OF �TTACK: ¯ET OF ∗LOCK ’EWARDSc – z c – o c – 7 c – oz c – ozz c – ozzz

> – oϵzfi o%tfl o%fifi ˜%tt ˜%ez n%˜ fit%fi> – oϵo o%flz o%7fl ˜%fifi t%ot o˜%; ozz%fi> – oϵ˜ o%fi7 o%e7 t%z; t%nt ˜o%˜ ˜zz%fl> – oϵ˜fi o%7fl o%n7 t%tfi fl%t7 ˜fi%n ˜fiz%fi> – oϵtt o%;7 ˜%ofl t%e˜ fi%ze tt%e ttz%;> – oϵfi ˜%zfl ˜%fifl fl%ee 7%;fi fio%z fizo%z> – ˜ ˜%en t%;e e%tn o˜%˜t oz˜%z o:zz˜%z> – fi e%fl; o˜%˜t t˜%zo fle%zz flze%z fl:zze%z

ens:’c 1ANEL � 0S REPORTED 0N NUMBER OF BLOCKS% 1ANELS @ AND •ARE REPORTED 0N UN0TS OF Naknbi — E�b% /HE PROBAB0L0Tx THAT THE ATTACKERW0NS 0N THE KhTH PER0OD 0S EST0MATED Bx S0MULAT0NG ozzl ATTACKS% !OR EACHSET OF PARAMETERS: THE S0MULAT0ON ENDS AFTER THE LARGER OF oz:zzz PER0ODS ORTHE PER0OD AT WH0CH nn%nnn) OF ATTACKS HAVE BECOME SUCCESSFULs UNRESOLVEDATTACKS ARE ABANDONED: 0NCURR0NG COMPUTE COSTS W0THOUT BLOCK REWARDS%r0MULAT0ON ASSUMPT0ONSc po( PURCHASED GOODS6ASSETS ARE HELD 0N ESCROW FORc PER0ODSs p3( ATTACKER SOLVES BLOCKS 0N AvonlclsgVkp.( T0ME AT COMPUTAT0ONCOST . PER BLOCK: HONEST •12S SOLVE BLOCKS 0N AvonlclsgVkpo( T0MEs pt( ANATTACK 0S SUCCESSFUL AFTER BOTH p0( ALL GOODS6ASSETS HAVE BEEN RELEASED FROMESCROW AND p00( ATTACKER HAS SOLVED MORE BLOCKS THAN HONEST •12S%